lxd fails to start after reboot when core.storage_buckets_address is set to a port on the private lxdbr0 ipv4 address

[melato]

Issue description

lxd fails to start after reboot when core.storage_buckets_address is set to a port on the private lxdbr0 ipv4 address.

Steps to reproduce

1. Install LXD on a new server (I used a hetzner image snapshot that had zfs and LXD 5.12, so it was not the latest version). The LXD configuration notably has these configuration values on top of the defaults:

   core.https_address: :8443
   ipv6.dhcp.stateful: true

   2. lxc config set core.storage_buckets_address 10.91.97.1:8555 # 10.91.97.1 is the ip address of lxdbr0.
   3. sudo zfs create z/storage/s -p
   4. lxc storage create s zfs source=z/storage/s
   5. lxc storage bucket create s apple
   6. Use minio mc to perform some operations in the bucket:

      mc --insecure alias set local https://10.91.97.1:8555 <key> <secret>
      date | mc --insecure pipe local/apple/date
      mc --insecure ls local/apple

   7. reboot
   8. lxc list Error: Get "http://unix.socket/1.0": read unix @->/var/snap/lxd/common/lxd-user/unix.socket: read: connection reset by peer
2. journalctl -u snap.lxd.daemon -n 300 This line was in the output: Error: Bind network address: listen tcp 10.91.97.1:8555: bind: cannot assign requested address

Fixed it like this: sudo sqlite3 /var/snap/lxd/common/lxd/database/local.db sqlite> DELETE FROM config WHERE key='core.storage_buckets_address';

sudo systemctl start snap.lxd.daemon

This was easily reproducible. After the fix I did it again:

lxc config set core.storage_buckets_address 10.91.97.1:8555
reboot

and got the same problem after step 7 above.

Required information

• Distribution: Debian
• Distribution version: 11 uname -a: Linux pin 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21) aarch64 GNU/Linux lxc info: config: core.https_address: :8443 api_extensions:
  • storage_zfs_remove_snapshots
  • container_host_shutdown_timeout
  • container_stop_priority
  • container_syscall_filtering
  • auth_pki
  • container_last_used_at
  • etag
  • patch
  • usb_devices
  • https_allowed_credentials
  • image_compression_algorithm
  • directory_manipulation
  • container_cpu_time
  • storage_zfs_use_refquota
  • storage_lvm_mount_options
  • network
  • profile_usedby
  • container_push
  • container_exec_recording
  • certificate_update
  • container_exec_signal_handling
  • gpu_devices
  • container_image_properties
  • migration_progress
  • id_map
  • network_firewall_filtering
  • network_routes
  • storage
  • file_delete
  • file_append
  • network_dhcp_expiry
  • storage_lvm_vg_rename
  • storage_lvm_thinpool_rename
  • network_vlan
  • image_create_aliases
  • container_stateless_copy
  • container_only_migration
  • storage_zfs_clone_copy
  • unix_device_rename
  • storage_lvm_use_thinpool
  • storage_rsync_bwlimit
  • network_vxlan_interface
  • storage_btrfs_mount_options
  • entity_description
  • image_force_refresh
  • storage_lvm_lv_resizing
  • id_map_base
  • file_symlinks
  • container_push_target
  • network_vlan_physical
  • storage_images_delete
  • container_edit_metadata
  • container_snapshot_stateful_migration
  • storage_driver_ceph
  • storage_ceph_user_name
  • resource_limits
  • storage_volatile_initial_source
  • storage_ceph_force_osd_reuse
  • storage_block_filesystem_btrfs
  • resources
  • kernel_limits
  • storage_api_volume_rename
  • macaroon_authentication
  • network_sriov
  • console
  • restrict_devlxd
  • migration_pre_copy
  • infiniband
  • maas_network
  • devlxd_events
  • proxy
  • network_dhcp_gateway
  • file_get_symlink
  • network_leases
  • unix_device_hotplug
  • storage_api_local_volume_handling
  • operation_description
  • clustering
  • event_lifecycle
  • storage_api_remote_volume_handling
  • nvidia_runtime
  • container_mount_propagation
  • container_backup
  • devlxd_images
  • container_local_cross_pool_handling
  • proxy_unix
  • proxy_udp
  • clustering_join
  • proxy_tcp_udp_multi_port_handling
  • network_state
  • proxy_unix_dac_properties
  • container_protection_delete
  • unix_priv_drop
  • pprof_http
  • proxy_haproxy_protocol
  • network_hwaddr
  • proxy_nat
  • network_nat_order
  • container_full
  • candid_authentication
  • backup_compression
  • candid_config
  • nvidia_runtime_config
  • storage_api_volume_snapshots
  • storage_unmapped
  • projects
  • candid_config_key
  • network_vxlan_ttl
  • container_incremental_copy
  • usb_optional_vendorid
  • snapshot_scheduling
  • snapshot_schedule_aliases
  • container_copy_project
  • clustering_server_address
  • clustering_image_replication
  • container_protection_shift
  • snapshot_expiry
  • container_backup_override_pool
  • snapshot_expiry_creation
  • network_leases_location
  • resources_cpu_socket
  • resources_gpu
  • resources_numa
  • kernel_features
  • id_map_current
  • event_location
  • storage_api_remote_volume_snapshots
  • network_nat_address
  • container_nic_routes
  • rbac
  • cluster_internal_copy
  • seccomp_notify
  • lxc_features
  • container_nic_ipvlan
  • network_vlan_sriov
  • storage_cephfs
  • container_nic_ipfilter
  • resources_v2
  • container_exec_user_group_cwd
  • container_syscall_intercept
  • container_disk_shift
  • storage_shifted
  • resources_infiniband
  • daemon_storage
  • instances
  • image_types
  • resources_disk_sata
  • clustering_roles
  • images_expiry
  • resources_network_firmware
  • backup_compression_algorithm
  • ceph_data_pool_name
  • container_syscall_intercept_mount
  • compression_squashfs
  • container_raw_mount
  • container_nic_routed
  • container_syscall_intercept_mount_fuse
  • container_disk_ceph
  • virtual-machines
  • image_profiles
  • clustering_architecture
  • resources_disk_id
  • storage_lvm_stripes
  • vm_boot_priority
  • unix_hotplug_devices
  • api_filtering
  • instance_nic_network
  • clustering_sizing
  • firewall_driver
  • projects_limits
  • container_syscall_intercept_hugetlbfs
  • limits_hugepages
  • container_nic_routed_gateway
  • projects_restrictions
  • custom_volume_snapshot_expiry
  • volume_snapshot_scheduling
  • trust_ca_certificates
  • snapshot_disk_usage
  • clustering_edit_roles
  • container_nic_routed_host_address
  • container_nic_ipvlan_gateway
  • resources_usb_pci
  • resources_cpu_threads_numa
  • resources_cpu_core_die
  • api_os
  • container_nic_routed_host_table
  • container_nic_ipvlan_host_table
  • container_nic_ipvlan_mode
  • resources_system
  • images_push_relay
  • network_dns_search
  • container_nic_routed_limits
  • instance_nic_bridged_vlan
  • network_state_bond_bridge
  • usedby_consistency
  • custom_block_volumes
  • clustering_failure_domains
  • resources_gpu_mdev
  • console_vga_type
  • projects_limits_disk
  • network_type_macvlan
  • network_type_sriov
  • container_syscall_intercept_bpf_devices
  • network_type_ovn
  • projects_networks
  • projects_networks_restricted_uplinks
  • custom_volume_backup
  • backup_override_name
  • storage_rsync_compression
  • network_type_physical
  • network_ovn_external_subnets
  • network_ovn_nat
  • network_ovn_external_routes_remove
  • tpm_device_type
  • storage_zfs_clone_copy_rebase
  • gpu_mdev
  • resources_pci_iommu
  • resources_network_usb
  • resources_disk_address
  • network_physical_ovn_ingress_mode
  • network_ovn_dhcp
  • network_physical_routes_anycast
  • projects_limits_instances
  • network_state_vlan
  • instance_nic_bridged_port_isolation
  • instance_bulk_state_change
  • network_gvrp
  • instance_pool_move
  • gpu_sriov
  • pci_device_type
  • storage_volume_state
  • network_acl
  • migration_stateful
  • disk_state_quota
  • storage_ceph_features
  • projects_compression
  • projects_images_remote_cache_expiry
  • certificate_project
  • network_ovn_acl
  • projects_images_auto_update
  • projects_restricted_cluster_target
  • images_default_architecture
  • network_ovn_acl_defaults
  • gpu_mig
  • project_usage
  • network_bridge_acl
  • warnings
  • projects_restricted_backups_and_snapshots
  • clustering_join_token
  • clustering_description
  • server_trusted_proxy
  • clustering_update_cert
  • storage_api_project
  • server_instance_driver_operational
  • server_supported_storage_drivers
  • event_lifecycle_requestor_address
  • resources_gpu_usb
  • clustering_evacuation
  • network_ovn_nat_address
  • network_bgp
  • network_forward
  • custom_volume_refresh
  • network_counters_errors_dropped
  • metrics
  • image_source_project
  • clustering_config
  • network_peer
  • linux_sysctl
  • network_dns
  • ovn_nic_acceleration
  • certificate_self_renewal
  • instance_project_move
  • storage_volume_project_move
  • cloud_init
  • network_dns_nat
  • database_leader
  • instance_all_projects
  • clustering_groups
  • ceph_rbd_du
  • instance_get_full
  • qemu_metrics
  • gpu_mig_uuid
  • event_project
  • clustering_evacuation_live
  • instance_allow_inconsistent_copy
  • network_state_ovn
  • storage_volume_api_filtering
  • image_restrictions
  • storage_zfs_export
  • network_dns_records
  • storage_zfs_reserve_space
  • network_acl_log
  • storage_zfs_blocksize
  • metrics_cpu_seconds
  • instance_snapshot_never
  • certificate_token
  • instance_nic_routed_neighbor_probe
  • event_hub
  • agent_nic_config
  • projects_restricted_intercept
  • metrics_authentication
  • images_target_project
  • cluster_migration_inconsistent_copy
  • cluster_ovn_chassis
  • container_syscall_intercept_sched_setscheduler
  • storage_lvm_thinpool_metadata_size
  • storage_volume_state_total
  • instance_file_head
  • instances_nic_host_name
  • image_copy_profile
  • container_syscall_intercept_sysinfo
  • clustering_evacuation_mode
  • resources_pci_vpd
  • qemu_raw_conf
  • storage_cephfs_fscache
  • network_load_balancer
  • vsock_api
  • instance_ready_state
  • network_bgp_holdtime
  • storage_volumes_all_projects
  • metrics_memory_oom_total
  • storage_buckets
  • storage_buckets_create_credentials
  • metrics_cpu_effective_total
  • projects_networks_restricted_access
  • storage_buckets_local
  • loki
  • acme
  • internal_metrics
  • cluster_join_token_expiry
  • remote_token_expiry
  • init_preseed
  • storage_volumes_created_at
  • cpu_hotplug
  • projects_networks_zones
  • network_txqueuelen
  • cluster_member_state
  • instances_placement_scriptlet
  • storage_pool_source_wipe
  • zfs_block_mode
  • instance_generation_id
  • disk_io_cache api_status: stable api_version: "1.0" auth: trusted public: false auth_methods:
  • tls environment: addresses:
  • x.x.x.x:8443
  • '[2a01:...:2]:8443'
  • 10.91.97.1:8443
  • '[fd42:e2:704a:386f::1]:8443' architectures:
  • aarch64
  • armv6l
  • armv7l
  • armv8l certificate: | -----BEGIN CERTIFICATE----- MIIB+zCCAYGgAwIBAgIRAOb2yY4vQsEAkZTPZVLuhGswCgYIKoZIzj0EAwMwMTEc MBoGA1UEChMTbGludXhjb250YWluZXJzLm9yZzERMA8GA1UEAwwIcm9vdEBhbXAw HhcNMjMwNDI2MTQxNjE3WhcNMzMwNDIzMTQxNjE3WjAxMRwwGgYDVQQKExNsaW51 eGNvbnRhaW5lcnMub3JnMREwDwYDVQQDDAhyb290QGFtcDB2MBAGByqGSM49AgEG BSuBBAAiA2IABOHkLL0e+mTZwvVJdsoLIBdVygxTbLYLe9D0Er1YqIdeAIy8hZb5 syMsYIZ7AoUodYt2ZzrlTKDQhyA8ypalM181k2ABdg+Z6UVPCWCGbXjYw+B4/AYW Y5u29pXH52ypy6NdMFswDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUF BwMBMAwGA1UdEwEB/wQCMAAwJgYDVR0RBB8wHYIDYW1whwR/AAABhxAAAAAAAAAA AAAAAAAAAAABMAoGCCqGSM49BAMDA2gAMGUCMDeTLC4TOUeYwQkRskhNPXldGJTS 9nGn6QaCIFG6u3agZWDPj1VqpgSbZ6ESEzwBcgIxAOMTywFI27/xUcDVh1Ojzv+3 G0sgv0LoSdKeawoQf9rNESk+SmM5FqdaM85lL6hpAQ== -----END CERTIFICATE----- certificate_fingerprint: 05bd8b073ce485c371ff6daf4a8149495981ad470bfd67ecafb26a797fcb197b driver: lxc driver_version: 5.0.2 firewall: nftables kernel: Linux kernel_architecture: aarch64 kernel_features: idmapped_mounts: "false" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 5.10.0-21-arm64 lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Debian GNU/Linux os_version: "11" project: default server: lxd server_clustered: false server_event_mode: full-mesh server_name: pin server_pid: 3394 server_version: "5.12" storage: zfs storage_version: 2.0.3-9 storage_supported_drivers:
  • name: btrfs version: 5.16.2 remote: false
  • name: ceph version: 17.2.0 remote: true
  • name: cephfs version: 17.2.0 remote: true
  • name: cephobject version: 17.2.0 remote: true
  • name: dir version: "1" remote: false
  • name: lvm version: 2.03.11(2) (2021-01-08) / 1.02.175 (2021-01-08) / 4.43.0 remote: false
  • name: zfs version: 2.0.3-9 remote: false

[stgraber]

I've had similar trouble with some of the other listeners. In general, other than the cluster listener, we should be able to have the others issue a warning (both in log and warning API) and keep retrying in the background.

[tomponline]

Reported from https://discuss.linuxcontainers.org/t/lxc-daemon-fails-to-start-if-it-cannot-bind-to-bgp-address/15293/5

[melato]

Could it be that LXD does not wait for lxdbr0 to initialize before attempting to start some listeners on it?

This problem does not happen with core.https_address. I set it to {lxdbr0-ipv4}:8443 and rebooted. lxc was operational. Using "netstat -nat" I saw that LXD started listening to {lxdbr0-ipv4}:8443 several seconds later. I used the same LXD version, as above.

[tomponline]

Yeah listeners are started before networks. But adding retries would solve this also.

[kamzar1]

I had it with proxy config,

  some_rpc:
    connect: tcp:127.0.0.1:8545
    listen: tcp:192.168.2.40:8545
    type: proxy

After a host reboot, the private IP 192.168.2.40 vanished, as consequence, some containers rejected to start. I rather seen a more forgiving behavior than going through multiple containers' config and start manually.

[stgraber]

I rather seen a more forgiving behavior than going through multiple containers' config and start manually.

We could introduce an optional key on the proxy as is done with many other device types, but that may still cause issues as the container will then be allowed to start with that proxy device missing. LXD doesn't really have a way to keep track of every single little detail on your system, so it's not going to be practical for us to start monitoring IP addresses and port usage on the host system to then start instances.

I believe we already have a background retry logic for instances on startup, so if the instance still can't start after the 30s or whatever retry delay we have, then your system isn't likely to fix itself without human intervention at which point, the human in question can also start the affected instances.