apt update fails to connect but ping works in container

[foveann]

Required information

• Distribution: Ubuntu 18.04.02 LTS on Fedora 29 host
• Distribution version: 18.04.2 LTS
• The output of "lxc info" or if that fails: config: {} api_extensions:
  • storage_zfs_remove_snapshots
  • container_host_shutdown_timeout
  • container_stop_priority
  • container_syscall_filtering
  • auth_pki
  • container_last_used_at
  • etag
  • patch
  • usb_devices
  • https_allowed_credentials
  • image_compression_algorithm
  • directory_manipulation
  • container_cpu_time
  • storage_zfs_use_refquota
  • storage_lvm_mount_options
  • network
  • profile_usedby
  • container_push
  • container_exec_recording
  • certificate_update
  • container_exec_signal_handling
  • gpu_devices
  • container_image_properties
  • migration_progress
  • id_map
  • network_firewall_filtering
  • network_routes
  • storage
  • file_delete
  • file_append
  • network_dhcp_expiry
  • storage_lvm_vg_rename
  • storage_lvm_thinpool_rename
  • network_vlan
  • image_create_aliases
  • container_stateless_copy
  • container_only_migration
  • storage_zfs_clone_copy
  • unix_device_rename
  • storage_lvm_use_thinpool
  • storage_rsync_bwlimit
  • network_vxlan_interface
  • storage_btrfs_mount_options
  • entity_description
  • image_force_refresh
  • storage_lvm_lv_resizing
  • id_map_base
  • file_symlinks
  • container_push_target
  • network_vlan_physical
  • storage_images_delete
  • container_edit_metadata
  • container_snapshot_stateful_migration
  • storage_driver_ceph
  • storage_ceph_user_name
  • resource_limits
  • storage_volatile_initial_source
  • storage_ceph_force_osd_reuse
  • storage_block_filesystem_btrfs
  • resources
  • kernel_limits
  • storage_api_volume_rename
  • macaroon_authentication
  • network_sriov
  • console
  • restrict_devlxd
  • migration_pre_copy
  • infiniband
  • maas_network
  • devlxd_events
  • proxy
  • network_dhcp_gateway
  • file_get_symlink
  • network_leases
  • unix_device_hotplug
  • storage_api_local_volume_handling
  • operation_description
  • clustering
  • event_lifecycle
  • storage_api_remote_volume_handling
  • nvidia_runtime
  • container_mount_propagation
  • container_backup
  • devlxd_images
  • container_local_cross_pool_handling
  • proxy_unix
  • proxy_udp
  • clustering_join
  • proxy_tcp_udp_multi_port_handling
  • network_state
  • proxy_unix_dac_properties
  • container_protection_delete
  • unix_priv_drop
  • pprof_http
  • proxy_haproxy_protocol
  • network_hwaddr
  • proxy_nat
  • network_nat_order
  • container_full
  • candid_authentication
  • backup_compression
  • candid_config
  • nvidia_runtime_config
  • storage_api_volume_snapshots
  • storage_unmapped
  • projects
  • candid_config_key
  • network_vxlan_ttl
  • container_incremental_copy
  • usb_optional_vendorid
  • snapshot_scheduling
  • container_copy_project
  • clustering_server_address
  • clustering_image_replication
  • container_protection_shift
  • snapshot_expiry
  • container_backup_override_pool
  • snapshot_expiry_creation api_status: stable api_version: "1.0" auth: trusted public: false auth_methods:
  • tls environment: addresses: [] architectures:
  • x86_64
  • i686 certificate: | -----BEGIN CERTIFICATE-----

    ---

    -----END CERTIFICATE----- certificate_fingerprint: *** driver: lxc driver_version: 3.1.0 kernel: Linux kernel_architecture: x86_64 kernel_version: 5.0.5-200.fc29.x86_64 server: lxd server_pid: 5939 server_version: "3.11" storage: zfs storage_version: 0.7.13-1 server_clustered: false server_name: **** project: default

Issue description

I created a container Ubuntu 18.04 on host Fedora 29 and cannot execute 'apt update' as root. I am able to ping 8.8.8.8 and archive.ubuntu.com without any packet loss. I confirmed 'ip link set dev eth0 up'.

Error for 'apt update':

Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Could not connect to archive.ubuntu.com:80 (91.189.88.161), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.91.23), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.149), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.162), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.91.26), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out .... Info for 'ip a':

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:16:3e:ee:d3:74 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 10.230.159.32/24 brd 10.230.159.255 scope global dynamic eth0 valid_lft 3348sec preferred_lft 3348sec inet6 fe80::216:3eff:feee:d374/64 scope link valid_lft forever preferred_lft forever

Info for 'lxc network list': +--------+----------+---------+-------------+---------+ | NAME | TYPE | MANAGED | DESCRIPTION | USED BY | +--------+----------+---------+-------------+---------+ | lxdbr0 | bridge | YES | | 1 | +--------+----------+---------+-------------+---------+ | virbr0 | bridge | NO | | 0 | +--------+----------+---------+-------------+---------+ | wlp2s0 | physical | NO | | 0 | +--------+----------+---------+-------------+---------+

Info for 'lxc profile show default':

config: {} description: Default LXD profile devices: eth0: name: eth0 nictype: bridged parent: lxdbr0 type: nic root: path: / pool: default type: disk name: default used_by:

• /1.0/containers/robust-orca

Steps to reproduce

1. lxc exec robust-orca -- /bin/bash -c 'apt update -y'

[stgraber]

Can you show ip link show on the host?

This smells like an MTU issue.

I'm assuming you also tried to download from other servers? The Ubuntu archive mirrors were rather swamped and slow yesterday.

[foveann]

Haven't tried other servers yet. Here is the ip link show on the host:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 98:5f:d3:e9:d7:83 brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:3a:3b:a1 brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:3a:3b:a1 brd ff:ff:ff:ff:ff:ff
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 100
    link/none 
6: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether fe:cc:24:ae:25:56 brd ff:ff:ff:ff:ff:ff
8: vethPCJF22@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP mode DEFAULT group default qlen 1000
    link/ether fe:cc:24:ae:25:56 brd ff:ff:ff:ff:ff:ff link-netnsid 0

[stgraber]

Ok, that looks fine.

Internally, I'm seeing this warning: Active/known issues: archive servers slowness / bandwidth peak | US servers added to archive.u.c so I'm going to just assume that this is the archive servers being completely swamped which would explain why ping would work but downloads wouldn't.

You may have some luck updating your /etc/apt/sources.list to use another mirror for the time being.

[foveann]

I tried a different mirror and got this error message :

Err:1 http://mirror.cs.pitt.edu/ubuntu/archive bionic InRelease Could not connect to mirror.cs.pitt.edu:80 (136.142.23.206), connection timed out

[foveann]

Thanks for all your help. I'll try again tomorrow.

[stgraber]

Hmm, now that's a bit odd, that mirror answers immediately here. So there can be two things I can think of that would explain this:

• Some MTU issue on your network
• A firewalling dropping the traffic.

Can you show iptables -L -n -v on your host as well as the output of tracepath archive.ubuntu.com (also from the host)?

[stgraber]

The iptables output looks odd, it shows no packet having gone through any of the rules in the FORWARD table which doesn't make much sense given that you're sending traffic out of the container...

[foveann]

I am very grateful for your time on this issue. Not sure how to troubleshoot further. All I know is that the first time I set up a container I was able to run 'apt update' and even 'apt install nginx' successfully but after rebooting and restarting my host, this issue started. I tried uninstalling lxd then reinstalling lxd but nothing has changed. During this whole time, I have not made any changes to the iptables rules nor installed anything so I can't think of what it could be.

[stgraber]

Can you try doing lxc network set lxdbr0 bridge.mtu 1280 and then restart your container and try again?

If there's some kind of MTU issue, that should unblock it.

[foveann]

I ran that command and it didn't complain but when I checked the tracepath again, the MTU size reverted back to the default 1500. Output same as first tracepath.

[stgraber]

What's odd is that ICMP would go through but the rest is blocked...

You could temporarily try (as root on the host):

• iptables -I INPUT -j ACCEPT
• iptables -I OUTPUT -j ACCEPT
• iptables -I FORWARD -j ACCEPT

That should mostly rule out firewall problems. To undo that change, run:

• iptables -D INPUT -j ACCEPT
• iptables -D OUTPUT -j ACCEPT
• iptables -D FORWARD -j ACCEPT

[foveann]

I tried it but nothing has changed unfortunately.

[stgraber]

Ok, I suspect you're at the point now where you'll need to use tcpdump to follow the traffic coming out of the container, hitting the bridge then hitting the outside interface to see where things go wrong.

You can find the interface name of the container in lxc info, dump that one first, then dump lxdbr0 then finally dump your upstream link with wlan0 and make sure you see all packets in all of them, if they disappear somewhere, that should give you a clue as to what's going on.

[foveann]

First time doing the tcpdump on my side. I installed it and can't figure out which interface to run the command on...this is what I have when I run 'nmcli device status' on my host:

' DEVICE TYPE STATE CONNECTION
wlp2s0 wifi connected NETWORKNAME lxdbr0 bridge connected lxdbr0
virbr0 bridge connected virbr0
tun0 tun connected tun0
lxdbr0-mtu dummy unmanaged --
vethIVB9H4 ethernet unmanaged --
lo loopback unmanaged --
virbr0-nic tun unmanaged -- '

I am guessing the lxdbr0 and the wlp2s0 but what am I looking for?

[stgraber]

tcpdump -ni vethIVB9H4 port 80 should show you the http traffic, then repeat on lxdbr0 and then on wlp2s0, that's the path your http traffic should be taking out and back.

[foveann]

Thanks a lot! I ran all three and it is the wlp2s0 that yields nothing.

[stgraber]

Ok, so suspects there could be that ip_forward is disabled somehow, or firewalling (though that didn't seem to be the case earlier) or maybe there's something odd going on with the nat tables or ebtables.

• iptables -t nat -L -n -v
• ebtables -L -v
• cat /proc/sys/net/ipv4/ip_forward
• cat /proc/sys/net/ipv4/conf/wlp2s0/forwarding
• cat /proc/sys/net/ipv4/conf/lxdbr0/forwarding
• ifconfig -a
• dmesg

May all be useful to track down what configuration is causing this problem.

[foveann]

There seems to be some discussion about port forwarding between host and container but in my case I don't even have 'apt update' so I can't possibly have a web server running. Someone in this thread suggests connecting a web server on port 9090 with this command: 'lxc config device add c1 proxy0 listen=tcp:127.0.0.1:80 connect=tcp:127.0.0.1:9090' How would I modify this if I don't have a web server running within the container to begin with? Or maybe I misunderstand the problem.

[stgraber]

The proxy device is completely unrelated to your issue.

[U-236]

try using a cloud image, i have that problem with OpenSUSE Leap 15.4 host and fixed using cloud image like ubuntu/jammy/cloud, LXD installed using snap