jyte commented 4 years ago

Required information

Distribution: Ubuntu
Distribution version: 20.04 (up to date as of 16/04/2020)

The output of "lxc info" :

$ lxc info
config: {}
api_extensions:
- storage_zfs_remove_snapshots
- container_host_shutdown_timeout
- container_stop_priority
- container_syscall_filtering
- auth_pki
- container_last_used_at
- etag
- patch
- usb_devices
- https_allowed_credentials
- image_compression_algorithm
- directory_manipulation
- container_cpu_time
- storage_zfs_use_refquota
- storage_lvm_mount_options
- network
- profile_usedby
- container_push
- container_exec_recording
- certificate_update
- container_exec_signal_handling
- gpu_devices
- container_image_properties
- migration_progress
- id_map
- network_firewall_filtering
- network_routes
- storage
- file_delete
- file_append
- network_dhcp_expiry
- storage_lvm_vg_rename
- storage_lvm_thinpool_rename
- network_vlan
- image_create_aliases
- container_stateless_copy
- container_only_migration
- storage_zfs_clone_copy
- unix_device_rename
- storage_lvm_use_thinpool
- storage_rsync_bwlimit
- network_vxlan_interface
- storage_btrfs_mount_options
- entity_description
- image_force_refresh
- storage_lvm_lv_resizing
- id_map_base
- file_symlinks
- container_push_target
- network_vlan_physical
- storage_images_delete
- container_edit_metadata
- container_snapshot_stateful_migration
- storage_driver_ceph
- storage_ceph_user_name
- resource_limits
- storage_volatile_initial_source
- storage_ceph_force_osd_reuse
- storage_block_filesystem_btrfs
- resources
- kernel_limits
- storage_api_volume_rename
- macaroon_authentication
- network_sriov
- console
- restrict_devlxd
- migration_pre_copy
- infiniband
- maas_network
- devlxd_events
- proxy
- network_dhcp_gateway
- file_get_symlink
- network_leases
- unix_device_hotplug
- storage_api_local_volume_handling
- operation_description
- clustering
- event_lifecycle
- storage_api_remote_volume_handling
- nvidia_runtime
- container_mount_propagation
- container_backup
- devlxd_images
- container_local_cross_pool_handling
- proxy_unix
- proxy_udp
- clustering_join
- proxy_tcp_udp_multi_port_handling
- network_state
- proxy_unix_dac_properties
- container_protection_delete
- unix_priv_drop
- pprof_http
- proxy_haproxy_protocol
- network_hwaddr
- proxy_nat
- network_nat_order
- container_full
- candid_authentication
- backup_compression
- candid_config
- nvidia_runtime_config
- storage_api_volume_snapshots
- storage_unmapped
- projects
- candid_config_key
- network_vxlan_ttl
- container_incremental_copy
- usb_optional_vendorid
- snapshot_scheduling
- container_copy_project
- clustering_server_address
- clustering_image_replication
- container_protection_shift
- snapshot_expiry
- container_backup_override_pool
- snapshot_expiry_creation
- network_leases_location
- resources_cpu_socket
- resources_gpu
- resources_numa
- kernel_features
- id_map_current
- event_location
- storage_api_remote_volume_snapshots
- network_nat_address
- container_nic_routes
- rbac
- cluster_internal_copy
- seccomp_notify
- lxc_features
- container_nic_ipvlan
- network_vlan_sriov
- storage_cephfs
- container_nic_ipfilter
- resources_v2
- container_exec_user_group_cwd
- container_syscall_intercept
- container_disk_shift
- storage_shifted
- resources_infiniband
- daemon_storage
- instances
- image_types
- resources_disk_sata
- clustering_roles
- images_expiry
- resources_network_firmware
- backup_compression_algorithm
- ceph_data_pool_name
- container_syscall_intercept_mount
- compression_squashfs
- container_raw_mount
- container_nic_routed
- container_syscall_intercept_mount_fuse
- container_disk_ceph
- virtual-machines
- image_profiles
- clustering_architecture
- resources_disk_id
- storage_lvm_stripes
- vm_boot_priority
- unix_hotplug_devices
- api_filtering
- instance_nic_network
- clustering_sizing
- firewall_driver
- projects_limits
- container_syscall_intercept_hugetlbfs
- limits_hugepages
- container_nic_routed_gateway
- projects_restrictions
- custom_volume_snapshot_expiry
- volume_snapshot_scheduling
- trust_ca_certificates
- snapshot_disk_usage
- clustering_edit_roles
- container_nic_routed_host_address
- container_nic_ipvlan_gateway
- resources_usb_pci
- resources_cpu_threads_numa
- resources_cpu_core_die
- api_os
- container_nic_routed_host_table
- container_nic_ipvlan_host_table
- container_nic_ipvlan_mode
- resources_system
api_status: stable
api_version: "1.0"
auth: trusted
public: false
auth_methods:
- tls
environment:
addresses: []
architectures:
- aarch64
- armv7l
certificate: |
-----BEGIN CERTIFICATE-----
MIICBTCCAYqgAwIBAgIRALrTrIWKp4fnzR1BkcC5B84wCgYIKoZIzj0EAwMwNDEc
MBoGA1UEChMTbGludXhjb250YWluZXJzLm9yZzEUMBIGA1UEAwwLcm9vdEB1YnVu
dHUwHhcNMjAwNDE2MTgwMDE3WhcNMzAwNDE0MTgwMDE3WjA0MRwwGgYDVQQKExNs
aW51eGNvbnRhaW5lcnMub3JnMRQwEgYDVQQDDAtyb290QHVidW50dTB2MBAGByqG
SM49AgEGBSuBBAAiA2IABA1hC2mFuPb4JQ0FRV/gejGdfKtI6q2/hNeWcqMDw9ds
f2uJ16DkCLbOfoxJT/xkzUUfxbTlvikEmkt6ZOjOc8E3Ae6IBdivpfc1rFiowaXh
fMY2T7wUNkb2LcrIhGcqCKNgMF4wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG
CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwKQYDVR0RBCIwIIIGdWJ1bnR1hwR/AAAB
hxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMDA2kAMGYCMQD59DJdVqfW8QCA
Zj9l2K1DP7U96qTXzMe0bZ/BLeC3oiJ+JTD95tHkPYBedeM8oVkCMQCaSxNjzBgg
SMZLmwgizBachiwnZiJxc4tojUkYpex3PWVJ/puiokM++rawr2zK9sM=
-----END CERTIFICATE-----
certificate_fingerprint: c88896c95f831a9bdb9347db2abd4becade0264278cb0c2978304905de56683b
driver: lxc
driver_version: 4.0.0 (devel)
firewall: xtables
kernel: Linux
kernel_architecture: aarch64
kernel_features:
netnsid_getifaddrs: "true"
seccomp_listener: "true"
seccomp_listener_continue: "true"
shiftfs: "false"
uevent_injection: "true"
unpriv_fscaps: "true"
kernel_version: 5.4.0-1008-raspi
lxc_features:
cgroup2: "true"
mount_injection_file: "true"
network_gateway_device_route: "true"
network_ipvlan: "true"
network_l2proxy: "true"
network_phys_macvlan_mtu: "true"
network_veth_router: "true"
seccomp_notify: "true"
os_name: Ubuntu
os_version: "20.04"
project: default
server: lxd
server_clustered: false
server_name: ubuntu
server_pid: 8410
server_version: 4.0.0
storage: ""
storage_version: ""

Issue description

Issue 1:

When I do lxd init it fails to create the bridge lxdbr0.

Extracted from syslog :

Apr 16 18:33:51 ubuntu lxd.daemon[8410]: t=2020-04-16T18:33:51+0000 lvl=warn msg="Failed getting list of tables from \"/proc/self/net/ip_tables_names\", assuming all requested tables exist"

I noticed I do not have a /proc/self/net/ip_tables_names file. But I have no clue how to get it, or if it is ok not to have it on ubuntu 20.04.

Issue 2:

Because creating the bridge failed, but it got registered in lxd, I have to do lxc network delete lxdbr0 before trying lxd init again or it tells me the device already exist. Which is wrong because as the creation failed, it never existed.

tomponline commented 4 years ago

That warning should not prevent the bridge from being created, in fact the fact it exists and you have to remove it suggests it is being created.

What is the actual error or problem that is occuring? Thanks

jyte commented 4 years ago

I have read that it can happen that the bridge does not exist, and yet be registered in lxd according to this thread and that is how i found about the lxc network delete command.

ip a doesn't list the bridge.

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:6e:b2:bc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic eth0
       valid_lft 86349sec preferred_lft 86349sec
    inet6 fe80::dea6:32ff:fe6e:b2bc/64 scope link 
       valid_lft forever preferred_lft forever

here is the full output of lxd init

$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 

Name of the new storage pool [default=default]: Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=91GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

Error: Failed to create network 'lxdbr0': Failed to list IPv4 rules for LXD network lxdbr0 (table filter)

tomponline commented 4 years ago

Thanks for that I will take a look. The error suggests you havent got iptables or nftables available though.

stgraber commented 4 years ago

Yeah, this suggests a kernel without the needed netfilter modules, LXD appears to be correct to fail in this case.

Closing as it's unlikely to be LXD bug, we can still chat about it though.

@jyte please run lxd.check-kernel

jyte commented 4 years ago

$ lxd.check-kernel
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-5.4.0-1008-raspi
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
newuidmap is not installed
newgidmap is not installed
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 
/sys/fs/cgroup/systemd
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/rdma
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/blkio
/sys/fs/cgroup/devices
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/pids
/sys/fs/cgroup/freezer

Cgroup v2 mount points: 
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: missing
CONFIG_NF_NAT_IPV6: missing
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: 

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /snap/lxd/14659/bin/lxc-checkconfig

stgraber commented 4 years ago

Right so your current kernel has no support for ipv4/ipv6 NAT which is required for LXD bridges.

edacval commented 4 years ago

Right so your current kernel has no support for ipv4/ipv6 NAT which is required for LXD bridges.

lxc-checkconfig NAT detection is not working properly since this commit : uname -r 5.4.32-1-lts , lxc version 4.0.2

zgrep -i nf_nat /proc/config.gz
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_IP_NF_NAT=m
CONFIG_IP6_NF_NAT=m

stgraber commented 4 years ago

Ah, good point.

Still the error above shows a lack of netfilter on the system.

@jyte can you show (all run as root):

lsmod
iptables -L -n -v
ip6tables -L -n -v

jyte commented 4 years ago

# lsmod
Module                  Size  Used by
hid_generic            16384  0
usbhid                 73728  0
scsi_dh_rdac           16384  0
scsi_dh_emc            16384  0
scsi_dh_alua           24576  0
drm                   569344  0
btrfs                1425408  0
zstd_compress         163840  1 btrfs
raid10                 73728  0
raid456               192512  0
async_raid6_recov      20480  1 raid456
async_memcpy           20480  2 raid456,async_raid6_recov
async_pq               20480  2 raid456,async_raid6_recov
async_xor              20480  3 async_pq,raid456,async_raid6_recov
async_tx               20480  5 async_pq,async_memcpy,async_xor,raid456,async_raid6_recov
xor                    20480  2 async_xor,btrfs
xor_neon               16384  1 xor
raid6_pq              114688  4 async_pq,btrfs,raid456,async_raid6_recov
libcrc32c              16384  2 btrfs,raid456
raid1                  53248  0
raid0                  24576  0
multipath              24576  0
linear                 20480  0
crct10dif_ce           16384  1
spidev                 28672  0
phy_generic            20480  0
uas                    32768  0
usb_storage            81920  2 uas
aes_neon_bs            28672  1
aes_neon_blk           32768  1 aes_neon_bs
crypto_simd            20480  2 aes_neon_bs,aes_neon_blk
cryptd                 24576  1 crypto_simd

# iptables -L -n -v
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.4.0-1008-raspi
iptables v1.8.4 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

# ip6tables -L -n -v
modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/5.4.0-1008-raspi
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

canonical / lxd

Fail to generate lxdbr0 on lxd init #7207

Required information

Issue description

Issue 1:

Issue 2: