The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7195
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

A little documentation is better than none. There may be a better way to fix it.
From 11ce947e520c23e2cafd012cfd69198dfd5f4697 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Gully?= <stephane.gu...@gmail.com> Date: Wed, 15 Apr 2020 15:55:18 +0200 Subject: [PATCH] firewalld & lxd : allow containers to access the internet Few documentation is better than nothing. There is maybe a better way to fix it. --- doc/networks.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/doc/networks.md b/doc/networks.md index af5b7a5dc2..be55b7d7f0 100644 --- a/doc/networks.md +++ b/doc/networks.md @@ -146,7 +146,9 @@ exists, so you must repeat this command each reboot and after LXD is restarted. Also note this only works if the bridge `dns.mode` is not `none`. -## Allow DHCP, DNS with Firewalld +## Integration with Firewalld + +### Allow DHCP, DNS In order to allow instances to access the DHCP and DNS server that LXD runs on the host when using firewalld you need to add the host's bridge interface to the `trusted` zone in firewalld. @@ -164,3 +166,22 @@ firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent ``` This will then allow LXD's own firewall rules to take effect. + +### Allow containers to access the internet + +When firewalld daemon is started after lxd daemon, it breaks LXC iptables rules and especially rules taking care of containers internet access. To fix it, you could force firewalld daemon to start before lxd daemon. + +When using systemd, you have to add the `Before` parameter in the `/lib/systemd/system/lxd.socket` systemd file: +``` +[Unit] +Description=LXD - unix socket +Documentation=man:lxd(1) +Before=firewalld.service + +[...] +``` +Then juste reboot your linux of restart lxd daemon: +``` +systemctl restart lxd +``` +Then you will be able to access internet from your containers. Ex: `lxc exec MyContainer apt update` (will then be ok)
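Review bot: in the first hunk (`@@ -146,7 +146,9 @@`), replacing the existing `## Allow DHCP, DNS with Firewalld` heading with `## Integration with Firewalld` plus a `### Allow DHCP, DNS` subheading changes the rendered anchor of a section that external links and bookmarks may already point at; either keep the old wording in the subsection (`### Allow DHCP, DNS with Firewalld`) or call out the rename in the commit message so the anchor change is clearly intentional. The nesting itself is fine: the added `###` sits correctly under the new `##` heading and the following paragraph is unchanged.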
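Review bot: in the second hunk (`@@ -164,3 +166,22 @@`), the `Before=firewalld.service` line added under `[Unit]` orders `lxd.socket` to start before firewalld, which is the opposite of what the surrounding sentence says it is for ("force firewalld daemon to start before lxd daemon"); in systemd, `Before=X` means this unit is activated before `X`, so the ordering the text wants is `After=firewalld.service`. Two further points on the same hunk: the text tells readers to edit `/lib/systemd/system/lxd.socket` directly, but that file is package-managed and the next LXD upgrade will overwrite it, so the documented procedure should be a drop-in via `systemctl edit lxd.socket` (which creates `/etc/systemd/system/lxd.socket.d/override.conf` and reloads the manager), and the snippet should then show only the `[Unit]` key being added rather than a copy of the whole unit with `[...]`. Start ordering also only protects the boot sequence: a later `firewall-cmd --reload` or `systemctl restart firewalld` flushes LXD's rules again and needs another `systemctl restart lxd`, which is worth stating next to the example command. Minor wording: "breaks LXC iptables rules" should be "breaks LXD's iptables rules", "Then juste reboot your linux of restart lxd daemon" should read "Then reboot, or restart the LXD daemon", the rest of this file says "instances" rather than "containers" so the new heading and sentences should follow that, and the example command is conventionally written `lxc exec MyContainer -- apt update`.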
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel