On Wed, Nov 9, 2016 at 1:33 PM, Saint Michael <vene...@gmail.com> wrote:
> It was working fine until a week ago.
> I have two sites, it happened on both, so the issue is not on my router or
> my switch, since they are different sites and we did not upgrade anything.
> Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
> LXC installed from apt-get install lxc1
> iptables off in both hosts and containers. I protect my network at the
> perimeter.
>
> All my container networking is defined
>
> lxc.network.type=macvlan

ah, macvlan :)

> lxc.network.macvlan.mode=bridge
> lxc.network.link=eth1
> lxc.network.name = eth0
> lxc.network.flags=up
> lxc.network.hwaddr = XX:XX:XX:XX:XX:XX
> lxc.network.ipv4 = 0.0.0.0/24
>
> Now suppose I have a machine, not a container, in the same broadcast
> domain as the containers, same subnet.
> It cannot ping or ssh into a container, which is accessible from outside
> my network.
> However, from inside the container the packets come and go perfectly, when
> the connection is originated by the container.
> A container can ping that host I mentioned, but the host cannot ping back
> the container.
> It all started a few days ago.
> Also, from the host, this test works
> arping -I eth0 (container IP address)
> it shows that we share the same broadcast domain.
>
> My guess is that the most recent kernel update in the LXC host is
> blocking the communication to the containers, but it allows connections
> from the containers or connections from IP addresses not on the same
> broadcast domain.
> Any idea?
>

If you still have the old kernel, Janjaap's suggestion is relevant. Try
downgrading your kernel. If downgrading works, file a bug (see
https://wiki.ubuntu.com/Kernel/Bugs)

Another way to check is using generic methods to test network connectivity:

- from both the other machine and the container, ping each other, and then
  "arp -n". Verify that the MAC listed there is correct, and not (for
  example) the host's MAC address. arping should also show which MAC address
  is replying.

- ping from the other machine, and while it's running, do a tcpdump on all
  relevant interfaces (e.g. on the container's eth0, on the host's eth1, etc),
  something like

  tcpdump -n -i eth1 "(icmp or arp) and host container_ip_address"

  and see where the traffic disappears.

I had problems with macvlan when combined with proxyarp on the same host. It
works fine now with just macvlan on kernel 4.4.0-38-generic.

-- 
Fajar
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
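The generic checks Fajar lists (compare the `arp -n` entry on the other machine against the container's configured hwaddr, see which MAC actually answers ARP, and tcpdump each hop to find where the ICMP traffic disappears) can be applied mechanically to captured output. The script below is an added example for this page, not code from the thread or from LXC. The addresses, MACs and the `arp -n` / `tcpdump -n` outputs are constructed samples standing in for what you would see on the affected hosts; the interface names follow the poster's config (macvlan on the host's eth1, eth0 inside the container). The sample scenario is the one the poster describes: ARP resolves, echo requests reach the host's eth1, but nothing arrives on the container's eth0.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from LXC.
# It applies Fajar's checks to captured output: (1) does the other machine's
# `arp -n` entry for the container carry the container's lxc.network.hwaddr or
# some other MAC (e.g. the host's)? (2) which MAC answered ARP for the
# container IP? (3) at which interface do ICMP echo requests stop appearing?
# All addresses, MACs and tool outputs below are constructed samples.

CONTAINER_IP="192.168.1.50"          # assumed container address
CONTAINER_MAC="00:16:3e:aa:bb:cc"    # assumed lxc.network.hwaddr of the container
HOST_MAC="52:54:00:11:22:33"         # assumed MAC of the LXC host's eth1

# Constructed `arp -n` output on the other machine after pinging the container.
ARP_GOOD="Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.50             ether   00:16:3e:aa:bb:cc   C                     eth0
192.168.1.1              ether   52:54:00:99:88:77   C                     eth0"
# Same, but the entry points at the host's MAC instead of the container's.
ARP_HOST="Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.50             ether   52:54:00:11:22:33   C                     eth0"

# Constructed `tcpdump -n -i <if> "(icmp or arp) and host 192.168.1.50"` output.
# On the host's eth1 the ARP exchange and the echo requests are visible...
CAP_HOST_ETH1="12:00:00.999000 ARP, Request who-has 192.168.1.50 tell 192.168.1.20, length 28
12:00:00.999100 ARP, Reply 192.168.1.50 is-at 00:16:3e:aa:bb:cc, length 28
12:00:01.000001 IP 192.168.1.20 > 192.168.1.50: ICMP echo request, id 1234, seq 1, length 64
12:00:02.000001 IP 192.168.1.20 > 192.168.1.50: ICMP echo request, id 1234, seq 2, length 64"
# ...but inside the container only ARP arrives; the echo requests never show up.
CAP_CT_ETH0="12:00:00.999020 ARP, Request who-has 192.168.1.50 tell 192.168.1.20, length 28
12:00:00.999090 ARP, Reply 192.168.1.50 is-at 00:16:3e:aa:bb:cc, length 28"
# Healthy reference capture from the container side: request in, reply out.
CAP_CT_ETH0_OK="12:00:01.000010 IP 192.168.1.20 > 192.168.1.50: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000050 IP 192.168.1.50 > 192.168.1.20: ICMP echo reply, id 1234, seq 1, length 64"

# arp_mac_for IP ARP_OUTPUT -> MAC (lowercase) recorded for IP, empty if absent
arp_mac_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip && $2 == "ether" { print tolower($3) }'
}

# check_arp IP EXPECTED_MAC HOST_MAC ARP_OUTPUT -> ok | host-mac | other-mac | missing
check_arp() {
    mac=$(arp_mac_for "$1" "$4")
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ -z "$mac" ]; then echo missing
    elif [ "$mac" = "$want" ]; then echo ok
    elif [ "$mac" = "$host" ]; then echo host-mac
    else echo other-mac
    fi
}

# arp_reply_macs CAPTURE -> MACs that answered "is-at" for CONTAINER_IP (what arping shows)
arp_reply_macs() {
    printf '%s\n' "$1" | awk -v ip="$CONTAINER_IP" \
        '/ARP, Reply/ && $4 == ip && $5 == "is-at" { sub(/,$/, "", $6); print tolower($6) }' | sort -u
}

# echo_counts CAPTURE -> "<echo requests to container> <echo replies from container>"
echo_counts() {
    printf '%s\n' "$1" | awk -v ip="$CONTAINER_IP" '
        /ICMP echo request/ && index($0, "> " ip ":")  { req++ }
        /ICMP echo reply/   && index($0, "IP " ip " >") { rep++ }
        END { printf "%d %d\n", req + 0, rep + 0 }'
}

# trace_requests NAME1 CAP1 NAME2 CAP2 ... -> where along the path echo requests stop
# (list the captures in the order the packet should traverse the interfaces)
trace_requests() {
    last=""
    while [ $# -ge 2 ]; do
        name=$1; cap=$2; shift 2
        req=$(echo_counts "$cap" | cut -d' ' -f1)
        if [ "$req" -eq 0 ]; then
            if [ -n "$last" ]; then echo "echo requests seen on $last but not on $name"
            else echo "echo requests never seen at $name"; fi
            return 0
        fi
        last=$name
    done
    echo "echo requests seen on every interface (last: $last)"
}

echo "arp -n (good):           $(check_arp "$CONTAINER_IP" "$CONTAINER_MAC" "$HOST_MAC" "$ARP_GOOD")"
echo "arp -n (host MAC):       $(check_arp "$CONTAINER_IP" "$CONTAINER_MAC" "$HOST_MAC" "$ARP_HOST")"
echo "ARP responder(s):        $(arp_reply_macs "$CAP_HOST_ETH1")"
echo "host eth1 req/rep:       $(echo_counts "$CAP_HOST_ETH1")"
echo "container eth0 req/rep:  $(echo_counts "$CAP_CT_ETH0")"
echo "trace:                   $(trace_requests "host eth1" "$CAP_HOST_ETH1" "container eth0" "$CAP_CT_ETH0")"
```

On a real host, replace the sample strings with the live output (`arp -n` on the other machine, `tcpdump -n -i eth1 ...` on the host and `tcpdump -n -i eth0 ...` inside the container, both run while the ping is in progress). A `host-mac` result from check_arp, or an ARP responder that is not the container's hwaddr, points at the host answering on the container's behalf (the proxyarp interaction Fajar mentions); requests visible on the host's eth1 but not on the container's eth0 point at the host kernel dropping or misdelivering them, which is what a kernel downgrade would confirm or rule out.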