Bug 1477365 - Fedora-25 HOST + CentOS-6 GUESTS Linux/LXC: Guests can't connect to each other or to default router ...
Fedora-25 HOST + CentOS-6 GUESTS Linux/LXC: Guests can't connect to each othe...
Status: NEW
Product: Fedora
Classification: Fedora
Component: lxc (Show other bugs)
25
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Thomas Moschny
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-01 17:48 EDT by prismalytics
Modified: 2017-08-02 20:05 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Command output from the Fedora-25 HOST (12.12 KB, text/plain)
2017-08-01 17:48 EDT, prismalytics
no flags Details
Command output from a CentOS-6.9 Final GUEST (2.21 KB, text/plain)
2017-08-01 17:50 EDT, prismalytics
no flags Details

  None (edit)
Description prismalytics 2017-08-01 17:48:54 EDT
Created attachment 1307821 [details]
Command output from the Fedora-25 HOST

Hello Friends:

I'm not sure if this is a bug, but here is my sudden issue.

----------------------------------------
The Linux/LXC single-box cluster setup:
----------------------------------------
1) I use Fedora x86_64 (currently Fedora-25) as the LXC/HOST O/S.
   I use CentOS-6 x86_64 (currently CentOS-6.9 Final) for the six (qty. 6) LXC/GUEST O/S'.

2) This was working for a long time (a few years), but suddenly does not after a
   'sudo dnf -y update' (HOST) and 'sudo yum -y update' (GUESTS).

   It has been a few months since I booted this HOST/GUESTS LXC "cluster" and, as
   usual, O/S updates are the first thing that I perform. This may provide a hint if
   some underlying system-level component(s)/behavior(s) changed during that time.

3) The Fedora HOST and CentOS-6 GUESTS are on the same subnet, and share the same
   default router: 192.168.0.0/24; 192.168.0.1 (all standard stuff).

4) The Fedora Host does not have any firewall/firewalld RPM packages installed, and
   therefore doesn't not run a firewall. I removed this long ago to simplify things.
----------------------------------------


----------------------------------------
The issue
----------------------------------------
1) After performing the above O/S updates to the HOST and GUESTS, from within any
   GUEST, I can no longer (a) successfully ping/ssh guest-to-guest or (b) ping the
   default router.

2) I can, however, ping/ssh HOST-to-GUEST and GUEST-to-HOST with no issue.

3) From any computer outside this setup -- which, by the way, are also on the same
   subnet and share the same default router as above -- I can ping/ssh to the
   HOST but cannot to any of the GUESTS.

3) Other than performing the aforementioned O/S updates, I didn't alter anything.
----------------------------------------


 
----------------------------------------
Some output
----------------------------------------
I attached some command output to this submission. Note that the GUESTS are named
vps00, vps01, vps02, vps03, vps04 and vps10. While the HOST is named lxc-host.
Throughout the attachment, you'll see some notes that I annotated it with.
----------------------------------------

Any ideas? Thank you in advance.
Comment 1 prismalytics 2017-08-01 17:50 EDT
Created attachment 1307822 [details]
Command output from a CentOS-6.9 Final GUEST
Comment 2 prismalytics 2017-08-01 17:55:36 EDT
P.S. There are two attachments (with some annotations within them):

   - HOST.txt
   - ONE_GUEST.txt

Thank you! :)
Comment 3 prismalytics 2017-08-02 20:05:21 EDT
SOLVED ...

Thanks to the accepted answer in this POST https://unix.stackexchange.com/questions/125599/settings-when-using-a-bridge, I was able to finally figure out the iptables(1M) entries that were missing. 

Here they are:

    sudo iptables -A INPUT -i eth0 -j ACCEPT
    sudo iptables -A INPUT -i br0 -j ACCEPT
    sudo iptables -A FORWARD -i br0 -j ACCEPT

I don't know what Fedora HOST O/S changes occurred to make these entries not be there suddenly (meaning after doing "dnf -y update; reboot" after a few months of not doing that), but would sure love to know because now I have to hardcode these entries in somewhere (which I'm not thrilled about). :)

Any insight from friends here would be appreciated because maybe I can avoid doing that with some guidance (thanks).

I hope this helps others who bridge their LXC guests like I do.

Note You need to log in before you can comment on or make changes to this bug.