LXC cannot reach the Internets #3

Open
pikesley opened this issue Jun 4, 2013 · 4 comments

pikesley commented Jun 4, 2013

Never bet against me having done something wrong, but the containers don't seem to be able to get to the wider internet, and so cannot retrieve any packages. Using the devop-test-1 container from this repo:

root@devop-test-1:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.255.254 0.0.0.0         UG        0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0

root@devop-test-1:~# ping -c 1 192.168.255.254
PING 192.168.255.254 (192.168.255.254) 56(84) bytes of data.
64 bytes from 192.168.255.254: icmp_seq=1 ttl=64 time=0.067 ms

--- 192.168.255.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.067/0.067/0.067/0.000 ms

root@devop-test-1:~# ping -c 1 -w 10 pikesley.org
PING pikesley.org (82.113.146.98) 56(84) bytes of data.

--- pikesley.org ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9069ms

I guess that gateway (the test-lab) should be forwarding packets. Have I done something dumb?

S


pikesley commented Jun 5, 2013

I got a fix. An ugly, ugly fix. Once your test-lab is up:

bundle exec cucumber-chef ssh

(or via binstubs, or however you roll). Then on that box:

head -$((`wc -l /etc/rc.local | cut -d ' ' -f 1` - 1)) /etc/rc.local > /tmp/rc.local && for line in "/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" "/sbin/iptables -A FORWARD -i eth0 -o br1 -m state --state RELATED,ESTABLISHED -j ACCEPT" "/sbin/iptables -A FORWARD -i eth1 -o br1 -j ACCEPT" ; do echo ${line} >> /tmp/rc.local ; done && echo "exit 0" >> /tmp/rc.local && sudo cp /tmp/rc.local /etc/ 
sudo /etc/rc.local 2> /dev/null
echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward

and then to make sure this survives a reboot:

echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf > /dev/null

and now your containers can reach the outside world.

I'm sure this should be baked into the cuke-chef provisioning somehow, but I know not where.
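
Added example, not part of the original comment or of cucumber-chef: running the one-liner above a second time appends the same three rules to /etc/rc.local again, so this sketch makes the edit idempotent. The three rules are copied from the comment; the function name `ensure_rc_local_rules` and its file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotent form of the rc.local edit from the comment above.
# RULES is copied from that comment; everything else is an assumption.

RULES='/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o br1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o br1 -j ACCEPT'

# ensure_rc_local_rules FILE
# Rewrites FILE so that each rule in $RULES appears exactly once and the
# file ends with a single bare "exit 0". Existing lines keep their order.
ensure_rc_local_rules() {
    rc=$1
    [ -f "$rc" ] || return 1
    tmp=$(mktemp) || return 1

    # Drop bare "exit 0" lines; one is re-added at the end. grep exits 1
    # when nothing is left, which is not an error here.
    grep -v -x 'exit 0' "$rc" > "$tmp" || true

    # Append each rule only if an identical line is not already present
    # (-F fixed string, -x whole line).
    printf '%s\n' "$RULES" | while IFS= read -r rule; do
        grep -q -x -F -e "$rule" "$tmp" || printf '%s\n' "$rule" >> "$tmp"
    done

    printf 'exit 0\n' >> "$tmp"

    # Overwrite in place so the file keeps its owner and executable bit.
    cat "$tmp" > "$rc"
    rm -f "$tmp"
}
```

On the test-lab it would be called with root privileges as `ensure_rc_local_rules /etc/rc.local`.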


pikesley commented Jun 5, 2013

The iptables commands are fully cargo-culted from various howtos; there may well be better ways to achieve the same result.


pikesley commented Jun 6, 2013

Also, this is on Vagrant/VirtualBox. Maybe this all works fine on AWS.


ixnu commented Aug 27, 2014

Thanks John Frum.

I am confounded why this cult knowledge is so obscure.
