NethServer 7 networking support broken in LXD

NethServer Version: latest

EDIT: See post #2.

I am trying to set it up in an LXD container, but I am running into some issues. The container itself is configured the same as for Zentyal, which worked fine with such configuration:

  1. physical NIC on host is given exclusively to the guest LXC so when the container boots, the NIC disappears from host and becomes visible as eth0 in CentOS with NethServer. This part works fine.

The problem is with the other NIC:

  1. The second NIC is actually a bridge on host. LXC is configured to create a veth bridged to it. It is visible as eth1 in CentOS with NethServer.

The thing is, that even though it is well visible to the CentOS itself, NethServer does not seem to see it at all. Only eth0 is visible and configured, and when I go to add “New Logical Interface”, every option there can be only selected with eth0 as dependency. No eth1 whatsoever.

On Zentyal, eth1 was perfectly visible and configurable as just a regular NIC with connectivity to the bridge on host machine.

Here is the relevant part of lxd config file:

security.privileged: "true"
volatile.base_image: 3308e2ac8f649551cc5f3c40e2c9f64b20ea0ab7e5195de120853ca32c727583
volatile.eth0.name: eth0
volatile.eth1.name: eth1
volatile.last_state.idmap: '[]'
volatile.last_state.power: STOPPED
volatile.root.name: eth2
devices:
  eth0:
    nictype: physical
    parent: enp2s0
    type: nic
  eth1:
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    type: disk
ephemeral: false

Ok, I did some testing and it turns out the problem exists on NethServer 7, but not on NethServer 6.

Here is the network config:

eth0=ethernet|bootproto|dhcp|gateway||hwaddr|00:90:EE:EE:EE:02|onboot|yes|role|red
eth1=ethernet|bootproto|none|hwaddr|00:16:3E:E2:EE:EE|ipaddr|192.168.7.1|netmask|255.255.255.0|network|192.168.7.0|onboot|yes|role|green

On NS 6 (CentOS 6) both interfaces get the IP: eth0 from ISP’s DHCP, eth1 from static settings in the config.
However, on NS7 (CentOS 7), while the eth0 is working fine and there is internet connectivity, the eth1 remains with IP unassigned. Even if I assign the IP manually using ifconfig eth1 192.168.7.1 there still is no connectivity and pinging other LAN hosts is impossible:

ping 192.168.7.2
PING 192.168.7.2 (192.168.7.2) 56(84) bytes of data.
From 192.168.7.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.7.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.7.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.7.1 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Operation not permitted

So there was either a change in configuration in NS7, or a bug. Can anyone comment?

The permission problem led me to the firewall (shorewall).
Try to temporarily disable it with:
shorewall clear

If the problem comes from the firewall, the configuration stored in nethserver database is not correct.
Check with
db networks show,
adjust with
config setprop eth1 ipaddr x.x.x.x netmask x.x.x.x ...
Apply with
signal-event interface-update

This event will restart the firewall.

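Added example, not part of any post in this thread: a small Python check for interface records in the pipe-separated layout quoted above, flagging a static interface whose ipaddr, netmask and network do not agree or a record with no role. The function names are hypothetical and the sample is constructed from the two records shown in the thread.

```python
import ipaddress

# Constructed sample: the two records quoted in the thread, in the
# key=type|prop|value|... layout shown there.
SAMPLE = """\
eth0=ethernet|bootproto|dhcp|gateway||hwaddr|00:90:EE:EE:EE:02|onboot|yes|role|red
eth1=ethernet|bootproto|none|hwaddr|00:16:3E:E2:EE:EE|ipaddr|192.168.7.1|netmask|255.255.255.0|network|192.168.7.0|onboot|yes|role|green
"""

def parse_record(line):
    """Split one 'key=type|prop|value|...' record into (key, type, props)."""
    key, _, rest = line.strip().partition("=")
    fields = rest.split("|")
    rtype, pairs = fields[0], fields[1:]
    if not key or len(pairs) % 2:
        raise ValueError(f"malformed record: {line!r}")
    # Empty values (such as eth0's gateway) are kept as empty strings.
    return key, rtype, dict(zip(pairs[0::2], pairs[1::2]))

def check_interface(key, props):
    """Return a list of problems for one interface record (empty = consistent)."""
    problems = []
    if not props.get("role"):
        problems.append(f"{key}: no role set")
    if props.get("bootproto") == "none":  # static addressing
        try:
            iface = ipaddress.ip_interface(f"{props['ipaddr']}/{props['netmask']}")
        except (KeyError, ValueError) as exc:
            problems.append(f"{key}: bad or missing static address ({exc})")
        else:
            declared = props.get("network")
            if declared and declared != str(iface.network.network_address):
                problems.append(f"{key}: network {declared} does not match "
                                f"{iface.network}")
    return problems

def audit(text):
    """Parse every non-empty line and collect problems across all records."""
    problems = []
    for line in filter(str.strip, text.splitlines()):
        key, rtype, props = parse_record(line)
        if rtype == "ethernet":
            problems += check_interface(key, props)
    return problems

if __name__ == "__main__":
    for p in audit(SAMPLE) or ["all interface records are consistent"]:
        print(p)
```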

It worked exactly as you described and now I have seemingly fully functional NethServer gateway. Splendid!

I did all the steps you listed, but is the firewall now disabled? Or was it reenabled when I rebooted the container?