[Caracal][Debian 12] IPs missing in k8s-container with "sys:rw"
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack-Ansible | New | Undecided | Unassigned | |
Bug Description
When "sys:rw" is set in `lxc_container_
```
# lxc-attach -n aio1-k8s-
1: lo: <LOOPBACK,
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if90: <BROADCAST,
link/ether 00:16:3e:b0:18:7c brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::216:
valid_lft forever preferred_lft forever
3: eth1@if91: <BROADCAST,
link/ether 00:16:3e:92:d6:80 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::216:
valid_lft forever preferred_lft forever
```
I can see that both veths are connected to the bridges the way they should be (so L2 connectivity seems to be fine) and if I switch back to the default "sys:ro" and recreate the container, interfaces get IPs.
Do you know why read-write `/sys` affects the DHCP this way and what adverse effects should be expected if this mountpoint is left read-only?
Debian 12.5 (minbase), kernel 6.1.76-1 (2024-02-01) x86_64, LXC version 5.0.2, bridge-utils version 1.7.1, OSA release: 2024.1 (commit 729a95e90329f17
Also, please keep in mind that I disable the osbpo.debian.net on the host. Could this be related?
Hi Mariusz,
So far the mcapi driver has only been tested on Ubuntu, though it would be great if it was also working on Debian, so thanks for the bug report.
I don't know why the network interfaces are affected, but if I remember correctly sys:rw was needed to allow the cilium cni to use ebpf inside the lxc container.
I think that the IP for the container interfaces should be statically configured with systemd-networkd, apart from eth0 which should dhcp.
```
root@aio1-cinder-api-container-c5bc4396:/# networkctl -l
IDX LINK TYPE     OPERATIONAL SETUP
  1 lo   loopback carrier     unmanaged
  2 eth0 ether    routable    configured
  3 eth1 ether    routable    configured
  4 eth2 ether    routable    configured

4 links listed.
root@aio1-cinder-api-container-c5bc4396:/# networkctl status
●        State: routable
  Online state: online
       Address: 10.255.255.119 on eth0
                172.29.237.98 on eth1
                172.29.245.6 on eth2
                fe80::216:3eff:fee4:617 on eth0
                fe80::216:3eff:fe8c:503c on eth1
                fe80::216:3eff:fe1d:7a0b on eth2
       Gateway: 10.255.255.1 on eth0
           DNS: 10.255.255.1

Jun 20 09:34:35 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: eth0: Gained carrier
Jun 20 09:34:35 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: lo: Link UP
Jun 20 09:34:35 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: lo: Gained carrier
Jun 20 09:34:35 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: Enumeration completed
Jun 20 09:34:35 aio1-cinder-api-container-c5bc4396 systemd[1]: Started Network Configuration.
Jun 20 09:34:35 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: eth0: DHCPv4 address 10.255.255.119/24 via 10.255.255.1
Jun 20 09:34:35 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: Could not set hostname: Access denied
Jun 20 09:34:36 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: eth0: Gained IPv6LL
Jun 20 09:34:36 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: eth1: Gained IPv6LL
Jun 20 09:34:36 aio1-cinder-api-container-c5bc4396 systemd-networkd[27]: eth2: Gained IPv6LL
```
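A diagnostic for the two observations in this report, whether `/sys` is mounted read-write inside the container and which links ended up without an IPv4 address, as an added example that is not from the reporter or from OpenStack-Ansible. The function names and the sample inputs (MAC and link-local addresses included) are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample data.

# Print "rw", "ro" or "absent" for the sysfs mount at /sys.
# Input: /proc/mounts-format text on stdin. A later overmount wins.
sysfs_mode() {
    awk '$2 == "/sys" && $3 == "sysfs" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] == "rw" || opt[i] == "ro") mode = opt[i]
         }
         END { print (mode == "" ? "absent" : mode) }'
}

# Print each non-loopback link that has no "inet" (IPv4) line.
# Input: `ip addr` text on stdin, as in the bug description.
links_without_ipv4() {
    awk '/^[0-9]+: / {
             if (name != "" && !v4) print name
             name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
             v4 = 0
             if (name == "lo") name = ""
             next
         }
         $1 == "inet" { v4 = 1 }
         END { if (name != "" && !v4) print name }'
}

# Constructed sample inputs modelled on the report (not captured from a host).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0@if90: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::216:3eff:fe00:1/64 scope link
3: eth1@if91: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:16:3e:00:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::216:3eff:fe00:2/64 scope link'

# Live use inside the container:
#   sysfs_mode < /proc/mounts; ip addr | links_without_ipv4
printf '/sys mode: %s\n' "$(printf '%s\n' "$SAMPLE_MOUNTS" | sysfs_mode)"
printf 'no IPv4:   %s\n' "$(printf '%s\n' "$SAMPLE_IP_ADDR" | links_without_ipv4 | tr '\n' ' ')"
```

Running it in both a "sys:ro" and a "sys:rw" container gives a like-for-like record of the mount mode next to the affected links, which is also useful when auditing which containers have had the read-only `/sys` default relaxed.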