So, I have two Linux Containers on my PC running Fedora. Both are Arch containers.

Both have this configuration file for their containers:

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Distribution configuration
lxc.include = /usr/share/lxc/config/archlinux.common.conf
lxc.arch = x86_64

# Container specific configuration
lxc.rootfs = /var/lib/lxc/-lxc_name-/rootfs
lxc.rootfs.backend = btrfs
lxc.utsname = -lxc_name-

# Network configuration
lxc.network.type = veth
lxc.network.link = br0
lxc.network.veth.pair = -lxc_name-.veth0
lxc.network.name = veth0
lxc.network.flags = up
lxc.network.hwaddr = -MAC Address-

I'm not using the default lxc bridge because it forces NAT'd networking and I need these containers to be visible on the LAN directly.

One has IP address 10.0.1.99 and one has IP address 10.0.1.101, both using /22 subnet mask. Both are configured either using iproute2 or netctl. I've tried both on both containers.

Both containers can ping the host's IP address (10.0.1.97). Both can access the internet through the LAN gateway. But neither can ping the other.

This is confusing to me because it was working just fine before I restarted the containers. I restarted the containers because I destroyed one and built it from scratch.

I need them to be able to communicate for various reasons, but I can't figure out what could've possibly changed.

Would you post the routing table on the host (ip route show)? Can the host ping the containers? And do you have some iptable rule on the containers, or the host, dropping icmp traffic?

Here is ip route show on the host:

default via 10.0.1.5 dev br0 proto static metric 425
10.0.1.0/22 dev br0 proto kernel scope link src 10.0.1.97 metric 425
10.0.1.5 dev br0 proto static scope link metric 425

Here it is on the containers (they both return the same, except the source IP is the container's static IP):

default via 10.0.1.5 dev veth0
10.0.1.0/22 dev veth0 proto kernel scope link src 10.0.1.101

The process I have to take to get this setup to work is a bit involved. If I run nmcli c on the host once it's done, I get:

NAME - UUID - TYPE - DEVICE
br0 - e37726ec-e18a-4785-ba29-d7545108962e - bridge - br0
br0-ether - f898c107-ac7f-4bd4-8068-f39ade069fee - 802-3-ethernet - enp7s0
br0-httpd.veth0 - 3418e958-f735-4143-b8af-d49e788be0f0 - 802-3-ethernet - httpd.veth0
br0-mysqld.veth0 - 54a6a2e3-2066-4294-aae0-4d8bc8df7e33 - 802-3-ethernet - mysqld.veth0

This is after I've rebooted the machine and completed the following steps:

1. Start both containers.
2. Enable both connections for br0 on host
   (the connections have to exist for this to work, so the containers have to be started already).
3. Set the veth0 device in both containers to "down" state with ip link.
   (netctl can't start a profile for an 'up' interface)
4. Start the netctl profile in both containers.

This will give me a static IP address on a device that's bridged on the host for the LAN. Can't use DHCP. Can't use NAT, and I can't figure out another way to make this work.

Anyway, if I try and ping the containers' IP addresses from the host:

So it seems the notables are the following information:

• The host cannot ping Container 2.
• Container 2 cannot ping Container 1.
• Container 1 cannot ping Container 2.
• The host can ping Container 1.
• Both Container 1 & 2 can ping the host.

I didn't manually configure any ip table rules, except for SSH, but I destroyed and recreated the container after doing so, and it worked before, so I don't know why that would've done something.

This issue started when I recreated Container 1 to restart my installation process for the services I'm working on. It was working 100% fine before I did that. After recreating the container, I restarted the machine.

This is bizarre.

So I restarted my machine and set up both containers. Now the host can ping either, but the containers can't ping each other.

I might guess LXC is doing something? Or SELinux? It'd be weird to me though, just because it was working fine before.

Nothing jumps out to me as obviously wrong with the routing table. Is it just icmp traffic that can't travel between the containers or is tcp or udp traffic between containers not going through?

The only other things I can think of would be to watch the traffic on the host and container interfaces by logging the traffic though the raw iptable (iptables -t raw -A PREROUTING -p tcmp -j TRACE or tcpdump -n -i icmp) and see where traffic gets dropped and maybe that would give you a clue. Another option might be to temporarily revert to the lxc default bridge and if that allows the containers to "ping" each then that might hint that the problem is with the custom bridge settings.

PHPMyAdmin in Container 1 can't get to the MariaDB MySQL Database in Container 2.

That is the PHPMyAdmin error it's giving.

... I found my problem.

I had copied one LXC config file to the other container to speed up setup. I must've forgotten to change the MAC address.

image.png1351x77 10.8 KB

At least I figured it out. Thanks for the help.