Cannot ssh from container to host

[Jim_Lynch]

This might not be the best forum but since it involves networking, I'm going to start here.

Running Ubuntu 20.04 on the host, Ubuntu 22.04 on the container. I installed lxd with snap. I used a macvlan profile to allow the container to get an IP from the local lan and I can reach other systems on the lan from the container and vice versa.

Code:

$ lxc profile list+---------+---------------------+---------+
|  NAME   |     DESCRIPTION     | USED BY |
+---------+---------------------+---------+
| default | Default LXD profile | 1       |
+---------+---------------------+---------+
| macvlan |                     | 1       |
+---------+---------------------+---------+
$ lxc profile show macvlan
name: macvlan
description: ""
config: {}
devices:
  eth0:
    nictype: macvlan
    parent: eno1
    type: nic
used_by:
- /1.0/instances/mailplus

However I cannot ssh to the host. The host has a mysql database that I would like to be able to access from an app on the container. I’m trying to set up a ssh tunnel to port 3306 on the host. Any ideas?

ssh: connect to host 192.168.2.25 port 22: No route to host
Thanks,
Jim.

[TheFu]

What are the IPs for the container and the host?
Can the container ping the host IP?

I've never used macvlan. I use normal Linux bridges for my lxd managed lxc containers. I have to admit, I've never tried to ssh OUT of a container to the host. Seems to work, though I don't have any key's exchanged in that way. Between the container and the host, why use ssh? Why not just go direct to the MariaDB server port for the queries? It isn't like security will be any better. Plus, intra-machine the networking throughput should be 25-45 Gbps.

[ian-weisser]

I cannot ssh to the host.

LXD containers using macvlan cannot access the host. That's just a baked-in limitation of using macvlan.
You seem to be using the wrong networking method for what you want to accomplish.

You can change to bridged networking, or you can put the host database into a different container, or you can redesign your setup some other way.

[Jim_Lynch]

The container has a dhcp furnished address of 192.168.2.105 and the host is 192.168.2.25. Ping fails in both directions as does ssh. I only know how to access the MariaDB port via a hostort method. I haven't actually tried to connect the db via the port I'm guessing it won't be able to do so. Or are you suggesting I can access the port some other way? I'd be interested in how to share ports. I'm not worried about security.

Thanks,
Jim.

[Jim_Lynch]

Last time I did a bridged network it worked for a while and then quit. I never did figure out how to fix it or how to start over. Seems like installing bridging is a one way street. I had to re-image the system to get it back working. Since then I've shied away from a traditional bridge.

Thanks for the info on the limitations of macvlan.

Can I share a port between a host and a container? I didn't think about that. I'll have to search for that.

Jim.

[TheFu]

If you can't ping, then no other protocol will work either.

[ian-weisser]

Bridging and LXD became considerably easier a few years ago.

1. Set up the bridge in Netplan

In this example, the IP addresses are all set by the router (dhcp=true) merely to keep the example simple.

Code:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s7:           <---- Real-world name of the hardware interface
      dhcp4: false    <---- DON'T create a host IP address here. The host uses the Bridge IP address.
      dhcp6: false

  bridges:
    br0:                    <---- LXD needs to know this name
      interfaces: [enp0s7]  <---- Matches the name of the real hardware interface above
      dhcp4: true           <---- This bridge IP address will be used by the host
      dhcp6: true

2. Tell LXD to use the bridge by adding this to your LXD profile(s)

Code:

config: {}
devices:
  eth0:
    name: eth0       <----- Name inside the container. DON'T use the real-world interface name.
    nictype: bridged
    parent: br0      <----- Matches the actual real-world bridge name
    type: nic

[TheFu]

You can also set static IPs inside containers or VM, which is best to avoid DHCP failures. Those can prevent system-to-system configs from working.

[Jim_Lynch]

Thanks, I'll give that a try. My proxy solutions don't seem to work. Time to start over.
Jim

[Jim_Lynch]

I tend to assign static IPs from the router. It just seems more convenient
Jim