You are not logged in.

#1 2024-09-03 19:00:36

retroactive
Member
Registered: 2024-09-03
Posts: 4

No virtualization/containers have internet access (no ipv4?)

I have tested on Incus and Qemu + libvirt, and neither has had internet access despite me troubleshooting both programs extensively. I do not have Docker installed, and the issue persists even if I disable my firewall. I have tested on both the Arch ISO and Debian, and neither had connectivity. I was able to connect on my previous installation on the same computer, but I recently reinstalled Arch entirely, and neither Incus nor Qemu work. If I Chroot into a Qemu image, I do have internet (although I can't do very much, because it complains of a missing file called "mtab?" But I don't plan on using Chroot much, so as long as it works in the actual VM, I don't care). When I launch from Qemu, testing using `curl 1.1.1.1 -v` (since my university network is strange and blocks ICMP...) results in "network unreachable" after 0ms.

Before I realized it was universal, I gave up on Incus and switched to Qemu, so I don't have Incus installed right now.

Information on the host, which is able to connect to the internet fine:

'ip link list'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 14:ab:c5:05:a3:a2 brd ff:ff:ff:ff:ff:ff
4: incusbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:21:3b:39 brd ff:ff:ff:ff:ff:ff
6: veth8cae8599@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master incusbr0 state UP mode DEFAULT group default qlen 1000
    link/ether a2:6b:4a:53:6a:73 brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: vethbb5474a3@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master incusbr0 state UP mode DEFAULT group default qlen 1000
    link/ether ba:04:2c:ac:aa:a8 brd ff:ff:ff:ff:ff:ff link-netnsid 1
9: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:11:86:de brd ff:ff:ff:ff:ff:ff
21: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:54:00:e1:08:86 brd ff:ff:ff:ff:ff:ff

I assume links 4, 6, and 8 are remnants from trying to make Incus work. Note I do not have an ethernet port on my laptop, so I can only test + use wlan0.

`ip addr list`

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 14:ab:c5:05:a3:a2 brd ff:ff:ff:ff:ff:ff
    inet 129.161.39.146/23 brd 129.161.39.255 scope global dynamic noprefixroute wlan0
       valid_lft 334sec preferred_lft 334sec
    inet6 fe80::496:1d0:1d71:6237/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: incusbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:21:3b:39 brd ff:ff:ff:ff:ff:ff
    inet 10.37.149.1/24 scope global incusbr0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1234:1234::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe21:3b39/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
6: veth8cae8599@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master incusbr0 state UP group default qlen 1000
    link/ether a2:6b:4a:53:6a:73 brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: vethbb5474a3@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master incusbr0 state UP group default qlen 1000
    link/ether ba:04:2c:ac:aa:a8 brd ff:ff:ff:ff:ff:ff link-netnsid 1
9: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:11:86:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
21: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:e1:08:86 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fee1:886/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

On the guest machine, this is the configuration for the network:

<interface type="network">
  <mac address="52:54:00:e1:08:86"/>
  <source network="default" portid="d26b8fea-3711-4366-b574-182bdc7854eb" bridge="virbr0"/>
  <target dev="vnet0"/>
  <model type="virtio"/>
  <alias name="net0"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>

From the details window, it shows "IP address: Unknown". I think this is related to the issue.

I can't copy text from the guest system, so I'll try to summarize the output without getting carpal tunnel syndrome:

`ip addr list`

1. lo, I don't think this would effect external connectivity

2. enp1s0: <Broadcast, multicast, up, lower_up> mtu 1500 qdisk fq_codel state UP group default qlen 1000
link/ether 52:54:00:e1:08:86 brd ff:ff:ff:ff:ff:ff
inet6 fe80:5054:ff:fee1:886/64 scope link proto kernel_11
valid_lft forever preferred_lft forever

I noticed that I have inet6, but not inet listed. However, I can't run `curl -6 -g 'https://[2a01:4f9:c010:6b1f::1]/'` on the host machine either, getting the same "Network is unreachable error."

So, while I was making this post, I became more convinced it's because I don't have ipv4 on the VM, but I don't know how to actually give it ipv4. Googling the problem mostly showed people trying to configure ipv6, not the other way around.

`ip route`

nuffin'

`ip -6 route`

fe80::/64 dev enp1s0 proto kernel metric 256 pref medium

I would appreciate help with this, since I've been struggling with it for a few days now.

(I did try turning it off and back on again sad )

Last edited by retroactive (2024-09-05 02:25:00)

Offline

#2 2024-09-04 07:42:26

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,433

Re: No virtualization/containers have internet access (no ipv4?)

Please use [code][/code] tags, the BBS predates markdown by approximately your age tongue
Edit your post in this regard.

fe80::/10 is a https://en.wikipedia.org/wiki/Link-local_address

So you've a NIC in the guest and a carrier - what's supposed to obtain the lease?
Can you scan for dhcp servers?

sudo nmap --script broadcast-dhcp-discover

Tried just running dhcpcd?

Online

#3 2024-09-05 02:48:57

retroactive
Member
Registered: 2024-09-03
Posts: 4

Re: No virtualization/containers have internet access (no ipv4?)

seth wrote:

Please use [code][/code] tags, the BBS predates markdown by approximately your age tongue
Edit your post in this regard.

Sorry! I guess I showed my gen-Z tongue

seth wrote:

fe80::/10 is a https://en.wikipedia.org/wiki/Link-local_address

So you've a NIC in the guest and a carrier - what's supposed to obtain the lease?
Can you scan for dhcp servers?

sudo nmap --script broadcast-dhcp-discover

Tried just running dhcpcd?

The Nmap command is having sort of unexpected results on both machines? It only outputs "No targets were specified, so 0 hosts scanned." The docs for that script say it should print something else, but it doesn't on either machine. I'm not sure if that should be interpreted as an error or not.

EDIT: After I connected to my phone's hotspot (F U university wifi), this command now works on the host, but not the guest (the guest has the "no targets specified" thing). Output:

Pre-scan script results:
| broadcast-dhcp-discover: 
|   Response 1 of 1: 
|     Interface: wlan0
|     IP Offered: 192.168.125.241
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.125.180
|     IP Address Lease Time: 59m59s
|     Renewal Time Value: 29m59s
|     Rebinding Time Value: 52m29s
|     Subnet Mask: 255.255.255.0
|     Broadcast Address: 192.168.125.255
|     Router: 192.168.125.180
|     Domain Name Server: 192.168.125.180
|_    Vendor Specific Information: ANDROID_METERED

On the host machine, sudo dhcpcd outputs the following:

dhcpcd-10.0.10 starting
dev: loaded udev
wlan0: connected to Access Point: rpi_wpa2
DUID 00:01:00:01:2e:6b:d3:53:14:ab:c5:05:a3:a2
wlan0: IAID c5:05:a3:a2
veth8cae8599: IAID 4a:53:6a:73
veth8cae8599: adding address fe80::d296:c60d:73a9:262a
ipv6_addaddr1: Permission denied
vethbb5474a3: IAID 2c:ac:aa:a8
vethbb5474a3: adding address fe80::69b1:b0f5:5d19:c9bb
ipv6_addaddr1: Permission denied
vethbb5474a3: soliciting a DHCP lease
wlan0: soliciting an IPv6 router
wlan0: Router Advertisement from fe80::6a79:9ff:fe8e:7d3f
wlan0: adding address 2620:0:2820:2208:a481:3e54:3140:cc70/64
wlan0: adding route to 2620:0:2820:2208::/64
wlan0: adding default route via fe80::6a79:9ff:fe8e:7d3f
veth8cae8599: soliciting a DHCP lease
wlan0: soliciting a DHCP lease
wlan0: offered 129.161.202.51 from 128.113.3.57
wlan0: probing address 129.161.202.51/24
wlan0: leased 129.161.202.51 for 3600 seconds
wlan0: adding route to 129.161.202.0/24
wlan0: adding default route via 129.161.202.254

However, on the guest machine:

dhcpcd-10.0.10 starting
dev: loaded udev
DVID 00:01:00:01:2e:6b:d3:58:52:54:00:e1:08:86
enp1s0: IAID 00:e1:08:86
enp1s0: soliciting a DHCP lease
enp1s0: soliciting an ipv6 router
enp1s0: no routers available 
timed out

Honestly, I don't know a lot about DHCP, but I assume that's why it's only giving the link-local address, since it can't find a router?

I briefly wondered if it was a network policy meant to make me miserable, so I reran dhcpcd on the guest while connected to my phone's hotspot, but nothing changed.

Last edited by retroactive (2024-09-05 02:59:11)

Offline

#4 2024-09-05 06:44:56

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,433

Re: No virtualization/containers have internet access (no ipv4?)

Honestly, I don't know a lot about DHCP, but I assume that's why it's only giving the link-local address, since it can't find a router?

More or less, but there're probably more issues, the host might not bridge/forward the guests.
There's a virbr0 in the host (which has an IPv4), do/did you try to setup a bridged network? Why?
It requires the vbox host modules to be loaded, https://wiki.archlinux.org/title/Virtua … el_modules

https://www.virtualbox.org/manual/ch06.html#network_nat
And probably make sure to clean up the host NICs from incus.

Online

#5 2024-09-05 07:53:53

-thc
Member
Registered: 2017-03-15
Posts: 1,005

Re: No virtualization/containers have internet access (no ipv4?)

Where does the VirtualBox angle come from?
The TO did only mention libvirt/QEMU  - and for QEMU VMs with full network access you actually need bridges.

Offline

#6 2024-09-05 12:50:37

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,433

Re: No virtualization/containers have internet access (no ipv4?)

https://bbs.archlinux.org/viewtopic.php?id=299131 - sorry, I lose track of the threads sad

@retroactive, make sure to have seen https://wiki.archlinux.org/title/Libvirt#Networking and https://jamielinux.com/docs/libvirt-net … twork.html
How do you configure dnsmasq? Do you run a separate instance?
Check the netfilter tables, pay attention to the iptables caveat - you're most likely looking for a misconfigured host.

Online

#7 2024-09-06 03:00:42

retroactive
Member
Registered: 2024-09-03
Posts: 4

Re: No virtualization/containers have internet access (no ipv4?)

seth wrote:

How do you configure dnsmasq? Do you run a separate instance?

I haven't messed with dnsmasq configuration, so I believe it is a separate instance. I haven't configured it to use the host dnsmasq.

seth wrote:

Check the netfilter tables, pay attention to the iptables caveat - you're most likely looking for a misconfigured host.

I'm not really sure how to read nft rules, but I see some relating to libvirt that I assume were configured initially (I'm on iptables-nft BTW):

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid drop comment "early drop of invalid connections"
		ct state { established, related } accept comment "allow tracked connections"
		iif "lo" accept comment "allow from loopback"
		ip protocol icmp accept comment "allow icmp"
		meta l4proto ipv6-icmp accept comment "allow icmp v6"
		tcp dport 22 accept comment "allow sshd"
		meta pkttype host limit rate 5/second burst 5 packets counter packets 237 bytes 49508 reject with icmpx admin-prohibited
		counter packets 558 bytes 83822
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
table ip libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		counter packets 50 bytes 16991 jump guest_cross
		counter packets 50 bytes 16991 jump guest_input
		counter packets 50 bytes 16991 jump guest_output
	}

	chain guest_output {
		ip saddr 192.168.122.0/24 iif "virbr0" oifname "wlan0" counter packets 0 bytes 0 accept
		iif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_input {
		iifname "wlan0" oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
		oif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_cross {
		iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
	}

	chain guest_nat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "wlan0" ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		oifname "wlan0" ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 oifname "wlan0" counter packets 2 bytes 120 masquerade to :1024-65535
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 oifname "wlan0" counter packets 0 bytes 0 masquerade to :1024-65535
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 oifname "wlan0" counter packets 0 bytes 0 masquerade
	}
}
table ip6 libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		counter packets 112 bytes 11665 jump guest_cross
		counter packets 112 bytes 11665 jump guest_input
		counter packets 112 bytes 11665 jump guest_output
	}

	chain guest_output {
	}

	chain guest_input {
	}

	chain guest_cross {
	}

	chain guest_nat {
		type nat hook postrouting priority srcnat; policy accept;
	}
}
table inet incus {
	chain pstrt.incusbr0 {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.37.149.0/24 ip daddr != 10.37.149.0/24 masquerade
		ip6 saddr 2001:db8:1234:1234::/64 ip6 daddr != 2001:db8:1234:1234::/64 masquerade
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		tcp dport 80 counter packets 0 bytes 0 accept
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}
}
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}
}

I flushed all rulesets from nft to test, and that didn't have an effect.

I managed to get a different error message when I statically assigned an IP address (via the workaround in the first post of this thread. It now times out after a variable number of ms, not 0, and -v reveals "no route to host" as the error message. Googling this said it may be a firewall issue, but it persisted with my firewall disabled.

Something I realized, though:

On the wiki, it is instructed to run the networking commands such as net-list as a regular user. However, I am only able to see the networks as root (running it unprivileged returns a blank table). I couldn't find any explanation for this googling, but is it possible that there is some underlying permission error, maybe? From the command line, I'm also only able to start the VM as root. Otherwise, it says it cannot find the VM.

Typing this up just now, I remembered what I read in the arch wiki about unprivileged Incus containers requiring special configuration on linux-hardened (which I'm using, and if this is the issue, I'll feel like an idiot for not putting two and two together earlier...). I wasn't able to find anything about linux-hardened causing issues with libvirt, but I figure there's no reason not to mention it.

Offline

#8 2024-09-06 09:07:30

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,433

Re: No virtualization/containers have internet access (no ipv4?)

on linux-hardened (which I'm using

Have you tried the regular or LTS kernel?

Online

#9 2024-09-06 18:10:11

retroactive
Member
Registered: 2024-09-03
Posts: 4

Re: No virtualization/containers have internet access (no ipv4?)

seth wrote:

on linux-hardened (which I'm using

Have you tried the regular or LTS kernel?

No, just because I don't have the storage to spare to test on a whole other system, and installation is always a bit of a hassle. I might be able to sacrifice a flash drive, though. If that fixes it, I'll post that here for anyone else in my shoes.

Offline

#10 2024-09-06 19:16:13

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,433

Re: No virtualization/containers have internet access (no ipv4?)

You don't need "a whole other system", you just install the regular kernel (next to the hardened one) and boot that.
If you've not already done that you can disable the creation of the fallback image and save a lot of space on the boot partition this way.

Online

Board footer

Powered by FluxBB