The following pull request was submitted through GitHub. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7158
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

Fixes #7150

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
From c8c1f4ba2e769abdd1f06babe64370e30633ab90 Mon Sep 17 00:00:00 2001 From: Thomas Parrott <thomas.parr...@canonical.com> Date: Wed, 8 Apr 2020 12:01:53 +0100 Subject: [PATCH] doc/networks: Adds note about firewalld and DHCP/DNS Fixes #7150 Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com> --- doc/networks.md | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/doc/networks.md b/doc/networks.md index bb221bf575..af5b7a5dc2 100644 --- a/doc/networks.md +++ b/doc/networks.md @@ -15,13 +15,13 @@ currently supported: ## Bridges As one of the possible network configuration types under LXD, -LXD supports creating and managing network bridges. LXD bridges -can leverage underlying native Linux bridges and Open vSwitch. +LXD supports creating and managing network bridges. LXD bridges +can leverage underlying native Linux bridges and Open vSwitch. Creation and management of LXD bridges is performed via the `lxc network` -command. A bridge created by LXD is by default "managed" which -means that LXD also will additionally set up a local `dnsmasq` -DHCP server and if desired also perform NAT for the bridge (this +command. A bridge created by LXD is by default "managed" which +means that LXD also will additionally set up a local `dnsmasq` +DHCP server and if desired also perform NAT for the bridge (this is the default.) When a bridge is managed by LXD, configuration values 
@@ -46,9 +46,9 @@ devices: A complete list of configuration settings for LXD networks can be found below. -It is expected that IP addresses and subnets are given using CIDR -notation (`1.1.1.1/24` or `fd80:1234::1/64`). The exception being -tunnel local and remote addresses which are just plain addresses +It is expected that IP addresses and subnets are given using CIDR +notation (`1.1.1.1/24` or `fd80:1234::1/64`). The exception being +tunnel local and remote addresses which are just plain addresses (`1.1.1.1` or `fd80:1234::1`). Key | Type | Condition | Default | Description @@ -145,3 +145,22 @@ This resolved configuration will persist as long as the bridge exists, so you must repeat this command each reboot and after LXD is restarted. Also note this only works if the bridge `dns.mode` is not `none`. + +## Allow DHCP, DNS with Firewalld + +In order to allow instances to access the DHCP and DNS server that LXD runs on the host when using firewalld +you need to add the host's bridge interface to the `trusted` zone in firewalld. + +To do this permanently (so that it persists after a reboot) run the following command: + +``` +firewall-cmd --zone=trusted --change-interface=<LXD network name> --permanent +``` + +E.g. for a bridged network called `lxdbr0` run the command: + +``` +firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent +``` + +This will then allow LXD's own firewall rules to take effect.
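Review bot: the hunks at `@@ -15,13 +15,13 @@` and `@@ -46,9 +46,9 @@` change only trailing whitespace on otherwise identical lines (for example `-LXD supports creating and managing network bridges. LXD bridges` / `+LXD supports creating and managing network bridges. LXD bridges` and the `It is expected that IP addresses and subnets are given using CIDR` lines) and have nothing to do with the firewalld note that the subject line and `Fixes #7150` describe. Either drop them from this patch or move them into a separate whitespace-cleanup commit, so that `git blame` on doc/networks.md keeps pointing at the real content change for those paragraphs.

Review bot: in the `@@ -145,3 +145,22 @@` hunk, `firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent` only writes the permanent configuration and does not touch the running ruleset, so a user who follows the new section as written will still have DHCP and DNS blocked until firewalld is reloaded or restarted. Add `firewall-cmd --reload` after the `--permanent` command (or tell the reader to run the same command a second time without `--permanent`) so the change takes effect immediately as well as after a reboot. Two smaller points on the same hunk: placing the bridge in the `trusted` zone accepts all traffic arriving from the bridge on the host, not just DHCP and DNS, so it is worth stating that this is broader than the heading promises and that the narrower alternative is to allow only the `dhcp` and `dns` services (plus `dhcpv6` for an IPv6-enabled bridge) in the zone the bridge interface is assigned to, e.g. `firewall-cmd --zone=<zone> --add-service=dhcp --add-service=dns --permanent`; and the heading `## Allow DHCP, DNS with Firewalld` reads better as `## Allow DHCP and DNS with firewalld`, matching the lowercase spelling used in the body text.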
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel