Regretfully, this bug is still active and it's trivial to reproduce with
this configuration:
* apt-get install docker.io (ensure that the docker daemon is running
afterwards. Tested with 20.10.22+dfsg1-2 locally)
* apt-get install lxd (tested with 5.0.1-5)
Then, "lxc launch ubuntu:22.04" (accepting the defaults for LXD
configuration). Networking will be broken inside the newly created LXD
container.
The workaround for me is to run "sudo iptables -P FORWARD ACCEPT" after
bootup (and after Docker has started). But I agree with previous
comments; it's EXTREMELY BAD and unacceptable for a program like Docker
to misbehave like this.
On the LXD side, this has been discussed and is a known issue:
* https://discuss.linuxcontainers.org/t/lxd-and-docker-firewall-redux-how-to-deal-with-forward-policy-set-to-drop/9953/9
* https://linuxcontainers.org/lxd/docs/master/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker
(The suggestion given there is to insert firewall rules into the
DOCKER-USER chain.)
I suggest we consider patching the Docker package in Debian to
remove the FORWARD DROP nonsense until this has been properly resolved
upstream. We can't have programs that misbehave this badly in the
distribution, IMO.
Best regards,
Per Lundberg
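The two remedies mentioned in the message above (the blanket "iptables -P FORWARD ACCEPT" and the narrower DOCKER-USER rules from the LXD documentation) can be compared with the following script. It is an added example, not code from the bug report, from Docker or from LXD: it parses "iptables -S FORWARD" output to detect the DROP policy Docker installs, and prints the per-bridge DOCKER-USER rules that keep Docker's policy intact while letting LXD's bridge traffic through. The sample "iptables -S" output is constructed for illustration, the bridge name is a parameter (lxdbr0 is LXD's default), and the script only touches a live host when invoked with "--live" as root.

```shell
#!/bin/sh
# Added example (not from the bug report, Docker or LXD): diagnose a
# FORWARD policy of DROP and emit a narrow DOCKER-USER fix for one bridge.

# Read `iptables -S FORWARD` output on stdin and print the chain policy
# (the "-P FORWARD <POLICY>" line that iptables -S prints first).
forward_policy() {
    sed -n 's/^-P FORWARD \([A-Z]*\).*/\1/p'
}

# Exit 0 when the given `iptables -S FORWARD` text shows policy DROP,
# i.e. when forwarded traffic for other bridges will be silently dropped.
needs_fix() {
    [ "$(printf '%s\n' "$1" | forward_policy)" = "DROP" ]
}

# Print the commands that whitelist one bridge in Docker's DOCKER-USER chain
# (the rule pair recommended in the LXD documentation linked above). This
# leaves "-P FORWARD DROP" in place, unlike "iptables -P FORWARD ACCEPT",
# so traffic for unrelated interfaces is still dropped.
docker_user_rules() {
    bridge="$1"
    printf 'iptables -I DOCKER-USER -i %s -j ACCEPT\n' "$bridge"
    printf 'iptables -I DOCKER-USER -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$bridge"
}

# Constructed sample of `iptables -S FORWARD` on a host where the Docker
# daemon has started (illustrative, not captured from a real machine).
SAMPLE_DROP='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

# Live mode: inspect the real FORWARD chain and apply the rules for the
# bridge given as the second argument (defaults to lxdbr0). Needs root.
if [ "$1" = "--live" ]; then
    bridge="${2:-lxdbr0}"
    current="$(iptables -S FORWARD)"
    if needs_fix "$current"; then
        echo "FORWARD policy is DROP; whitelisting $bridge in DOCKER-USER"
        docker_user_rules "$bridge" | sh -e
    else
        echo "FORWARD policy is not DROP; nothing to do"
    fi
elif [ -z "$1" ]; then
    # Demo mode on the constructed sample: show the diagnosis and the fix.
    if needs_fix "$SAMPLE_DROP"; then
        echo "sample host: FORWARD policy is DROP; suggested fix for lxdbr0:"
        docker_user_rules lxdbr0
    fi
fi
```

Run it without arguments to see the diagnosis on the constructed sample, or "sudo ./docker-user-fix.sh --live lxdbr0" on an affected host after Docker has started. Because the rules are inserted into DOCKER-USER rather than changing the FORWARD policy, Docker's own rule reloads do not remove them, which is the reason the LXD documentation prefers this over "-P FORWARD ACCEPT".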