Add distro/ubuntuCore for UC26 snap and image builds.
Centralize salmanoff snapcraft, dangerous-model image scripts, and QEMU workflow so UC26 can be reproduced from the SMO repo without ubuntu-core-practice. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Executable
+68
@@ -0,0 +1,68 @@
|
||||
#!/usr/bin/env bash
|
||||
# Restore outbound internet for LXD containers (common Docker + LXD conflict on Ubuntu).
|
||||
set -euo pipefail
|
||||
|
||||
if [[ "${EUID}" -ne 0 ]]; then
|
||||
echo "Run with sudo: sudo $0" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
LXD_BRIDGE="${LXD_BRIDGE:-lxdbr0}"
|
||||
LXD_SUBNET="$(lxc network get "${LXD_BRIDGE}" ipv4.address 2>/dev/null | cut -d/ -f1 | awk -F. '{print $1"."$2"."$3".0/24"}')"
|
||||
if [[ -z "${LXD_SUBNET}" || "${LXD_SUBNET}" == ".0/24" ]]; then
|
||||
LXD_SUBNET="10.239.141.0/24"
|
||||
fi
|
||||
|
||||
echo "LXD bridge: ${LXD_BRIDGE}"
|
||||
echo "LXD subnet: ${LXD_SUBNET}"
|
||||
|
||||
echo "==> Allow LXD traffic through Docker's DOCKER-USER chain (if present)"
|
||||
if iptables -L DOCKER-USER -n &>/dev/null; then
|
||||
iptables -C DOCKER-USER -i "${LXD_BRIDGE}" -j ACCEPT 2>/dev/null \
|
||||
|| iptables -I DOCKER-USER 1 -i "${LXD_BRIDGE}" -j ACCEPT
|
||||
iptables -C DOCKER-USER -o "${LXD_BRIDGE}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
|
||||
|| iptables -I DOCKER-USER 2 -o "${LXD_BRIDGE}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
echo " DOCKER-USER rules added"
|
||||
else
|
||||
echo " No DOCKER-USER chain (Docker may not be managing iptables)"
|
||||
fi
|
||||
|
||||
echo "==> Ensure FORWARD accepts ${LXD_BRIDGE}"
|
||||
iptables -C FORWARD -i "${LXD_BRIDGE}" -j ACCEPT 2>/dev/null \
|
||||
|| iptables -I FORWARD 1 -i "${LXD_BRIDGE}" -j ACCEPT
|
||||
iptables -C FORWARD -o "${LXD_BRIDGE}" -j ACCEPT 2>/dev/null \
|
||||
|| iptables -I FORWARD 1 -o "${LXD_BRIDGE}" -j ACCEPT
|
||||
|
||||
echo "==> Ensure MASQUERADE for ${LXD_SUBNET}"
|
||||
if ! iptables -t nat -C POSTROUTING -s "${LXD_SUBNET}" ! -d "${LXD_SUBNET}" -j MASQUERADE 2>/dev/null; then
|
||||
iptables -t nat -A POSTROUTING -s "${LXD_SUBNET}" ! -d "${LXD_SUBNET}" -j MASQUERADE
|
||||
fi
|
||||
|
||||
echo "==> LXD network: disable per-network firewall, refresh NAT"
|
||||
lxc network set "${LXD_BRIDGE}" ipv4.firewall false
|
||||
lxc network set "${LXD_BRIDGE}" ipv6.firewall false
|
||||
lxc network set "${LXD_BRIDGE}" ipv4.nat false
|
||||
lxc network set "${LXD_BRIDGE}" ipv4.nat true
|
||||
|
||||
echo "==> Restart LXD daemon"
|
||||
if command -v snap >/dev/null 2>&1 && snap list lxd &>/dev/null; then
|
||||
snap restart lxd
|
||||
else
|
||||
systemctl restart lxd || systemctl restart snap.lxd.daemon
|
||||
fi
|
||||
sleep 2
|
||||
|
||||
echo "==> Smoke test (ephemeral container in project snapcraft)"
|
||||
TEST_NAME="lxd-net-test-$$"
|
||||
lxc launch ubuntu:26.04 "${TEST_NAME}" --project snapcraft
|
||||
trap 'lxc delete -f --project snapcraft "${TEST_NAME}" 2>/dev/null || true' EXIT
|
||||
if lxc exec --project snapcraft "${TEST_NAME}" -- curl -fsSI --max-time 15 https://github.com | head -1; then
|
||||
echo "OK: container outbound HTTPS works"
|
||||
else
|
||||
echo "FAIL: container still cannot reach github.com" >&2
|
||||
echo "Consider permanent Docker fix: add \"iptables\": false to /etc/docker/daemon.json and restart docker" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "Done. LXD containers should have outbound internet now."
|
||||
Reference in New Issue
Block a user