ci: fix lxd vs docker connectivity issue

Running LXD and Docker on the same host has known connectivity issues. This caused CI failures when transitioning the GitHub action runner images from ubuntu-20.04 to ubuntu-24.04. The LXD documentation has a few recommended workarounds[1] and this one is the only one that worked well with GitHub CI. [1] https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
canonical · Feb 21, 2025 · 7a2dace · 7a2dace
1 parent d4c4dd4
commit 7a2dace
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 3 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -20,7 +20,9 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: run
-      run: sudo ./scripts/test-in-lxd.sh ${{ matrix.image }} "make check"
+      run: |
+        sudo ./scripts/github-ci-lxd-setup.sh
+        sudo ./scripts/test-in-lxd.sh ${{ matrix.image }} "make check"
 
   lint:
     runs-on: ubuntu-24.04
@@ -33,7 +35,9 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: lint
-      run: sudo ./scripts/test-in-lxd.sh ${{ matrix.image }} "make lint"
+      run: |
+        sudo ./scripts/github-ci-lxd-setup.sh
+        sudo ./scripts/test-in-lxd.sh ${{ matrix.image }} "make lint"
 
   format-black:
     runs-on: ubuntu-24.04

diff --git a/scripts/github-ci-lxd-setup.sh b/scripts/github-ci-lxd-setup.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -eux
+
+# The purpose of this script is to separate out the actions needed to setup
+# LXD on the GitHub Actions CI runners from the actual test setup and 
+# execution. This way, test scripts can be mostly run locally without making
+# too many changes to the local system.
+
+# The runner images don't have lxd enabled by default.
+lxd init --auto
+
+# If the runner image uses docker, then work around a known connectivity issue
+# when using lxd and docker at the same time.
+# https://discuss.linuxcontainers.org/t/containers-do-not-have-outgoing-internet-access/10844/7
+# https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
+if [ "active" == "$(systemctl is-active docker)" ]
+then
+    iptables  -I DOCKER-USER -i lxdbr0 -j ACCEPT
+    iptables  -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    # GitHub doesn't use IPV6 (yet?)
+    # ip6tables -I DOCKER-USER -i lxdbr0 -j ACCEPT
+    # ip6tables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+fi
diff --git a/scripts/test-in-lxd.sh b/scripts/test-in-lxd.sh
@@ -19,7 +19,6 @@ IMAGE=$1
 TEST_CMD=$2
 TESTER=subiquity-${IMAGE##*:}
 
-lxd init --auto
 
 if [ -z "$(lxc list -f csv -c n ^${TESTER}\$)" ]
 then