waydroid
No network connection with Ubuntu 22.10
I installed waydroid on a DELL running Ubuntu 22.10. Waydroid runs fine except the network connection. I saw that I am not the only one to have this issue. Is it solved? Or should I use 22.04 instead?
Please run the following commands inside the Waydroid container and paste the output.
You can open a shell inside the container with sudo waydroid shell.
ip route
ip addr show
Also, to decide if it's only a DNS resolution failure or incorrect routing, please run the following commands. Note that the terminal inside the container will possibly ignore the Ctrl+C combination, so you will have to use killall ping from another root shell.
# ping a domain name
ping github.com
# ping an IP address outside of LAN
ping 1.1.1.1
Thanks for the help. I did this before mentioning the issue and forgot to include them in my post. Here is the output of the commands:
[sudo] Mot de passe de xxx :
/system/bin/sh: No controlling tty: open /dev/tty: No such file or directory
/system/bin/sh: warning: won't have full job control
:/ # ip route
So no output for "ip route"
:/ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:16:3e:f9:d3:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::28f4:e283:7627:5d7f/64 scope link stable-privacy
valid_lft forever preferred_lft forever
To test the DNS:
:/ # ping github.com
ping: unknown host github.com
2|:/ #
And for ping with an IP address:
2|:/ # ping 1.1.1.1
connect: Network is unreachable
From what I read on the web, I am not the only one facing this issue. Would it be a kernel issue?
Thanks again
Since the container doesn't have an IP address, it seems that your firewall is blocking the DHCP port (UDP 67 from the waydroid0 interface to localhost).
https://wiki.archlinux.org/title/Waydroid#Network
Thanks for the URL. I am not an expert in firewalls. I executed the following commands:
# firewall-cmd --zone=trusted --add-port=67/udp
# firewall-cmd --zone=trusted --add-port=53/udp
# firewall-cmd --zone=trusted --add-forward
But this does not solve the problem. I replaced trusted by waydroid0 as indicated in the wiki. But the commands failed. waydroid0 is not known. I thus executed the following command:
# firewall-cmd --list-all-zones
waydroid0 does not appear as a zone.
I removed the zone option (but this is probably not safe to do...).
# firewall-cmd --add-port=67/udp
# firewall-cmd --add-port=53/udp
# firewall-cmd --add-forward
And ... it worked. I have thus the internet connection inside the container. The android web browser just runs fine. I have still problems of internet connection with some android applications. Maybe they used other ports... I will investigate the problem later. I am very happy to have made progress thanks to your help.
Issues fully solved! I used the gapps image. Now, the google play store works fine and the apps as well. I really thank you for your help. I have now a 2in1 laptop working fine with linux and android. I can enjoy both worlds at the same time.
The waydroid0 interface is not known because it is created when the Waydroid session is started. I use nftables, so I have to use the iifname criteria instead of iif.
Maybe you can filter by the Waydroid container IP range if you are worrying about exposing 67 and 53 ports to the outside (however, the dnsmasq service doesn't listen on the external interface).
Thanks for the additional information. I will test this.
> Since the container doesn't have an IP address, it seems that your firewall is blocking the DHCP port (UDP 67 from the waydroid0 interface to localhost).
> https://wiki.archlinux.org/title/Waydroid#Network
I had the same output and this turned out to be the answer. For Ubuntu the ufw firewall was blocking, so sudo ufw disable + restart waydroid worked instantly.
@ddxv, disabling the firewall is not a solution. You solve one problem with another? You can do it yourself, but don't recommend it to others.
@notramo thanks and noted, don't want to cause another problem. I had misunderstood that Waydroid required a firewall, which was incorrect, so I incorrectly added one to the host environment without opening its ports. As you pointed out the ports can be opened by following these steps:
https://wiki.archlinux.org/title/Waydroid#Network
@ddxv I followed those steps, it didn't work. Only disabling firewall completely worked for me.
Even disabling the firewall didn't work for me. My issue may be different: DNS lookup works but nothing else seems to.
:/ # ping google.com
PING google.com (142.250.217.142) 56(84) bytes of data.
@JamesOsborn-SE if you're using a VPN then try to disable that also, some VPN software behave badly, not related to Waydroid but just in general. (Example: ProtonVPN causes some problems even when uninstalled on some systems)
In my case, DNS worked and my android had an IP. I could ping my Ubuntu's IP from android, but could not ping my router.
ping 192.168.169.111 # my Ubuntu host's IP, works
ping 192.168.169.1 # my router's IP, works
sudo waydroid shell
ping 192.168.169.111 # my Ubuntu host's IP, works
ping 192.168.169.1 # my router's IP, DOES NOT WORK
So my Ubuntu did not forward the traffic.
Fixing /usr/lib/waydroid/data/scripts/waydroid-net.sh and restarting the waydroid network interface worked: https://unix.stackexchange.com/a/743946
sudo sed -i~ -E 's/=.\$\(command -v (nft|ip6?tables-legacy).*/=/g' /usr/lib/waydroid/data/scripts/waydroid-net.sh
sudo /usr/lib/waydroid/data/scripts/waydroid-net.sh restart
sudo waydroid shell
ping 192.168.169.111 # my Ubuntu host's IP, works
ping 192.168.169.1 # my router's IP, THIS NOW WORKS
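The triage used across this thread (no DHCP lease, failed DNS lookups, failed forwarding), as an added example that is not part of any post here and not Waydroid's own code. It works on captured text from `ip addr show` and the two `ping` commands; the function name and the sample values marked as constructed are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Waydroid code. Classifies a container network failure
# from captured output of the commands requested in this thread:
#   dhcp    no IPv4 lease          -> host INPUT rules, UDP 67 on waydroid0
#   dns     lease, lookups fail    -> host INPUT rules, port 53 on waydroid0
#   forward lease and DNS, no path -> host FORWARD policy / NAT
#   ok      none of the above
triage() {
    addr=$1; dns_ping=$2; ip_ping=$3
    # "inet " followed by a digit matches IPv4 lines only (not inet6);
    # the loopback address is ignored.
    if ! printf '%s\n' "$addr" | grep -v 'inet 127\.' | grep -q 'inet [0-9]'; then
        echo dhcp; return
    fi
    if printf '%s\n' "$dns_ping" | grep -Eqi 'unknown host|bad address|not known'; then
        echo dns; return
    fi
    if printf '%s\n' "$ip_ping" | grep -Eqi 'unreachable|100% packet loss'; then
        echo forward; return
    fi
    echo ok
}

# Captures posted in this thread (ip addr output shortened to the lines used).
ADDR_NO_LEASE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet6 fe80::28f4:e283:7627:5d7f/64 scope link stable-privacy'
DNS_FAIL='ping: unknown host github.com'
IP_FAIL='connect: Network is unreachable'
DNS_OK='PING google.com (142.250.217.142) 56(84) bytes of data.'

# Constructed samples: a leased address and two ping summaries.
ADDR_LEASE="$ADDR_NO_LEASE
    inet 192.168.240.112/24 brd 192.168.240.255 scope global eth0"
PING_LOSS='3 packets transmitted, 0 received, 100% packet loss, time 2032ms'
PING_OK='3 packets transmitted, 3 received, 0% packet loss, time 2003ms'

triage "$ADDR_NO_LEASE" "$DNS_FAIL" "$IP_FAIL"   # the original report
```

The order of the checks matters: without a lease every later test also fails, and DNS can succeed while forwarding is broken because lookups are answered by dnsmasq on the host bridge address rather than routed through the host.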
The script after that sed command, just in case others need it.
This means waydroid will be FIXED to requiring iptables / ip6tables and no other.
PS: This is NOT NEEDED on Kubuntu 23.04, as it works without it for me...
/usr/lib/waydroid/data/scripts/waydroid-net.sh
#!/bin/sh -

varrun="/run/waydroid-lxc"
varlib="/var/lib"
net_link_key="lxc.net.0.link"
case "$(lxc-info --version)" in [012].*) net_link_key="lxc.network.link" ;; esac
vnic=$(awk "\$1 == \"$net_link_key\" {print \$3}" /var/lib/waydroid/lxc/waydroid/config)
: ${vnic:=waydroid0}

if [ "$vnic" != "waydroid0" ]; then
    echo "vnic is $vnic, bailing out"
    exit 0
else
    echo "vnic is waydroid0"
fi

USE_LXC_BRIDGE="true"
LXC_BRIDGE="${vnic}"
LXC_BRIDGE_MAC="00:16:3e:00:00:01"
LXC_ADDR="192.168.240.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="192.168.240.0/24"
LXC_DHCP_RANGE="192.168.240.2,192.168.240.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DHCP_PING="true"
LXC_DOMAIN=""
LXC_USE_NFT="false"

LXC_IPV6_ADDR=""
LXC_IPV6_MASK=""
LXC_IPV6_NETWORK=""
LXC_IPV6_NAT="false"

IPTABLES_BIN=
if [ ! -n "$IPTABLES_BIN" ]; then
    IPTABLES_BIN="$(command -v iptables)"
fi
IP6TABLES_BIN=
if [ ! -n "$IP6TABLES_BIN" ]; then
    IP6TABLES_BIN="$(command -v ip6tables)"
fi

use_nft() {
    [ -n "$NFT" ] && nft list ruleset > /dev/null 2>&1 && [ "$LXC_USE_NFT" = "true" ]
}

NFT=
if ! use_nft; then
    use_iptables_lock="-w"
    $IPTABLES_BIN -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
fi

_netmask2cidr ()
{
    # Assumes there's no "255." after a non-255 byte in the mask
    local x=${1##*255.}
    set -- 0^^^128^192^224^240^248^252^254^ $(( (${#1} - ${#x})*2 )) ${x%%.*}
    x=${1%%$3*}
    echo $(( $2 + (${#x}/4) ))
}

_ifdown() {
    ip addr flush dev ${LXC_BRIDGE}
    ip link set dev ${LXC_BRIDGE} down
}

_ifup() {
    MASK=`_netmask2cidr ${LXC_NETMASK}`
    CIDR_ADDR="${LXC_ADDR}/${MASK}"
    ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE}
    ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC
    ip link set dev ${LXC_BRIDGE} up
}

start_ipv6() {
    LXC_IPV6_ARG=""
    if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
        echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf
        ip -6 addr add dev ${LXC_BRIDGE} ${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}
        LXC_IPV6_ARG="--dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}"
    fi
}

start_iptables() {
    start_ipv6
    if [ -n "$LXC_IPV6_ARG" ] && [ "$LXC_IPV6_NAT" = "true" ]; then
        $IP6TABLES_BIN $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
    fi
    $IPTABLES_BIN $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
    $IPTABLES_BIN $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
}

start_nftables() {
    start_ipv6
    NFT_RULESET=""
    if [ -n "$LXC_IPV6_ARG" ] && [ "$LXC_IPV6_NAT" = "true" ]; then
        NFT_RULESET="${NFT_RULESET}
add table ip6 lxc;
flush table ip6 lxc;
add chain ip6 lxc postrouting { type nat hook postrouting priority 100; };
add rule ip6 lxc postrouting ip saddr ${LXC_IPV6_NETWORK} ip daddr != ${LXC_IPV6_NETWORK} counter masquerade;
"
    fi
    NFT_RULESET="${NFT_RULESET};
add table inet lxc;
flush table inet lxc;
add chain inet lxc input { type filter hook input priority 0; };
add rule inet lxc input iifname ${LXC_BRIDGE} udp dport { 53, 67 } accept;
add rule inet lxc input iifname ${LXC_BRIDGE} tcp dport { 53, 67 } accept;
add chain inet lxc forward { type filter hook forward priority 0; };
add rule inet lxc forward iifname ${LXC_BRIDGE} accept;
add rule inet lxc forward oifname ${LXC_BRIDGE} accept;
add table ip lxc;
flush table ip lxc;
add chain ip lxc postrouting { type nat hook postrouting priority 100; };
add rule ip lxc postrouting ip saddr ${LXC_NETWORK} ip daddr != ${LXC_NETWORK} counter masquerade"
    nft "${NFT_RULESET}"
}

start() {
    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }

    [ ! -f "${varrun}/network_up" ] || { echo "waydroid-net is already running"; exit 0; }

    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
        stop force || true
    fi

    FAILED=1

    cleanup() {
        set +e
        if [ "$FAILED" = "1" ]; then
            echo "Failed to setup waydroid-net." >&2
            stop force
            exit 1
        fi
    }

    trap cleanup EXIT HUP INT TERM
    set -e

    # set up the lxc network
    [ ! -d /sys/class/net/${LXC_BRIDGE} ] && ip link add dev ${LXC_BRIDGE} type bridge
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad || true

    # if we are run from systemd on a system with selinux enabled,
    # the mkdir will create /run/lxc as init_var_run_t which dnsmasq
    # can't write its pid into, so we restorecon it (to var_run_t)
    if [ ! -d "${varrun}" ]; then
        mkdir -p "${varrun}"
        if command -v restorecon >/dev/null 2>&1; then
            restorecon "${varrun}"
        fi
    fi

    _ifup

    if use_nft; then
        start_nftables
    else
        start_iptables
    fi

    LXC_DOMAIN_ARG=""
    if [ -n "$LXC_DOMAIN" ]; then
        LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
    fi

    # lxc's dnsmasq should be hermetic and not read `/etc/dnsmasq.conf` (which
    # it does by default if `--conf-file` is not present
    LXC_DHCP_CONFILE_ARG="--conf-file=${LXC_DHCP_CONFILE:-/dev/null}"

    # https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010561.html
    for DNSMASQ_USER in lxc-dnsmasq dnsmasq nobody
    do
        if getent passwd ${DNSMASQ_USER} >/dev/null; then
            break
        fi
    done

    LXC_DHCP_PING_ARG=""
    if [ "x$LXC_DHCP_PING" = "xfalse" ]; then
        LXC_DHCP_PING_ARG="--no-ping"
    fi

    if [ ! -d "${varlib}"/misc ]; then
        mkdir "${varlib}"/misc
    fi

    dnsmasq $LXC_DHCP_CONFILE_ARG $LXC_DOMAIN_ARG $LXC_DHCP_PING_ARG -u ${DNSMASQ_USER} \
            --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid \
            --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} \
            --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \
            --except-interface=lo --interface=${LXC_BRIDGE} \
            --dhcp-leasefile="${varlib}"/misc/dnsmasq.${LXC_BRIDGE}.leases \
            --dhcp-authoritative $LXC_IPV6_ARG || cleanup

    touch "${varrun}"/network_up
    FAILED=0
}

stop_iptables() {
    $IPTABLES_BIN $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
    $IPTABLES_BIN $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
    $IPTABLES_BIN $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    if [ "$LXC_IPV6_NAT" = "true" ]; then
        $IP6TABLES_BIN $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
    fi
}

stop_nftables() {
    # Adding table before removing them is just to avoid
    # delete error for non-existent table
    NFT_RULESET="add table inet lxc;
delete table inet lxc;
add table ip lxc;
delete table ip lxc;
"
    if [ "$LXC_IPV6_NAT" = "true" ]; then
        NFT_RULESET="${NFT_RULESET};
add table ip6 lxc;
delete table ip6 lxc;"
    fi
    nft "${NFT_RULESET}"
}

stop() {
    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }

    [ -f "${varrun}/network_up" ] || [ "$1" = "force" ] || { echo "waydroid-net isn't running"; exit 1; }

    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
        _ifdown
        if use_nft; then
            stop_nftables
        else
            stop_iptables
        fi

        pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid
        rm -f "${varrun}"/dnsmasq.pid
        # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge
        ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 || ip link delete ${LXC_BRIDGE}
    fi

    rm -f "${varrun}"/network_up
}

# See how we were called.
case "$1" in
    start)
        start
    ;;

    stop)
        stop
    ;;

    restart|reload|force-reload)
        $0 stop
        $0 start
    ;;

    *)
        echo "Usage: $0 {start|stop|restart|reload|force-reload}"
        exit 2
esac

exit $?
The main issue with Ubuntu is that the FORWARD chain is set to DROP by default and somehow the /usr/lib/waydroid/data/scripts/waydroid-net.sh script fails to set it to ACCEPT or set up the required rules.
You only need to follow the steps from the docs https://docs.waydro.id/debugging/networking-issues
sudo ufw allow 53
sudo ufw allow 67
sudo ufw default allow FORWARD
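An interface-scoped variant of the three commands above, as an added example that is not from the Waydroid docs or from any post in this thread. It opens the same DHCP, DNS and forwarding paths only for traffic arriving on the bridge; the function names are hypothetical, and `waydroid0` is the bridge name used in waydroid-net.sh.

```shell
#!/bin/sh
# Added example, not taken from the Waydroid docs. It emits ufw rules that
# open DHCP, DNS and forwarding only for traffic arriving on the container
# bridge, instead of "ufw allow 53/67" on every interface plus a global
# FORWARD policy change. "waydroid0" is the bridge name from waydroid-net.sh.

scoped_rules() {
    bridge=${1:-waydroid0}
    # Accept only a plain interface name (Linux limit: 15 characters).
    case $bridge in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface: $bridge" >&2; return 1 ;;
    esac
    [ "${#bridge}" -le 15 ] || { echo "interface name too long" >&2; return 1; }

    # DHCP requests from the container to dnsmasq on the host
    echo "ufw allow in on $bridge to any port 67 proto udp"
    # DNS queries to the same dnsmasq (no proto given: UDP and TCP)
    echo "ufw allow in on $bridge to any port 53"
    # Forward connections the container opens; the default routed policy
    # is left untouched.
    echo "ufw route allow in on $bridge"
}

apply_rules() {
    # Dry run unless APPLY=1 is set (needs root).
    rules=$(scoped_rules "$1") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "would run: $rule"
        fi
    done
}

apply_rules "$1"
```

Because the rules match on the interface name, DHCP requests are matched even before the container has an address.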