Network is unreachable: connectivity issues when installing packages inside LXD VMs on GitHub shared runners #13003
Description
Description
Problem Summary
I'm experiencing "Network is unreachable" errors when trying to install packages (specifically Docker) inside LXD virtual machines running on GitHub shared runners. The VMs can be created successfully, but they cannot establish outbound network connections to package repositories.
Background Context
This issue is a follow-up to my previous investigation into virtualization support on GitHub runners:
- Original issue: Virtualization tools support in GitHub shared runners #12933
- Demo repository: github-actions-virtualization-support
After discovering that LXD works as a virtualization solution on GitHub shared runners, I'm now trying to install software inside the VMs but encountering network connectivity issues.
Current Investigation
Test repository: test-docker-install-inside-vm-in-runner
I'm investigating whether this is related to IPv6 connectivity issues, as GitHub runners have known IPv6 limitations:
Error Details
When running apt-get update inside an LXD VM, I get:
Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
Ign:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Ign:4 http://security.ubuntu.com/ubuntu noble-security InRelease
Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
Ign:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Ign:4 http://security.ubuntu.com/ubuntu noble-security InRelease
Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
Ign:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Ign:3 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Ign:4 http://security.ubuntu.com/ubuntu noble-security InRelease
Err:1 http://archive.ubuntu.com/ubuntu noble InRelease
Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4000:1::16). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4000:1::101). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4000:1::103). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4000:1::102). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4002:1::101). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4002:1::103). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4000:1::19). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2620:2d:4002:1::102). - connect (101: Network is unreachable) Could not connect to archive.ubuntu.com:80 (185.125.190.81), connection timed out
Analysis
The error shows attempts to connect to IPv6 addresses (e.g., 2620:2d:4000:1::16) which fail with "Network is unreachable", and even the IPv4 fallback (185.125.190.81) times out.
Environment
- OS: ubuntu-latest (Ubuntu 22.04 LTS on GitHub Actions)
- LXD Version: Latest available on GitHub runners
- VM OS: Ubuntu 24.04 LTS (noble)
- Network Configuration: Default LXD networking (investigating IPv4-only configurations)
Reproduction
You can reproduce this issue using the workflows in my test repository:
Specific workflow: test-docker-ipv4-fix.yml
Investigation Status
🔍 Current hypothesis: VMs are getting IPv6-only addresses in an environment where IPv6 is not supported, causing all outbound connections to fail.
🧪 Testing approach:
- Configuring LXD to provide IPv4-only networking to VMs
- Forcing APT to use IPv4-only connections
- Comprehensive network diagnostics to identify routing issues
Questions
- Is this a known limitation of networking within VMs on GitHub runners?
- Are there specific network configurations recommended for LXD VMs on GitHub infrastructure?
- Should VMs inherit the host's network configuration, or do they need special routing setup?
- Are there any network policies that prevent VMs from establishing outbound connections?
Expected Behavior
VMs created with LXD should be able to establish outbound network connections to install packages and download resources, similar to how containers work on GitHub runners.
Actual Behavior
VMs cannot establish any outbound network connections, making it impossible to install software or update packages inside the virtual machines.
Technical Details
The VM gets proper IPv4 addresses (e.g., 10.0.0.98) from the LXD bridge, but all outbound connections fail:
- APT package manager cannot reach repositories
- curl commands timeout even with forced IPv4 (-4 flag)
- DNS resolution works but actual HTTP connections fail
This suggests a deeper networking issue beyond just IPv6/IPv4 addressing, possibly related to NAT, routing, or firewall policies affecting VM traffic.
Platforms affected
- Azure DevOps
- GitHub Actions - Standard Runners
- GitHub Actions - Larger Runners
Runner images affected
- Ubuntu 22.04
- Ubuntu 24.04
- macOS 13
- macOS 13 Arm64
- macOS 14
- macOS 14 Arm64
- macOS 15
- macOS 15 Arm64
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Image version and build link
Is it regression?
No
Expected behavior
I expect the VM to get access to external resources with: curl, wget, apt-get, etc.
Actual behavior
I can't connect to any external resources from inside the VM
Repro steps
A running workflow example: https://github.com/josecelano/test-docker-install-inside-vm-in-runner/actions/workflows/test-docker-standard-apt.yml