On Thu, 31 Jul 2014 08:53:51 +0200 Martin Pitt <[email protected]> wrote:
> Factor this out of the lxc-net.conf upstart job, so that it can be > used by init.d scripts and systemd units, too. > > Part of https://launchpad.net/bugs/1312532 > --- > config/init/upstart/lxc-net.conf | 88 > +---------------------------------- src/lxc/Makefile.am > | 1 + src/lxc/lxc.net | 99 > ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 102 > insertions(+), 86 deletions(-) create mode 100755 src/lxc/lxc.net > > diff --git a/config/init/upstart/lxc-net.conf > b/config/init/upstart/lxc-net.conf index 279cd1e..38f6ea3 100644 > --- a/config/init/upstart/lxc-net.conf > +++ b/config/init/upstart/lxc-net.conf 
> @@ -4,89 +4,5 @@ author "Serge Hallyn <[email protected]>" > start on starting lxc > stop on stopped lxc > > -env USE_LXC_BRIDGE="true" > -env LXC_BRIDGE="lxcbr0" > -env LXC_ADDR="10.0.3.1" > -env LXC_NETMASK="255.255.255.0" > -env LXC_NETWORK="10.0.3.0/24" > -env LXC_DHCP_RANGE="10.0.3.2,10.0.3.254" > -env LXC_DHCP_MAX="253" > -env LXC_DHCP_CONFILE="" > -env varrun="/run/lxc" > -env LXC_DOMAIN="" > - > -pre-start script > - [ -f /etc/default/lxc ] && . /etc/default/lxc > - > - [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; } > - > - use_iptables_lock="-w" > - iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" > - cleanup() { > - # dnsmasq failed to start, clean up the bridge > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT > - iptables $use_iptables_lock -D FORWARD -i > ${LXC_BRIDGE} -j ACCEPT > - iptables $use_iptables_lock -D FORWARD -o > ${LXC_BRIDGE} -j ACCEPT > - iptables $use_iptables_lock -t nat -D POSTROUTING -s > ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true > - iptables $use_iptables_lock -t mangle -D POSTROUTING > -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > - ifconfig ${LXC_BRIDGE} down || true > - brctl delbr ${LXC_BRIDGE} || true > - } > - > - if [ -d /sys/class/net/${LXC_BRIDGE} ]; then > - if [ ! 
-f ${varrun}/network_up ]; then > - # bridge exists, but we didn't start it > - stop; > - fi > - exit 0; > - fi > - > - # set up the lxc network > - brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support > in kernel"; stop; exit 0; } > - echo 1 > /proc/sys/net/ipv4/ip_forward > - mkdir -p ${varrun} > - ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up > - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp > --dport 67 -j ACCEPT > - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp > --dport 67 -j ACCEPT > - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp > --dport 53 -j ACCEPT > - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp > --dport 53 -j ACCEPT > - iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j > ACCEPT > - iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j > ACCEPT > - iptables $use_iptables_lock -t nat -A POSTROUTING -s > ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE > - iptables $use_iptables_lock -t mangle -A POSTROUTING -o > ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill - > - LXC_DOMAIN_ARG="" > - if [ -n "$LXC_DOMAIN" ]; then > - LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/" > - fi > - dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order > --bind-interfaces --pid-file=${varrun}/dnsmasq.pid > --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} > --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} > --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} > --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases > --dhcp-authoritative || cleanup > - touch ${varrun}/network_up > -end script > - > -post-stop script > - [ -f /etc/default/lxc ] && . 
/etc/default/lxc > - [ -f "${varrun}/network_up" ] || exit 0; > - # if $LXC_BRIDGE has attached interfaces, don't shut it down > - ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && > exit 0; - > - if [ -d /sys/class/net/${LXC_BRIDGE} ]; then > - use_iptables_lock="-w" > - iptables -w -L -n > /dev/null 2>&1 || > use_iptables_lock="" > - ifconfig ${LXC_BRIDGE} down > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT > - iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT > - iptables $use_iptables_lock -D FORWARD -i > ${LXC_BRIDGE} -j ACCEPT > - iptables $use_iptables_lock -D FORWARD -o > ${LXC_BRIDGE} -j ACCEPT > - iptables $use_iptables_lock -t nat -D POSTROUTING -s > ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true > - iptables $use_iptables_lock -t mangle -D POSTROUTING > -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > - pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill > -9 $pid || true > - rm -f ${varrun}/dnsmasq.pid > - brctl delbr ${LXC_BRIDGE} > - fi > - rm -f ${varrun}/network_up > -end script > +pre-start exec /usr/share/lxc/lxc.net start > +post-stop exec /usr/share/lxc/lxc.net stop > diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am > index cdc6833..ee74e3c 100644 > --- a/src/lxc/Makefile.am > +++ b/src/lxc/Makefile.am > @@ -255,6 +255,7 @@ endif > install-exec-local: install-soPROGRAMS > mkdir -p $(DESTDIR)$(datadir)/lxc > install -c -m 644 lxc.functions $(DESTDIR)$(datadir)/lxc > + install -c -m 755 lxc.net $(DESTDIR)$(datadir)/lxc > mv $(DESTDIR)$(libdir)/liblxc.so > $(DESTDIR)$(libdir)/liblxc.so.$(VERSION) cd $(DESTDIR)$(libdir); \ > ln -sf liblxc.so.$(VERSION) liblxc.so.$(firstword > $(subst ., ,$(VERSION))); \ 
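Review bot: The new `pre-start exec /usr/share/lxc/lxc.net start` and `post-stop exec /usr/share/lxc/lxc.net stop` lines hard-code the install location, while the accompanying src/lxc/Makefile.am change installs lxc.net under `$(DESTDIR)$(datadir)/lxc`, so a build configured with a non-default datadir ships an upstart job that execs a path that does not exist. Unless lxc-net.conf is generated from a template (nothing in this hunk shows that), the path should be substituted at build time from datadir rather than written literally. Note also that the removed pre-start script used upstart's `stop` command, whereas the extracted script's `stop` is a shell function; presumably the job is still meant to end up stopped in the "bridge exists, but we didn't start it" case, and that is worth confirming, since the script now just exits 0 there.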
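Review bot: The added `install -c -m 755 lxc.net $(DESTDIR)$(datadir)/lxc` installs a new source file that, as far as this hunk shows, is not listed in EXTRA_DIST, so a `make dist` tarball would presumably lack lxc.net and `make install` from it would fail at this line; adding `lxc.net` to the EXTRA_DIST list (outside this hunk) would cover that, if it is not already there. Using `$(INSTALL_SCRIPT) lxc.net $(DESTDIR)$(datadir)/lxc` instead of a literal `install -c -m 755` would also match the automake convention and honour a user-supplied INSTALL. The install-exec-local recipe continues past the end of the hunk.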
diff --git a/src/lxc/lxc.net > b/src/lxc/lxc.net new file mode 100755 > index 0000000..5ea4f1d > --- /dev/null > +++ b/src/lxc/lxc.net 
> @@ -0,0 +1,99 @@ > +#!/bin/sh > +set -eu > + > +USE_LXC_BRIDGE="true" > +LXC_BRIDGE="lxcbr0" > +LXC_ADDR="10.0.3.1" > +LXC_NETMASK="255.255.255.0" > +LXC_NETWORK="10.0.3.0/24" > +LXC_DHCP_RANGE="10.0.3.2,10.0.3.254" > +LXC_DHCP_MAX="253" > +LXC_DHCP_CONFILE="" > +varrun="/run/lxc" > +LXC_DOMAIN="" > + > +start() { > + [ -f /etc/default/lxc ] && . /etc/default/lxc > + > + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; } > + > + use_iptables_lock="-w" > + iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" > + cleanup() { > + # dnsmasq failed to start, clean up the bridge > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT > + iptables $use_iptables_lock -D FORWARD -i > ${LXC_BRIDGE} -j ACCEPT > + iptables $use_iptables_lock -D FORWARD -o > ${LXC_BRIDGE} -j ACCEPT > + iptables $use_iptables_lock -t nat -D POSTROUTING -s > ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true > + iptables $use_iptables_lock -t mangle -D POSTROUTING > -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > + ifconfig ${LXC_BRIDGE} down || true > + brctl delbr ${LXC_BRIDGE} || true > + } > + > + if [ -d /sys/class/net/${LXC_BRIDGE} ]; then > + if [ ! 
-f ${varrun}/network_up ]; then > + # bridge exists, but we didn't start it > + stop; > + fi > + exit 0; > + fi > + > + # set up the lxc network > + brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support > in kernel"; stop; exit 0; } > + echo 1 > /proc/sys/net/ipv4/ip_forward > + mkdir -p ${varrun} > + ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up > + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp > --dport 67 -j ACCEPT > + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp > --dport 67 -j ACCEPT > + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp > --dport 53 -j ACCEPT > + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp > --dport 53 -j ACCEPT > + iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j > ACCEPT > + iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j > ACCEPT > + iptables $use_iptables_lock -t nat -A POSTROUTING -s > ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE > + iptables $use_iptables_lock -t mangle -A POSTROUTING -o > ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill + > + LXC_DOMAIN_ARG="" > + if [ -n "$LXC_DOMAIN" ]; then > + LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/" > + fi > + dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order > --bind-interfaces --pid-file=${varrun}/dnsmasq.pid > --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} > --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} > --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} > --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases > --dhcp-authoritative || cleanup > + touch ${varrun}/network_up > +} > + > +stop() { > + [ -f /etc/default/lxc ] && . /etc/default/lxc > + [ -f "${varrun}/network_up" ] || exit 0; Even though network_up probably won't ever exist, it might be a good idea to check for USE_LXC_BRIDGE here too, or better yet in general before doing anything. 
> + # if $LXC_BRIDGE has attached interfaces, don't shut it down > + ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && > exit 0; + > + if [ -d /sys/class/net/${LXC_BRIDGE} ]; then > + use_iptables_lock="-w" > + iptables -w -L -n > /dev/null 2>&1 || > use_iptables_lock="" > + ifconfig ${LXC_BRIDGE} down > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT > + iptables $use_iptables_lock -D INPUT -i > ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT > + iptables $use_iptables_lock -D FORWARD -i > ${LXC_BRIDGE} -j ACCEPT > + iptables $use_iptables_lock -D FORWARD -o > ${LXC_BRIDGE} -j ACCEPT > + iptables $use_iptables_lock -t nat -D POSTROUTING -s > ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true > + iptables $use_iptables_lock -t mangle -D POSTROUTING > -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > + pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill > -9 $pid || true > + rm -f ${varrun}/dnsmasq.pid > + brctl delbr ${LXC_BRIDGE} > + fi > + rm -f ${varrun}/network_up > +} > + > +if [ "$1" = start ]; then > + start > +elif [ "$1" = stop ]; then > + stop > +else > + echo "Usage: $0 start|stop" >&2 > + exit 1 > +fi > + _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
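Review bot: The dispatch at the bottom of the new script, `if [ "$1" = start ]`, runs under the `set -eu` declared at the top, so invoking lxc.net with no argument aborts with the shell's unbound-variable diagnostic before it ever reaches the `echo "Usage: $0 start|stop"` line; `if [ "${1:-}" = start ]; then` and `elif [ "${1:-}" = stop ]; then` keep the intended usage message. The same `set -e` also changes the failure mode of `ifconfig ${LXC_BRIDGE} down` and `brctl delbr ${LXC_BRIDGE}` in stop(): a failure there now exits before `rm -f ${varrun}/network_up`, leaving the stamp file behind so the next start() takes the "bridge exists" branch; that may be acceptable, but a one-line comment above those calls stating that the stamp is deliberately kept on failure would make it clear it is intended rather than an oversight.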
