On 29/01/2015 12:30, Serge Hallyn wrote:
Quoting PONCET Anthony ([email protected]):
Dear,
I'm using LXC on Ubuntu 14.04 (version: 1.0.7), with unprivileged
containers.
I'm trying to use lxc.network.script.up and lxc.network.script.down
to allow one container in my firewall (iptables/ip6tables).
I've allowed a user to execute /sbin/iptables and /sbin/ip6tables
with sudo, and if I run my script manually, it runs without problem.
But when I start my container, my script doesn't run (I added
"echo "test" >> test.log" at the top of the script and test.log is never
created, and no rules are added to iptables).
I use the veth network mode, and I added my user to /etc/lxc/lxc-usernet.
I defined lxc.logfile and lxc.loglevel = 1 but no errors are logged.
Do you have an idea to solve my problem?
Can you please show the exact commands you used to create and
start the container, the container config file, the script
contents, and the script file owner/mode (ls -l output)?
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
Yes,
lxc-create -t download -n ct_name -- -d ubuntu -r trusty -a amd64

user@host:~$ cat .local/share/lxc/ct_name/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Distribution configuration
lxc.logfile = /home/user/lxc.log
lxc.loglevel = 1

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 X00000 65536
lxc.id_map = g 0 X00000 65536
lxc.rootfs = /home/user/.local/share/lxc/ct_name/rootfs
lxc.utsname = host_name

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = XX...
lxc.network.script.up = /home/user/network/add_vm.sh
lxc.network.script.down = /home/user/network/rm_vm.sh

add_vm.sh:
#!/bin/bash

# log the hook arguments (container name, "net", "up", "veth", host-side veth name)
echo "$1 $2 $3 $4 $5" >> /home/user/test.log
# Create the IPv4 chain
sudo /sbin/iptables -N "$1"
# Create the IPv6 chain
sudo /sbin/ip6tables -N "$1"
# Add the base rules.
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -m state --state INVALID -j DROP
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -m state --state INVALID -j DROP
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -m state --state INVALID -j DROP
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -m state --state INVALID -j DROP

# Allow outbound DNS.
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p udp --dport 53 -j ACCEPT
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p udp --dport 53 -j ACCEPT

# Allow outbound HTTP and HTTPS.
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p tcp --dport 80 -j ACCEPT
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p tcp --dport 443 -j ACCEPT
sudo /sbin/ip6tables -A "$1" -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -p tcp --dport 443 -j ACCEPT

# Add the jump rules to the per-container chain in the FORWARD chain
sudo /sbin/iptables -I FORWARD -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -j "$1"
sudo /sbin/ip6tables -I FORWARD -i br0 -o br0 -m physdev --physdev-in em1 --physdev-out "$5" -j "$1"
sudo /sbin/iptables -I FORWARD -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -j "$1"
sudo /sbin/ip6tables -I FORWARD -i br0 -o br0 -m physdev --physdev-in "$5" --physdev-out em1 -j "$1"


user@host:~/network$ ls -l
total 8
-rwxrwxrwx 1 user user 3049 Jan. 29 10:55 add_vm.sh
-rwxrwxrwx 1 user user  508 Jan. 29 09:59 rm_vm.sh


I've tried 755, 700, 770, 775, and 777 without any better result.

I've replaced the values of user, host and container name, because they are similar for all containers.
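A hardened variant of the add_vm.sh hook above, added here as an example (it is not code from the thread or from LXC). It keeps the same rule set but makes the hook fail loudly instead of silently: every invocation is logged with a timestamp to an absolute path, the hook arguments LXC 1.0 passes to a veth up script (container name, "net", "up", "veth", host-side veth name) are checked before they reach a root-privileged iptables through sudo (iptables rejects chain names longer than 28 characters and the kernel limits interface names to 15), and sudo is run with -n so a missing NOPASSWD rule errors out immediately rather than hanging on a password prompt that a hook has no terminal to answer. Ending the chain with an explicit DROP is a design choice beyond the original, which lets unmatched traffic fall back through to FORWARD. br0, em1, the log path and a NOPASSWD sudoers entry for /sbin/iptables and /sbin/ip6tables are assumptions taken from the thread's config; DRY_RUN and LXC_HOOK_LOG are hypothetical knobs so the rule generation can be exercised without root.

```shell
#!/bin/bash
# Added example, not the thread's or LXC's code. Assumed layout: bridge br0,
# uplink em1, one per-container chain named after the container, sudo NOPASSWD
# for /sbin/iptables and /sbin/ip6tables. LXC 1.0 calls a veth up hook as:
#   $1 container name  $2 "net"  $3 "up"  $4 "veth"  $5 host-side veth name
set -eu

LOG=${LXC_HOOK_LOG:-/home/user/test.log}   # absolute: hooks do not start in $HOME
BRIDGE=${BRIDGE:-br0}
UPLINK=${UPLINK:-em1}
DRY_RUN=${DRY_RUN:-0}                      # hypothetical: 1 prints commands instead of running them

# valid_name NAME MAXLEN: only [A-Za-z0-9_.-] and at most MAXLEN characters,
# so nothing unexpected is ever handed to iptables running as root.
valid_name() {
    local n=$1 max=$2
    [ -n "$n" ] && [ "${#n}" -le "$max" ] &&
        case $n in *[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# check_args ARGS...: the hook contract; returns 1 with a reason on stderr.
check_args() {
    [ "$#" -eq 5 ] || { echo "expected 5 hook arguments, got $#" >&2; return 1; }
    [ "$2" = net ] && [ "$3" = up ] && [ "$4" = veth ] ||
        { echo "unexpected hook arguments: $*" >&2; return 1; }
    valid_name "$1" 28 || { echo "bad chain/container name: $1" >&2; return 1; }  # iptables limit
    valid_name "$5" 15 || { echo "bad interface name: $5" >&2; return 1; }        # IFNAMSIZ - 1
}

# run CMD ARGS...: sudo -n never prompts, so a missing NOPASSWD rule fails
# instead of hanging; in dry-run mode the command line is printed instead.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else sudo -n "$@"; fi
}

# direction IPT CHAIN IN OUT: stateful filter between two bridge ports; only
# replies to established flows pass, a new non-SYN TCP packet gets a reset.
direction() {
    local ipt=$1 chain=$2 pin=$3 pout=$4
    run "$ipt" -A "$chain" -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$pin" --physdev-out "$pout" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A "$chain" -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$pin" --physdev-out "$pout" -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    run "$ipt" -A "$chain" -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$pin" --physdev-out "$pout" -m state --state INVALID -j DROP
}

# rules CHAIN VETH: the full rule set, applied identically to IPv4 and IPv6.
rules() {
    local chain=$1 veth=$2 ipt
    for ipt in /sbin/iptables /sbin/ip6tables; do
        run "$ipt" -N "$chain"
        direction "$ipt" "$chain" "$UPLINK" "$veth"   # uplink -> container
        direction "$ipt" "$chain" "$veth" "$UPLINK"   # container -> uplink
        # outbound services the container may open itself: DNS, HTTP, HTTPS
        run "$ipt" -A "$chain" -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$veth" --physdev-out "$UPLINK" -p udp --dport 53 -j ACCEPT
        run "$ipt" -A "$chain" -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$veth" --physdev-out "$UPLINK" -p tcp --dport 80 -j ACCEPT
        run "$ipt" -A "$chain" -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$veth" --physdev-out "$UPLINK" -p tcp --dport 443 -j ACCEPT
        # explicit default deny for everything else that reaches this chain
        run "$ipt" -A "$chain" -j DROP
        # hook the per-container chain into FORWARD for both directions
        run "$ipt" -I FORWARD -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$UPLINK" --physdev-out "$veth" -j "$chain"
        run "$ipt" -I FORWARD -i "$BRIDGE" -o "$BRIDGE" -m physdev --physdev-in "$veth" --physdev-out "$UPLINK" -j "$chain"
    done
}

# main ARGS...: log first, so the log proves whether LXC ran the hook at all,
# then validate and apply; any failure exits non-zero.
main() {
    printf '%s %s\n' "$(date +%FT%T)" "$*" >> "$LOG"
    check_args "$@" || exit 1
    rules "$1" "$5"
}

# Only act when invoked with the five hook arguments (sourcing is harmless).
if [ "$#" -eq 5 ]; then main "$@"; fi
```

Try it without root with `DRY_RUN=1 LXC_HOOK_LOG=/tmp/hook.log ./add_vm.sh ct_name net up veth vethXYZ123`: the log line shows the hook fired, and the printed commands show what would be handed to sudo. The argument check does not shrink the privilege the sudoers entry grants: sudo on /sbin/iptables with unrestricted arguments lets that user rewrite the whole host firewall, so treat the entry as a host-level privilege and restrict it to the account that owns the containers.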