[lxc-devel] [PATCH 1/1] make 'empty network' the default
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Dec 13 18:46:28 UTC 2013
Currently if no lxc.network.type section is in the container
configuration, the container ends up sharing the host's network.
This is a dangerous default.
Instead, add 'lxc.network.type = none' as a valid type, and make
an empty network (a fresh network namespace with no interfaces) the default.
If none as well as another network type are specified, then the
none type will be ignored.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/conf.c | 39 +++++++++++++++++++++++++++++++++++++++
src/lxc/conf.h | 2 ++
src/lxc/confile.c | 2 ++
src/lxc/start.c | 5 +++--
4 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 8206146..c8f0f7d 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -171,6 +171,7 @@ static int instanciate_macvlan(struct lxc_handler *, struct lxc_netdev *);
static int instanciate_vlan(struct lxc_handler *, struct lxc_netdev *);
static int instanciate_phys(struct lxc_handler *, struct lxc_netdev *);
static int instanciate_empty(struct lxc_handler *, struct lxc_netdev *);
+static int instanciate_none(struct lxc_handler *, struct lxc_netdev *);
static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VETH] = instanciate_veth,
@@ -178,6 +179,7 @@ static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VLAN] = instanciate_vlan,
[LXC_NET_PHYS] = instanciate_phys,
[LXC_NET_EMPTY] = instanciate_empty,
+ [LXC_NET_NONE] = instanciate_none,
};
static int shutdown_veth(struct lxc_handler *, struct lxc_netdev *);
@@ -185,6 +187,7 @@ static int shutdown_macvlan(struct lxc_handler *, struct lxc_netdev *);
static int shutdown_vlan(struct lxc_handler *, struct lxc_netdev *);
static int shutdown_phys(struct lxc_handler *, struct lxc_netdev *);
static int shutdown_empty(struct lxc_handler *, struct lxc_netdev *);
+static int shutdown_none(struct lxc_handler *, struct lxc_netdev *);
static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VETH] = shutdown_veth,
@@ -192,6 +195,7 @@ static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VLAN] = shutdown_vlan,
[LXC_NET_PHYS] = shutdown_phys,
[LXC_NET_EMPTY] = shutdown_empty,
+ [LXC_NET_NONE] = shutdown_none,
};
static struct mount_opt mount_opt[] = {
@@ -2911,6 +2915,12 @@ static int shutdown_phys(struct lxc_handler *handler, struct lxc_netdev *netdev)
return 0;
}
+static int instanciate_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
+{
+ netdev->ifindex = 0;
+ return 0;
+}
+
static int instanciate_empty(struct lxc_handler *handler, struct lxc_netdev *netdev)
{
netdev->ifindex = 0;
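Review bot: instanciate_none is byte-for-byte the same as instanciate_empty directly below it, so a reader has no way to tell from conf.c that the two types differ in whether a network namespace is created at all. Either reuse the existing callback in the table (`[LXC_NET_NONE] = instanciate_empty`) or keep the separate function and say why it exists, e.g. above it: `/* 'none': no network namespace is created, the container stays in the host's; see lxc_requests_empty_network(). Nothing to instantiate. */`. The same applies to shutdown_none in the next hunk, which is an empty no-op.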
@@ -2937,6 +2947,35 @@ static int shutdown_empty(struct lxc_handler *handler, struct lxc_netdev *netdev
return 0;
}
+static int shutdown_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
+{
+ return 0;
+}
+
+int lxc_requests_empty_network(struct lxc_handler *handler)
+{
+ struct lxc_list *network = &handler->conf->network;
+ struct lxc_list *iterator;
+ struct lxc_netdev *netdev;
+ bool found_none = false, found_nic = false;
+
+ if (lxc_list_empty(network))
+ return 0;
+
+ lxc_list_for_each(iterator, network) {
+
+ netdev = iterator->elem;
+
+ if (netdev->type == LXC_NET_NONE)
+ found_none = true;
+ else
+ found_nic = true;
+ }
+ if (found_none && !found_nic)
+ return 1;
+ return 0;
+}
+
int lxc_create_network(struct lxc_handler *handler)
{
struct lxc_list *network = &handler->conf->network;
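Review bot: lxc_requests_empty_network returns 1 when the only configured type is `none`, i.e. when the caller should NOT create a network namespace, which is the opposite of what "empty network" (LXC_NET_EMPTY, a fresh namespace with only loopback) means elsewhere in this file; either rename it (`lxc_requests_host_network`) or add a header comment stating that a non-zero return means "share the host's network namespace". The mixed case the description mentions (`none` together with another type) is dropped silently at `if (found_none && !found_nic)`; since the user explicitly asked for a security-relevant setting, log it, e.g. `if (found_none && found_nic) WARN("lxc.network.type = none ignored: other network types are configured");` (assuming the WARN macro exists alongside the ERROR macro confile.c uses). The early `if (lxc_list_empty(network)) return 0;` is redundant, as an empty list leaves found_none false and the function returns 0 anyway.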
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index f272c91..f1e0903 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -45,6 +45,7 @@ enum {
LXC_NET_MACVLAN,
LXC_NET_PHYS,
LXC_NET_VLAN,
+ LXC_NET_NONE,
LXC_NET_MAXCONFTYPE,
};
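Review bot: LXC_NET_NONE is the one value in this enum whose selection leaves the container in the host's network namespace (that is what lxc_requests_empty_network in conf.c keys on), yet nothing at the definition says so; add `LXC_NET_NONE, /* no network namespace is created: container shares the host's */`. Placing it before LXC_NET_MAXCONFTYPE keeps the netdev_conf/netdev_deconf tables (sized LXC_NET_MAXCONFTYPE + 1) in bounds and both get an entry in this patch; any other table indexed by this enum elsewhere in the tree would need a matching entry, which cannot be checked from this patch alone.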
@@ -337,6 +338,7 @@ extern void lxc_conf_free(struct lxc_conf *conf);
extern int pin_rootfs(const char *rootfs);
+extern int lxc_requests_empty_network(struct lxc_handler *handler);
extern int lxc_create_network(struct lxc_handler *handler);
extern void lxc_delete_network(struct lxc_handler *handler);
extern int lxc_assign_network(struct lxc_list *networks, pid_t pid);
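Review bot: The new prototype gives no hint of its return contract, and its name invites misreading (see the conf.c definition): a non-zero result means "do not create a network namespace", not "create an empty one". Add a comment above the declaration: `/* Returns 1 if every configured lxc.network.type is 'none', meaning the container keeps the host's network namespace; 0 otherwise. */`.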
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 732a81a..19ea72a 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -334,6 +334,8 @@ static int config_network_type(const char *key, const char *value,
netdev->type = LXC_NET_PHYS;
else if (!strcmp(value, "empty"))
netdev->type = LXC_NET_EMPTY;
+ else if (!strcmp(value, "none"))
+ netdev->type = LXC_NET_NONE;
else {
ERROR("invalid network type %s", value);
return -1;
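Review bot: Accepting `none` here is what turns on host-network sharing, the very behaviour the description calls a dangerous default, and nothing records that fact at the parse site; a one-line comment on the new branch, `/* 'none': keep the host's network namespace (no CLONE_NEWNET) */`, would keep the meaning visible next to the other types. The diffstat shows no documentation change, so the new value and its security implication are not described anywhere users will look; a lxc.conf documentation update should accompany the patch. The rest of config_network_type lies outside the hunk.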
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 0727c2c..251bd26 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -734,10 +734,11 @@ int lxc_spawn(struct lxc_handler *handler)
}
if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
- if (!lxc_list_empty(&handler->conf->network)) {
-
+ if (!lxc_requests_empty_network(handler))
handler->clone_flags |= CLONE_NEWNET;
+ if (!lxc_list_empty(&handler->conf->network)) {
+
/* Find gateway addresses from the link device, which is
* no longer accessible inside the container. Do this
* before creating network interfaces, since goto
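Review bot: The one case where CLONE_NEWNET is now left out, an explicit `lxc.network.type = none`, is exactly the dangerous host-sharing configuration the description names, yet it passes silently; log it where the decision is made, e.g. `if (lxc_requests_empty_network(handler)) WARN("container will share the host's network namespace (lxc.network.type = none)"); else handler->clone_flags |= CLONE_NEWNET;` (assuming WARN exists next to the ERROR macro used in confile.c). Note also that with a `none`-only configuration the list is non-empty, so the following block still runs gateway lookup and network creation inside the host's namespace; instanciate_none is a no-op so this looks harmless, but the comment about the link device being "no longer accessible inside the container" no longer holds for that case. lxc_spawn starts and ends outside the hunk.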
--
1.8.5.1