[lxc-devel] [PATCH 1/1] make 'empty network' the default

Stéphane Graber stgraber at ubuntu.com
Fri Dec 13 19:15:53 UTC 2013


On Fri, Dec 13, 2013 at 12:46:28PM -0600, Serge Hallyn wrote:
> Currently if no lxc.network.type section is in the container
> configuration, the container ends up sharing the host's network.
> This is a dangerous default.
> 
> Instead, add 'lxc.network.type = none' as a valid type, and make
> an empty network the default.
> 
> If none as well as another network type are specified, then the
> none type will be ignored.
> 

Sounds good.

I'll have to be careful when landing the new LXC next week to have a
matching upload of lxc-android-config for Ubuntu Touch, otherwise the
Android container will lose access to the host's network (which would
be quite bad in that specific case...)

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
>  src/lxc/conf.c    | 39 +++++++++++++++++++++++++++++++++++++++
>  src/lxc/conf.h    |  2 ++
>  src/lxc/confile.c |  2 ++
>  src/lxc/start.c   |  5 +++--
>  4 files changed, 46 insertions(+), 2 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 8206146..c8f0f7d 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -171,6 +171,7 @@ static int instanciate_macvlan(struct lxc_handler *, struct lxc_netdev *);
>  static int instanciate_vlan(struct lxc_handler *, struct lxc_netdev *);
>  static int instanciate_phys(struct lxc_handler *, struct lxc_netdev *);
>  static int instanciate_empty(struct lxc_handler *, struct lxc_netdev *);
> +static int instanciate_none(struct lxc_handler *, struct lxc_netdev *);
>  
>  static  instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
>  	[LXC_NET_VETH]    = instanciate_veth,
> @@ -178,6 +179,7 @@ static  instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
>  	[LXC_NET_VLAN]    = instanciate_vlan,
>  	[LXC_NET_PHYS]    = instanciate_phys,
>  	[LXC_NET_EMPTY]   = instanciate_empty,
> +	[LXC_NET_NONE]    = instanciate_none,
>  };
>  
>  static int shutdown_veth(struct lxc_handler *, struct lxc_netdev *);
> @@ -185,6 +187,7 @@ static int shutdown_macvlan(struct lxc_handler *, struct lxc_netdev *);
>  static int shutdown_vlan(struct lxc_handler *, struct lxc_netdev *);
>  static int shutdown_phys(struct lxc_handler *, struct lxc_netdev *);
>  static int shutdown_empty(struct lxc_handler *, struct lxc_netdev *);
> +static int shutdown_none(struct lxc_handler *, struct lxc_netdev *);
>  
>  static  instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
>  	[LXC_NET_VETH]    = shutdown_veth,
> @@ -192,6 +195,7 @@ static  instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
>  	[LXC_NET_VLAN]    = shutdown_vlan,
>  	[LXC_NET_PHYS]    = shutdown_phys,
>  	[LXC_NET_EMPTY]   = shutdown_empty,
> +	[LXC_NET_NONE]    = shutdown_none,
>  };
>  
>  static struct mount_opt mount_opt[] = {
> @@ -2911,6 +2915,12 @@ static int shutdown_phys(struct lxc_handler *handler, struct lxc_netdev *netdev)
>  	return 0;
>  }
>  
> +static int instanciate_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
> +{
> +	netdev->ifindex = 0;
> +	return 0;
> +}
> +
>  static int instanciate_empty(struct lxc_handler *handler, struct lxc_netdev *netdev)
>  {
>  	netdev->ifindex = 0;
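Review bot: instanciate_none is a byte-for-byte copy of instanciate_empty (both set `netdev->ifindex = 0` and return 0), and shutdown_none below it is likewise a no-op; the netdev_conf/netdev_deconf tables could simply map LXC_NET_NONE to the existing empty handlers, or the new function should carry a comment saying why a distinct entry exists. If the intent is to let the two types diverge later, say so: `/* 'none' shares the host netns: nothing to create here, kept separate from 'empty' so the two can diverge */`. Note that `handler` is unused in both new functions, as it already is in instanciate_empty.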
> @@ -2937,6 +2947,35 @@ static int shutdown_empty(struct lxc_handler *handler, struct lxc_netdev *netdev
>  	return 0;
>  }
>  
> +static int shutdown_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
> +{
> +	return 0;
> +}
> +
> +int lxc_requests_empty_network(struct lxc_handler *handler)
> +{
> +	struct lxc_list *network = &handler->conf->network;
> +	struct lxc_list *iterator;
> +	struct lxc_netdev *netdev;
> +	bool found_none = false, found_nic = false;
> +
> +	if (lxc_list_empty(network))
> +		return 0;
> +
> +	lxc_list_for_each(iterator, network) {
> +
> +		netdev = iterator->elem;
> +
> +		if (netdev->type == LXC_NET_NONE)
> +			found_none = true;
> +		else
> +			found_nic = true;
> +	}
> +	if (found_none && !found_nic)
> +		return 1;
> +	return 0;
> +}
> +
>  int lxc_create_network(struct lxc_handler *handler)
>  {
>  	struct lxc_list *network = &handler->conf->network;
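Review bot: lxc_requests_empty_network silently drops a `lxc.network.type = none` entry whenever any other network type is also configured (found_none && found_nic falls through to `return 0`), which is the secure direction but leaves the operator with a contradictory config and no diagnostic; a `WARN("lxc.network.type = none ignored: other network types are configured");` before the final return would surface it. The `lxc_list_empty` early return is what makes the new default a private network namespace, so it deserves a comment since the security property of this commit hinges on it: `/* No lxc.network section at all: caller creates a fresh empty netns (the safe default). */`. The function-level comment should also state that a return of 1 means the caller must NOT set CLONE_NEWNET, i.e. the container will run in the host's network namespace.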
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index f272c91..f1e0903 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -45,6 +45,7 @@ enum {
>  	LXC_NET_MACVLAN,
>  	LXC_NET_PHYS,
>  	LXC_NET_VLAN,
> +	LXC_NET_NONE,
>  	LXC_NET_MAXCONFTYPE,
>  };
>  
> @@ -337,6 +338,7 @@ extern void lxc_conf_free(struct lxc_conf *conf);
>  
>  extern int pin_rootfs(const char *rootfs);
>  
> +extern int lxc_requests_empty_network(struct lxc_handler *handler);
>  extern int lxc_create_network(struct lxc_handler *handler);
>  extern void lxc_delete_network(struct lxc_handler *handler);
>  extern int lxc_assign_network(struct lxc_list *networks, pid_t pid);
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index 732a81a..19ea72a 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -334,6 +334,8 @@ static int config_network_type(const char *key, const char *value,
>  		netdev->type = LXC_NET_PHYS;
>  	else if (!strcmp(value, "empty"))
>  		netdev->type = LXC_NET_EMPTY;
> +	else if (!strcmp(value, "none"))
> +		netdev->type = LXC_NET_NONE;
>  	else {
>  		ERROR("invalid network type %s", value);
>  		return -1;
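Review bot: The new `none` value is accepted here with no comment on what it means, and the diffstat (src/lxc/conf.c, conf.h, confile.c, start.c only) shows no matching update to the lxc.conf man page, so the only documentation of a value that hands the container the host's network namespace is this strcmp. Add a one-liner at the parse site, e.g. `/* "none": no new network namespace; the container shares the host's (the old implicit default) */`, and document in lxc.conf(5) that `none` is privileged-equivalent since root in the container can reconfigure host interfaces, routes and firewall rules. config_network_type starts before this hunk.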
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 0727c2c..251bd26 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -734,10 +734,11 @@ int lxc_spawn(struct lxc_handler *handler)
>  	}
>  
>  	if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
> -		if (!lxc_list_empty(&handler->conf->network)) {
> -
> +		if (!lxc_requests_empty_network(handler))
>  			handler->clone_flags |= CLONE_NEWNET;
>  
> +		if (!lxc_list_empty(&handler->conf->network)) {
> +
>  			/* Find gateway addresses from the link device, which is
>  			 * no longer accessible inside the container. Do this
>  			 * before creating network interfaces, since goto
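Review bot: The reordered check means a `none`-only configuration skips CLONE_NEWNET but still enters the `!lxc_list_empty(...)` block, so the gateway-address lookup (and presumably the interface creation that follows; lxc_spawn's body continues past this hunk) now runs against the host's namespace rather than a fresh one — harmless only because instanciate_none is a no-op, and that coupling should be stated. Add a comment at the CLONE_NEWNET line, `/* 'none' keeps the host netns: root in the container can then alter host interfaces and firewall rules */`, and consider a `WARN` when lxc_requests_empty_network returns 1 so the choice shows up in the log. The outer `inherit_ns_fd[LXC_NS_NET] == -1` condition is unchanged and also governs this path.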
> -- 
> 1.8.5.1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com