[lxc-devel] [PATCH 1/6] Move lxcbr0 setup logic into lxc.net script

Mon Aug 11 14:49:24 UTC 2014

On Thu, 31 Jul 2014 08:53:51 +0200
Martin Pitt <martin.pitt at ubuntu.com> wrote:

> Factor this out of the lxc-net.conf upstart job, so that it can be
> used by init.d scripts and systemd units, too.
> 
> Part of https://launchpad.net/bugs/1312532
> ---
>  config/init/upstart/lxc-net.conf | 88
> +---------------------------------- src/lxc/Makefile.am
> |  1 + src/lxc/lxc.net                  | 99
> ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 102
> insertions(+), 86 deletions(-) create mode 100755 src/lxc/lxc.net
> 
> diff --git a/config/init/upstart/lxc-net.conf
> b/config/init/upstart/lxc-net.conf index 279cd1e..38f6ea3 100644
> --- a/config/init/upstart/lxc-net.conf
> +++ b/config/init/upstart/lxc-net.conf
> @@ -4,89 +4,5 @@ author "Serge Hallyn <serge.hallyn at canonical.com>"
>  start on starting lxc
>  stop on stopped lxc
>  
> -env USE_LXC_BRIDGE="true"
> -env LXC_BRIDGE="lxcbr0"
> -env LXC_ADDR="10.0.3.1"
> -env LXC_NETMASK="255.255.255.0"
> -env LXC_NETWORK="10.0.3.0/24"
> -env LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
> -env LXC_DHCP_MAX="253"
> -env LXC_DHCP_CONFILE=""
> -env varrun="/run/lxc"
> -env LXC_DOMAIN=""
> -
> -pre-start script
> -	[ -f /etc/default/lxc ] && . /etc/default/lxc
> -
> -	[ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }
> -
> -	use_iptables_lock="-w"
> -	iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> -	cleanup() {
> -		# dnsmasq failed to start, clean up the bridge
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> -		iptables $use_iptables_lock -D FORWARD -i
> ${LXC_BRIDGE} -j ACCEPT
> -		iptables $use_iptables_lock -D FORWARD -o
> ${LXC_BRIDGE} -j ACCEPT
> -		iptables $use_iptables_lock -t nat -D POSTROUTING -s
> ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> -		iptables $use_iptables_lock -t mangle -D POSTROUTING
> -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -		ifconfig ${LXC_BRIDGE} down || true
> -		brctl delbr ${LXC_BRIDGE} || true
> -	}
> -
> -	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> -		if [ ! -f ${varrun}/network_up ]; then
> -			# bridge exists, but we didn't start it
> -			stop;
> -		fi
> -		exit 0;
> -	fi
> -
> -	# set up the lxc network
> -	brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support
> in kernel"; stop; exit 0; }
> -	echo 1 > /proc/sys/net/ipv4/ip_forward
> -	mkdir -p ${varrun}
> -	ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
> -	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp
> --dport 67 -j ACCEPT
> -	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp
> --dport 67 -j ACCEPT
> -	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp
> --dport 53 -j ACCEPT
> -	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp
> --dport 53 -j ACCEPT
> -	iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j
> ACCEPT
> -	iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j
> ACCEPT
> -	iptables $use_iptables_lock -t nat -A POSTROUTING -s
> ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
> -	iptables $use_iptables_lock -t mangle -A POSTROUTING -o
> ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -
> -	LXC_DOMAIN_ARG=""
> -	if [ -n "$LXC_DOMAIN" ]; then
> -		LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
> -	fi
> -	dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order
> --bind-interfaces --pid-file=${varrun}/dnsmasq.pid
> --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR}
> --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX}
> --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE}
> --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases
> --dhcp-authoritative || cleanup
> -	touch ${varrun}/network_up
> -end script
> -
> -post-stop script
> -	[ -f /etc/default/lxc ] && . /etc/default/lxc
> -	[ -f "${varrun}/network_up" ] || exit 0;
> -	# if $LXC_BRIDGE has attached interfaces, don't shut it down
> -	ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 &&
> exit 0; -
> -	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> -		use_iptables_lock="-w"
> -		iptables -w -L -n > /dev/null 2>&1 ||
> use_iptables_lock=""
> -		ifconfig ${LXC_BRIDGE} down
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> -		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> -		iptables $use_iptables_lock -D FORWARD -i
> ${LXC_BRIDGE} -j ACCEPT
> -		iptables $use_iptables_lock -D FORWARD -o
> ${LXC_BRIDGE} -j ACCEPT
> -		iptables $use_iptables_lock -t nat -D POSTROUTING -s
> ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> -		iptables $use_iptables_lock -t mangle -D POSTROUTING
> -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -		pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill
> -9 $pid || true
> -		rm -f ${varrun}/dnsmasq.pid
> -		brctl delbr ${LXC_BRIDGE}
> -	fi
> -	rm -f ${varrun}/network_up
> -end script
> +pre-start exec /usr/share/lxc/lxc.net start
> +post-stop exec /usr/share/lxc/lxc.net stop
> diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
> index cdc6833..ee74e3c 100644
> --- a/src/lxc/Makefile.am
> +++ b/src/lxc/Makefile.am
> @@ -255,6 +255,7 @@ endif
>  install-exec-local: install-soPROGRAMS
>  	mkdir -p $(DESTDIR)$(datadir)/lxc
>  	install -c -m 644 lxc.functions $(DESTDIR)$(datadir)/lxc
> +	install -c -m 755 lxc.net $(DESTDIR)$(datadir)/lxc
>  	mv $(DESTDIR)$(libdir)/liblxc.so
> $(DESTDIR)$(libdir)/liblxc.so.$(VERSION) cd $(DESTDIR)$(libdir); \
>  	ln -sf liblxc.so.$(VERSION) liblxc.so.$(firstword
> $(subst ., ,$(VERSION))); \ diff --git a/src/lxc/lxc.net
> b/src/lxc/lxc.net new file mode 100755
> index 0000000..5ea4f1d
> --- /dev/null
> +++ b/src/lxc/lxc.net
> @@ -0,0 +1,99 @@
> +#!/bin/sh
> +set -eu
> +
> +USE_LXC_BRIDGE="true"
> +LXC_BRIDGE="lxcbr0"
> +LXC_ADDR="10.0.3.1"
> +LXC_NETMASK="255.255.255.0"
> +LXC_NETWORK="10.0.3.0/24"
> +LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
> +LXC_DHCP_MAX="253"
> +LXC_DHCP_CONFILE=""
> +varrun="/run/lxc"
> +LXC_DOMAIN=""
> +
> +start() {
> +	[ -f /etc/default/lxc ] && . /etc/default/lxc
> +
> +	[ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }
> +
> +	use_iptables_lock="-w"
> +	iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> +	cleanup() {
> +		# dnsmasq failed to start, clean up the bridge
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> +		iptables $use_iptables_lock -D FORWARD -i
> ${LXC_BRIDGE} -j ACCEPT
> +		iptables $use_iptables_lock -D FORWARD -o
> ${LXC_BRIDGE} -j ACCEPT
> +		iptables $use_iptables_lock -t nat -D POSTROUTING -s
> ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> +		iptables $use_iptables_lock -t mangle -D POSTROUTING
> -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> +		ifconfig ${LXC_BRIDGE} down || true
> +		brctl delbr ${LXC_BRIDGE} || true
> +	}
> +
> +	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> +		if [ ! -f ${varrun}/network_up ]; then
> +			# bridge exists, but we didn't start it
> +			stop;
> +		fi
> +		exit 0;
> +	fi
> +
> +	# set up the lxc network
> +	brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support
> in kernel"; stop; exit 0; }
> +	echo 1 > /proc/sys/net/ipv4/ip_forward
> +	mkdir -p ${varrun}
> +	ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
> +	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp
> --dport 67 -j ACCEPT
> +	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp
> --dport 67 -j ACCEPT
> +	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp
> --dport 53 -j ACCEPT
> +	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp
> --dport 53 -j ACCEPT
> +	iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j
> ACCEPT
> +	iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j
> ACCEPT
> +	iptables $use_iptables_lock -t nat -A POSTROUTING -s
> ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
> +	iptables $use_iptables_lock -t mangle -A POSTROUTING -o
> ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +
> +	LXC_DOMAIN_ARG=""
> +	if [ -n "$LXC_DOMAIN" ]; then
> +		LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
> +	fi
> +	dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order
> --bind-interfaces --pid-file=${varrun}/dnsmasq.pid
> --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR}
> --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX}
> --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE}
> --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases
> --dhcp-authoritative || cleanup
> +	touch ${varrun}/network_up
> +}
> +
> +stop() {
> +	[ -f /etc/default/lxc ] && . /etc/default/lxc
> +	[ -f "${varrun}/network_up" ] || exit 0;

Even though network_up probably won't ever exist, it might be a good
idea to check for USE_LXC_BRIDGE here too, or better yet in general
before doing anything.

> +	# if $LXC_BRIDGE has attached interfaces, don't shut it down
> +	ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 &&
> exit 0; +
> +	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> +		use_iptables_lock="-w"
> +		iptables -w -L -n > /dev/null 2>&1 ||
> use_iptables_lock=""
> +		ifconfig ${LXC_BRIDGE} down
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> +		iptables $use_iptables_lock -D INPUT -i
> ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> +		iptables $use_iptables_lock -D FORWARD -i
> ${LXC_BRIDGE} -j ACCEPT
> +		iptables $use_iptables_lock -D FORWARD -o
> ${LXC_BRIDGE} -j ACCEPT
> +		iptables $use_iptables_lock -t nat -D POSTROUTING -s
> ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> +		iptables $use_iptables_lock -t mangle -D POSTROUTING
> -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> +		pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill
> -9 $pid || true
> +		rm -f ${varrun}/dnsmasq.pid
> +		brctl delbr ${LXC_BRIDGE}
> +	fi
> +	rm -f ${varrun}/network_up
> +}
> +
> +if [ "$1" = start ]; then
> +	start
> +elif [ "$1" = stop ]; then
> +	stop
> +else
> +	echo "Usage: $0 start|stop" >&2
> +	exit 1
> +fi
> +