[lxc-devel] [PATCH 1/1] Fix unprivileged networking
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Feb 18 22:19:58 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Tue, Feb 18, 2014 at 03:12:52PM -0600, Serge Hallyn wrote:
> > If we are unprivileged and have asked for a veth device, then create
> > a pipe over which to pass the veth names.
> >
> > Network-related todos:
> > 1. set mtu on the container side of veth device
>
> > 2. set mtu in lxc-user-nic. Note that this probably requires an
> > update to the /etc/lxc/lxc-usernet file :(
>
> Hmm, that's an interesting problem and even without that change, we
> actually have a bug at the moment which may or may not qualify as a
> security issue.
>
> The bridge will set its own MTU to the lowest of all devices inside it
> (or so it looks like anyway), so say that a bridge has an MTU of 9000
> (jumbo) and a user can join a container to it, that'll decrease the MTU
> to 1500 possibly breaking the other containers in the bridge.
>
> To fix that it looks like we indeed want an extra column in lxc-usernet
> which would specify the min and max MTU, a value of 0 (same as no value)
> would tell lxc-user-nic to copy that of the bridge, an value of
> 1500:4000 would mean that the mtu may not be set below 1500 or above
> 4000.
>
> Unfortunately as this would result in a rather user visible change as
> well as documentation changes, if we are going to do this, we really
> should do it before 1.0.
>
>
> Alternatively we could state that unprivileged containers may not use a
> custom MTU and that they will always default to the bridge's MTU value
> for both sides of the veth device.
>
> In which case we still need to change both lxc and lxc-user-nic to get
> the current MTU from the bridge and set it on both side of the veth
> device.
Does lxc need to do it? We should just be able to have lxc-user-nic
copy the bridge's value right?
More information about the lxc-devel
mailing list