[lxc-devel] [PATCH 1/1] Fix unprivileged networking

Serge Hallyn serge.hallyn at ubuntu.com
Wed Feb 19 05:31:35 UTC 2014


Quoting S.Çağlar Onur (caglar at 10ur.org):
> Hey Serge,
> 
> On Tue, Feb 18, 2014 at 11:55 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> >> On Tue, Feb 18, 2014 at 04:32:02PM -0600, Serge Hallyn wrote:
> >> Right, I'd be fine with us just having:
> >>  - lxc discard lxc.network.mtu for unpriv containers
> >
> > Done implicitly by unpriv users not calling lxc_create_network(),
> > which calls instantiate_veth() where mtu is set.  So unpriv veths
> > always have mtu set to 1500.
> >
> >>  - lxc-user-nic mirror the bridge mtu to both interfaces of the veth pair
> >
> > the patch below does that.
> >
> >>  - ensure that privileged lxc will always set the same mtu on both
> >>    interfaces in a veth pair
> >
> > I was wrong before, that's being done now.
> >
> > From 99b3648323a468341f35e84ed9417b344b6fb8a7 Mon Sep 17 00:00:00 2001
> > From: Serge Hallyn <serge.hallyn at ubuntu.com>
> > Date: Tue, 18 Feb 2014 22:42:34 -0600
> > Subject: [PATCH 1/1] network: set mtu of unpriv veth to the bridge's mtu
> >
> > That's to make sure that if the bridge has a higher than 1500
> > mtu, the new veth (defaulting to 1500) doesn't lower it.
> >
> > The netlink get_mtu fn is ugly.  If it causes us any problems we should
> > ditch it in favor of /sys/class/net/$name/mtu.
> 
> Then why are we not reading that file instead? I've no objection but
> just trying to learn the reason :)

I haven't yet thought of a good reason.  I started the netlink route
because the rest of the networking code is doing it.  I have this
nagging feeling that it should be more reliable.  But if there is
any subtle bug in the netlink version it'll be tough to spot, so
that's a big downside.

-serge

