[lxc-devel] [PATCH 1/6] Move lxcbr0 setup logic into lxc.net script
Martin Pitt
martin.pitt at ubuntu.com
Thu Jul 31 06:53:51 UTC 2014
Factor this out of the lxc-net.conf upstart job, so that it can be used by
init.d scripts and systemd units, too.
Part of https://launchpad.net/bugs/1312532
---
config/init/upstart/lxc-net.conf | 88 +----------------------------------
src/lxc/Makefile.am | 1 +
src/lxc/lxc.net | 99 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 102 insertions(+), 86 deletions(-)
create mode 100755 src/lxc/lxc.net
diff --git a/config/init/upstart/lxc-net.conf b/config/init/upstart/lxc-net.conf
index 279cd1e..38f6ea3 100644
--- a/config/init/upstart/lxc-net.conf
+++ b/config/init/upstart/lxc-net.conf
@@ -4,89 +4,5 @@ author "Serge Hallyn <serge.hallyn at canonical.com>"
start on starting lxc
stop on stopped lxc
-env USE_LXC_BRIDGE="true"
-env LXC_BRIDGE="lxcbr0"
-env LXC_ADDR="10.0.3.1"
-env LXC_NETMASK="255.255.255.0"
-env LXC_NETWORK="10.0.3.0/24"
-env LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
-env LXC_DHCP_MAX="253"
-env LXC_DHCP_CONFILE=""
-env varrun="/run/lxc"
-env LXC_DOMAIN=""
-
-pre-start script
- [ -f /etc/default/lxc ] && . /etc/default/lxc
-
- [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }
-
- use_iptables_lock="-w"
- iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
- cleanup() {
- # dnsmasq failed to start, clean up the bridge
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
- iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
- iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
- iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
- iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
- ifconfig ${LXC_BRIDGE} down || true
- brctl delbr ${LXC_BRIDGE} || true
- }
-
- if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
- if [ ! -f ${varrun}/network_up ]; then
- # bridge exists, but we didn't start it
- stop;
- fi
- exit 0;
- fi
-
- # set up the lxc network
- brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
- echo 1 > /proc/sys/net/ipv4/ip_forward
- mkdir -p ${varrun}
- ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
- iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
- iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
- iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
- iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
- iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
- iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
- iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
- iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-
- LXC_DOMAIN_ARG=""
- if [ -n "$LXC_DOMAIN" ]; then
- LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
- fi
- dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
- touch ${varrun}/network_up
-end script
-
-post-stop script
- [ -f /etc/default/lxc ] && . /etc/default/lxc
- [ -f "${varrun}/network_up" ] || exit 0;
- # if $LXC_BRIDGE has attached interfaces, don't shut it down
- ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;
-
- if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
- use_iptables_lock="-w"
- iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
- ifconfig ${LXC_BRIDGE} down
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
- iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
- iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
- iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
- iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
- iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
- pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
- rm -f ${varrun}/dnsmasq.pid
- brctl delbr ${LXC_BRIDGE}
- fi
- rm -f ${varrun}/network_up
-end script
+pre-start exec /usr/share/lxc/lxc.net start
+post-stop exec /usr/share/lxc/lxc.net stop
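Review bot: `pre-start exec /usr/share/lxc/lxc.net start` changes what happens when the bridge is disabled or already exists: in the removed pre-start script `stop` was upstart's own command and stopped the lxc-net job, but in the new lxc.net (the third hunk, e.g. `[ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }` and the `stop;` in the pre-existing-bridge branch) `stop` now resolves to the script's own `stop()` shell function, which only tears the bridge down when `${varrun}/network_up` exists and otherwise exits 0. The job therefore ends up in the started state with no bridge and no dnsmasq, and the later post-stop simply runs lxc.net stop, so the status is misleading. One way to keep the old behaviour is to let the script exit with a distinct non-zero status for "nothing to do" and have the job react to it, or keep a minimal pre-start script that calls the helper and then runs upstart's `stop`. Separately, the path is hard-coded as /usr/share/lxc while Makefile.am installs into $(datadir)/lxc; the two only agree when datadir is /usr/share.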
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index cdc6833..ee74e3c 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -255,6 +255,7 @@ endif
install-exec-local: install-soPROGRAMS
mkdir -p $(DESTDIR)$(datadir)/lxc
install -c -m 644 lxc.functions $(DESTDIR)$(datadir)/lxc
+ install -c -m 755 lxc.net $(DESTDIR)$(datadir)/lxc
mv $(DESTDIR)$(libdir)/liblxc.so $(DESTDIR)$(libdir)/liblxc.so.$(VERSION)
cd $(DESTDIR)$(libdir); \
ln -sf liblxc.so.$(VERSION) liblxc.so.$(firstword $(subst ., ,$(VERSION))); \
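Review bot: `install -c -m 755 lxc.net $(DESTDIR)$(datadir)/lxc` installs the new script from the build directory, but lxc.net is added as a plain checked-in file (mode 100755, not a generated .in template), so in a VPATH build it lives in $(srcdir) and this install step fails; use `install -c -m 755 $(srcdir)/lxc.net $(DESTDIR)$(datadir)/lxc`. lxc.functions is installed the same way, presumably because it is generated into the build directory, which I cannot confirm from this hunk. The hunk also does not show lxc.net being added to EXTRA_DIST, so unless that is done elsewhere in Makefile.am the script will be absent from `make dist` tarballs.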
diff --git a/src/lxc/lxc.net b/src/lxc/lxc.net
new file mode 100755
index 0000000..5ea4f1d
--- /dev/null
+++ b/src/lxc/lxc.net
@@ -0,0 +1,99 @@
+#!/bin/sh
+set -eu
+
+USE_LXC_BRIDGE="true"
+LXC_BRIDGE="lxcbr0"
+LXC_ADDR="10.0.3.1"
+LXC_NETMASK="255.255.255.0"
+LXC_NETWORK="10.0.3.0/24"
+LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
+LXC_DHCP_MAX="253"
+LXC_DHCP_CONFILE=""
+varrun="/run/lxc"
+LXC_DOMAIN=""
+
+start() {
+ [ -f /etc/default/lxc ] && . /etc/default/lxc
+
+ [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }
+
+ use_iptables_lock="-w"
+ iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
+ cleanup() {
+ # dnsmasq failed to start, clean up the bridge
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
+ iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
+ iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
+ iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
+ iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+ ifconfig ${LXC_BRIDGE} down || true
+ brctl delbr ${LXC_BRIDGE} || true
+ }
+
+ if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
+ if [ ! -f ${varrun}/network_up ]; then
+ # bridge exists, but we didn't start it
+ stop;
+ fi
+ exit 0;
+ fi
+
+ # set up the lxc network
+ brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ mkdir -p ${varrun}
+ ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
+ iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
+ iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
+ iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
+ iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
+ iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
+ iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
+ iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
+ iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+
+ LXC_DOMAIN_ARG=""
+ if [ -n "$LXC_DOMAIN" ]; then
+ LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
+ fi
+ dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
+ touch ${varrun}/network_up
+}
+
+stop() {
+ [ -f /etc/default/lxc ] && . /etc/default/lxc
+ [ -f "${varrun}/network_up" ] || exit 0;
+ # if $LXC_BRIDGE has attached interfaces, don't shut it down
+ ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;
+
+ if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
+ use_iptables_lock="-w"
+ iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
+ ifconfig ${LXC_BRIDGE} down
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
+ iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
+ iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
+ iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
+ iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
+ iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+ pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
+ rm -f ${varrun}/dnsmasq.pid
+ brctl delbr ${LXC_BRIDGE}
+ fi
+ rm -f ${varrun}/network_up
+}
+
+if [ "$1" = start ]; then
+ start
+elif [ "$1" = stop ]; then
+ stop
+else
+ echo "Usage: $0 start|stop" >&2
+ exit 1
+fi
+
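Review bot: `if [ "$1" = start ]; then` runs under the `set -eu` at the top of the script, so invoking lxc.net with no argument aborts on the unset positional parameter before the usage branch is reached; write `if [ "${1:-}" = start ]; then` and `elif [ "${1:-}" = stop ]; then` so a missing argument falls through to the usage message and `exit 1`. Everything the script does (brctl, writing ip_forward, iptables, dnsmasq) requires root and nothing checks for it, so a non-root run fails part-way through the first privileged command under `-e`; an early `[ "$(id -u)" -eq 0 ] || { echo "$0: must be run as root" >&2; exit 1; }` would give a clear error and avoid a half-applied state. A short header comment saying the script is the shared bridge/dnsmasq setup used by the upstart job, init.d scripts and systemd units, and that it reads its overrides from /etc/default/lxc, would help the next reader.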
--
2.0.1