[lxc-devel] [PATCH] systemd/selinux init scripts fixups
Michael H. Warfield
mhw at WittsEnd.com
Thu Oct 2 21:44:07 UTC 2014
On Thu, 2014-10-02 at 16:56 -0400, Dwight Engen wrote:
> - RHEL/OL 7 doesn't have the ifconfig command by default so have the
> lxc-net script check for its existence before use, and fall back
> to using the ip command if ifconfig is not available
>
> - When lxc-net is run from systemd on a system with selinux enabled,
> the mkdir -p ${varrun} will create /run/lxc as init_var_run_t which
> dnsmasq can't write its pid into, so we restorecon it
> after creation (to var_run_t)
>
> - The lxc-net systemd .service file needs an [Install] section so that
> "systemctl enable lxc-net" will work
+1
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Michael H. Warfield <mhw at WittsEnd.com>
> ---
> config/init/common/lxc-net.in | 55 +++++++++++++++++++++++++++++++---
> config/init/systemd/lxc-net.service.in | 3 ++
> 2 files changed, 54 insertions(+), 4 deletions(-)
>
> diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
> index c921ab7..5567fee 100644
> --- a/config/init/common/lxc-net.in
> +++ b/config/init/common/lxc-net.in
> @@ -25,6 +25,42 @@ else
> lockdir="$localstatedir"/lock
> fi
>
> +_netmask2cidr ()
> +{
> + # Assumes there's no "255." after a non-255 byte in the mask
> + local x=${1##*255.}
> + set -- 0^^^128^192^224^240^248^252^254^ $(( (${#1} - ${#x})*2 )) ${x%%.*}
> + x=${1%%$3*}
> + echo $(( $2 + (${#x}/4) ))
> +}
> +
> +ifdown() {
> + which ifconfig >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + ifconfig $1 down
> + return
> + fi
> + which ip >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + ip link set dev $1 down
> + fi
> +}
> +
> +ifup() {
> + which ifconfig >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + ifconfig $1 $2 netmask $3 up
> + return
> + fi
> + which ip >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + MASK=`_netmask2cidr ${LXC_NETMASK}`
> + CIDR_ADDR="${LXC_ADDR}/${MASK}"
> + ip addr add ${CIDR_ADDR} dev $1
> + ip link set dev $1 up
> + fi
> +}
> +
> start() {
> [ ! -f "${lockdir}"/lxc-net ] || { exit 0; }
>
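Review bot: The tool probes in ifdown and ifup depend on an external `which` binary, which is the kind of utility a minimal RHEL/OL 7 image can also lack, so both branches may be skipped silently and the bridge left without an address; the POSIX `command -v` builtin avoids that, e.g. `if command -v ifconfig >/dev/null 2>&1; then`. When neither ifconfig nor ip is found, ifup returns 0 without configuring anything and start() goes on to install the iptables rules for an unconfigured bridge, so a final `else` branch that reports `neither ifconfig nor ip found` on stderr and returns non-zero would make that failure visible. MASK and CIDR_ADDR in ifup are not declared `local` although _netmask2cidr already uses `local`, and the `$1`/`$2`/`$3` expansions in all three helpers are unquoted. _netmask2cidr presumably only works for a dotted-quad LXC_NETMASK (a CIDR-style value would yield a wrong prefix), which is worth stating in its header comment since the value comes from the lxc-net configuration rather than from this script.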
> @@ -42,7 +78,7 @@ start() {
> iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> - ifconfig ${LXC_BRIDGE} down || true
> + ifdown ${LXC_BRIDGE}
> brctl delbr ${LXC_BRIDGE} || true
> }
>
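Review bot: Replacing `ifconfig ${LXC_BRIDGE} down || true` with a bare `ifdown ${LXC_BRIDGE}` drops the `|| true` that every neighbouring cleanup line keeps, so a failing ifconfig now propagates its status out of the cleanup sequence, and if the script runs under `set -e` that would skip the following `brctl delbr`. `ifdown ${LXC_BRIDGE} || true` preserves the previous best-effort behaviour. The enclosing function starts outside the hunk.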
> @@ -53,8 +89,19 @@ start() {
> # set up the lxc network
> brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
> echo 1 > /proc/sys/net/ipv4/ip_forward
> - mkdir -p "${varrun}"
> - ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
> +
> + # if we are run from systemd on a system with selinux enabled,
> + # the mkdir will create /run/lxc as init_var_run_t which dnsmasq
> + # can't write its pid into, so we restorecon it (to var_run_t)
> + if [ ! -d "${varrun}" ]; then
> + mkdir -p "${varrun}"
> + which restorecon >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + restorecon "${varrun}"
> + fi
> + fi
> +
> + ifup ${LXC_BRIDGE} ${LXC_ADDR} ${LXC_NETMASK}
> iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
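Review bot: restorecon only runs when `${varrun}` is created in this invocation, so a directory that already exists with the init_var_run_t label (for instance one created by a run of the pre-patch script before a service restart, if /run was not cleared in between) keeps the wrong label and dnsmasq still cannot write its pid file. Since restorecon is idempotent, running it whenever it is available rather than only inside the `! -d` branch is more robust: `mkdir -p "${varrun}"` followed by `if command -v restorecon >/dev/null 2>&1; then restorecon "${varrun}"; fi`. As with the ifdown/ifup helpers in the first hunk, `command -v` is preferable to the external `which`. The rest of start() lies outside the hunk.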
> @@ -83,7 +130,7 @@ stop() {
> if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> use_iptables_lock="-w"
> iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> - ifconfig ${LXC_BRIDGE} down
> + ifdown ${LXC_BRIDGE}
> iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> diff --git a/config/init/systemd/lxc-net.service.in b/config/init/systemd/lxc-net.service.in
> index c054702..0467c0f 100644
> --- a/config/init/systemd/lxc-net.service.in
> +++ b/config/init/systemd/lxc-net.service.in
> @@ -8,3 +8,6 @@ Type=oneshot
> RemainAfterExit=yes
> ExecStart=@LIBEXECDIR@/lxc/lxc-net start
> ExecStop=@LIBEXECDIR@/lxc/lxc-net stop
> +
> +[Install]
> +WantedBy=multi-user.target
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!