[lxc-devel] [PATCH] Rework init scripts
Stéphane Graber
stgraber at ubuntu.com
Wed Sep 24 17:17:28 UTC 2014
I've confirmed that the testsuite on all arches passes fine with that
change and close inspection of the resulting package looked good too.
It'd be nice to have someone confirm that make rpm works with that
change as I don't have an easy way to try that.
There's the issue of sysconfig/lxc-net which I dropped and will need
some other RPM-specific workaround if the file really needs to exist (as
shipping a file upstream for the sole purpose of making the rpm DB happy
isn't something I'm happy with).
Once this lands, I think we'll be good for alpha-2.
On Wed, Sep 24, 2014 at 01:05:26PM -0400, Stéphane Graber wrote:
> From: "Michael H. Warfield" <mhw at WittsEnd.com>
>
> This commit is based on the work of:
> Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
>
> A generic changelog would be:
> - Bring support for lxcbr0 to all distributions
> - Share the container startup and network configuration logic across
> distributions and init systems.
> - Have all the init scripts call the helper script.
> - Support for the various different distro-specific configuration
> locations to configure lxc-net and container startup.
>
> Changes on top of Mike's original version:
> - Remove sysconfig/lxc-net as it's apparently only there as a
> workaround for an RPM limitation and is breaking Debian systems by
> including a useless file which will get registered as a package provided
> conffile in the dpkg database and will therefore cause conffile prompts
> on upgrades...
> - Go with a consistent coding style in the various init scripts.
> - Split out the common logic from the sysvinit scripts and ship both in
> their respective location rather than have them be copies.
> - Fix the upstart jobs so they actually work (there's no such thing as
> libexec on Debian systems).
>
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> config/Makefile.am | 2 +-
> config/etc/Makefile.am | 2 +-
> config/etc/default.conf.lxcbr | 4 +
> config/etc/default.conf.ubuntu | 4 -
> config/init/Makefile.am | 2 +-
> config/init/common/Makefile.am | 2 +
> config/init/common/lxc-containers.in | 136 +++++++++++++++++++++++++++++++++
> config/init/common/lxc-net.in | 123 +++++++++++++++++++++++++++++
> config/init/systemd/Makefile.am | 17 +----
> config/init/systemd/lxc-net.service.in | 4 +-
> config/init/systemd/lxc.service.in | 4 +-
> config/init/sysvinit/Makefile.am | 23 ++++--
> config/init/sysvinit/lxc-containers.in | 45 +++++++++++
> config/init/sysvinit/lxc-net.in | 45 +++++++++++
> config/init/sysvinit/lxc.in | 131 -------------------------------
> config/init/upstart/Makefile.am | 2 +-
> config/init/upstart/lxc-net.conf | 8 --
> config/init/upstart/lxc-net.conf.in | 8 ++
> config/sysconfig/Makefile.am | 6 ++
> config/sysconfig/lxc.in | 29 +++++++
> configure.ac | 23 ++++--
> lxc.spec.in | 110 +++++++++++++++++++++++++-
> src/lxc/Makefile.am | 6 +-
> src/lxc/lxc.net | 103 -------------------------
> 24 files changed, 553 insertions(+), 286 deletions(-)
> create mode 100644 config/etc/default.conf.lxcbr
> delete mode 100644 config/etc/default.conf.ubuntu
> create mode 100644 config/init/common/Makefile.am
> create mode 100644 config/init/common/lxc-containers.in
> create mode 100644 config/init/common/lxc-net.in
> create mode 100644 config/init/sysvinit/lxc-containers.in
> create mode 100644 config/init/sysvinit/lxc-net.in
> delete mode 100644 config/init/sysvinit/lxc.in
> delete mode 100644 config/init/upstart/lxc-net.conf
> create mode 100644 config/init/upstart/lxc-net.conf.in
> create mode 100644 config/sysconfig/Makefile.am
> create mode 100644 config/sysconfig/lxc.in
> delete mode 100755 src/lxc/lxc.net
>
> diff --git a/config/Makefile.am b/config/Makefile.am
> index 37fd24b..54f8859 100644
> --- a/config/Makefile.am
> +++ b/config/Makefile.am
> @@ -1 +1 @@
> -SUBDIRS = apparmor bash etc init selinux templates yum
> +SUBDIRS = apparmor bash etc init selinux templates yum sysconfig
> diff --git a/config/etc/Makefile.am b/config/etc/Makefile.am
> index a830aef..d5d0a9a 100644
> --- a/config/etc/Makefile.am
> +++ b/config/etc/Makefile.am
> @@ -1,7 +1,7 @@
> configdir = $(sysconfdir)/lxc
> config_DATA = default.conf
>
> -EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
> +EXTRA_DIST = default.conf.lxcbr default.conf.libvirt default.conf.unknown
>
> distclean-local:
> @$(RM) -f default.conf
> diff --git a/config/etc/default.conf.lxcbr b/config/etc/default.conf.lxcbr
> new file mode 100644
> index 0000000..661718b
> --- /dev/null
> +++ b/config/etc/default.conf.lxcbr
> @@ -0,0 +1,4 @@
> +lxc.network.type = veth
> +lxc.network.link = lxcbr0
> +lxc.network.flags = up
> +lxc.network.hwaddr = 00:16:3e:xx:xx:xx
> diff --git a/config/etc/default.conf.ubuntu b/config/etc/default.conf.ubuntu
> deleted file mode 100644
> index 661718b..0000000
> --- a/config/etc/default.conf.ubuntu
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -lxc.network.type = veth
> -lxc.network.link = lxcbr0
> -lxc.network.flags = up
> -lxc.network.hwaddr = 00:16:3e:xx:xx:xx
> diff --git a/config/init/Makefile.am b/config/init/Makefile.am
> index e2ffe28..1a9c7b2 100644
> --- a/config/init/Makefile.am
> +++ b/config/init/Makefile.am
> @@ -1 +1 @@
> -SUBDIRS = systemd sysvinit upstart
> +SUBDIRS = common systemd sysvinit upstart
> diff --git a/config/init/common/Makefile.am b/config/init/common/Makefile.am
> new file mode 100644
> index 0000000..8c0134c
> --- /dev/null
> +++ b/config/init/common/Makefile.am
> @@ -0,0 +1,2 @@
> +EXTRA_DIST = lxc-containers.in lxc-net.in
> +pkglibexec_SCRIPTS = lxc-containers lxc-net
> diff --git a/config/init/common/lxc-containers.in b/config/init/common/lxc-containers.in
> new file mode 100644
> index 0000000..9d1d604
> --- /dev/null
> +++ b/config/init/common/lxc-containers.in
> @@ -0,0 +1,136 @@
> +#!/bin/sh
> +
> +sysconfdir="@SYSCONFDIR@"
> +distrosysconfdir="@LXC_DISTRO_SYSCONF@"
> +bindir="@BINDIR@"
> +localstatedir="@LOCALSTATEDIR@"
> +
> +# These can be overridden in @LXC_DISTRO_SYSCONF@/lxc
> +
> +# Autostart containers?
> +LXC_AUTO="true"
> +
> +# BOOTGROUPS - What groups should start on bootup?
> +# Comma separated list of groups.
> +# Leading comma, trailing comma or embedded double
> +# comma indicates when the NULL group should be run.
> +# Example (default): boot the onboot group first then the NULL group
> +BOOTGROUPS="onboot,"
> +
> +# SHUTDOWNDELAY - Wait time for a container to shut down.
> +# Container shutdown can result in lengthy system
> +# shutdown times. Even 5 seconds per container can be
> +# too long.
> +SHUTDOWNDELAY=5
> +
> +# OPTIONS can be used for anything else.
> +# If you want to boot everything then
> +# options can be "-a" or "-a -A".
> +OPTIONS=
> +
> +# STOPOPTS are stop options. The can be used for anything else to stop.
> +# If you want to kill containers fast, use -k
> +STOPOPTS="-a -A -s"
> +
> +# Source function library.
> +test ! -r "$sysconfdir"/rc.d/init.d/functions ||
> + . "$sysconfdir"/rc.d/init.d/functions
> +
> +# provide action() fallback
> +if ! type action >/dev/null 2>&1; then
> + # Real basic fallback for sysvinit "action" verbage.
> + action() {
> + echo -n "$1 "
> + "$@" && echo "OK" || echo "Failed"
> + }
> +fi
> +
> +if [ -d "$localstatedir"/lock/subsys ]
> +then
> + lockdir="$localstatedir"/lock/subsys
> +else
> + lockdir="$localstatedir"/lock
> +fi
> +
> +# Source any configurable options
> +[ ! -f "$distrosysconfdir"/lxc ] || . "$distrosysconfdir"/lxc
> +
> +# Check for needed utility program
> +[ -x "$bindir"/lxc-autostart ] || exit 1
> +
> +# If libvirtd is providing the bridge, it might not be
> +# immediately available, so wait a bit for it before starting
> +# up the containers or else any that use the bridge will fail
> +# to start
> +wait_for_bridge()
> +{
> + [ -f "$sysconfdir"/lxc/default.conf ] || { return 0; }
> +
> + which ifconfig >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + cmd="ifconfig -a"
> + else
> + which ip >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + cmd="ip link list"
> + fi
> + fi
> + [ -n cmd ] || { return 0; }
> +
> + BRNAME=`grep '^[ ]*lxc.network.link' "$sysconfdir"/lxc/default.conf | sed 's/^.*=[ ]*//'`
> + if [ -z "$BRNAME" ]; then
> + return 0
> + fi
> +
> + for try in `seq 1 30`; do
> + eval $cmd |grep "^$BRNAME" >/dev/null 2>&1
> + if [ $? = 0 ]; then
> + return
> + fi
> + sleep 1
> + done
> +}
> +
> +# See how we were called.
> +case "$1" in
> + start)
> + [ "x$LXC_AUTO" = "xtrue" ] || { exit 0; }
> +
> + [ ! -f "$lockdir"/lxc ] || { exit 0; }
> +
> + if [ -n "$BOOTGROUPS" ]; then
> + BOOTGROUPS="-g $BOOTGROUPS"
> + fi
> +
> + # Start containers
> + wait_for_bridge
> +
> + # Start autoboot containers first then the NULL group "onboot,".
> + action $"Starting LXC autoboot containers: " "$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS
> + touch "$lockdir"/lxc
> + ;;
> +
> + stop)
> + if [ -n "$SHUTDOWNDELAY" ]; then
> + SHUTDOWNDELAY="-t $SHUTDOWNDELAY"
> + fi
> +
> + # The stop is serialized and can take excessive time. We need to avoid
> + # delaying the system shutdown / reboot as much as we can since it's not
> + # parallelized... Even 5 second timout may be too long.
> + action $"Stopping LXC containers: " "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY
> + rm -f "$lockdir"/lxc
> + ;;
> +
> + restart|reload|force-reload)
> + $0 stop
> + $0 start
> + ;;
> +
> + *)
> + echo "Usage: $0 {start|stop|restart|reload|force-reload}"
> + exit 2
> + ;;
> +esac
> +
> +exit $?
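Review bot: `[ -n cmd ]` in wait_for_bridge tests the literal string `cmd`, so it is always true and the early return never fires; when neither ifconfig nor ip is found, `$cmd` is unset and `eval $cmd |grep` fails on all 30 iterations, delaying container start by 30 seconds for nothing. Initialise `cmd=""` before the `which` checks and write `[ -n "$cmd" ] || { return 0; }`. The same line exists in the deleted config/init/sysvinit/lxc.in, so this is carried over rather than introduced, but the new shared helper is the place to fix it. Two constructs are also bash-specific under `#!/bin/sh`: `echo -n "$1 "` in the action() fallback prints a literal `-n` on dash, and `$"Starting LXC autoboot containers: "` is most likely left with a leading `$` there; `printf '%s ' "$1"` and plain double-quoted strings are portable.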
> diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
> new file mode 100644
> index 0000000..c921ab7
> --- /dev/null
> +++ b/config/init/common/lxc-net.in
> @@ -0,0 +1,123 @@
> +#!/bin/sh -
> +
> +distrosysconfdir="@LXC_DISTRO_SYSCONF@"
> +localstatedir="@LOCALSTATEDIR@"
> +varrun="@RUNTIME_PATH@/lxc"
> +
> +# These can be overridden in @LXC_DISTRO_SYSCONF@/lxc
> +# or in @LXC_DISTRO_SYSCONF@/lxc-net
> +
> +USE_LXC_BRIDGE="true"
> +LXC_BRIDGE="lxcbr0"
> +LXC_ADDR="10.0.3.1"
> +LXC_NETMASK="255.255.255.0"
> +LXC_NETWORK="10.0.3.0/24"
> +LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
> +LXC_DHCP_MAX="253"
> +LXC_DHCP_CONFILE=""
> +LXC_DOMAIN=""
> +
> +[ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc
> +
> +if [ -d "$localstatedir"/lock/subsys ]; then
> + lockdir="$localstatedir"/lock/subsys
> +else
> + lockdir="$localstatedir"/lock
> +fi
> +
> +start() {
> + [ ! -f "${lockdir}"/lxc-net ] || { exit 0; }
> +
> + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
> +
> + use_iptables_lock="-w"
> + iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> + cleanup() {
> + # dnsmasq failed to start, clean up the bridge
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> + iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> + iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> + iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> + iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> + ifconfig ${LXC_BRIDGE} down || true
> + brctl delbr ${LXC_BRIDGE} || true
> + }
> +
> + if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> + exit 0;
> + fi
> +
> + # set up the lxc network
> + brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
> + echo 1 > /proc/sys/net/ipv4/ip_forward
> + mkdir -p "${varrun}"
> + ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
> + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> + iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> + iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> + iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
> + iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> +
> + LXC_DOMAIN_ARG=""
> + if [ -n "$LXC_DOMAIN" ]; then
> + LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
> + fi
> + dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
> + touch "${varrun}"/network_up
> + touch "${lockdir}"/lxc-net
> +}
> +
> +stop() {
> + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
> +
> + [ -f "${varrun}/network_up" ] || { exit 0; }
> + # if $LXC_BRIDGE has attached interfaces, don't shut it down
> + ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;
> +
> + if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> + use_iptables_lock="-w"
> + iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> + ifconfig ${LXC_BRIDGE} down
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> + iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> + iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> + iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> + iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> + pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
> + rm -f "${varrun}"/dnsmasq.pid
> + brctl delbr ${LXC_BRIDGE}
> + fi
> + rm -f "${varrun}"/network_up
> + rm -f "${lockdir}"/lxc-net
> +}
> +
> +# See how we were called.
> +case "$1" in
> + start)
> + start
> + ;;
> +
> + stop)
> + stop
> + ;;
> +
> + restart|reload|force-reload)
> + $0 stop
> + $0 start
> + ;;
> +
> + *)
> + echo "Usage: $0 {start|stop|restart|reload|force-reload}"
> + exit 2
> +esac
> +
> +exit $?
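Review bot: When dnsmasq fails to start, `|| cleanup` on the dnsmasq line removes the bridge and the iptables rules, but start() then still runs `touch "${varrun}"/network_up` and `touch "${lockdir}"/lxc-net`, so the state files claim the network is up, the next `start` exits 0 at the lock check without retrying, and the oneshot systemd/upstart job reports success; `|| { cleanup; exit 1; }` keeps the state files consistent and surfaces the failure. `echo 1 > /proc/sys/net/ipv4/ip_forward` turns on forwarding for the whole host and stop() never reverts it, which deserves a comment such as `# ip_forward is enabled host-wide and intentionally left on by stop()` so a reader knows it is deliberate. `[ ! -f $distrosysconfdir/lxc ]` near the top is the one unquoted path in the script; quote it like the other uses.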
> diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am
> index 5959cd8..4201d98 100644
> --- a/config/init/systemd/Makefile.am
> +++ b/config/init/systemd/Makefile.am
> @@ -2,21 +2,12 @@ EXTRA_DIST = \
> lxc-devsetup \
> lxc-apparmor-load \
> lxc.service.in \
> - lxc-net.service.in \
> - $(NULL)
> + lxc-net.service.in
>
> if INIT_SCRIPT_SYSTEMD
> -lxc-autostart-helper: ../sysvinit/lxc.in $(top_builddir)/config.status
> - $(AM_V_GEN)sed \
> - -e 's|[@]SYSCONFDIR[@]|$(sysconfdir)|g' \
> - -e 's|[@]LOCALSTATEDIR[@]|$(localstatedir)|g' \
> - -e 's|[@]BINDIR[@]|$(bindir)|g' \
> - < $< > $@-t && \
> - chmod a+x $@-t && \
> - mv $@-t $@
> -BUILT_SOURCES = lxc-autostart-helper lxc.service lxc-net.service
> +BUILT_SOURCES = lxc.service lxc-net.service
>
> -install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-apparmor-load lxc-autostart-helper
> +install-systemd: lxc.service lxc-net.service lxc-devsetup lxc-apparmor-load
> $(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
> $(INSTALL_DATA) lxc.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
>
> @@ -25,7 +16,7 @@ uninstall-systemd:
> rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
> rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
>
> -pkglibexec_SCRIPTS = lxc-devsetup lxc-apparmor-load lxc-autostart-helper
> +pkglibexec_SCRIPTS = lxc-devsetup lxc-apparmor-load
>
> install-data-local: install-systemd
> uninstall-local: uninstall-systemd
> diff --git a/config/init/systemd/lxc-net.service.in b/config/init/systemd/lxc-net.service.in
> index 37d1d69..c054702 100644
> --- a/config/init/systemd/lxc-net.service.in
> +++ b/config/init/systemd/lxc-net.service.in
> @@ -6,5 +6,5 @@ Before=lxc.service
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> -ExecStart=@DATADIR@/lxc/lxc.net start
> -ExecStop=@DATADIR@/lxc/lxc.net stop
> +ExecStart=@LIBEXECDIR@/lxc/lxc-net start
> +ExecStop=@LIBEXECDIR@/lxc/lxc-net stop
> diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
> index f64610f..33da987 100644
> --- a/config/init/systemd/lxc.service.in
> +++ b/config/init/systemd/lxc.service.in
> @@ -8,8 +8,8 @@ Type=oneshot
> RemainAfterExit=yes
> ExecStartPre=@LIBEXECDIR@/lxc/lxc-devsetup
> ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load
> -ExecStart=@LIBEXECDIR@/lxc/lxc-autostart-helper start
> -ExecStop=@LIBEXECDIR@/lxc/lxc-autostart-helper stop
> +ExecStart=@LIBEXECDIR@/lxc/lxc-containers start
> +ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop
> # Environment=BOOTUP=serial
> # Environment=CONSOLETYPE=serial
> StandardOutput=syslog
> diff --git a/config/init/sysvinit/Makefile.am b/config/init/sysvinit/Makefile.am
> index 66c190d..d166400 100644
> --- a/config/init/sysvinit/Makefile.am
> +++ b/config/init/sysvinit/Makefile.am
> @@ -1,13 +1,24 @@
> -EXTRA_DIST = lxc
> +EXTRA_DIST = lxc-containers.in lxc-net.in
>
> if INIT_SCRIPT_SYSV
> -install-sysvinit: lxc
> - $(MKDIR_P) $(DESTDIR)$(sysconfdir)/rc.d/init.d
> - $(INSTALL_SCRIPT) lxc $(DESTDIR)$(sysconfdir)/rc.d/init.d/lxc
> +# If we're installing for sysv init, install the helper scripts
> +# directly to the rc directory under the appropriate name.
> +
> +if HAVE_DEBIAN
> + initdir = "init.d"
> +else
> + initdir = "rc.d/init.d"
> +endif
> +
> +install-sysvinit: lxc-containers lxc-net
> + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/$(initdir)
> + $(INSTALL_SCRIPT) lxc-containers $(DESTDIR)$(sysconfdir)/$(initdir)/lxc
> + $(INSTALL_SCRIPT) lxc-net $(DESTDIR)$(sysconfdir)/$(initdir)/lxc-net
>
> uninstall-sysvinit:
> - rm -f $(DESTDIR)$(sysconfdir)/rc.d/init.d/lxc
> - rmdir $(DESTDIR)$(sysconfdir)/rc.d/init.d || :
> + rm -f $(DESTDIR)$(sysconfdir)/$(initdir)/lxc
> + rm -f $(DESTDIR)$(sysconfdir)/$(initdir)/lxc-net
> + rmdir $(DESTDIR)$(sysconfdir)/$(initdir) || :
>
> install-data-local: install-sysvinit
> uninstall-local: uninstall-sysvinit
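Review bot: `initdir = "init.d"` and `initdir = "rc.d/init.d"` under `if HAVE_DEBIAN` keep the double quotes as part of the make variable, so `$(DESTDIR)$(sysconfdir)/$(initdir)` expands to `/etc/"init.d"` and only works because the recipe shell strips the quotes; automake variables are conventionally unquoted, `initdir = init.d` and `initdir = rc.d/init.d`. The same quoting appears in `sysconfigdir="@LXC_DISTRO_SYSCONF@"` in config/sysconfig/Makefile.am, where automake's generated install rules probably add their own quotes around the value. Since lxc-containers is installed under the name `lxc`, a comment on the `$(INSTALL_SCRIPT) lxc-containers … /lxc` line saying that the installed name is kept as `lxc` for compatibility with existing rc links would save the next reader a search.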
> diff --git a/config/init/sysvinit/lxc-containers.in b/config/init/sysvinit/lxc-containers.in
> new file mode 100644
> index 0000000..9d92115
> --- /dev/null
> +++ b/config/init/sysvinit/lxc-containers.in
> @@ -0,0 +1,45 @@
> +#!/bin/sh
> +#
> +# lxc Start/Stop LXC autoboot containers
> +#
> +# chkconfig: 345 99 01
> +# description: Starts/Stops all LXC containers configured for autostart.
> +#
> +### BEGIN INIT INFO
> +# Provides: lxc
> +# Default-Start: 2 3 4 5
> +# Default-Stop: 0 1 6
> +# Short-Description: Bring up/down LXC autostart containers
> +# Description: Bring up/down LXC autostart containers
> +### END INIT INFO
> +
> +start() {
> + @LIBEXECDIR@/lxc/lxc-containers start
> +}
> +
> +stop() {
> + @LIBEXECDIR@/lxc/lxc-containers stop
> +}
> +
> +# See how we were called.
> +case "$1" in
> + start)
> + start
> + ;;
> +
> + stop)
> + stop
> + ;;
> +
> + restart|reload|force-reload)
> + $0 stop
> + $0 start
> + ;;
> +
> + *)
> + echo "Usage: $0 {start|stop|restart|reload|force-reload}"
> + exit 2
> + ;;
> +esac
> +
> +exit $?
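Review bot: The LSB header has no `Required-Start:`/`Required-Stop:` lines, so on insserv-ordered systems nothing places this script after networking or after lxc-net, and the chkconfig line `345 99 01` gives it the same priorities as config/init/sysvinit/lxc-net.in, leaving the bridge-before-containers order unspecified there as well; the common helper's wait_for_bridge only polls for an interface named in default.conf and gives up after 30 seconds. Something like `# Required-Start: $network $remote_fs lxc-net` here (with `$network $remote_fs` in lxc-net's header, and the matching `Required-Stop:` lines) would declare the dependency explicitly; the exact facility names should be confirmed against the target distributions. `Default-Start: 2 3 4 5` and the chkconfig `345` also disagree about runlevel 2.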
> diff --git a/config/init/sysvinit/lxc-net.in b/config/init/sysvinit/lxc-net.in
> new file mode 100644
> index 0000000..6e22505
> --- /dev/null
> +++ b/config/init/sysvinit/lxc-net.in
> @@ -0,0 +1,45 @@
> +#!/bin/sh -
> +#
> +# lxc-net Start/Stop LXC Networking
> +#
> +# chkconfig: 345 99 01
> +# description: Starts/Stops LXC Network Bridge
> +#
> +### BEGIN INIT INFO
> +# Provides: lxc-net
> +# Default-Start: 2 3 4 5
> +# Default-Stop: 1
> +# Short-Description: Bring up/down LXC Network Bridge
> +# Description: Bring up/down LXC Network Bridge
> +### END INIT INFO
> +
> +start() {
> + @LIBEXECDIR@/lxc/lxc-net start
> +}
> +
> +stop() {
> + @LIBEXECDIR@/lxc/lxc-net stop
> +}
> +
> +# See how we were called.
> +case "$1" in
> + start)
> + start
> + ;;
> +
> + stop)
> + stop
> + ;;
> +
> + restart|reload|force-reload)
> + $0 stop
> + $0 start
> + ;;
> +
> + *)
> + echo "Usage: $0 {start|stop|restart|reload|force-reload}"
> + exit 2
> + ;;
> +esac
> +
> +exit $?
> diff --git a/config/init/sysvinit/lxc.in b/config/init/sysvinit/lxc.in
> deleted file mode 100644
> index 7cad8c8..0000000
> --- a/config/init/sysvinit/lxc.in
> +++ /dev/null
> @@ -1,131 +0,0 @@
> -#!/bin/sh
> -#
> -# lxc Start/Stop LXC autoboot containers
> -#
> -# chkconfig: 345 99 01
> -# description: Starts/Stops all LXC containers configured for autostart.
> -#
> -### BEGIN INIT INFO
> -# Provides: lxc
> -# Default-Start: 3 4 5
> -# Default-Stop: 0 1 6
> -# Short-Description: Bring up/down LXC autostart containers
> -# Description: Bring up/down LXC autostart containers
> -### END INIT INFO
> -
> -sysconfdir="@SYSCONFDIR@"
> -bindir="@BINDIR@"
> -localstatedir="@LOCALSTATEDIR@"
> -
> -# These can be overridden in @SYSCONFDIR@/sysconfig/lxc
> -
> -# BOOTGROUPS - What groups should start on bootup?
> -# Comma separated list of groups.
> -# Leading comma, trailing comma or embedded double
> -# comma indicates when the NULL group should be run.
> -# Example (default): boot the onboot group first then the NULL group
> -BOOTGROUPS="onboot,"
> -
> -# SHUTDOWNDELAY - Wait time for a container to shut down.
> -# ner shutdown can result in lengthy system
> -# shutdown times. Even 5 seconds per container can be
> -# too long.
> -SHUTDOWNDELAY=5
> -
> -# OPTIONS can be used for anything else.
> -# If you want to boot everything then
> -# options can be "-a" or "-a -A".
> -OPTIONS=
> -
> -# STOPOPTS are stop options. The can be used for anything else to stop.
> -# If you want to kill containers fast, use -k
> -STOPOPTS="-a -A -s"
> -
> -# Source function library.
> -test ! -r "$sysconfdir"/rc.d/init.d/functions ||
> - . "$sysconfdir"/rc.d/init.d/functions
> -
> -# provide action() fallback
> -if ! type action >/dev/null 2>&1; then
> - action() {
> - echo "$@"
> - }
> -fi
> -
> -# Source any configurable options
> -test ! -r "$sysconfdir"/sysconfig/lxc ||
> - . "$sysconfdir"/sysconfig/lxc
> -
> -# Check for needed utility program
> -[ -x "$bindir"/lxc-autostart ] || exit 1
> -
> -# If libvirtd is providing the bridge, it might not be
> -# immediately available, so wait a bit for it before starting
> -# up the containers or else any that use the bridge will fail
> -# to start
> -wait_for_bridge()
> -{
> - [ -f "$sysconfdir"/lxc/default.conf ] || { return 0; }
> -
> - which ifconfig >/dev/null 2>&1
> - if [ $? = 0 ]; then
> - cmd="ifconfig -a"
> - else
> - which ip >/dev/null 2>&1
> - if [ $? = 0 ]; then
> - cmd="ip link list"
> - fi
> - fi
> - [ -n cmd ] || { return 0; }
> -
> - BRNAME=`grep '^[ ]*lxc.network.link' "$sysconfdir"/lxc/default.conf | sed 's/^.*=[ ]*//'`
> - if [ -z "$BRNAME" ]; then
> - return 0
> - fi
> -
> - for try in `seq 1 30`; do
> - eval $cmd |grep "^$BRNAME" >/dev/null 2>&1
> - if [ $? = 0 ]; then
> - return
> - fi
> - sleep 1
> - done
> -}
> -
> -# See how we were called.
> -case "$1" in
> - start)
> - [ ! -f "$localstatedir"/lock/subsys/lxc ] || { exit 0; }
> -
> - if [ -n "$BOOTGROUPS" ]
> - then
> - BOOTGROUPS="-g $BOOTGROUPS"
> - fi
> -
> - # Start containers
> - wait_for_bridge
> - # Start autoboot containers first then the NULL group "onboot,".
> - action $"Starting LXC autoboot containers: " "$bindir"/lxc-autostart $OPTIONS $BOOTGROUPS
> - touch "$localstatedir"/lock/subsys/lxc
> - ;;
> - stop)
> - if [ -n "$SHUTDOWNDELAY" ]
> - then
> - SHUTDOWNDELAY="-t $SHUTDOWNDELAY"
> - fi
> -
> - # The stop is serialized and can take excessive time. We need to avoid
> - # delaying the system shutdown / reboot as much as we can since it's not
> - # parallelized... Even 5 second timout may be too long.
> - action $"Stopping LXC containers: " "$bindir"/lxc-autostart $STOPOPTS $SHUTDOWNDELAY
> - rm -f "$localstatedir"/lock/subsys/lxc
> - ;;
> - restart|reload|force-reload)
> - $0 stop
> - $0 start
> - ;;
> - *)
> - echo "Usage: $0 {start|stop|restart|reload|force-reload}"
> - exit 2
> -esac
> -exit $?
> diff --git a/config/init/upstart/Makefile.am b/config/init/upstart/Makefile.am
> index 32b90b9..916b850 100644
> --- a/config/init/upstart/Makefile.am
> +++ b/config/init/upstart/Makefile.am
> @@ -1,4 +1,4 @@
> -EXTRA_DIST = lxc.conf lxc-instance.conf lxc-net.conf
> +EXTRA_DIST = lxc.conf lxc-instance.conf lxc-net.conf.in
>
> if INIT_SCRIPT_UPSTART
> install-upstart: lxc.conf lxc-instance.conf lxc-net.conf
> diff --git a/config/init/upstart/lxc-net.conf b/config/init/upstart/lxc-net.conf
> deleted file mode 100644
> index 38f6ea3..0000000
> --- a/config/init/upstart/lxc-net.conf
> +++ /dev/null
> @@ -1,8 +0,0 @@
> -description "lxc network"
> -author "Serge Hallyn <serge.hallyn at canonical.com>"
> -
> -start on starting lxc
> -stop on stopped lxc
> -
> -pre-start exec /usr/share/lxc/lxc.net start
> -post-stop exec /usr/share/lxc/lxc.net stop
> diff --git a/config/init/upstart/lxc-net.conf.in b/config/init/upstart/lxc-net.conf.in
> new file mode 100644
> index 0000000..71c5499
> --- /dev/null
> +++ b/config/init/upstart/lxc-net.conf.in
> @@ -0,0 +1,8 @@
> +description "lxc network"
> +author "Serge Hallyn <serge.hallyn at canonical.com>"
> +
> +start on starting lxc
> +stop on stopped lxc
> +
> +pre-start exec @LIBEXECDIR@/lxc/lxc-net start
> +post-stop exec @LIBEXECDIR@/lxc/lxc-net stop
> diff --git a/config/sysconfig/Makefile.am b/config/sysconfig/Makefile.am
> new file mode 100644
> index 0000000..3829a01
> --- /dev/null
> +++ b/config/sysconfig/Makefile.am
> @@ -0,0 +1,6 @@
> +sysconfigdir="@LXC_DISTRO_SYSCONF@"
> +
> +sysconfig_DATA = \
> + lxc
> +
> +EXTRA_DIST = $(sysconfig_DATA)
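Review bot: `EXTRA_DIST = $(sysconfig_DATA)` distributes the configure-generated `lxc` rather than the template `lxc.in` that configure.ac now lists under AC_CONFIG_FILES, so `make dist` would ship a file already substituted for the packager's host; config/init/common/Makefile.am in this same patch does it the other way round with `EXTRA_DIST = lxc-containers.in lxc-net.in`. Automake normally distributes AC_CONFIG_FILES inputs by itself, so `EXTRA_DIST = lxc.in` or dropping the line keeps the two directories consistent; `make distcheck` would confirm which is needed.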
> diff --git a/config/sysconfig/lxc.in b/config/sysconfig/lxc.in
> new file mode 100644
> index 0000000..c5b9aca
> --- /dev/null
> +++ b/config/sysconfig/lxc.in
> @@ -0,0 +1,29 @@
> +# LXC_AUTO - whether or not to start containers at boot
> +LXC_AUTO="true"
> +
> +# BOOTGROUPS - What groups should start on bootup?
> +# Comma separated list of groups.
> +# Leading comma, trailing comma or embedded double
> +# comma indicates when the NULL group should be run.
> +# Example (default): boot the onboot group first then the NULL group
> +BOOTGROUPS="onboot,"
> +
> +# SHUTDOWNDELAY - Wait time for a container to shut down.
> +# Container shutdown can result in lengthy system
> +# shutdown times. Even 5 seconds per container can be
> +# too long.
> +SHUTDOWNDELAY=5
> +
> +# OPTIONS can be used for anything else.
> +# If you want to boot everything then
> +# options can be "-a" or "-a -A".
> +OPTIONS=
> +
> +# STOPOPTS are stop options. The can be used for anything else to stop.
> +# If you want to kill containers fast, use -k
> +STOPOPTS="-a -A -s"
> +
> +USE_LXC_BRIDGE="false" # overridden in lxc-net
> +
> +[ -f @LXC_DISTRO_SYSCONF@/lxc-net ] && . @LXC_DISTRO_SYSCONF@/lxc-net
> +
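Review bot: `USE_LXC_BRIDGE="false" # overridden in lxc-net` replaces the `USE_LXC_BRIDGE="true"` default of config/init/common/lxc-net.in when that helper sources this file, so on any system where `@LXC_DISTRO_SYSCONF@/lxc-net` does not exist (this patch only creates one in the RPM %post), `lxc-net start` exits 0 at its USE_LXC_BRIDGE check without creating lxcbr0, while default.conf.lxcbr still points new containers at that bridge. If that is the intended default, say so: `# The bridge is off unless @LXC_DISTRO_SYSCONF@/lxc-net (sourced below) sets USE_LXC_BRIDGE="true"`. A header line noting that this file is sourced as a shell fragment by the lxc and lxc-net init helpers, so every value must remain valid shell, would also help packagers who edit it. The final `[ -f … ] && . …` returns 1 when the file is absent, harmless for the current callers but a trap for any `set -e` caller; `[ ! -f … ] || . …` is the form lxc-net.in already uses.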
> diff --git a/configure.ac b/configure.ac
> index 3e73d49..7b54587 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -60,13 +60,16 @@ if test "z$with_distro" = "z"; then
> fi
> case $with_distro in
> ubuntu|raspbian)
> - distroconf=default.conf.ubuntu
> + distroconf=default.conf.lxcbr
> + distrosysconf="$sysconfdir/default"
> ;;
> - redhat|centos|fedora|oracle|oracleserver)
> - distroconf=default.conf.libvirt
> + redhat|centos|fedora|oracle|oracleserver|suse|opensuse*)
> + distroconf=default.conf.lxcbr
> + distrosysconf="$sysconfdir/sysconfig"
> ;;
> *)
> distroconf=default.conf.unknown
> + distrosysconf="$sysconfdir/default"
> ;;
> esac
> AC_MSG_RESULT([$with_distro])
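Review bot: As far as this hunk shows, no branch of `case $with_distro` selects `default.conf.libvirt` any more (the redhat family now gets `default.conf.lxcbr`), yet config/etc/Makefile.am in the same patch still lists it in EXTRA_DIST; either drop the file or add a comment here explaining it is kept for users who copy it into place by hand. The `*)` fallback now also sets `distrosysconf="$sysconfdir/default"`, the Debian layout; a one-line comment stating that unknown distributions follow the Debian convention would make that choice visible to the next person adding a distro.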
> @@ -84,7 +87,7 @@ AC_ARG_WITH([init-script],
> case "$with_init_script" in
> distro)
> case $with_distro in
> - fedora)
> + fedora|opensuse*)
> init_script=systemd
> ;;
> redhat|centos|oracle|oracleserver)
> @@ -520,6 +523,7 @@ AS_AC_EXPAND(LXCPATH, "$with_config_path")
> AS_AC_EXPAND(LXC_GLOBAL_CONF, "$with_global_conf")
> AS_AC_EXPAND(LXC_USERNIC_CONF, "$with_usernic_conf")
> AS_AC_EXPAND(LXC_USERNIC_DB, "$with_usernic_db")
> +AS_AC_EXPAND(LXC_DISTRO_SYSCONF, "$distrosysconf")
> AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
> AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
> AS_AC_EXPAND(LXCTEMPLATECONFIG, "$datadir/lxc/config")
> @@ -602,11 +606,16 @@ AC_CONFIG_FILES([
> config/bash/Makefile
> config/bash/lxc
> config/init/Makefile
> - config/init/sysvinit/Makefile
> - config/init/sysvinit/lxc
> + config/init/common/Makefile
> + config/init/common/lxc-containers
> + config/init/common/lxc-net
> config/init/systemd/Makefile
> config/init/systemd/lxc.service
> config/init/systemd/lxc-net.service
> + config/init/sysvinit/Makefile
> + config/init/sysvinit/lxc-containers
> + config/init/sysvinit/lxc-net
> + config/init/upstart/lxc-net.conf
> config/init/upstart/Makefile
> config/etc/Makefile
> config/templates/Makefile
> @@ -636,6 +645,8 @@ AC_CONFIG_FILES([
> config/templates/ubuntu.userns.conf
> config/templates/userns.conf
> config/yum/Makefile
> + config/sysconfig/Makefile
> + config/sysconfig/lxc
>
> doc/Makefile
> doc/api/Makefile
> diff --git a/lxc.spec.in b/lxc.spec.in
> index 57912a1..52b6326 100644
> --- a/lxc.spec.in
> +++ b/lxc.spec.in
> @@ -28,7 +28,16 @@
> %if 0%{?fedora} >= 14 || 0%{?rhel} >= 7 || 0%{?suse_version} >= 1210
> %global with_systemd 1
> %define init_script systemd
> +#
> +# BuildRequires systemd-units on fedora and rhel
> +%if 0%{?fedora} >= 14 || 0%{?rhel} >= 7
> BuildRequires: systemd-units
> +#
> +# BuildRequires systemd on openSUSE and SUSE
> +%endif
> +%if 0%{?suse_version} >= 1210
> +BuildRequires: systemd
> +%endif
> %else
> %global with_systemd 0
> %define init_script sysvinit
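Review bot: The comment lines `# BuildRequires systemd on openSUSE and SUSE` sit inside the fedora/rhel `%if` block, directly before its `%endif`, so they describe the block that follows rather than the one they are in; move them below that `%endif` so they precede `%if 0%{?suse_version} >= 1210`. The two inner `%if` tests repeat conditions already combined in the outer `%if` one line up, which is correct but worth a short comment that the outer test selects systemd and the inner ones only choose the build-dependency package name per family.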
> @@ -53,8 +62,25 @@ Summary: Linux Containers userspace tools
> Group: Applications/System
> License: LGPLv2+
> BuildRoot: %{_tmppath}/%{name}-%{version}-build
> -Requires: openssl rsync
> -BuildRequires: libcap libcap-devel docbook2X graphviz
> +Requires: openssl rsync dnsmasq
> +# Note for Suse. The "docbook2X" BuildRequires does properly
> +# match docbook2x on Suse in a case insensitive manner
> +BuildRequires: libcap libcap-devel docbook2X graphviz libxslt pkgconfig
> +
> +#
> +# Additional packages for openSUSE and SUSE
> +#
> +%if 0%{?suse_version} >= 1210
> +PreReq: permissions
> +BuildRequires: libapparmor-devel linux-glibc-devel lsb-release docbook-utils
> +
> +#
> +# libseccomp-devel only needed on i386/i586/i686 and X86_64
> +#
> +%ifarch %ix86 x86_64
> +BuildRequires: libseccomp-devel
> +%endif
> +%endif
>
> %if %{with_python}
> Requires: python3
> @@ -105,6 +131,9 @@ PATH=$PATH:/usr/sbin:/sbin %configure $args \
> %if %{with_python}
> --enable-python \
> %endif
> +%if "x%{_unitdir}" != "x"
> + --with-systemdsystemunitdir=%{_unitdir} \
> +%endif
> --disable-rpath \
> --with-init-script=%{init_script}
> make %{?_smp_mflags}
> @@ -117,28 +146,102 @@ find %{buildroot} -type f -name '*.la' -exec rm -f {} ';'
> %clean
> rm -rf %{buildroot}
>
> +%pre
> +# Ensure that lxcdnsmasq uid & gid gets correctly allocated
> +if getent passwd lxc-dnsmasq >/dev/null 2>&1 ; then : ; else \
> + /usr/sbin/useradd -M -r -s /sbin/nologin \
> + -c "LXC Networking Service" -d %_localstatedir/%name lxc-dnsmasq 2> /dev/null \
> + || exit 1
> +fi
> +
> %post
> +# This test should trigger a network configure on a new install.
> +if [ ! -f %{_sysconfdir}/sysconfig/lxc-net ] || ! grep -q 'USE_LXC_BRIDGE=' %{_sysconfdir}/sysconfig/lxc-net
> +then
> + # Grab a random 10net subnet. Need to add test logic...
> + while [ true ]
> + do
> + SUBNET=10.$(($RANDOM % 256)).$(($RANDOM % 256))
> + if ! ip -4 route ls | grep -q "^$SUBNET"
> + then
> + break
> + fi
> + done
> +
> + cat > %{_sysconfdir}/sysconfig/lxc-net <<EOF
> +# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
> +# containers. Set to "false" if you'll use virbr0 or another existing
> +# bridge, or mavlan to your host's NIC.
> +USE_LXC_BRIDGE="true"
> +
> +# If you change the LXC_BRIDGE to something other than lxcbr0, then
> +# you will also need to update your /etc/lxc/default.conf as well as the
> +# configuration (/var/lib/lxc/<container>/config) for any containers
> +# already created using the default config to reflect the new bridge
> +# name.
> +# If you have the dnsmasq daemon installed, you'll also have to update
> +# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
> +LXC_BRIDGE="lxcbr0"
> +LXC_ADDR="$SUBNET.1"
> +LXC_NETMASK="255.255.255.0"
> +LXC_NETWORK="$SUBNET.0/24"
> +LXC_DHCP_RANGE="$SUBNET.2,$SUBNET.254"
> +LXC_DHCP_MAX="253"
> +# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
> +# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
> +# container 'mail1' always get ip address 10.0.3.100.
> +#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf
> +
> +# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
> +# domain. You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)
> +# to /etc/dnsmasq.conf, after which 'container1.lxc' will resolve on your
> +# host.
> +#LXC_DOMAIN="lxc"
> +EOF
> +fi
> +
> %post libs -p /sbin/ldconfig
> %postun libs -p /sbin/ldconfig
>
> %files
> %defattr(-,root,root)
> %{_bindir}/*
> +# openSUSE/SUSE
> +%if 0%{?suse_version} >= 1210
> +%dir %{_sysconfdir}/apparmor.d
> +%dir %{_sysconfdir}/apparmor.d/abstractions
> +%dir %{_sysconfdir}/apparmor.d/abstractions/%{name}
> +%config %{_sysconfdir}/apparmor.d/abstractions/%{name}/container-base
> +%config %{_sysconfdir}/apparmor.d/abstractions/%{name}/start-container
> +%config %{_sysconfdir}/apparmor.d/%{name}-containers
> +%dir %{_sysconfdir}/apparmor.d/%{name}
> +%config %{_sysconfdir}/apparmor.d/%{name}/%{name}-default
> +%config %{_sysconfdir}/apparmor.d/%{name}/%{name}-default-with-mounting
> +%config %{_sysconfdir}/apparmor.d/%{name}/%{name}-default-with-nesting
> +%config %{_sysconfdir}/apparmor.d/usr.bin.%{name}-start
> +%endif
> %{_mandir}/man1/lxc*
> %{_mandir}/man5/lxc*
> %{_mandir}/man7/lxc*
> +# not openSUSE/SUSE
> +%if %{undefined suse_version}
> %{_mandir}/ja/man1/lxc*
> %{_mandir}/ja/man5/lxc*
> %{_mandir}/ja/man7/lxc*
> +%endif
> %{_datadir}/doc/*
> %{_datadir}/lxc/*
> %{_sysconfdir}/bash_completion.d
> +%{_sysconfdir}/sysconfig/*
> %config(noreplace) %{_sysconfdir}/lxc/*
> +%config(noreplace) %{_sysconfdir}/sysconfig/*
>
> %if %{with_systemd}
> +%{_unitdir}/lxc-net.service
> %{_unitdir}/lxc.service
> %else
> %{_sysconfdir}/rc.d/init.d/lxc
> +%{_sysconfdir}/rc.d/init.d/lxc-net
> %endif
>
> %files libs
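Review bot: The heredoc at `cat > %{_sysconfdir}/sysconfig/lxc-net <<EOF` is left unquoted so that `$SUBNET` expands, but that also expands `$LXC_ADDR` in the comment line `# domain. You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)`; that variable is unset in `%post`, so the reference silently vanishes from the generated file — write it as `\$LXC_ADDR`. The same hunk lists `%{_sysconfdir}/sysconfig/*` twice in `%files`, the first time without `%config(noreplace)`, and since the file is now created by `%post` instead of installed into the buildroot the glob matches nothing at build time, while no `%postun` in this hunk removes the generated file on uninstall (this is the workaround the cover letter says is still open). The collision test `ip -4 route ls | grep -q "^$SUBNET"` only rejects routes whose text begins with the chosen prefix, so a covering aggregate route or an interface address without its own route line is not detected; the `# Need to add test logic...` comment acknowledges this, but a check against `ip -4 addr` as well would be cheap to add before this lands.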
> @@ -154,7 +257,8 @@ rm -rf %{buildroot}
> %attr(4111,root,root) %{_libexecdir}/%{name}/lxc-user-nic
> %if %{with_systemd}
> %attr(555,root,root) %{_libexecdir}/%{name}/lxc-devsetup
> -%attr(555,root,root) %{_libexecdir}/%{name}/lxc-autostart-helper
> +%attr(555,root,root) %{_libexecdir}/%{name}/lxc-net
> +%attr(555,root,root) %{_libexecdir}/%{name}/lxc-containers
> %endif
>
> %if %{with_python}
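Review bot: The new `%attr(555,root,root) %{_libexecdir}/%{name}/lxc-net` and `lxc-containers` entries sit inside `%if %{with_systemd}`, while the earlier `%files` hunk packages `%{_sysconfdir}/rc.d/init.d/lxc-net` only in the `%else` branch; if the sysvinit scripts also call the shared helpers in libexec, as the cover letter's "split out the common logic" suggests, those files would be installed but unpackaged in a sysvinit build and rpmbuild would fail. Whether the helpers are installed at all under `--with-init-script=sysvinit` is not visible from this hunk, so this is worth confirming with the `make rpm` run on a non-systemd target that the cover letter asks for. The `%files` section this belongs to starts before the hunk.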
> diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
> index c65a15d..da3f78e 100644
> --- a/src/lxc/Makefile.am
> +++ b/src/lxc/Makefile.am
> @@ -165,9 +165,8 @@ bin_SCRIPTS = lxc-checkconfig
> EXTRA_DIST = \
> lxc-device \
> lxc-ls \
> - lxc-top.lua \
> - lxc.net \
> - lxc-restore-net
> + lxc-restore-net \
> + lxc-top.lua
>
> if ENABLE_PYTHON
> bin_SCRIPTS += lxc-device
> @@ -256,7 +255,6 @@ endif
> install-exec-local: install-soPROGRAMS
> mkdir -p $(DESTDIR)$(datadir)/lxc
> install -c -m 644 lxc.functions $(DESTDIR)$(datadir)/lxc
> - install -c -m 755 lxc.net $(DESTDIR)$(datadir)/lxc
> mv $(DESTDIR)$(libdir)/liblxc.so $(DESTDIR)$(libdir)/liblxc.so.$(VERSION)
> cd $(DESTDIR)$(libdir); \
> ln -sf liblxc.so.$(VERSION) liblxc.so.$(firstword $(subst ., ,$(VERSION))); \
> diff --git a/src/lxc/lxc.net b/src/lxc/lxc.net
> deleted file mode 100755
> index 9ec9695..0000000
> --- a/src/lxc/lxc.net
> +++ /dev/null
> @@ -1,103 +0,0 @@
> -#!/bin/sh
> -set -eu
> -
> -USE_LXC_BRIDGE="true"
> -LXC_BRIDGE="lxcbr0"
> -LXC_ADDR="10.0.3.1"
> -LXC_NETMASK="255.255.255.0"
> -LXC_NETWORK="10.0.3.0/24"
> -LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
> -LXC_DHCP_MAX="253"
> -LXC_DHCP_CONFILE=""
> -varrun="/run/lxc"
> -LXC_DOMAIN=""
> -
> -start() {
> - [ -f /etc/default/lxc ] && . /etc/default/lxc
> -
> - [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }
> -
> - use_iptables_lock="-w"
> - iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> - cleanup() {
> - # dnsmasq failed to start, clean up the bridge
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> - iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> - iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> - iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> - iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> - ifconfig ${LXC_BRIDGE} down || true
> - brctl delbr ${LXC_BRIDGE} || true
> - }
> -
> - if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> - if [ ! -f ${varrun}/network_up ]; then
> - # bridge exists, but we didn't start it
> - stop;
> - fi
> - exit 0;
> - fi
> -
> - # set up the lxc network
> - brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
> - echo 1 > /proc/sys/net/ipv4/ip_forward
> - mkdir -p ${varrun}
> - ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
> - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> - iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> - iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> - iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
> - iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -
> - LXC_DOMAIN_ARG=""
> - if [ -n "$LXC_DOMAIN" ]; then
> - LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
> - fi
> - DNSMASQ_USER="lxc-dnsmasq"
> - if ! getent passwd ${DNSMASQ_USER} >/dev/null; then
> - DNSMASQ_USER="dnsmasq"
> - fi
> - dnsmasq $LXC_DOMAIN_ARG -u ${DNSMASQ_USER} --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
> - touch ${varrun}/network_up
> -}
> -
> -stop() {
> - [ -f /etc/default/lxc ] && . /etc/default/lxc
> - [ -f "${varrun}/network_up" ] || exit 0;
> - # if $LXC_BRIDGE has attached interfaces, don't shut it down
> - ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;
> -
> - if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> - use_iptables_lock="-w"
> - iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> - ifconfig ${LXC_BRIDGE} down
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> - iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> - iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> - iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> - iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> - pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
> - rm -f ${varrun}/dnsmasq.pid
> - brctl delbr ${LXC_BRIDGE}
> - fi
> - rm -f ${varrun}/network_up
> -}
> -
> -if [ "$1" = start ]; then
> - start
> -elif [ "$1" = stop ]; then
> - stop
> -else
> - echo "Usage: $0 start|stop" >&2
> - exit 1
> -fi
> -
> --
> 1.9.1
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com