[lxc-devel] [PATCH] lxc-net: Rework/cleanup

Stéphane Graber stgraber at ubuntu.com
Mon Apr 27 06:58:33 UTC 2015


On Mon, Apr 27, 2015 at 03:28:29AM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > This updates lxc-net with the following changes:
> >  - Better recover from crashes/partial runs
> >  - Better error detection and reporting
> >  - Less code duplication (use the stop code on crash)
> >  - Better state tracking
> >  - Allow for restart of all of lxc-net except for the bridge itself
> >  - Only support iproute from this point on (ifconfig's been deprecated
> >    for years)
> > 
> > Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
> 
> Thanks - hopefully this will improve the lxc-net robustness under
> systemd for me.
> 
> > ---
> >  config/init/common/lxc-net.in | 101 +++++++++++++++---------------------------
> >  1 file changed, 36 insertions(+), 65 deletions(-)
> > 
> > diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
> > index ea115a4..700ff82 100644
> > --- a/config/init/common/lxc-net.in
> > +++ b/config/init/common/lxc-net.in
> > @@ -1,11 +1,10 @@
> >  #!/bin/sh -
> >  
> >  distrosysconfdir="@LXC_DISTRO_SYSCONF@"
> > -localstatedir="@LOCALSTATEDIR@"
> >  varrun="@RUNTIME_PATH@/lxc"
> >  
> > -# These can be overridden in @LXC_DISTRO_SYSCONF@/lxc
> > -#   or in @LXC_DISTRO_SYSCONF@/lxc-net
> > +# These can be overridden in /etc/default/lxc
> > +#   or in /etc/default/lxc-net
> 
> This isn't described in the changelog.  Why are you changing this
> to hardcode the path?  (It's a lot easier to read this way, that's
> for sure)

Oops.

I usually iterate by modifying my local copy and then re-apply the
template variables; it looks like I forgot those lines. Will send a V2.

> 
> Otherwise looks good to me
> 
> >  
> >  USE_LXC_BRIDGE="true"
> >  LXC_BRIDGE="lxcbr0"
> > @@ -24,11 +23,8 @@ LXC_IPV6_NAT="false"
> >  
> >  [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc
> >  
> > -if [ -d "$localstatedir"/lock/subsys ]; then
> > -    lockdir="$localstatedir"/lock/subsys
> > -else
> > -    lockdir="$localstatedir"/lock
> > -fi
> > +use_iptables_lock="-w"
> > +iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> >  
> >  _netmask2cidr ()
> >  {
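Review bot: The top-level probe `iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""` folds every failure into "no -w support": a missing iptables binary, or a run without the privilege to list the filter table, both silently drop the lock flag and only surface later as confusing rule add/delete errors. Since better error reporting is a stated goal of the patch, check for the binary first, `command -v iptables >/dev/null 2>&1 || { echo "lxc-net: iptables not found" >&2; exit 1; }`, and keep the `-w` probe only for detecting lock support. The probe now runs at script load for every action, including ones that never touch iptables; that is cheap but deserves a comment such as `# detect iptables --wait support once, shared by start and stop`.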
> > @@ -40,67 +36,43 @@ _netmask2cidr ()
> >  }
> >  
> >  ifdown() {
> > -    which ip >/dev/null 2>&1
> > -    if [ $? = 0 ]; then
> > -        ip link set dev $1 down
> > -        return
> > -    fi
> > -    which ifconfig >/dev/null 2>&1
> > -    if [ $? = 0 ]; then
> > -        ifconfig $1 down
> > -        return
> > -    fi
> > +    ip addr flush dev $1
> > +    ip link set dev $1 down
> >  }
> >  
> >  ifup() {
> > -    which ip >/dev/null 2>&1
> > -    if [ $? = 0 ]; then
> > -        MASK=`_netmask2cidr ${LXC_NETMASK}`
> > -        CIDR_ADDR="${LXC_ADDR}/${MASK}"
> > -        ip addr add ${CIDR_ADDR} dev $1
> > -        ip link set dev $1 up
> > -        return
> > -    fi
> > -    which ifconfig >/dev/null 2>&1
> > -    if [ $? = 0 ]; then
> > -        ifconfig $1 $2 netmask $3 up
> > -        return
> > -    fi
> > +    MASK=`_netmask2cidr ${LXC_NETMASK}`
> > +    CIDR_ADDR="${LXC_ADDR}/${MASK}"
> > +    ip addr add ${CIDR_ADDR} dev $1
> > +    ip link set dev $1 up
> >  }
> >  
> >  start() {
> > -    [ ! -f "${lockdir}"/lxc-net ] || { exit 0; }
> > -
> >      [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
> >  
> > -    use_iptables_lock="-w"
> > -    iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> > -    cleanup() {
> > -        # dnsmasq failed to start, clean up the bridge
> > -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> > -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> > -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> > -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> > -        iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> > -        iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> > -        iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> > -        iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > +    [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; }
> >  
> > -        if [ "$LXC_IPV6_NAT" = "true" ]; then
> > -            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE || true
> > -        fi
> > +    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> > +        stop force || true
> > +    fi
> >  
> > -        ifdown ${LXC_BRIDGE}
> > -        brctl delbr ${LXC_BRIDGE} || true
> > +    FAILED=1
> > +
> > +    cleanup() {
> > +        set +e
> > +        if [ "$FAILED" = "1" ]; then
> > +            echo "Failed to setup lxc-net." >&2
> > +            stop force
> > +        fi
> >      }
> >  
> > -    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> > -        exit 0;
> > -    fi
> > +    trap cleanup EXIT HUP INT TERM
> > +    set -e
> >  
> >      # set up the lxc network
> > -    brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
> > +    [ ! -d /sys/class/net/${LXC_BRIDGE} ] && brctl addbr ${LXC_BRIDGE}
> >      echo 1 > /proc/sys/net/ipv4/ip_forward
> > +    echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad || true
> >  
> >      # if we are run from systemd on a system with selinux enabled,
> >      # the mkdir will create /run/lxc as init_var_run_t which dnsmasq
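Review bot: The handler registered by `trap cleanup EXIT HUP INT TERM` does not terminate the script, so under `/bin/sh` a signal delivered during setup runs `stop force` and may then resume the rest of start(), with cleanup running a second time at EXIT. Register the signals so that they exit: `trap 'cleanup; exit 1' HUP INT TERM` alongside `trap cleanup EXIT`. The diagnostic in `[ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; }` goes to stdout, while the new failure message in cleanup goes to stderr; make it `echo "lxc-net is already running" >&2` for consistency. start() continues past the end of this hunk.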
> > @@ -146,21 +118,19 @@ start() {
> >              break
> >          fi
> >      done
> > +
> >      dnsmasq $LXC_DOMAIN_ARG -u ${DNSMASQ_USER} --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative $LXC_IPV6_ARG || cleanup
> > +
> >      touch "${varrun}"/network_up
> > -    touch "${lockdir}"/lxc-net
> > +    FAILED=0
> >  }
> >  
> >  stop() {
> >      [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
> >  
> > -    [ -f "${varrun}/network_up" ] || { exit 0; }
> > -    # if $LXC_BRIDGE has attached interfaces, don't shut it down
> > -    ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;
> > +    [ -f "${varrun}/network_up" ] || [ "$1" = "force" ] || { echo "lxc-net isn't running"; exit 1; }
> >  
> >      if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> > -        use_iptables_lock="-w"
> > -        iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> >          ifdown ${LXC_BRIDGE}
> >          iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> >          iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
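Review bot: The `|| cleanup` at the end of the dnsmasq line no longer aborts start(): cleanup now only tears things down with `stop force` and returns, so after a dnsmasq failure execution continues to `touch "${varrun}"/network_up` and `FAILED=0`, the script exits 0 reporting success, and the EXIT trap does nothing. With `set -e` and the EXIT trap already in place, drop the suffix so the line ends at `--dhcp-authoritative $LXC_IPV6_ARG`; the failed command then exits, the trap runs cleanup with FAILED still 1, and the error is reported. start() and the cleanup definition begin before this hunk.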
> > @@ -168,19 +138,20 @@ stop() {
> >          iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> >          iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> >          iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> > -        iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> > +        iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
> >          iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> >  
> >          if [ "$LXC_IPV6_NAT" = "true" ]; then
> > -            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE || true
> > +            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
> >          fi
> >  
> > -        pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
> > +        pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid
> >          rm -f "${varrun}"/dnsmasq.pid
> > -        brctl delbr ${LXC_BRIDGE}
> > +        # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge
> > +        ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 || brctl delbr ${LXC_BRIDGE}
> >      fi
> > +
> >      rm -f "${varrun}"/network_up
> > -    rm -f "${lockdir}"/lxc-net
> >  }
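Review bot: `pid=\`cat "${varrun}"/dnsmasq.pid 2>/dev/null\` && kill -9 $pid` signals whatever the pid file contains, with no check that the value is numeric or that the process is still the dnsmasq this script started; after the crash/partial-run recovery this commit targets, a stale file can name an unrelated process that reused the pid, and an empty file makes `kill` fail on a missing argument. Validate before signalling, `case "$pid" in ''|*[!0-9]*) ;; *) kill "$pid" ;; esac`, and send TERM first, keeping `-9` as a fallback only if the process does not go away. Since `|| true` was removed here, a comment such as `# stop is called under set +e from cleanup, so failures here are non-fatal` would document why that is safe.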
> >  
> >  # See how we were called.
> > -- 
> > 2.1.4
> > 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com