[lxc-devel] [PATCH] lxc-net: Rework/cleanup

Serge Hallyn serge.hallyn at ubuntu.com
Mon Apr 27 10:28:34 UTC 2015


Quoting Stéphane Graber (stgraber at ubuntu.com):
> This updates lxc-net with the following changes:
>  - Better recovery from crashes/partial runs
>  - Better error detection and reporting
>  - Less code duplication (use the stop code on crash)
>  - Better state tracking
>  - Allow for restart of all of lxc-net except for the bridge itself
>  - Only support iproute from this point on (ifconfig's been deprecated
>    for years)
> 
> V2: Use template variables everywhere
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  config/init/common/lxc-net.in | 97 +++++++++++++++----------------------------
>  1 file changed, 34 insertions(+), 63 deletions(-)
> 
> diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
> index ea115a4..9f50436 100644
> --- a/config/init/common/lxc-net.in
> +++ b/config/init/common/lxc-net.in
> @@ -1,7 +1,6 @@
>  #!/bin/sh -
>  
>  distrosysconfdir="@LXC_DISTRO_SYSCONF@"
> -localstatedir="@LOCALSTATEDIR@"
>  varrun="@RUNTIME_PATH@/lxc"
>  
>  # These can be overridden in @LXC_DISTRO_SYSCONF@/lxc
> @@ -24,11 +23,8 @@ LXC_IPV6_NAT="false"
>  
>  [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc
>  
> -if [ -d "$localstatedir"/lock/subsys ]; then
> -    lockdir="$localstatedir"/lock/subsys
> -else
> -    lockdir="$localstatedir"/lock
> -fi
> +use_iptables_lock="-w"
> +iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
>  
>  _netmask2cidr ()
>  {
> @@ -40,67 +36,43 @@ _netmask2cidr ()
>  }
>  
>  ifdown() {
> -    which ip >/dev/null 2>&1
> -    if [ $? = 0 ]; then
> -        ip link set dev $1 down
> -        return
> -    fi
> -    which ifconfig >/dev/null 2>&1
> -    if [ $? = 0 ]; then
> -        ifconfig $1 down
> -        return
> -    fi
> +    ip addr flush dev $1
> +    ip link set dev $1 down
>  }
>  
>  ifup() {
> -    which ip >/dev/null 2>&1
> -    if [ $? = 0 ]; then
> -        MASK=`_netmask2cidr ${LXC_NETMASK}`
> -        CIDR_ADDR="${LXC_ADDR}/${MASK}"
> -        ip addr add ${CIDR_ADDR} dev $1
> -        ip link set dev $1 up
> -        return
> -    fi
> -    which ifconfig >/dev/null 2>&1
> -    if [ $? = 0 ]; then
> -        ifconfig $1 $2 netmask $3 up
> -        return
> -    fi
> +    MASK=`_netmask2cidr ${LXC_NETMASK}`
> +    CIDR_ADDR="${LXC_ADDR}/${MASK}"
> +    ip addr add ${CIDR_ADDR} dev $1
> +    ip link set dev $1 up
>  }
>  
>  start() {
> -    [ ! -f "${lockdir}"/lxc-net ] || { exit 0; }
> -
>      [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
>  
> -    use_iptables_lock="-w"
> -    iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
> -    cleanup() {
> -        # dnsmasq failed to start, clean up the bridge
> -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
> -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
> -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
> -        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
> -        iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
> -        iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> -        iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> -        iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> +    [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; }
>  
> -        if [ "$LXC_IPV6_NAT" = "true" ]; then
> -            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE || true
> -        fi
> +    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> +        stop force || true
> +    fi
>  
> -        ifdown ${LXC_BRIDGE}
> -        brctl delbr ${LXC_BRIDGE} || true
> +    FAILED=1
> +
> +    cleanup() {
> +        set +e
> +        if [ "$FAILED" = "1" ]; then
> +            echo "Failed to setup lxc-net." >&2
> +            stop force
> +        fi
>      }
>  
> -    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> -        exit 0;
> -    fi
> +    trap cleanup EXIT HUP INT TERM
> +    set -e
>  
>      # set up the lxc network
> -    brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
> +    [ ! -d /sys/class/net/${LXC_BRIDGE} ] && brctl addbr ${LXC_BRIDGE}
>      echo 1 > /proc/sys/net/ipv4/ip_forward
> +    echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad || true
>  
>      # if we are run from systemd on a system with selinux enabled,
>      # the mkdir will create /run/lxc as init_var_run_t which dnsmasq
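Review bot: The handlers installed by `trap cleanup EXIT HUP INT TERM` do not end the script: after `cleanup` returns from a HUP/INT/TERM the shell either resumes `start` at the interrupted command or, under `set -e`, exits because the interrupted child failed (which of the two depends on the shell and on what was running, so treat it as to be verified), and in both cases the EXIT trap then runs `cleanup` and `stop force` a second time since `FAILED` is still 1. Making the signal handlers exit explicitly and the EXIT handler single-shot avoids the double teardown: `trap 'cleanup; exit 1' HUP INT TERM` next to `trap cleanup EXIT`, with `trap - EXIT` as the first line of `cleanup`. Note also that `set -e` in `start` and `set +e` in `cleanup` are process-wide, so they stay in effect for the dispatch code that runs after the function returns (outside this hunk), and the new `exit 1` on "lxc-net is already running" replaces the previous exit 0, which init integrations that treat a repeated start as a no-op may not expect; that message also goes to stdout rather than `>&2`. start() continues past the end of this hunk.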
> @@ -146,21 +118,19 @@ start() {
>              break
>          fi
>      done
> +
>      dnsmasq $LXC_DOMAIN_ARG -u ${DNSMASQ_USER} --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative $LXC_IPV6_ARG || cleanup
> +
>      touch "${varrun}"/network_up
> -    touch "${lockdir}"/lxc-net
> +    FAILED=0
>  }
>  
>  stop() {
>      [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
>  
> -    [ -f "${varrun}/network_up" ] || { exit 0; }
> -    # if $LXC_BRIDGE has attached interfaces, don't shut it down
> -    ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;
> +    [ -f "${varrun}/network_up" ] || [ "$1" = "force" ] || { echo "lxc-net isn't running"; exit 1; }
>  
>      if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
> -        use_iptables_lock="-w"
> -        iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
>          ifdown ${LXC_BRIDGE}
>          iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
>          iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
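Review bot: The `|| cleanup` on the dnsmasq line turns a dnsmasq start failure into a reported success: `cleanup` tears the network down via `stop force` and returns 0 (its last command is `rm -f`, and its `set +e` is shell-wide), so execution continues to `touch "${varrun}"/network_up` and `FAILED=0`, the EXIT trap then does nothing, and the script exits 0 leaving the `network_up` marker in place with no dnsmasq running. Since `set -e` is already on and the EXIT trap calls `cleanup` while `FAILED` is still 1, the suffix is redundant; replacing it with an explicit failure, `... --dhcp-authoritative $LXC_IPV6_ARG || exit 1`, makes the trap perform the teardown exactly once and the exit status reflect the failure. start() begins outside this hunk.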
> @@ -168,19 +138,20 @@ stop() {
>          iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
>          iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
>          iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
> -        iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
> +        iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
>          iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
>  
>          if [ "$LXC_IPV6_NAT" = "true" ]; then
> -            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE || true
> +            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
>          fi
>  
> -        pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
> +        pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid
>          rm -f "${varrun}"/dnsmasq.pid
> -        brctl delbr ${LXC_BRIDGE}
> +        # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge
> +        ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 || brctl delbr ${LXC_BRIDGE}
>      fi
> +
>      rm -f "${varrun}"/network_up
> -    rm -f "${lockdir}"/lxc-net
>  }
>  
>  # See how we were called.
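Review bot: The `kill -9 $pid` sends SIGKILL to whatever pid the file names without checking that it is still dnsmasq; after a crash the pid file can be stale and the number reused by an unrelated process, and this is now the default path rather than a best-effort one since `|| true` was dropped. Verify the target and prefer TERM: `pid=$(cat "${varrun}"/dnsmasq.pid 2>/dev/null) && [ "$(cat /proc/$pid/comm 2>/dev/null)" = dnsmasq ] && kill $pid`. Dropping `|| true` from the `-D` rule deletions does not change the function's status (`rm -f` is its last command, and `-e` is not in effect on the paths that reach `stop` from `start`, which run before its `set -e` or after `cleanup`'s `set +e`), but on partial state the failed deletions now print iptables errors during the `stop force` that `start` performs; checking each rule with `-C` before deleting, or redirecting the deletions' stderr in that path, would keep it quiet.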
> -- 
> 2.1.4
> 

