[lxc-users] Problem with lxc.network.script...

PONCET Anthony ff240 at msn.com
Thu Jan 29 11:53:47 UTC 2015 

Le 29/01/2015 12:30, Serge Hallyn a écrit :
> Quoting PONCET Anthony (ff240 at msn.com):
>> Dear,
>> I'm using LXC on Ubuntu 14.04 (version : 1.0.7), with unprivileged
>> containers.
>> I try to use the lxc.network.script.up and lxc.network.script.down
>> for allow one container in my firewall (iptables/ip6tables).
>> I've allowed a user to execute /sbin/iptables and /sbin/ip6tables
>> with sudo, and if I run my script manually, it run without problem.
>> But when I started my container, my script doesn't run (I added
>> "echo "test" >> test.log" on top of the script and test.log never
>> created, and no rules added to iptables).
>> I used the veth network mode, and I added my user in /etc/lxc/lxc-usernet.
>> I define the lxc.logfile and lxc.loglevel = 1 but not error are logged.
>> Do you have an idea to solve my problem?
> Can you please show the exact commands you used to create and
> start the container, the container config file, the script
> contents, and the script file owner/mode (ls -l output)?
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
Yes,
lxc-create -t download -n ct_name -- -d ubuntu -r trusty -a amd64

user at host:~$ cat .local/share/lxc/ct_name/config
# Template used to create this container: 
/usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Distribution configuration
lxc.logfile = /home/user/lxc.log
lxc.loglevel = 1

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 X00000 65536
lxc.id_map = g 0 X00000 65536
lxc.rootfs = /home/user/.local/share/lxc/ct_name/rootfs
lxc.utsname = host_name

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = XX...
lxc.network.script.up = /home/user/network/add_vm.sh
lxc.network.script.down = /home/user/network/rm_vm.sh

add_vm.sh :
#!/bin/bash

# log
echo $1 $2 $3 $4 $5 >> /home/user/test.log
# Création de la chaîne ipv4
sudo /sbin/iptables -N $1
# Création de la chaîne ipv6
sudo /sbin/ip6tables -N $1
# Ajout des règles de base.
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in em1 
--physdev-out $5 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in em1 
--physdev-out $5 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in em1 
--physdev-out $5 -p tcp ! --syn  -m state --state NEW -j REJECT 
--reject-with tcp-reset
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in em1 
--physdev-out $5 -p tcp ! --syn  -m state --state NEW -j REJECT 
--reject-with tcp-reset
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in em1 
--physdev-out $5 -m state --state INVALID -j DROP
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in em1 
--physdev-out $5 -m state --state INVALID -j DROP
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p tcp ! --syn  -m state --state NEW -j REJECT 
--reject-with tcp-reset
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p tcp ! --syn  -m state --state NEW -j REJECT 
--reject-with tcp-reset
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -m state --state INVALID -j DROP
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -m state --state INVALID -j DROP

#Autorisation dns en sortie.
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p udp --dport 53 -j ACCEPT
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p udp --dport 53 -j ACCEPT

# Autorisation http et https en sortie.
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p tcp --dport 80 -j ACCEPT
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p tcp --dport 443 -j ACCEPT
sudo /sbin/ip6tables -A $1 -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -p tcp --dport 443 -j ACCEPT

# Ajout de la règles de redirection dans la chaîne FORWARD
sudo /sbin/iptables -I FORWARD -i br0 -o br0 -m physdev --physdev-in em1 
--physdev-out $5 -j $1
sudo /sbin/ip6tables -I FORWARD -i br0 -o br0 -m physdev --physdev-in 
em1 --physdev-out $5 -j $1
sudo /sbin/iptables -I FORWARD -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -j $1
sudo /sbin/ip6tables -I FORWARD -i br0 -o br0 -m physdev --physdev-in $5 
--physdev-out em1 -j $1


user at host:~/network$ ls -l
total 8
-rwxrwxrwx 1 user user 3049 janv. 29 10:55 add_vm.sh
-rwxrwxrwx 1 user user  508 janv. 29 09:59 rm_vm.sh


I'm trying 755, 700, 770, 775, and 777 without more result.

I've replaced value of user, host and container name, because it's 
similar for all containers.

More information about the lxc-users mailing list