- On unprivileged veth network creation have lxc-user-nic send the names of the
veth devices and their respective ifindices. The advantage of retrieving this
information from lxc-user-nic is that we spare us sending around more stuff
via the netpipe in start.c. Also, lxc-user-nic operates in both namespaces
(the container's namespace and the host's namespace) via setns and so is
guaranteed to retrieve the correct ifindex via if_nametoindex() which is a
network namespace aware ioctl() call. While I'm pretty sure the ifindices for
veth devices are identical across network namespaces I'm wary to rely on
this. We need the ifindices to guarantee safe deletion of unprivileged
network devices via lxc-user-nic later on since we use them to identify the
network devices in their corresponding network namespaces.
- Move the network device logging from the child to the parent. The child does
not have all of the information about the network devices available, only the
few bits it actually needs to know. The monitor process is the only process
that needs all this information.
- The network creation code for privileged and unprivileged networks was
previously mangled into one single function but at the same time some of the
privileged code had additional functions that were called in other places in
start.c. Let's divide and conquer and split out the privileged and
unprivileged network creation into completely separate functions. This makes
what's happening way more clear. This will also have no performance impact
since either you are privileged and only execute the privileged network
creation functions or you are unprivileged and only execute the unprivileged
network creation functions.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>