From: Serge Hallyn Date: Fri, 13 Dec 2013 18:46:28 +0000 (-0600) Subject: make 'empty network' the default X-Git-Tag: lxc-1.0.0.beta1~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26b797f3d29a4588c79d6b5ff77898d779b643f0;p=thirdparty%2Flxc.git make 'empty network' the default Currently if no lxc.network.type section is in the container configuration, the container ends up sharing the host's network. This is a dangerous default. Instead, add 'lxc.network.type = none' as a valid type, and make en empty network the default. If none as well as another network type are specified, then the none type will be ignored. Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 820614641..c8f0f7d1c 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -171,6 +171,7 @@ static int instanciate_macvlan(struct lxc_handler *, struct lxc_netdev *);
 static int instanciate_vlan(struct lxc_handler *, struct lxc_netdev *);
 static int instanciate_phys(struct lxc_handler *, struct lxc_netdev *);
 static int instanciate_empty(struct lxc_handler *, struct lxc_netdev *);
+static int instanciate_none(struct lxc_handler *, struct lxc_netdev *);
 static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
 [LXC_NET_VETH] = instanciate_veth,
@@ -178,6 +179,7 @@ static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
 [LXC_NET_VLAN] = instanciate_vlan,
 [LXC_NET_PHYS] = instanciate_phys,
 [LXC_NET_EMPTY] = instanciate_empty,
+ [LXC_NET_NONE] = instanciate_none,
 };
 static int shutdown_veth(struct lxc_handler *, struct lxc_netdev *);
@@ -185,6 +187,7 @@ static int shutdown_macvlan(struct lxc_handler *, struct lxc_netdev *);
 static int shutdown_vlan(struct lxc_handler *, struct lxc_netdev *);
 static int shutdown_phys(struct lxc_handler *, struct lxc_netdev *);
 static int shutdown_empty(struct lxc_handler *, struct lxc_netdev *);
+static int shutdown_none(struct lxc_handler *, struct lxc_netdev *);
 static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
 [LXC_NET_VETH] = shutdown_veth,
@@ -192,6 +195,7 @@ static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
 [LXC_NET_VLAN] = shutdown_vlan,
 [LXC_NET_PHYS] = shutdown_phys,
 [LXC_NET_EMPTY] = shutdown_empty,
+ [LXC_NET_NONE] = shutdown_none,
 };
 static struct mount_opt mount_opt[] = {
@@ -2911,6 +2915,12 @@ static int shutdown_phys(struct lxc_handler *handler, struct lxc_netdev *netdev)
 return 0;
 }
+static int instanciate_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
+{
+ netdev->ifindex = 0;
+ return 0;
+}
+
 static int instanciate_empty(struct lxc_handler *handler, struct lxc_netdev *netdev)
 {
 netdev->ifindex = 0;
@@ -2937,6 +2947,35 @@ static int shutdown_empty(struct lxc_handler *handler, struct lxc_netdev *netdev
 return 0;
 }
+static int shutdown_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
+{
+ return 0;
+}
+
+int lxc_requests_empty_network(struct lxc_handler *handler)
+{
+ struct lxc_list *network = &handler->conf->network;
+ struct lxc_list *iterator;
+ struct lxc_netdev *netdev;
+ bool found_none = false, found_nic = false;
+
+ if (lxc_list_empty(network))
+ return 0;
+
+ lxc_list_for_each(iterator, network) {
+
+ netdev = iterator->elem;
+
+ if (netdev->type == LXC_NET_NONE)
+ found_none = true;
+ else
+ found_nic = true;
+ }
+ if (found_none && !found_nic)
+ return 1;
+ return 0;
+}
+
 int lxc_create_network(struct lxc_handler *handler)
 {
 struct lxc_list *network = &handler->conf->network;
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index f272c91c4..f1e09035e 100644
--- a/src/lxc/conf.h
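Review bot: instanciate_none is a line-for-line copy of instanciate_empty (both set `netdev->ifindex = 0;` and return 0), so the netdev_conf table could point LXC_NET_NONE at instanciate_empty unless a distinct callback is deliberately kept as a hook for the two types to diverge; if it is kept, say so above it: `/* 'none' keeps the host's netns: nothing to create, kept separate from 'empty' so the two types can diverge */`. The handler parameter is unused, as it already is in instanciate_empty. Whatever later consumes ifindex == 0 for this netdev is outside the hunk; since a 'none' container is not given CLONE_NEWNET, any per-netdev setup that treats ifindex 0 as "configure loopback" would act on the host's loopback device, which is worth confirming is a no-op for LXC_NET_NONE.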
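Review bot: lxc_requests_empty_network returns 1 exactly when the container should *not* get its own network namespace (every configured netdev is `lxc.network.type = none`), which is the opposite of what the name and the existing LXC_NET_EMPTY type (a fresh, empty namespace) suggest, and the function has no comment. A header comment should pin the contract: `/* Returns 1 if every configured netdev is LXC_NET_NONE, i.e. the container keeps the host's network namespace; 0 if the list is empty or any other type (including 'empty') is present. */` — or rename it to something like lxc_requests_host_network at the prototype and the start.c call site. Silently dropping 'none' when another type is present, as the commit message describes, means a user who added 'none' to opt out of a namespace gets one anyway with no diagnostic; logging that after the loop, e.g. `if (found_none && found_nic) WARN("lxc.network.type = none ignored because other network types are configured");`, makes the outcome visible (assuming the WARN macro used elsewhere in lxc is in scope in conf.c, which this hunk does not show).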
+++ b/src/lxc/conf.h
@@ -45,6 +45,7 @@ enum {
 LXC_NET_MACVLAN,
 LXC_NET_PHYS,
 LXC_NET_VLAN,
+ LXC_NET_NONE,
 LXC_NET_MAXCONFTYPE,
 };
@@ -337,6 +338,7 @@ extern void lxc_conf_free(struct lxc_conf *conf);
 extern int pin_rootfs(const char *rootfs);
+extern int lxc_requests_empty_network(struct lxc_handler *handler);
 extern int lxc_create_network(struct lxc_handler *handler);
 extern void lxc_delete_network(struct lxc_handler *handler);
 extern int lxc_assign_network(struct lxc_list *networks, pid_t pid);
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 732a81ab1..19ea72a8f 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -334,6 +334,8 @@ static int config_network_type(const char *key, const char *value,
 netdev->type = LXC_NET_PHYS;
 else if (!strcmp(value, "empty"))
 netdev->type = LXC_NET_EMPTY;
+ else if (!strcmp(value, "none"))
+ netdev->type = LXC_NET_NONE;
 else {
 ERROR("invalid network type %s", value);
 return -1;
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 0727c2ce7..251bd26bb 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -734,10 +734,11 @@ int lxc_spawn(struct lxc_handler *handler)
 }
 if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
- if (!lxc_list_empty(&handler->conf->network)) {
-
+ if (!lxc_requests_empty_network(handler))
 handler->clone_flags |= CLONE_NEWNET;
+ if (!lxc_list_empty(&handler->conf->network)) {
+
 /* Find gateway addresses from the link device, which is
 * no longer accessible inside the container. Do this
 * before creating network interfaces, since goto
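Review bot: `none` becomes a user-facing value of lxc.network.type here, and it is the one value that disables network-namespace isolation, yet none of the four files this commit touches is the lxc.conf man page source; unless that is handled in a separate commit, the configuration documentation should gain an entry stating that `none` shares the host's network namespace and is ignored when any other type is also configured. A one-line comment above the new branch, `/* none: run in the host's network namespace (no CLONE_NEWNET) */`, would also help readers who only see this parser, since LXC_NET_NONE and LXC_NET_EMPTY are easy to confuse. config_network_type starts and ends outside the hunk.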
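Review bot: the new condition reads inverted at this call site — `if (!lxc_requests_empty_network(handler))` is what grants a new network namespace — and nothing records the case where it is withheld, even though that case leaves the container with full access to the host's network stack. An `else INFO("lxc.network.type = none: sharing the host's network namespace");` would leave an audit trail in the container log (assuming the INFO macro used elsewhere in lxc is in scope in start.c, which the hunk does not show), and a one-line comment such as `/* only 'none' netdevs configured: keep the host's netns */` explains the double negative. Note that the following `lxc_list_empty` block still runs in the 'none' case because the list is not empty, so the gateway lookup and interface creation the comment refers to happen in the host namespace; that is harmless only as long as every netdev really is LXC_NET_NONE, which lxc_requests_empty_network's all-or-nothing check guarantees. lxc_spawn continues outside the hunk.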