From: Martin Pitt Date: Thu, 31 Jul 2014 06:53:51 +0000 (+0200) Subject: Move lxcbr0 setup logic into lxc.net script X-Git-Tag: lxc-1.1.0.alpha2~111 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ed776214a3c2b63c87c028582e68a881d5e2a46;p=thirdparty%2Flxc.git Move lxcbr0 setup logic into lxc.net script Factor this out of the lxc-net.conf upstart job, so that it can be used by init.d scripts and systemd units, too. Part of https://launchpad.net/bugs/1312532 Signed-off-by: Martin Pitt Acked-by: Serge E. Hallyn --- diff --git a/config/init/upstart/lxc-net.conf b/config/init/upstart/lxc-net.conf index 279cd1eeb..38f6ea3d3 100644 --- a/config/init/upstart/lxc-net.conf +++ b/config/init/upstart/lxc-net.conf @@ -4,89 +4,5 @@ author "Serge Hallyn " start on starting lxc stop on stopped lxc -env USE_LXC_BRIDGE="true" -env LXC_BRIDGE="lxcbr0" -env LXC_ADDR="10.0.3.1" -env LXC_NETMASK="255.255.255.0" -env LXC_NETWORK="10.0.3.0/24" -env LXC_DHCP_RANGE="10.0.3.2,10.0.3.254" -env LXC_DHCP_MAX="253" -env LXC_DHCP_CONFILE="" -env varrun="/run/lxc" -env LXC_DOMAIN="" - -pre-start script - [ -f /etc/default/lxc ] && . /etc/default/lxc - - [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; } - - use_iptables_lock="-w" - iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" - cleanup() { - # dnsmasq failed to start, clean up the bridge - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT - iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT - iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT - iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true - iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill - ifconfig ${LXC_BRIDGE} down || true - brctl delbr ${LXC_BRIDGE} || true - } - - if [ -d /sys/class/net/${LXC_BRIDGE} ]; then - if [ ! -f ${varrun}/network_up ]; then - # bridge exists, but we didn't start it - stop; - fi - exit 0; - fi - - # set up the lxc network - brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; } - echo 1 > /proc/sys/net/ipv4/ip_forward - mkdir -p ${varrun} - ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT - iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT - iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT - iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT - iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE - iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill - - LXC_DOMAIN_ARG="" - if [ -n "$LXC_DOMAIN" ]; then - LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/" - fi - dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup - touch ${varrun}/network_up -end script - -post-stop script - [ -f /etc/default/lxc ] && . /etc/default/lxc - [ -f "${varrun}/network_up" ] || exit 0; - # if $LXC_BRIDGE has attached interfaces, don't shut it down - ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0; - - if [ -d /sys/class/net/${LXC_BRIDGE} ]; then - use_iptables_lock="-w" - iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" - ifconfig ${LXC_BRIDGE} down - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT - iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT - iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT - iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT - iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true - iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill - pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true - rm -f ${varrun}/dnsmasq.pid - brctl delbr ${LXC_BRIDGE} - fi - rm -f ${varrun}/network_up -end script +pre-start exec /usr/share/lxc/lxc.net start +post-stop exec /usr/share/lxc/lxc.net stop diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index cdc6833fb..ee74e3c5b 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -255,6 +255,7 @@ endif install-exec-local: install-soPROGRAMS mkdir -p $(DESTDIR)$(datadir)/lxc install -c -m 644 lxc.functions $(DESTDIR)$(datadir)/lxc + install -c -m 755 lxc.net $(DESTDIR)$(datadir)/lxc mv $(DESTDIR)$(libdir)/liblxc.so $(DESTDIR)$(libdir)/liblxc.so.$(VERSION) cd $(DESTDIR)$(libdir); \ ln -sf liblxc.so.$(VERSION) liblxc.so.$(firstword $(subst ., ,$(VERSION))); \ diff --git a/src/lxc/lxc.net b/src/lxc/lxc.net new file mode 100755 index 000000000..5ea4f1d43 --- /dev/null +++ b/src/lxc/lxc.net @@ -0,0 +1,99 @@ +#!/bin/sh +set -eu + +USE_LXC_BRIDGE="true" +LXC_BRIDGE="lxcbr0" +LXC_ADDR="10.0.3.1" +LXC_NETMASK="255.255.255.0" +LXC_NETWORK="10.0.3.0/24" +LXC_DHCP_RANGE="10.0.3.2,10.0.3.254" +LXC_DHCP_MAX="253" +LXC_DHCP_CONFILE="" +varrun="/run/lxc" +LXC_DOMAIN="" + +start() { + [ -f /etc/default/lxc ] && . /etc/default/lxc + + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; } + + use_iptables_lock="-w" + iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" + cleanup() { + # dnsmasq failed to start, clean up the bridge + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT + iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT + iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT + iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true + iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill + ifconfig ${LXC_BRIDGE} down || true + brctl delbr ${LXC_BRIDGE} || true + } + + if [ -d /sys/class/net/${LXC_BRIDGE} ]; then + if [ ! -f ${varrun}/network_up ]; then + # bridge exists, but we didn't start it + stop; + fi + exit 0; + fi + + # set up the lxc network + brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; } + echo 1 > /proc/sys/net/ipv4/ip_forward + mkdir -p ${varrun} + ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT + iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT + iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT + iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT + iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE + iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill + + LXC_DOMAIN_ARG="" + if [ -n "$LXC_DOMAIN" ]; then + LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/" + fi + dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup + touch ${varrun}/network_up +} + +stop() { + [ -f /etc/default/lxc ] && . /etc/default/lxc + [ -f "${varrun}/network_up" ] || exit 0; + # if $LXC_BRIDGE has attached interfaces, don't shut it down + ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0; + + if [ -d /sys/class/net/${LXC_BRIDGE} ]; then + use_iptables_lock="-w" + iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" + ifconfig ${LXC_BRIDGE} down + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT + iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT + iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT + iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT + iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true + iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill + pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true + rm -f ${varrun}/dnsmasq.pid + brctl delbr ${LXC_BRIDGE} + fi + rm -f ${varrun}/network_up +} + +if [ "$1" = start ]; then + start +elif [ "$1" = stop ]; then + stop +else + echo "Usage: $0 start|stop" >&2 + exit 1 +fi +