On Fri, Dec 13, 2013 at 12:46:28PM -0600, Serge Hallyn wrote: > Currently if no lxc.network.type section is in the container > configuration, the container ends up sharing the host's network. > This is a dangerous default. > > Instead, add 'lxc.network.type = none' as a valid type, and make > an empty network the default. > > If none as well as another network type are specified, then the > none type will be ignored. >
Sounds good. I'll have to be careful when landing the new LXC next week to have a matching upload of lxc-android-config for Ubuntu Touch, otherwise the Android container will loose access to the host's network (which would be quite bad in that specific case...) Acked-by: Stéphane Graber <[email protected]> > Signed-off-by: Serge Hallyn <[email protected]> > --- > src/lxc/conf.c | 39 +++++++++++++++++++++++++++++++++++++++ > src/lxc/conf.h | 2 ++ > src/lxc/confile.c | 2 ++ > src/lxc/start.c | 5 +++-- > 4 files changed, 46 insertions(+), 2 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 8206146..c8f0f7d 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -171,6 +171,7 @@ static int instanciate_macvlan(struct lxc_handler *, > struct lxc_netdev *); > static int instanciate_vlan(struct lxc_handler *, struct lxc_netdev *); > static int instanciate_phys(struct lxc_handler *, struct lxc_netdev *); > static int instanciate_empty(struct lxc_handler *, struct lxc_netdev *); > +static int instanciate_none(struct lxc_handler *, struct lxc_netdev *); > > static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = { > [LXC_NET_VETH] = instanciate_veth, > @@ -178,6 +179,7 @@ static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + > 1] = { > [LXC_NET_VLAN] = instanciate_vlan, > [LXC_NET_PHYS] = instanciate_phys, > [LXC_NET_EMPTY] = instanciate_empty, > + [LXC_NET_NONE] = instanciate_none, > }; > > static int shutdown_veth(struct lxc_handler *, struct lxc_netdev *); > @@ -185,6 +187,7 @@ static int shutdown_macvlan(struct lxc_handler *, struct > lxc_netdev *); > static int shutdown_vlan(struct lxc_handler *, struct lxc_netdev *); > static int shutdown_phys(struct lxc_handler *, struct lxc_netdev *); > static int shutdown_empty(struct lxc_handler *, struct lxc_netdev *); > +static int shutdown_none(struct lxc_handler *, struct lxc_netdev *); > > static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = { > [LXC_NET_VETH] = shutdown_veth, 
> @@ -192,6 +195,7 @@ static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE > + 1] = { > [LXC_NET_VLAN] = shutdown_vlan, > [LXC_NET_PHYS] = shutdown_phys, > [LXC_NET_EMPTY] = shutdown_empty, > + [LXC_NET_NONE] = shutdown_none, > }; > > static struct mount_opt mount_opt[] = { > @@ -2911,6 +2915,12 @@ static int shutdown_phys(struct lxc_handler *handler, > struct lxc_netdev *netdev) > return 0; > } > > +static int instanciate_none(struct lxc_handler *handler, struct lxc_netdev > *netdev) > +{ > + netdev->ifindex = 0; > + return 0; > +} > + > static int instanciate_empty(struct lxc_handler *handler, struct lxc_netdev > *netdev) > { > netdev->ifindex = 0; > @@ -2937,6 +2947,35 @@ static int shutdown_empty(struct lxc_handler *handler, > struct lxc_netdev *netdev > return 0; > } > > +static int shutdown_none(struct lxc_handler *handler, struct lxc_netdev > *netdev) > +{ > + return 0; > +} > + > +int lxc_requests_empty_network(struct lxc_handler *handler) > +{ > + struct lxc_list *network = &handler->conf->network; > + struct lxc_list *iterator; > + struct lxc_netdev *netdev; > + bool found_none = false, found_nic = false; > + > + if (lxc_list_empty(network)) > + return 0; > + > + lxc_list_for_each(iterator, network) { > + > + netdev = iterator->elem; > + > + if (netdev->type == LXC_NET_NONE) > + found_none = true; > + else > + found_nic = true; > + } > + if (found_none && !found_nic) > + return 1; > + return 0; > +} > + > int lxc_create_network(struct lxc_handler *handler) > { > struct lxc_list *network = &handler->conf->network; > diff --git a/src/lxc/conf.h b/src/lxc/conf.h > index f272c91..f1e0903 100644 > --- a/src/lxc/conf.h > +++ b/src/lxc/conf.h > @@ -45,6 +45,7 @@ enum { > LXC_NET_MACVLAN, > LXC_NET_PHYS, > LXC_NET_VLAN, > + LXC_NET_NONE, > LXC_NET_MAXCONFTYPE, > }; 
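Review bot: The name `lxc_requests_empty_network` reads as if it tested for the `empty` network type, but the body returns 1 only when every configured netdev is `LXC_NET_NONE`, i.e. when the container asks to keep the host's network namespace, which is the opposite of what `LXC_NET_EMPTY` provides. A header comment on the definition would spare the next reader that confusion, e.g. `/* Return 1 if every lxc.network.type entry is 'none', i.e. the container must stay in the host's network namespace; 0 for an empty list or when any other netdev type is present. */`. The mixed case (`none` next to another type) is dropped without a trace here although the commit message says it is ignored; a `WARN("lxc.network.type = none ignored, other network types are configured");` in the `found_none && found_nic` case would make that decision visible in the container log. `lxc_create_network` begins at the end of this hunk and its body continues outside it.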
> > @@ -337,6 +338,7 @@ extern void lxc_conf_free(struct lxc_conf *conf); > > extern int pin_rootfs(const char *rootfs); > > +extern int lxc_requests_empty_network(struct lxc_handler *handler); > extern int lxc_create_network(struct lxc_handler *handler); > extern void lxc_delete_network(struct lxc_handler *handler); > extern int lxc_assign_network(struct lxc_list *networks, pid_t pid); > diff --git a/src/lxc/confile.c b/src/lxc/confile.c > index 732a81a..19ea72a 100644 > --- a/src/lxc/confile.c > +++ b/src/lxc/confile.c > @@ -334,6 +334,8 @@ static int config_network_type(const char *key, const > char *value, > netdev->type = LXC_NET_PHYS; > else if (!strcmp(value, "empty")) > netdev->type = LXC_NET_EMPTY; > + else if (!strcmp(value, "none")) > + netdev->type = LXC_NET_NONE; > else { > ERROR("invalid network type %s", value); > return -1; > diff --git a/src/lxc/start.c b/src/lxc/start.c > index 0727c2c..251bd26 100644 > --- a/src/lxc/start.c > +++ b/src/lxc/start.c > @@ -734,10 +734,11 @@ int lxc_spawn(struct lxc_handler *handler) > } > > if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) { > - if (!lxc_list_empty(&handler->conf->network)) { > - > + if (!lxc_requests_empty_network(handler)) > handler->clone_flags |= CLONE_NEWNET; > > + if (!lxc_list_empty(&handler->conf->network)) { > + > /* Find gateway addresses from the link device, which is > * no longer accessible inside the container. Do this > * before creating network interfaces, since goto > -- > 1.8.5.1 > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
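Review bot: The new `if (!lxc_requests_empty_network(handler))` in lxc_spawn leaves CLONE_NEWNET unset without any log line, so the one configuration that keeps the container in the host's network namespace — the situation the commit message itself calls dangerous — is invisible in the container log. Recording the decision would give operators something to audit, e.g. `else INFO("lxc.network.type = none, keeping the host's network namespace");` after the brace-less `if`, and bracing that `if` would match the block-style conditions around it. The enclosing `if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1)` block and the gateway lookup under `!lxc_list_empty(&handler->conf->network)` continue outside the hunk, so whether an empty list now reaches any code that assumes at least one netdev cannot be confirmed from here and is worth a check.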
