Re: [pve-devel] Request for improvement of Network handling regarding LXC

2017-07-20 Thread Tom Weber
On Thursday, 20.07.2017, 15:00 +0200, Wolfgang Bumiller wrote:
> On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote:
> > 
> > Hi there,
> > 
> > I'm currently evaluating the PVE environment as a replacement for my
> > custom KVM+LXC+DRBD setup I'm running so far.
> > 
> > Playing with (privileged) containers I figured that IP configuration is
> > always done from inside the container.
> > 
> > My usual setup is setting the (static) IP of the container from the
> > outside (and applying firewall rules) and dropping capabilities for the
> > container itself so this can't be changed from inside the container.
> > 
> > Currently this seems to be impossible with PVE as it comes.
> > 
> > Attached is a little patch that sets the IP from the 'outside' (if
> > defined as a static one). Once I manually add the lxc.cap.drop lines to
> > the CT config, I can't change this from the inside anymore.
> > 
> > It's only for IPv4 (can't test v6 on this setup) but I think it's
> > rather trivial to add this.
> > 
> > Unless you drop net_admin the CT will still be able to change
> > networking and behave like before - or work with DHCP.
> No objection to adding this as a separate option.
> 
> There's still the idea of adding feature flags to containers floating
> around (initially for allowing things like fuse or mounting of network
> shares (nfs, cifs)), and this would definitely be another useful flag
> to add.
> 
> Note that dropping net_admin also prevents containers from configuring
> their inner firewall or using tunnels/vpns/etc., so it would definitely
> need to be a separate option rather than a general change of behavior
> like in this patch, but you probably know that.

As far as I can see this patch alone wouldn't change the normal
behavior: 
step 1) lxc sets the IP from outside
step 2) container itself sets/overrides the IP from the inside.

Only if I manually add lxc.cap.drop = net_admin to the config of the
container it will prevent step 2.

Preventing the container from messing with networking/firewall settings
is exactly why I want/need this.

A feature switch for this (maybe even in the UI) would be nice too, but
that's far beyond my 2 days' knowledge of playing with pve :)

  Tom

___
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


Re: [pve-devel] Request for improvement of Network handling regarding LXC

2017-07-20 Thread Wolfgang Bumiller
On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote:
> Hi there,
> 
> I'm currently evaluating the PVE environment as a replacement for my
> custom KVM+LXC+DRBD setup I'm running so far.
> 
> Playing with (privileged) containers I figured that IP configuration is
> always done from inside the container.
> 
> My usual setup is setting the (static) IP of the container from the
> outside (and applying firewall rules) and dropping capabilities for the
> container itself so this can't be changed from inside the container.
> 
> Currently this seems to be impossible with PVE as it comes.
> 
> Attached is a little patch that sets the IP from the 'outside' (if
> defined as a static one). Once I manually add the lxc.cap.drop lines to
> the CT config, I can't change this from the inside anymore.
> 
> It's only for IPv4 (can't test v6 on this setup) but I think it's
> rather trivial to add this.
> 
> Unless you drop net_admin the CT will still be able to change
> networking and behave like before - or work with DHCP.

No objection to adding this as a separate option.

There's still the idea of adding feature flags to containers floating
around (initially for allowing things like fuse or mounting of network
shares (nfs, cifs)), and this would definitely be another useful flag
to add.

Note that dropping net_admin also prevents containers from configuring
their inner firewall or using tunnels/vpns/etc., so it would definitely
need to be a separate option rather than a general change of behavior
like in this patch, but you probably know that.

> Regards,
>   Tom
> 
> --- /usr/share/perl5/PVE/LXC.pm.orig  2017-07-20 12:03:52.949344829 +0200
> +++ /usr/share/perl5/PVE/LXC.pm   2017-07-20 14:12:09.022119871 +0200
> @@ -428,6 +428,11 @@
>   $raw .= "lxc.network.type = veth\n";
>   $raw .= "lxc.network.veth.pair = veth${vmid}i${ind}\n";
>   $raw .= "lxc.network.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
> + if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) {
> + $raw .= "lxc.network.ipv4 = $d->{ip}\n";
> + $raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if 
> defined($d->{gw});
> + $raw .= "lxc.network.flags = up\n" if defined($d->{ip});
> + }
>   $raw .= "lxc.network.name = $d->{name}\n" if defined($d->{name});
>   $raw .= "lxc.network.mtu = $d->{mtu}\n" if defined($d->{mtu});
>  }
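Review bot: the trailing `if defined($d->{ip})` on the `lxc.network.flags = up` line is redundant, since the enclosing `if (defined($d->{ip}) and ($d->{ip} ne "dhcp"))` already guarantees it; emit the flags line unconditionally inside the block. The bigger point is that this block changes behaviour for every container with a static `ip` instead of being opt-in, and on its own it enforces nothing: without a matching `lxc.cap.drop = net_admin` in the CT config the guest can still reconfigure the address from inside, as the reply above notes. It should sit behind a separate option that either also drops net_admin or makes clear that the host-side address is only a default. The hunk is also IPv4-only (no IPv6 counterpart), which at least belongs in the commit message.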

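The two steps Tom describes (the host writes the address into the LXC config, the guest may then override it unless net_admin is dropped) are easy to get half right: a static address in the config looks enforced but is not. The following is an added example, not code from the thread or from PVE; it mirrors the quoted hunk in Python (the redundant inner guard removed, an IPv4/CIDR check added), then audits a rendered config for exactly that gap. The `parse_net` key=value syntax, the `lxc.network.link` line and the sample values are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of a PVE-style net definition (hypothetical values).
SAMPLE_NET0 = "name=eth0,bridge=vmbr0,hwaddr=02:00:00:AA:BB:01,ip=192.168.1.10/24,gw=192.168.1.1"


def parse_net(value: str) -> Dict[str, str]:
    """Parse a comma-separated key=value string into a dict (assumed PVE net syntax)."""
    fields: Dict[str, str] = {}
    for item in value.split(","):
        key, _, val = item.partition("=")
        if key.strip():
            fields[key.strip()] = val.strip()
    return fields


def render_net(vmid: int, ind: int, d: Dict[str, str]) -> str:
    """Emit the lxc.network.* stanza for one interface, mirroring the quoted hunk."""
    raw = "lxc.network.type = veth\n"
    raw += f"lxc.network.veth.pair = veth{vmid}i{ind}\n"
    if "bridge" in d:
        # Assumed: the hunk does not show where PVE emits the link line.
        raw += f"lxc.network.link = {d['bridge']}\n"
    if "hwaddr" in d:
        raw += f"lxc.network.hwaddr = {d['hwaddr']}\n"
    ip = d.get("ip")
    if ip is not None and ip != "dhcp":
        # Added check, not in the patch: lxc.network.ipv4 takes an IPv4 address
        # with prefix, so anything else (a typo, another keyword) is rejected
        # instead of being written into the container config.
        try:
            ipaddress.IPv4Interface(ip)
        except ValueError as exc:
            raise ValueError(f"static ip must be IPv4/CIDR, got {ip!r}") from exc
        raw += f"lxc.network.ipv4 = {ip}\n"
        if "gw" in d:
            raw += f"lxc.network.ipv4.gateway = {d['gw']}\n"
        # The patch's extra `if defined($d->{ip})` is redundant here.
        raw += "lxc.network.flags = up\n"
    if "name" in d:
        raw += f"lxc.network.name = {d['name']}\n"
    if "mtu" in d:
        raw += f"lxc.network.mtu = {d['mtu']}\n"
    return raw


def audit_config(config: str) -> List[str]:
    """Flag static IPs that are set from the host but not locked against the guest.

    A host-side lxc.network.ipv4 is only enforced if the container cannot
    reconfigure its interfaces, i.e. if lxc.cap.drop includes net_admin.
    """
    dropped: set = set()
    static_ips: List[str] = []
    for line in config.splitlines():
        key, sep, val = line.partition("=")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "lxc.cap.drop":
            dropped.update(val.split())
        elif key == "lxc.network.ipv4":
            static_ips.append(val)
    if "net_admin" in dropped:
        return []
    return [f"{ip}: set from the host, but net_admin is not dropped; "
            "the container can still override it" for ip in static_ips]


def harden(config: str) -> str:
    """Append the capability drop that makes the host-side address stick."""
    if not config.endswith("\n"):
        config += "\n"
    return config + "lxc.cap.drop = net_admin\n"


if __name__ == "__main__":
    cfg = render_net(100, 0, parse_net(SAMPLE_NET0))
    print(cfg)
    for finding in audit_config(cfg):
        print("FINDING:", finding)
    print("after hardening:", audit_config(harden(cfg)) or "no findings")
```

Running the script renders the stanza for the constructed `net0`, reports the static address as overridable, and shows the finding disappear once `lxc.cap.drop = net_admin` is appended. The audit is deliberately conservative: it only looks at `lxc.cap.drop`, so a container that keeps net_admin but is restricted some other way would still be reported.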


Re: [pve-devel] Request for improvement of Network handling regarding LXC

2017-07-20 Thread Tom Weber
On Thursday, 20.07.2017, 13:31 +0200, Michael Rasmussen wrote:
> On Thu, 20 Jul 2017 13:22:58 +0200
> Tom Weber wrote:
> 
> > 
> > +   if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) {
> > +   $raw .= "lxc.network.ipv4 = $d->{ip}\n";
> > +   $raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if
> > defined($d->{gw});
> > +   $raw .= "lxc.network.flags = up\n" if defined($d-
> > >{ip});
> The if defined($d->{ip}) in this line is not needed since this is
> already true when entering this condition. 

Indeed.
Leftover from the first version, which didn't have the bigger if block
with dhcp checking.

thanks,
  Tom


Re: [pve-devel] Request for improvement of Network handling regarding LXC

2017-07-20 Thread Michael Rasmussen
On Thu, 20 Jul 2017 13:22:58 +0200
Tom Weber wrote:

> + if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) {
> + $raw .= "lxc.network.ipv4 = $d->{ip}\n";
> + $raw .= "lxc.network.ipv4.gateway = $d->{gw}\n" if 
> defined($d->{gw});
> + $raw .= "lxc.network.flags = up\n" if defined($d->{ip});
The if defined($d->{ip}) in this line is not needed since this is
already true when entering this condition. 

-- 
Hilsen/Regards
Michael Rasmussen
