After consulting with Serge Hallyn, the original author of the upstart script that governs creation of the lxc-net bridge, I came up with the following solution:
1. Turn off all lxc containers and the lxc-net (sudo service lxc-net stop) 2. Remove (or move away) the file /etc/init/lxc-net.conf 3. Create the file /etc/init/lxc-net.conf with the following contents: description "lxc network" author "Serge Hallyn <serge.hal...@canonical.com>" start on starting lxc stop on stopped lxc env USE_LXC_BRIDGE="true" env LXC_BRIDGE="lxcbr0" env LXC_ADDR="10.0.3.1" env LXC_NETMASK="255.255.255.0" env LXC_NETWORK="10.0.3.0/24" env varrun="/run/lxc" env LXC_DOMAIN="" pre-start script [ -f /etc/default/lxc ] && . /etc/default/lxc [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; } use_iptables_lock="-w" iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" cleanup() { # dnsmasq failed to start, clean up the bridge iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill ifconfig ${LXC_BRIDGE} down || true brctl delbr ${LXC_BRIDGE} || true } if [ -d /sys/class/net/${LXC_BRIDGE} ]; then if [ ! -f ${varrun}/network_up ]; then # bridge exists, but we didn't start it stop; fi exit 0; fi # set up the lxc network brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; } echo 1 > /proc/sys/net/ipv4/ip_forward mkdir -p ${varrun} ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill touch ${varrun}/network_up end script post-stop script [ -f /etc/default/lxc ] && . /etc/default/lxc [ -f "${varrun}/network_up" ] || exit 0; # if $LXC_BRIDGE has attached interfaces, don't shut it down ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0; if [ -d /sys/class/net/${LXC_BRIDGE} ]; then use_iptables_lock="-w" iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock="" ifconfig ${LXC_BRIDGE} down iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true rm -f ${varrun}/dnsmasq.pid brctl delbr ${LXC_BRIDGE} fi rm -f ${varrun}/network_up end script 4. Create the file /etc/init/lxc-dnsmasq.conf with the following contents: description "lxc dnsmasq service" author "Adam Ryczkowski, ispired by Serge Hallyn <serge.hal...@canonical.com>" expect fork start on started lxc-net stop on stopped lxc-net env USE_LXC_BRIDGE="true" env LXC_BRIDGE="lxcbr0" env LXC_ADDR="10.0.3.1" env LXC_NETMASK="255.255.255.0" env LXC_NETWORK="10.0.3.0/24" env LXC_DHCP_RANGE="10.0.3.2,10.0.3.254" env LXC_DHCP_MAX="253" env LXC_DHCP_CONFILE="" env varrun="/run/lxc-dnsmasq" env LXC_DOMAIN="" pre-start script [ -f /etc/default/lxc ] && . /etc/default/lxc [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; } if [ ! -d ${varrun} ]; then mkdir -p ${varrun} fi opts="$LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative --keep-in-foreground" /usr/sbin/dnsmasq $opts & end script post-stop script if [ -f ${varrun}/dnsmasq.pid ]; then PID=`cat ${varrun}/dnsmasq.pid` kill $PID fi end script 5. Start the lxc-net again. After that, if user wants to force dnsmasq to re-read its configuration, all he need to do is to "sudo service lxc-dnsmasq restart" As far as I am concerned the problem is solved. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1389849 Title: sudo service lxc-net restart does not reload dnsmasq when there is a container running To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1389849/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs