After consulting with Serge Hallyn, the original author of the upstart
script that governs creation of the lxc-net bridge, I came up with the
following solution:

1. Turn off all lxc containers and the lxc-net (sudo service lxc-net stop)
2. Remove (or move away) the file /etc/init/lxc-net.conf
3. Create the file /etc/init/lxc-net.conf with the following contents:

# Upstart job that creates and removes the LXC bridge network.
description "lxc network"
author "Serge Hallyn <serge.hal...@canonical.com>"

# Follows the lifecycle of the "lxc" job.
start on starting lxc
stop on stopped lxc

# Defaults for the script stanzas below. Both stanzas source /etc/default/lxc
# when it exists, so values assigned there replace these.
env USE_LXC_BRIDGE="true"
env LXC_BRIDGE="lxcbr0"
env LXC_ADDR="10.0.3.1"
env LXC_NETMASK="255.255.255.0"
env LXC_NETWORK="10.0.3.0/24"
# Runtime directory holding the network_up marker file.
env varrun="/run/lxc"
# Not read by this job's script stanzas as posted.
env LXC_DOMAIN=""

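pre-start script
    # Runs as root when the job starts: creates the ${LXC_BRIDGE} bridge,
    # enables IPv4 forwarding and installs the firewall/NAT rules the
    # containers need. dnsmasq is not started here; the separate lxc-dnsmasq
    # job does that.
    #
    # Every command is kept on one physical line or continued with a trailing
    # backslash. A bare line break in the middle of an iptables command makes
    # sh run "-j ACCEPT" as a command of its own, and because upstart runs
    # script stanzas with "sh -e" the stanza then aborts partway through.

    # Sourced as root: the file must be owned by root and not writable by
    # anyone else, since whatever it contains runs with full privileges.
    [ -f /etc/default/lxc ] && . /etc/default/lxc

    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }

    # Pass -w (wait for the xtables lock) only where iptables supports it.
    # $use_iptables_lock stays unquoted on purpose: when empty it has to
    # expand to no argument at all.
    use_iptables_lock="-w"
    iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""

    # Undo the rules and the bridge created below. Nothing in this stanza
    # calls it as posted (dnsmasq start-up moved to lxc-dnsmasq); it is kept
    # so a failure handler can be wired to it.
    cleanup() {
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -o "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -t nat -D POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE || true
        iptables $use_iptables_lock -t mangle -D POSTROUTING -o "${LXC_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
        ifconfig "${LXC_BRIDGE}" down || true
        brctl delbr "${LXC_BRIDGE}" || true
    }

    if [ -d "/sys/class/net/${LXC_BRIDGE}" ]; then
        if [ ! -f "${varrun}/network_up" ]; then
            # bridge exists, but we didn't start it
            stop
        fi
        exit 0
    fi

    # set up the lxc network
    brctl addbr "${LXC_BRIDGE}" || { echo "Missing bridge support in kernel"; stop; exit 0; }

    # Host-wide setting: this turns on IPv4 forwarding for every interface,
    # not only the bridge, and post-stop does not turn it off again.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    mkdir -p "${varrun}"
    ifconfig "${LXC_BRIDGE}" "${LXC_ADDR}" netmask "${LXC_NETMASK}" up

    # DHCP (67) and DNS (53) from the containers to the host. -I inserts at
    # the head of the chain, so these rules are evaluated before any existing
    # host firewall rules.
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT

    # Forwarding to and from the bridge is accepted without any further match;
    # the "-o" rule admits traffic arriving on any interface. Check this
    # against the host's forwarding policy if containers must not be reachable
    # from other networks.
    iptables $use_iptables_lock -I FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
    iptables $use_iptables_lock -I FORWARD -o "${LXC_BRIDGE}" -j ACCEPT

    # Masquerade container traffic that leaves the container subnet.
    iptables $use_iptables_lock -t nat -A POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE
    # Fill in UDP checksums on DHCP replies sent out of the bridge.
    iptables $use_iptables_lock -t mangle -A POSTROUTING -o "${LXC_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

    # Marker telling later runs (and post-stop) that this job owns the bridge.
    touch "${varrun}/network_up"
end script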

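post-stop script
    # Runs as root after the job stops: removes the firewall/NAT rules and the
    # bridge, but only when this job created them (network_up marker present)
    # and no container interface is still attached to the bridge.
    #
    # Every command is kept on one physical line; a bare line break inside an
    # iptables command would make sh run "-j ACCEPT" as a separate command.

    # Sourced as root: keep the file root-owned and not writable by others.
    [ -f /etc/default/lxc ] && . /etc/default/lxc
    [ -f "${varrun}/network_up" ] || exit 0
    # if $LXC_BRIDGE has attached interfaces, don't shut it down
    ls "/sys/class/net/${LXC_BRIDGE}/brif/"* > /dev/null 2>&1 && exit 0

    if [ -d "/sys/class/net/${LXC_BRIDGE}" ]; then
        # $use_iptables_lock stays unquoted on purpose: when empty it has to
        # expand to no argument at all.
        use_iptables_lock="-w"
        iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
        ifconfig "${LXC_BRIDGE}" down
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -o "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -t nat -D POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE || true
        iptables $use_iptables_lock -t mangle -D POSTROUTING -o "${LXC_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

        # A dnsmasq pid file in this directory can only be a leftover: in this
        # split setup dnsmasq is run by the lxc-dnsmasq job with its own
        # runtime directory. The recorded pid may since have been reused, and
        # this runs as root with SIGKILL, so only signal it when it is a plain
        # number that still belongs to a process named dnsmasq.
        pidfile="${varrun}/dnsmasq.pid"
        pid=$(cat "$pidfile" 2>/dev/null) || pid=""
        case "$pid" in
            ''|*[!0-9]*)
                ;;
            *)
                if [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "dnsmasq" ]; then
                    kill -9 "$pid" || true
                fi
                ;;
        esac
        rm -f "$pidfile"
        brctl delbr "${LXC_BRIDGE}"
    fi
    rm -f "${varrun}/network_up"
end script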

4. Create the file /etc/init/lxc-dnsmasq.conf with the following
contents:

# Upstart job that runs dnsmasq for the LXC bridge as a job of its own, so it
# can be restarted without touching the bridge set up by lxc-net.
description "lxc dnsmasq service"
author "Adam Ryczkowski, ispired by Serge Hallyn <serge.hal...@canonical.com>"

# NOTE(review): this job has no main "exec" or "script" stanza; dnsmasq is
# launched from pre-start and stopped through its pid file in post-stop, so
# there appears to be no main process for "expect fork" to follow - confirm
# that upstart is actually tracking dnsmasq here.
expect fork

# Follows the lifecycle of the lxc-net job.
start on started lxc-net
stop on stopped lxc-net

# Defaults for the script stanzas below. pre-start sources /etc/default/lxc
# when it exists, so values assigned there replace these. The bridge and
# address values repeat the defaults in lxc-net.conf and must stay in step
# with them.
env USE_LXC_BRIDGE="true"
env LXC_BRIDGE="lxcbr0"
env LXC_ADDR="10.0.3.1"
# LXC_NETMASK and LXC_NETWORK are not read by this job's script stanzas.
env LXC_NETMASK="255.255.255.0"
env LXC_NETWORK="10.0.3.0/24"
env LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
env LXC_DHCP_MAX="253"
env LXC_DHCP_CONFILE=""
# Runtime directory holding dnsmasq.pid; separate from lxc-net's /run/lxc.
env varrun="/run/lxc-dnsmasq"
env LXC_DOMAIN=""

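pre-start script
    # Starts dnsmasq for the LXC bridge in the background. The script runs as
    # root; dnsmasq itself is told to switch to the unprivileged lxc-dnsmasq
    # account (-u) and to serve only on the bridge (--bind-interfaces,
    # --interface, --listen-address, --except-interface=lo).

    # Sourced as root: keep the file root-owned and not writable by others.
    [ -f /etc/default/lxc ] && . /etc/default/lxc

    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }

    mkdir -p "${varrun}"

    # LXC_DOMAIN_ARG was expanded on the dnsmasq command line without being
    # set anywhere in this job, so LXC_DOMAIN had no effect. Derive it from
    # LXC_DOMAIN unless /etc/default/lxc already supplied a value.
    if [ -z "${LXC_DOMAIN_ARG:-}" ] && [ -n "${LXC_DOMAIN:-}" ]; then
        LXC_DOMAIN_ARG="-s ${LXC_DOMAIN} -S /${LXC_DOMAIN}/"
    fi

    # ${LXC_DOMAIN_ARG:-} stays unquoted on purpose: it holds several options
    # and must vanish entirely when empty. Everything else is quoted so a
    # value from /etc/default/lxc cannot split into extra dnsmasq options.
    # Trailing backslashes keep this one command; the options must not be
    # separated by bare line breaks.
    /usr/sbin/dnsmasq ${LXC_DOMAIN_ARG:-} -u lxc-dnsmasq --strict-order \
        --bind-interfaces \
        "--pid-file=${varrun}/dnsmasq.pid" \
        "--conf-file=${LXC_DHCP_CONFILE}" \
        --listen-address "${LXC_ADDR}" \
        --dhcp-range "${LXC_DHCP_RANGE}" \
        "--dhcp-lease-max=${LXC_DHCP_MAX}" \
        --dhcp-no-override --except-interface=lo \
        "--interface=${LXC_BRIDGE}" \
        "--dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases" \
        --dhcp-authoritative --keep-in-foreground &

end script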

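post-stop script
    # Stops the dnsmasq instance recorded in ${varrun}/dnsmasq.pid.
    #
    # This runs as root, and the pid file may be stale (dnsmasq already gone,
    # pid since reused by another process) or empty. The pid is therefore only
    # signalled when it is a plain number that still belongs to a process
    # named dnsmasq, and the pid file is removed so a later stop cannot act on
    # it again. The name check narrows, but does not fully close, the window
    # for signalling an unrelated process.
    pidfile="${varrun}/dnsmasq.pid"
    [ -f "$pidfile" ] || exit 0

    pid=$(cat "$pidfile" 2>/dev/null) || pid=""
    rm -f "$pidfile"

    case "$pid" in
        ''|*[!0-9]*)
            # Empty or non-numeric content: nothing safe to signal.
            exit 0
            ;;
    esac

    if [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "dnsmasq" ]; then
        # The process may exit between the check and the signal; that must
        # not make the stop fail.
        kill "$pid" || true
    fi
end script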

5. Start the lxc-net again.


After that, a user who wants to force dnsmasq to re-read its configuration only
needs to run "sudo service lxc-dnsmasq restart".

As far as I am concerned the problem is solved.

https://bugs.launchpad.net/bugs/1389849

Title:
  sudo service lxc-net restart does not reload dnsmasq when there is a
  container running
