proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-14 09:05:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

make 'empty network' the default

Browse Source 
Currently if no lxc.network.type section is in the container
configuration, the container ends up sharing the host's network.
This is a dangerous default.

Instead, add 'lxc.network.type = none' as a valid type, and make
en empty network the default.

If none as well as another network type are specified, then the
none type will be ignored.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This commit is contained in:
Serge Hallyn 2013-12-13 12:46:28 -06:00 committed by Stéphane Graber
parent 5d127727fb
commit 26b797f3d2
4 changed files with 46 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/lxc/conf.c
View File

@ -171,6 +171,7 @@ static int instanciate_macvlan(struct lxc_handler *, struct lxc_netdev *);
static int instanciate_vlan(struct lxc_handler *, struct lxc_netdev *);
static int instanciate_phys(struct lxc_handler *, struct lxc_netdev *);
static int instanciate_empty(struct lxc_handler *, struct lxc_netdev *);
static int instanciate_none(struct lxc_handler *, struct lxc_netdev *);
static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VETH] = instanciate_veth,
@ -178,6 +179,7 @@ static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VLAN] = instanciate_vlan,
[LXC_NET_PHYS] = instanciate_phys,
[LXC_NET_EMPTY] = instanciate_empty,
[LXC_NET_NONE] = instanciate_none,
};
static int shutdown_veth(struct lxc_handler *, struct lxc_netdev *);
@ -185,6 +187,7 @@ static int shutdown_macvlan(struct lxc_handler *, struct lxc_netdev *);
static int shutdown_vlan(struct lxc_handler *, struct lxc_netdev *);
static int shutdown_phys(struct lxc_handler *, struct lxc_netdev *);
static int shutdown_empty(struct lxc_handler *, struct lxc_netdev *);
static int shutdown_none(struct lxc_handler *, struct lxc_netdev *);
static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VETH] = shutdown_veth,
@ -192,6 +195,7 @@ static instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
[LXC_NET_VLAN] = shutdown_vlan,
[LXC_NET_PHYS] = shutdown_phys,
[LXC_NET_EMPTY] = shutdown_empty,
[LXC_NET_NONE] = shutdown_none,
};
static struct mount_opt mount_opt[] = {
@ -2911,6 +2915,12 @@ static int shutdown_phys(struct lxc_handler *handler, struct lxc_netdev *netdev)
return 0;
}
static int instanciate_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
{
netdev->ifindex = 0;
return 0;
}
static int instanciate_empty(struct lxc_handler *handler, struct lxc_netdev *netdev)
{
netdev->ifindex = 0;
@ -2937,6 +2947,35 @@ static int shutdown_empty(struct lxc_handler *handler, struct lxc_netdev *netdev
return 0;
}
static int shutdown_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
{
return 0;
}
int lxc_requests_empty_network(struct lxc_handler *handler)
{
struct lxc_list *network = &handler->conf->network;
struct lxc_list *iterator;
struct lxc_netdev *netdev;
bool found_none = false, found_nic = false;
if (lxc_list_empty(network))
return 0;
lxc_list_for_each(iterator, network) {
netdev = iterator->elem;
if (netdev->type == LXC_NET_NONE)
found_none = true;
else
found_nic = true;
}
if (found_none && !found_nic)
return 1;
return 0;
}
int lxc_create_network(struct lxc_handler *handler)
{
struct lxc_list *network = &handler->conf->network;

2
src/lxc/conf.h
View File

@ -45,6 +45,7 @@ enum {
LXC_NET_MACVLAN,
LXC_NET_PHYS,
LXC_NET_VLAN,
LXC_NET_NONE,
LXC_NET_MAXCONFTYPE,
};
@ -337,6 +338,7 @@ extern void lxc_conf_free(struct lxc_conf *conf);
extern int pin_rootfs(const char *rootfs);
extern int lxc_requests_empty_network(struct lxc_handler *handler);
extern int lxc_create_network(struct lxc_handler *handler);
extern void lxc_delete_network(struct lxc_handler *handler);
extern int lxc_assign_network(struct lxc_list *networks, pid_t pid);

2
src/lxc/confile.c
View File

@ -334,6 +334,8 @@ static int config_network_type(const char *key, const char *value,
netdev->type = LXC_NET_PHYS;
else if (!strcmp(value, "empty"))
netdev->type = LXC_NET_EMPTY;
else if (!strcmp(value, "none"))
netdev->type = LXC_NET_NONE;
else {
ERROR("invalid network type %s", value);
return -1;

5
src/lxc/start.c
View File

@ -734,10 +734,11 @@ int lxc_spawn(struct lxc_handler *handler)
}
if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
if (!lxc_list_empty(&handler->conf->network)) {
if (!lxc_requests_empty_network(handler))
handler->clone_flags |= CLONE_NEWNET;
if (!lxc_list_empty(&handler->conf->network)) {
/* Find gateway addresses from the link device, which is
* no longer accessible inside the container. Do this
* before creating network interfaces, since goto