The nftables masquarade rule for IPv6 was using the IPv4 syntax. This
resulted in the following error when starting the lxc-net.service with
LXC_IPV6_NAT="true" and nftables:
Feb 11 18:54:54 pc lxc-net[4936]: Error: conflicting protocols specified: ip6 vs. ip
Feb 11 18:54:54 pc lxc-net[4936]: ^^^^^^^^
Feb 11 18:54:54 pc lxc-net[4917]: Failed to setup lxc-net.
Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Failed with result 'exit-code'.
Feb 11 18:54:54 pc systemd[1]: Failed to start LXC network bridge setup.
Signed-off-by: Quentin Lyons <36303164+n0p90@users.noreply.github.com>
Failure executing dnsmasq happens if misc dir is not existed as the
following error messages.
localhost.localdomain systemd[1]: Starting LXC network bridge setup...
localhost.localdomain lxc-net[5754]: dnsmasq: cannot open or create lease file /usr/local/var/lib/misc/dnsmasq.lxcbr0.leases: No such file or directory
localhost.localdomain dnsmasq[5754]: cannot open or create lease file /usr/local/var/lib/misc/dnsmasq.lxcbr0.leases: No such file or directory
localhost.localdomain dnsmasq[5754]: FAILED to start up
localhost.localdomain lxc-net[5727]: Failed to setup lxc-net.
localhost.localdomain lxc-net[5727]: Failed to setup lxc-net.
localhost.localdomain systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
localhost.localdomain systemd[1]: lxc-net.service: Failed with result 'exit-code'.
localhost.localdomain systemd[1]: Failed to start LXC network bridge setup.
Modify 'lxc-net' script to call 'mkdir -p' command if the directory is not
existed before executing dnsmasq daemon.
Signed-off-by: Leesoo Ahn <lsahn@ooseel.net>
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Not only uses this the recommended construct, it also makes the code
more uniform as in many other places the $() construct was already used.
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
The 'which' command is deprecated on Debian Sid as it is not POSIX
compliant and it's behavior is therefor not consistent, so replace it
with 'command -v' which is POSIX compliant.
See https://stackoverflow.com/a/677212 for details.
Also replaced a use of backticks (`) as that is deprecated as well.
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
Closes#3093Closes#3602
Add support for nftables firewall rules if `nft` command line
interface is available in the system
Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>
lxc's dnsmasq will try to read system's dnsmasq if `--conf-file` is not
specified. This is likely not desirable, as lxc's dnsmasq should be
self-contained.
On my system the conflicting options are `--bind-interfaces` and
`--bind-dynamic`, since the same host is doing other DNS-y things
unrelated to lxc.
This is an incompatible change, since lxc's dnsmasq will stop honoring
system's `/etc/dnsmasq.conf`, and some systems may be relying on it.
Given that, I believe it should not depend on it by default, since
dnsmasq is lxc's implementation detail. However, if the user desires,
the old behavior could be brought back by setting
`LXC_DHCP_CONFILE=/etc/dnsmasq.conf` in `/etc/default/lxc-net`.
Signed-off-by: Motiejus Jakštys <motiejus@jakstys.lt>
Excerpt from dnsmasq(8):
By default, the DHCP server will attempt to ensure that an address in not
in use before allocating it to a host. It does this by sending an ICMP echo
request (aka "ping") to the address in question. If it gets a reply, then the
address must already be in use, and another is tried. This flag disables this check.
This is useful if one expects all the containers to get an IP address
from the LXC authoritative DHCP server and wants to speed up the process
of getting a lease.
Signed-off-by: Jonathan Calmels <jcalmels@nvidia.com>
I found that even though the service lxc-net failed to start because I made some wrong configuration
settings the command exists zero.
So systemd reports the status of the service as good even though it failed:
# service lxc-net status
● lxc-net.service - LXC network bridge setup
Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled)
Active: active (exited) since Wed 2017-02-08 08:17:32 EST; 21min ago
Process: 529 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0/SUCCESS)
Main PID: 529 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/lxc-net.service
Feb 08 08:17:30 dvm2 systemd[1]: Starting LXC network bridge setup...
Feb 08 08:17:32 dvm2 lxc-net[529]: dnsmasq: failed to create listening socket for 10.2.2.1: Address already in use
Feb 08 08:17:32 dvm2 lxc-net[529]: Failed to setup lxc-net.
Feb 08 08:17:32 dvm2 systemd[1]: Started LXC network bridge setup.
Adding `exit 1` here makes it exit non-zero to make systemd recognize the failure.
Signed-off-by: Carsten Brandt <mail@cebe.cc>
Fold dnsmasq command line at about 80 chars because the line is too
long.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
V2 changes:
- Keep using /var/lib for the lease file, but making it respect localstatedir
- Don't pass an empty --conf-file as that confuses dnsmasq when
/etc/dnsmasq.conf doesn't exist or isn't readable.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This updates lxc-net with the following changes:
- Better recover from crashes/partial runs
- Better error detection and reporting
- Less code duplication (use the stop code on crash)
- Better state tracking
- Allow for restart of all of lxc-net except for the bridge itself
- Only support iproute from this point on (ifconfig's been deprecated
for years)
V2: Use template variables everywhere
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- RHEL/OL 7 doesn't have the ifconfig command by default so have the
lxc-net script check for its existence before use, and fall back
to using the ip command if ifconfig is not available
- When lxc-net is run from systemd on a system with selinux enabled,
the mkdir -p ${varrun} will create /run/lxc as init_var_run_t which
dnsmasq can't write its pid into, so we restorecon it
after creation (to var_run_t)
- The lxc-net systemd .service file needs an [Install] section so that
"systemctl enable lxc-net" will work
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
This commit is based on the work of:
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
A generic changelog would be:
- Bring support for lxcbr0 to all distributions
- Share the container startup and network configuration logic across
distributions and init systems.
- Have all the init scripts call the helper script.
- Support for the various different distro-specific configuration
locations to configure lxc-net and container startup.
Changes on top of Mike's original version:
- Remove sysconfig/lxc-net as it's apparently only there as a
workaround for an RPM limitation and is breaking Debian systems by
including a useless file which will get registered as a package provided
conffile in the dpkg database and will therefore cause conffile prompts
on upgrades...
- Go with a consistant coding style in the various init scripts.
- Split out the common logic from the sysvinit scripts and ship both in
their respective location rather than have them be copies.
- Fix the upstart jobs so they actually work (there's no such thing as
libexec on Debian systems).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
