Support openvswitch bridges

We detect whether ovs-vsctl is available. If so, then we support adding network interfaces to openvswitch bridges with it. Note that with this patch, veths do not appear to be removed from the openvswitch bridge. This seems a bug in openvswitch, as the veths in fact do disappear from the system. If lxc is required to remove the port from the bridge manually, that becomes more complicated for unprivileged containers, as it would require a setuid-root wrapper to be called at shutdown. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Support openvswitch bridges
0d204771 · Serge Hallyn · 8aecd66b · 0d204771 · 0d204771 · 0d204771
Commit 0d204771 authored Jul 21, 2014 by Serge Hallyn
Hide whitespace changes
Inline Side-by-side

Showing with 58 additions and 0 deletions

configure.ac configure.ac +11 -0

Makefile.am src/lxc/Makefile.am +4 -0

network.c src/lxc/network.c +43 -0

No files found.
--- a/configure.ac
+++ b/configure.ac
@@ -190,6 +190,16 @@ fi

 AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"])

+# Openvswitch
+AC_PATH_PROG([OVS_CTL_PATH],[ovs-vsctl])
+if test "x$OVS_CTL_PATH" != "x"; then
+	enable_ovs="yes"
+	AS_AC_EXPAND(OVS_CTL_PATH, "$OVS_CTL_PATH")
+else
+	enable_ovs="no"
+fi
+AM_CONDITIONAL([HAVE_OVS], [test "x$enable_ovs" = "xyes"])
+
 # Apparmor
 AC_ARG_ENABLE([apparmor],
 	[AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])],
@@ -755,6 +765,7 @@ Environment:
 - rpath: $enable_rpath
 - GnuTLS: $enable_gnutls
 - Bash integration: $enable_bash
+ - Openvswitch: $enable_ovs

 Security features:
 - Apparmor: $enable_apparmor

--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -128,6 +128,10 @@ if ENABLE_APPARMOR
 AM_CFLAGS += -DHAVE_APPARMOR
 endif

+if HAVE_OVS
+AM_CFLAGS += -DHAVE_OVS -DOVS_CTL_PATH=\"$(OVS_CTL_PATH)\"
+endif
+
 if ENABLE_CGMANAGER
 AM_CFLAGS += -DHAVE_CGMANAGER
 endif

--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -48,6 +48,7 @@
 #include "nl.h"
 #include "network.h"
 #include "conf.h"
+#include "utils.h"

 #if HAVE_IFADDRS_H
 #include <ifaddrs.h>
@@ -1170,6 +1171,45 @@ int lxc_ipv6_dest_add(int ifindex, struct in6_addr *dest)
 	return ip_route_dest_add(AF_INET6, ifindex, dest);
 }

+#ifdef HAVE_OVS
+static bool is_ovs_bridge(const char *bridge)
+{
+	char brdirname[22 + IFNAMSIZ + 1] = {0};
+	struct stat sb;
+
+	snprintf(brdirname, 22 +IFNAMSIZ + 1, "/sys/class/net/%s/bridge", bridge);
+	if (stat(brdirname, &sb) == -1 && errno == ENOENT)
+		return true;
+	return false;
+}
+
+static int attach_to_ovs_bridge(const char *bridge, const char *nic)
+{
+	pid_t pid;
+	const char *progname;
+
+	pid = fork();
+	if (pid < 0)
+		return -1;
+	if (pid > 0)
+		return wait_for_pid(pid);
+
+	progname = strrchr(OVS_CTL_PATH, '/');
+	if (!progname) // not sane, should we just fail?
+		progname = OVS_CTL_PATH;
+	if (execl(OVS_CTL_PATH, progname, "add-port", bridge, nic, NULL))
+		exit(1);
+	// not reached
+	exit(1);
+}
+#else
+static inline bool is_ovs_bridge(const char *bridge) { return false; }
+static inline int attach_to_ovs_bridge(const char *bridge, const char *nic)
+{
+	retun -1;
+}
+#endif
+
 /*
 * There is a lxc_bridge_attach, but no need of a bridge detach
 * as automatically done by kernel when a netdev is deleted.
@@ -1186,6 +1226,9 @@ int lxc_bridge_attach(const char *bridge, const char *ifname)
 	if (!index)
 		return -EINVAL;

+	if (is_ovs_bridge(bridge))
+		return attach_to_ovs_bridge(bridge, ifname);
+
 	fd = socket(AF_INET, SOCK_STREAM, 0);
 	if (fd < 0)
 		return -errno;