make 'empty network' the default

Currently if no lxc.network.type section is in the container configuration, the container ends up sharing the host's network. This is a dangerous default. Instead, add 'lxc.network.type = none' as a valid type, and make en empty network the default. If none as well as another network type are specified, then the none type will be ignored. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

make 'empty network' the default
26b797f3 · Serge Hallyn · Stéphane Graber · 5d127727 · 26b797f3 · 26b797f3
Commit 26b797f3 authored Dec 13, 2013 by Serge Hallyn Committed by Stéphane Graber Dec 13, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 2 deletions

conf.c src/lxc/conf.c +39 -0

conf.h src/lxc/conf.h +2 -0

confile.c src/lxc/confile.c +2 -0

start.c src/lxc/start.c +3 -2

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -171,6 +171,7 @@ static int instanciate_macvlan(struct lxc_handler *, struct lxc_netdev *);
 static int instanciate_vlan(struct lxc_handler *, struct lxc_netdev *);
 static int instanciate_phys(struct lxc_handler *, struct lxc_netdev *);
 static int instanciate_empty(struct lxc_handler *, struct lxc_netdev *);
+static int instanciate_none(struct lxc_handler *, struct lxc_netdev *);

 static  instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
 	[LXC_NET_VETH]    = instanciate_veth,
@@ -178,6 +179,7 @@ static  instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
 	[LXC_NET_VLAN]    = instanciate_vlan,
 	[LXC_NET_PHYS]    = instanciate_phys,
 	[LXC_NET_EMPTY]   = instanciate_empty,
+	[LXC_NET_NONE]    = instanciate_none,
 };

 static int shutdown_veth(struct lxc_handler *, struct lxc_netdev *);
@@ -185,6 +187,7 @@ static int shutdown_macvlan(struct lxc_handler *, struct lxc_netdev *);
 static int shutdown_vlan(struct lxc_handler *, struct lxc_netdev *);
 static int shutdown_phys(struct lxc_handler *, struct lxc_netdev *);
 static int shutdown_empty(struct lxc_handler *, struct lxc_netdev *);
+static int shutdown_none(struct lxc_handler *, struct lxc_netdev *);

 static  instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
 	[LXC_NET_VETH]    = shutdown_veth,
@@ -192,6 +195,7 @@ static  instanciate_cb netdev_deconf[LXC_NET_MAXCONFTYPE + 1] = {
 	[LXC_NET_VLAN]    = shutdown_vlan,
 	[LXC_NET_PHYS]    = shutdown_phys,
 	[LXC_NET_EMPTY]   = shutdown_empty,
+	[LXC_NET_NONE]    = shutdown_none,
 };

 static struct mount_opt mount_opt[] = {
@@ -2911,6 +2915,12 @@ static int shutdown_phys(struct lxc_handler *handler, struct lxc_netdev *netdev)
 	return 0;
 }

+static int instanciate_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
+{
+	netdev->ifindex = 0;
+	return 0;
+}
+
 static int instanciate_empty(struct lxc_handler *handler, struct lxc_netdev *netdev)
 {
 	netdev->ifindex = 0;
@@ -2937,6 +2947,35 @@ static int shutdown_empty(struct lxc_handler *handler, struct lxc_netdev *netdev
 	return 0;
 }

+static int shutdown_none(struct lxc_handler *handler, struct lxc_netdev *netdev)
+{
+	return 0;
+}
+
+int lxc_requests_empty_network(struct lxc_handler *handler)
+{
+	struct lxc_list *network = &handler->conf->network;
+	struct lxc_list *iterator;
+	struct lxc_netdev *netdev;
+	bool found_none = false, found_nic = false;
+
+	if (lxc_list_empty(network))
+		return 0;
+
+	lxc_list_for_each(iterator, network) {
+
+		netdev = iterator->elem;
+
+		if (netdev->type == LXC_NET_NONE)
+			found_none = true;
+		else
+			found_nic = true;
+	}
+	if (found_none && !found_nic)
+		return 1;
+	return 0;
+}
+
 int lxc_create_network(struct lxc_handler *handler)
 {
 	struct lxc_list *network = &handler->conf->network;

--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -45,6 +45,7 @@ enum {
 	LXC_NET_MACVLAN,
 	LXC_NET_PHYS,
 	LXC_NET_VLAN,
+	LXC_NET_NONE,
 	LXC_NET_MAXCONFTYPE,
 };

@@ -337,6 +338,7 @@ extern void lxc_conf_free(struct lxc_conf *conf);

 extern int pin_rootfs(const char *rootfs);

+extern int lxc_requests_empty_network(struct lxc_handler *handler);
 extern int lxc_create_network(struct lxc_handler *handler);
 extern void lxc_delete_network(struct lxc_handler *handler);
 extern int lxc_assign_network(struct lxc_list *networks, pid_t pid);

--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -334,6 +334,8 @@ static int config_network_type(const char *key, const char *value,
 		netdev->type = LXC_NET_PHYS;
 	else if (!strcmp(value, "empty"))
 		netdev->type = LXC_NET_EMPTY;
+	else if (!strcmp(value, "none"))
+		netdev->type = LXC_NET_NONE;
 	else {
 		ERROR("invalid network type %s", value);
 		return -1;

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -734,10 +734,11 @@ int lxc_spawn(struct lxc_handler *handler)
 	}

 	if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
-		if (!lxc_list_empty(&handler->conf->network)) {
-
+		if (!lxc_requests_empty_network(handler))
 			handler->clone_flags |= CLONE_NEWNET;

+		if (!lxc_list_empty(&handler->conf->network)) {
+
 			/* Find gateway addresses from the link device, which is
 			 * no longer accessible inside the container. Do this
 			 * before creating network interfaces, since goto