- 04 Sep, 2017 9 commits
-
-
Christian Brauner authored
Signed-off-by:Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
- Retrieve the host's veth device ifindex in the host's network namespace. - Add a note why we retrieve the container's veth device ifindex in the host's network namespace. Signed-off-by: -
Christian Brauner authored
- On unprivileged veth network creation have lxc-user-nic send the names of the veth devices and their respective ifindeces. The advantage of retrieving this information from lxc-user-nic is that we spare us sending around more stuff via the netpipe in start.c. Also, lxc-user-nic operates in both namespaces (the container's namespace and the hosts's namespace) via setns and so is guaranteed to retrieve the correct ifindex via if_nametoindex() which is an network namespace aware ioctl() call. While I'm pretty sure the ifindeces for veth devices are identical across network namespaces I'm weary to rely on this. We need the ifindexes to guarantee safe deletion of unprivileged network devices via lxc-user-nic later on since we use them to identify the network devices in their corresponding network namespaces. - Move the network device logging from the child to the parent. The child does not have all of the information about the network devices available only the few bits it actually needs to now. The monitor process is the only process that needs all this information. - The network creation code for privileged and unprivileged networks was previously mangled into one single function but at the same time some of the privileged code had additional functions that were called in other places in start.c. Let's divide and conquer and split out the privileged and unprivileged network creation into completely separate functions. This makes what's happening way more clear. This will also have no performance impact since either you are privileged and only execute the privileged network creation functions or you are unprivileged and only execute the unprivileged network creation functions. Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
This is menial work but I'll thank myself later... a lot. Signed-off-by: -
Christian Brauner authored
We should not just record the ifindex for the container's veth device but also for the host's veth device. This is useful when {configuring,deconfiguring} veth devices and becomes crucial when calling our lxc-user-nic setuid helper where we rely on the ifindex to make decisions about whether we are licensed to perform certain operations on the veth device in question. Signed-off-by: -
Christian Brauner authored
If the user specified lxc.net.[i].veth.pair attribute to request that the host side of a veth pair be given a specific name let's log it at the trace level. Otherwise, if the user didn't not specify lxc.net.[i].veth.pair veth_attr.veth1 will contain the name of the host side veth device. Signed-off-by: -
Christian Brauner authored
When lxc-user-nic is called with the "delete" subcommand we need to make sure that we are actually privileged over the network namespace for which we are supposed to delete devices on the host. To this end we require that path to the affected network namespace is passed. We then setns() to the network namespace and drop privilege to the caller's real user id. Then we try to delete the loopback interface which is not possible. If we are privileged over the network namespace this operation will fail with ENOTSUP. If we are not privileged over the network namespace we will get EPERM. This is the first part of the commit. As of now nothing guarantees that the caller does not just give us a random path to a network namespace it is privileged over. Signed-off-by: -
Christian Brauner authored
Signed-off-by:
-
- 29 Aug, 2017 31 commits
-
-
Stéphane Graber authored
stable 2.0: cherry picks
-
Christian Brauner authored
This moves all of the network handling code into network.{c,h}. This makes what is going on much clearer. Also it's easier to find relevant code if it is all in one place. Signed-off-by: -
Christian Brauner authored
This will allow us log more detailed failures. Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
We use the ifindex as an indicator that liblxc created the network so let's record it for the unprivileged case as well. Signed-off-by: -
Christian Brauner authored
This should make things a little less convoluted. Signed-off-by: -
Christian Brauner authored
- lxc-user-nic gains the subcommands {create,delete} - dup2() STDERR_FILENO as well so that we can show helpful messages in our logs on failure - initialize output buffer so that we don't print garbage Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
get_new_nicname() calls lxc_mkifname() which allocates memory and returns it to the caller. The way get_new_nicname() and get_nic_if_avail() were implemented they hid that fact by returning a boolean. That doesn't make sense. Let's rather have them return a pointer to the allocated nic name which the caller needs to free. Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
This will obviously not work. Signed-off-by: -
Christian Brauner authored
I'm ashamed at how aweful my previous code was. Signed-off-by: -
Christian Brauner authored
So far, when creating veth devices attached to openvswitch bridges we used to fork() off a thread on container startup. This thread was kept around until the container shut down. I have no good explanation why we did it that why but it's certainly not necessary. Instead, let's fork() off the thread on container shutdown to delete the veth. Signed-off-by: -
Dimitri John Ledkov authored
Mimic the code from the debian template. Signed-off-by:Dimitri John Ledkov <xnox@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Salvatore Bonaccorso authored
The httpredir.debian.org service has been discontinued in favour of deb.debian.org and httpredir.debian.org now redirects to deb.debian.org. https://lists.debian.org/debian-mirrors/2017/02/msg00000.html https://wiki.debian.org/DebianGeoMirror#httpredir.debian.org_.2F_http.debian.net Cf. https://bugs.debian.org/872719Signed-off-by:
Salvatore Bonaccorso <carnil@debian.org>
-
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Surfaced while building lxc-2.0.8 on e2k architecture with lcc, looks like its -Wall is more pedantic than gcc's: lcc: "conf.c", line 1514: error: unrecognized character escape sequence [-Werror] DEBUG("created directory for console and tty devices at \%s\"", path); ^ in expansion of macro "DEBUG" at line 1514 Another byte is a leading whitespace fix while at that. Signed-off-by:Michael Shigorin <mike@altlinux.org> Acked-by:
-
