[libvirt] [PATCH] Add support for forcing a private network namespace for LXC guests
Eric Blake
eblake at redhat.com
Wed Jan 25 15:18:19 UTC 2012
On 01/25/2012 07:35 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> If no <interface> elements are included in an LXC guest XML
> description, then the LXC guest will just see the host's
> network interfaces. It is desirable to be able to hide the
> host interfaces, without having to define any guest interfaces.
>
> This patch introduces a new feature flag <privnet/> to allow
> forcing of a private network namespace for LXC. In the future
> I also anticipate that we will add <privuser/> to force a
> private user ID namespace.
>
> * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support
> for <privnet/> feature. Auto-set <privnet> if any <interface>
> devices are defined
> * src/lxc/lxc_container.c: Honour request for private network
> namespace
> ---
> @@ -870,6 +871,12 @@
> <dd>Enable Viridian hypervisor extensions for paravirtualizing
> guest operating systems
> </dd>
> + <dt><code>privnet</code></dt>
> + <dd>Always create a private network namespace. This is
> + automatically set if any interface devices are defined.
> + This feature is only relevant for container based
> + virtualization drivers eg LXC.
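Review bot: the <privnet> entry says what the flag does but not what happens without it, which is the point an administrator needs in order to decide whether to set it. The commit message states it plainly (an LXC guest with no <interface> elements sees all of the host's network interfaces); suggest adding that as a sentence here, e.g. "Without this flag, and with no interface devices defined, the container shares the host's network namespace." Also "drivers eg LXC" reads better as "drivers, such as LXC".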
s/drivers eg/drivers, such as/
> +++ b/src/lxc/lxc_container.c
> @@ -254,7 +254,8 @@ int lxcContainerWaitForContinue(int control)
> *
> * Returns 0 on success or nonzero in case of error
> */
> -static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
> +static int lxcContainerRenameAndEnableInterfaces(bool privNet,
> + unsigned int nveths,
> char **veths)
> {
> int rc = 0;
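Review bot: the new `privNet` parameter of `lxcContainerRenameAndEnableInterfaces` is not described in the doc comment above the signature, which only documents the return value; add a line for it (e.g. `@privNet: true if a private network namespace was requested even though no veths exist`) so the meaning of the `veths || privNet` test later in the function is clear from the header comment.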
> @@ -282,7 +283,7 @@ static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
> }
>
> /* enable lo device only if there were other net devices */
> - if (veths)
> + if (veths || privNet)
> rc = virNetDevSetOnline("lo", true);
>
> error_out:
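Review bot: the comment "enable lo device only if there were other net devices" is now stale: with `if (veths || privNet)` the loopback is also brought up when there are no veths at all but a private namespace was requested, which is precisely the case this patch adds. Update it, e.g. "enable lo if we have veths or a private netns was requested; otherwise lo belongs to the host". Note also that the test is on the `veths` pointer rather than `nveths`, as before, which is fine only if callers guarantee `veths` is NULL whenever `nveths` is 0.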
> @@ -1277,7 +1278,8 @@ static int lxcContainerChild( void *data )
> VIR_DEBUG("Received container continue message");
>
> /* rename and enable interfaces */
> - if (lxcContainerRenameAndEnableInterfaces(argv->nveths,
> + if (lxcContainerRenameAndEnableInterfaces(vmDef->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET),
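Review bot: `vmDef->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET)` is passed straight to a `bool privNet` parameter. With C99 `_Bool` the conversion is well defined, but if `bool` is ever a narrow integer typedef the set bit is truncated to 0 and the container silently keeps the host's network namespace, with no error to notice. Prefer `!!(...)` or `(...) != 0`, or compute a local `bool privNet` once, since the same predicate is also needed in lxcContainerStart. The remainder of this call is cut off in the archive after the first argument, so the other arguments could not be checked.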
I'm still a bit leery of relying on C99 conversion to bool; I would
write this as:
!!(vm->def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))
or similar. But this wouldn't be the first time we rely on the compiler
obeying the spec without us having to add extra syntax.
> @@ -1386,7 +1388,8 @@ int lxcContainerStart(virDomainDefPtr def,
> cflags |= CLONE_NEWUSER;
> }
>
> - if (def->nets != NULL) {
> + if (def->nets != NULL ||
> + (def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))) {
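Review bot: the condition `def->nets != NULL || (def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))` duplicates logic the commit message places in domain_conf.c (privnet is auto-set whenever any <interface> device is defined). If that auto-set is reliable, the `def->nets != NULL` test here is redundant; if it is not, the two sites can drift apart. Suggest either dropping the nets test or factoring the predicate into one helper used by both lxcContainerStart and the call in lxcContainerChild. The rest of this hunk is not shown, so what is added to `cflags` in the body could not be checked.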
On the other hand, this use is fine (that is, passing int to a bool
parameter is risky, using int in || is not).
ACK, whether or not you change the syntax of the call to
lxcContainerRenameAndEnableInterfaces.
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
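The conversion hazard discussed above, as an added example that is not part of this thread and is not libvirt code: it assumes a hypothetical bit position (9) for the privnet flag, since the real value of VIR_DOMAIN_FEATURE_PRIVNET is not on the page, and a hypothetical `legacy_bool` typedef standing in for a pre-C99 boolean. It shows why a flag bit passed unnormalised to a boolean parameter can silently read as false, and why the same mask in an `||` test (as in lxcContainerStart) cannot.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical bit positions; these are NOT libvirt's real
 * VIR_DOMAIN_FEATURE_* values, just stand-ins for the example. */
enum { FEATURE_ACPI = 0, FEATURE_APIC = 1, FEATURE_PRIVNET = 9 };

/* Stand-in for a pre-C99 "bool": a narrow integer that truncates on
 * assignment instead of normalising nonzero values to 1. */
typedef unsigned char legacy_bool;

/* C99 _Bool: any nonzero value converts to 1, so the raw mask
 * expression is safe here. */
static bool privnet_via_c99_bool(unsigned int features)
{
    bool priv = features & (1u << FEATURE_PRIVNET);
    return priv;
}

/* Narrow-integer "bool": bit 9 lies above the low 8 bits, so the set
 * flag is silently truncated to 0. In the patch's setting that means
 * the container keeps the host's network namespace with no error. */
static legacy_bool privnet_via_legacy_bool(unsigned int features)
{
    legacy_bool priv = features & (1u << FEATURE_PRIVNET);
    return priv;
}

/* Explicit normalisation: correct whichever boolean type is in use. */
static legacy_bool privnet_via_bang_bang(unsigned int features)
{
    return !!(features & (1u << FEATURE_PRIVNET));
}

/* Mirrors the patch's use of the mask inside an || test: that is an
 * int context, so the bit is never truncated. */
static int need_private_netns(int have_nets, unsigned int features)
{
    return have_nets || (features & (1u << FEATURE_PRIVNET));
}

int main(void)
{
    /* Constructed feature mask: ACPI plus the hypothetical privnet bit. */
    unsigned int features = (1u << FEATURE_ACPI) | (1u << FEATURE_PRIVNET);

    printf("C99 _Bool     : %d\n", privnet_via_c99_bool(features));
    printf("legacy_bool   : %d\n", privnet_via_legacy_bool(features));
    printf("!! normalised : %d\n", privnet_via_bang_bang(features));
    printf("|| test       : %d\n", need_private_netns(0, features) != 0);
    return 0;
}
```

The `!!` form costs nothing and removes the dependence on which boolean type a header happens to provide; the `||` form is safe as written because the result of a logical operator is always 0 or 1 before any assignment happens.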