From: "Daniel P. Berrange" <berrange@redhat.com> If no <interface> elements are included in an LXC guest XML description, then the LXC guest will just see the host's network interfaces. It is desirable to be able to hide the host interfaces, without having to define any guest interfaces. This patch introduces a new feature flag <privnet/> to allow forcing of a private network namespace for LXC. In the future I also anticipate that we will add <privuser/> to force a private user ID namespace. * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support for <privnet/> feature. Auto-set <privnet> if any <interface> devices are defined * src/lxc/lxc_container.c: Honour request for private network namespace --- docs/formatdomain.html.in | 7 +++++++ docs/schemas/domaincommon.rng | 5 +++++ src/conf/domain_conf.c | 3 ++- src/conf/domain_conf.h | 1 + src/lxc/lxc_container.c | 11 +++++++---- 5 files changed, 22 insertions(+), 5 deletions(-) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 1d0211d..b7ad638 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -843,6 +843,7 @@ <acpi/> <apic/> <hap/> + <privnet/> </features> ...</pre> @@ -870,6 +871,12 @@ <dd>Enable Viridian hypervisor extensions for paravirtualizing guest operating systems </dd> + <dt><code>privnet</code></dt> + <dd>Always create a private network namespace. This is + automatically set if any interface devices are defined. + This feature is only relevant for container based + virtualization drivers eg LXC. + </dd> </dl> <h3><a name="elementsTime">Time keeping</a></h3> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 2f655a9..9f12a6d 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -2530,6 +2530,11 @@ <empty/> </element> </optional> + <optional> + <element name="privnet"> + <empty/> + </element> + </optional> </interleave> </element> </optional> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index e872396..66d7f39 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -103,7 +103,8 @@ VIR_ENUM_IMPL(virDomainFeature, VIR_DOMAIN_FEATURE_LAST, "apic", "pae", "hap", - "viridian") + "viridian", + "privnet") VIR_ENUM_IMPL(virDomainLifecycle, VIR_DOMAIN_LIFECYCLE_LAST, "destroy", diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 3b522a9..2131ff9 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1221,6 +1221,7 @@ enum virDomainFeature { VIR_DOMAIN_FEATURE_PAE, VIR_DOMAIN_FEATURE_HAP, VIR_DOMAIN_FEATURE_VIRIDIAN, + VIR_DOMAIN_FEATURE_PRIVNET, VIR_DOMAIN_FEATURE_LAST }; diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index dcd65ef..0820a0e 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -254,7 +254,8 @@ int lxcContainerWaitForContinue(int control) * * Returns 0 on success or nonzero in case of error */ -static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths, +static int lxcContainerRenameAndEnableInterfaces(bool privNet, + unsigned int nveths, char **veths) { int rc = 0; @@ -282,7 +283,7 @@ static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths, } /* enable lo device only if there were other net devices */ - if (veths) + if (veths || privNet) rc = virNetDevSetOnline("lo", true); error_out: @@ -1277,7 +1278,8 @@ static int lxcContainerChild( void *data ) VIR_DEBUG("Received container continue message"); /* rename and enable interfaces */ - if (lxcContainerRenameAndEnableInterfaces(argv->nveths, + if (lxcContainerRenameAndEnableInterfaces(vmDef->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET), + argv->nveths, argv->veths) < 0) { goto cleanup; } @@ -1386,7 +1388,8 @@ int lxcContainerStart(virDomainDefPtr def, cflags |= CLONE_NEWUSER; } - if (def->nets != NULL) { + if (def->nets != NULL || + (def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))) { VIR_DEBUG("Enable network namespaces"); cflags |= CLONE_NEWNET; } -- 1.7.7.5