[libvirt] [PATCH] Add support for forcing a private network namespace for LXC guests

15 Mar 2012

From: "Daniel P. Berrange" <berrange@redhat.com>

If no <interface> elements are included in an LXC guest XML
description, then the LXC guest will just see the host's
network interfaces. It is desirable to be able to hide the
host interfaces, without having to define any guest interfaces.

This patch introduces a new feature flag <privnet/> to allow
forcing of a private network namespace for LXC. In the future
I also anticipate that we will add <privuser/> to force a
private user ID namespace.

* src/conf/domain_conf.c, src/conf/domain_conf.h: Add support
  for <privnet/> feature. Auto-set <privnet> if any <interface>
  devices are defined
* src/lxc/lxc_container.c: Honour request for private network
  namespace

NB: this was ACKed way back in January, but I forgot to push
it then. Pushing it now - this re-post is just to remind folks
where it came from

https://www.redhat.com/archives/libvir-list/2012-January/msg01018.html

---
 docs/formatdomain.html.in     |    7 +++++++
 docs/schemas/domaincommon.rng |    5 +++++
 src/conf/domain_conf.c        |    3 ++-
 src/conf/domain_conf.h        |    1 +
 src/lxc/lxc_container.c       |   12 ++++++++----
 5 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 624c6b2..4edada3 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -897,6 +897,7 @@
     <acpi/>
     <apic/>
     <hap/>
+    <privnet/>
   </features>
   ...</pre>
 
@@ -924,6 +925,12 @@
       <dd>Enable Viridian hypervisor extensions for paravirtualizing
         guest operating systems
       </dd>
+      <dt><code>privnet</code></dt>
+      <dd>Always create a private network namespace. This is
+        automatically set if any interface devices are defined.
+        This feature is only relevant for container based
+        virtualization drivers, such as LXC.
+      </dd>
     </dl>
 
     <h3><a name="elementsTime">Time keeping</a></h3>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index b804a70..5b3e5fa 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -2632,6 +2632,11 @@
               <empty/>
             </element>
           </optional>
+          <optional>
+            <element name="privnet">
+              <empty/>
+            </element>
+          </optional>
         </interleave>
       </element>
     </optional>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index f6f8b8c..e6d0f4b 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -106,7 +106,8 @@ VIR_ENUM_IMPL(virDomainFeature, VIR_DOMAIN_FEATURE_LAST,
               "apic",
               "pae",
               "hap",
-              "viridian")
+              "viridian",
+              "privnet")
 
 VIR_ENUM_IMPL(virDomainLifecycle, VIR_DOMAIN_LIFECYCLE_LAST,
               "destroy",
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 0ab3b81..f471e35 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1298,6 +1298,7 @@ enum virDomainFeature {
     VIR_DOMAIN_FEATURE_PAE,
     VIR_DOMAIN_FEATURE_HAP,
     VIR_DOMAIN_FEATURE_VIRIDIAN,
+    VIR_DOMAIN_FEATURE_PRIVNET,
 
     VIR_DOMAIN_FEATURE_LAST
 };
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index d827b35..267fbfb 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -261,7 +261,8 @@ int lxcContainerWaitForContinue(int control)
  *
  * Returns 0 on success or nonzero in case of error
  */
-static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
+static int lxcContainerRenameAndEnableInterfaces(bool privNet,
+                                                 unsigned int nveths,
                                                  char **veths)
 {
     int rc = 0;
@@ -289,7 +290,7 @@ static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
     }
 
     /* enable lo device only if there were other net devices */
-    if (veths)
+    if (veths || privNet)
         rc = virNetDevSetOnline("lo", true);
 
 error_out:
@@ -1343,7 +1344,9 @@ static int lxcContainerChild( void *data )
     VIR_DEBUG("Received container continue message");
 
     /* rename and enable interfaces */
-    if (lxcContainerRenameAndEnableInterfaces(argv->nveths,
+    if (lxcContainerRenameAndEnableInterfaces(!!(vmDef->features &
+                                                 (1 << VIR_DOMAIN_FEATURE_PRIVNET)),
+                                              argv->nveths,
                                               argv->veths) < 0) {
         goto cleanup;
     }
@@ -1458,7 +1461,8 @@ int lxcContainerStart(virDomainDefPtr def,
         cflags |= CLONE_NEWUSER;
     }
 
-    if (def->nets != NULL) {
+    if (def->nets != NULL ||
+        (def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))) {
         VIR_DEBUG("Enable network namespaces");
         cflags |= CLONE_NEWNET;
     }
-- 
1.7.7.6

    

Daniel P. Berrange

tags

participants (1)