[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Add support for forcing a private network namespace for LXC guests



On 01/25/2012 07:35 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange redhat com>
> 
> If no <interface> elements are included in an LXC guest XML
> description, then the LXC guest will just see the host's
> network interfaces. It is desirable to be able to hide the
> host interfaces, without having to define any guest interfaces.
> 
> This patch introduces a new feature flag <privnet/> to allow
> forcing of a private network namespace for LXC. In the future
> I also anticipate that we will add <privuser/> to force a
> private user ID namespace.
> 
> * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support
>   for <privnet/> feature. Auto-set <privnet> if any <interface>
>   devices are defined
> * src/lxc/lxc_container.c: Honour request for private network
>   namespace
> ---

> @@ -870,6 +871,12 @@
>        <dd>Enable Viridian hypervisor extensions for paravirtualizing
>          guest operating systems
>        </dd>
> +      <dt><code>privnet</code></dt>
> +      <dd>Always create a private network namespace. This is
> +        automatically set if any interface devices are defined.
> +        This feature is only relevant for container based
> +        virtualization drivers eg LXC.

s/drivers eg/drivers, such as/

> +++ b/src/lxc/lxc_container.c
> @@ -254,7 +254,8 @@ int lxcContainerWaitForContinue(int control)
>   *
>   * Returns 0 on success or nonzero in case of error
>   */
> -static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
> +static int lxcContainerRenameAndEnableInterfaces(bool privNet,
> +                                                 unsigned int nveths,
>                                                   char **veths)
>  {
>      int rc = 0;
> @@ -282,7 +283,7 @@ static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
>      }
>  
>      /* enable lo device only if there were other net devices */
> -    if (veths)
> +    if (veths || privNet)
>          rc = virNetDevSetOnline("lo", true);
>  
>  error_out:
> @@ -1277,7 +1278,8 @@ static int lxcContainerChild( void *data )
>      VIR_DEBUG("Received container continue message");
>  
>      /* rename and enable interfaces */
> -    if (lxcContainerRenameAndEnableInterfaces(argv->nveths,
> +    if (lxcContainerRenameAndEnableInterfaces(vmDef->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET),

I'm still a bit leery of relying on C99 conversion to bool; I would
write this as:

!!(vm->def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))

or similar.  But this wouldn't be the first time we rely on the compiler
obeying the spec without us having to add extra syntax.

> @@ -1386,7 +1388,8 @@ int lxcContainerStart(virDomainDefPtr def,
>          cflags |= CLONE_NEWUSER;
>      }
>  
> -    if (def->nets != NULL) {
> +    if (def->nets != NULL ||
> +        (def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))) {

On the other hand, this use is fine (that is, passing int to a bool
parameter is risky, using int in || is not).

ACK, whether or not you change the syntax of the call to
lxcContainerRenameAndEnableInterfaces.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]