From 10a8b1f9585d7414d6d3a2571fffc5d699c4576b Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Wed, 18 Jan 2012 11:38:49 +0000 Subject: [PATCH] Add support for forcing a private network namespace for LXC guests If no elements are included in an LXC guest XML description, then the LXC guest will just see the host's network interfaces. It is desirable to be able to hide the host interfaces, without having to define any guest interfaces. This patch introduces a new feature flag to allow forcing of a private network namespace for LXC. In the future I also anticipate that we will add to force a private user ID namespace. * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support for feature. Auto-set if any devices are defined * src/lxc/lxc_container.c: Honour request for private network namespace --- docs/formatdomain.html.in | 7 +++++++ docs/schemas/domaincommon.rng | 5 +++++ src/conf/domain_conf.c | 3 ++- src/conf/domain_conf.h | 1 + src/lxc/lxc_container.c | 12 ++++++++---- 5 files changed, 23 insertions(+), 5 deletions(-) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 624c6b2cd7..4edada3331 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -897,6 +897,7 @@ <acpi/> <apic/> <hap/> + <privnet/> </features> ... @@ -924,6 +925,12 @@
Enable Viridian hypervisor extensions for paravirtualizing guest operating systems
+
privnet
+
Always create a private network namespace. This is + automatically set if any interface devices are defined. + This feature is only relevant for container based + virtualization drivers, such as LXC. +

Time keeping

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index b804a7074b..5b3e5fa548 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -2632,6 +2632,11 @@
+
+
+
+
+
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index f6f8b8ca88..e6d0f4be01 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -106,7 +106,8 @@ VIR_ENUM_IMPL(virDomainFeature, VIR_DOMAIN_FEATURE_LAST,
 "apic",
 "pae",
 "hap",
- "viridian")
+ "viridian",
+ "privnet")
 VIR_ENUM_IMPL(virDomainLifecycle, VIR_DOMAIN_LIFECYCLE_LAST,
 "destroy",
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 0ab3b814fa..f471e355db 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1298,6 +1298,7 @@ enum virDomainFeature {
 VIR_DOMAIN_FEATURE_PAE,
 VIR_DOMAIN_FEATURE_HAP,
 VIR_DOMAIN_FEATURE_VIRIDIAN,
+ VIR_DOMAIN_FEATURE_PRIVNET,
 VIR_DOMAIN_FEATURE_LAST
 };
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index d827b35f61..267fbfb07a 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -261,7 +261,8 @@ int lxcContainerWaitForContinue(int control)
 *
 * Returns 0 on success or nonzero in case of error
 */
-static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
+static int lxcContainerRenameAndEnableInterfaces(bool privNet,
+ unsigned int nveths,
 char **veths)
 {
 int rc = 0;
@@ -289,7 +290,7 @@ static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
 }
 /* enable lo device only if there were other net devices */
- if (veths)
+ if (veths || privNet)
 rc = virNetDevSetOnline("lo", true);
 error_out:
@@ -1343,7 +1344,9 @@ static int lxcContainerChild( void *data )
 VIR_DEBUG("Received container continue message");
 /* rename and enable interfaces */
- if (lxcContainerRenameAndEnableInterfaces(argv->nveths,
+ if (lxcContainerRenameAndEnableInterfaces(!!(vmDef->features &
+ (1 << VIR_DOMAIN_FEATURE_PRIVNET)),
+ argv->nveths,
 argv->veths) < 0) {
 goto cleanup;
 }
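Review bot: The comment `/* enable lo device only if there were other net devices */` directly above the changed condition is now wrong: with `privNet` set and no veths the loopback is still brought up, which is the whole point of the new flag. Suggest `/* bring up lo when the container got its own veths, or when it was given a private network namespace with no interfaces at all */`. The condition also tests the `veths` pointer while the function is handed `nveths` as well; `if (nveths > 0 || privNet)` says what is meant and does not depend on whether an empty interface list arrives as NULL. lxcContainerRenameAndEnableInterfaces's body continues outside the hunk on both sides.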
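Review bot: The privnet bit is decoded with a hand-written shift here, `!!(vmDef->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))`, and again in lxcContainerStart, so the two places that must agree on whether the container has a private network namespace can drift apart. A single helper in lxc_container.c, `static bool lxcDefWantsPrivNet(virDomainDefPtr def) { return def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET); }`, called from both sites keeps the decision in one place. Note too that lxcContainerStart grants the namespace for `def->nets != NULL` as well as for the bit, whereas this call passes only the bit and leaves the interface case to `argv->veths`; if `nveths` can be zero while `nets` is non-NULL the child would end up in a private namespace with lo left down, which I cannot confirm from the hunk. lxcContainerChild starts before the hunk and continues after it.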
@@ -1458,7 +1461,8 @@ int lxcContainerStart(virDomainDefPtr def, cflags |= CLONE_NEWUSER; } - if (def->nets != NULL) { + if (def->nets != NULL || + (def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))) { VIR_DEBUG("Enable network namespaces"); cflags |= CLONE_NEWNET; }
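Review bot: Nothing in this patch sets VIR_DOMAIN_FEATURE_PRIVNET on `def->features` when interfaces are present — the visible domain_conf.c hunk only adds the `"privnet"` string — so the "automatically set if any interface devices are defined" wording in the docs is realized solely by the `def->nets != NULL ||` half of this condition, and presumably the XML formatter and any other reader of `features` will not see the flag. Either set the bit in the parser once an interface has been parsed and test only the bit here, or word the docs as "a private namespace is also created whenever interfaces are defined" rather than as the feature being set. Since this condition is the isolation decision for the guest, a comment stating that directly would help, e.g. `/* Without CLONE_NEWNET the container sees every host interface; isolate it whenever it has its own veths or privnet was requested */`. lxcContainerStart starts before the hunk and continues after it.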