[Bug/Feature] Add lxc network config. Remove dead network code.
[Cause] N/A
[Solution] N/A
[Verification] Build, install, run
Change-Id: I2883858dbd571a01c93f6cc8c6b47cffe970a42a
BuildRequires: pkgconfig(libsystemd-journal)
BuildRequires: pkgconfig(sqlite3)
Requires(post): libcap-tools
+Requires: bridge-utils
%description
This package provides a daemon used to manage containers - start, stop and switch
esac
done
+br_name="virbr-${name}"
+sub_net="101" # TODO from param
+
# XXX assume rootfs if mounted from iso
# Prepare container configuration file
lxc.tty = 0
lxc.mount.auto = proc sys cgroup
-lxc.mount.entry = /var/run/containers/business/run var/run none rw,bind 0 0
+lxc.mount.entry = /var/run/containers/${name}/run var/run none rw,bind 0 0
+
+lxc.network.type = veth
+lxc.network.link = ${br_name}
+lxc.network.flags = up
+lxc.network.name = eth0
+lxc.network.veth.pair = veth-${name}
+lxc.network.ipv4.gateway = 10.0.${sub_net}.1
+lxc.network.ipv4 = 10.0.${sub_net}.2/24
+
+lxc.hook.pre-start = ${path}/pre-start.sh
+
+#lxc.loglevel = TRACE
+#lxc.logfile = /tmp/${name}.log
+EOF
+
+# prepare pre start hook
+cat <<EOF >> ${path}/pre-start.sh
+if [ -z "\$(/usr/sbin/brctl show | /bin/grep -P "${br_name}\t")" ]
+then
+ /usr/sbin/brctl addbr ${br_name}
+ /usr/sbin/brctl setfd ${br_name} 0
+ /sbin/ifconfig ${br_name} 10.0.${sub_net}.1 netmask 255.255.255.0 up
+fi
+if [ -z "\$(/usr/sbin/iptables -t nat -S | /bin/grep MASQUERADE)" ]
+then
+ /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
+ /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
+fi
EOF
+chmod 755 ${path}/pre-start.sh
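Review bot: The NAT block in the generated pre-start hook keys its setup on `grep MASQUERADE` over the whole nat table, so a MASQUERADE rule installed by any other service silently skips both the 10.0.0.0/16 rule and the ip_forward write, while a successful run enables forwarding host-wide with no FORWARD-chain policy — the host will then route freely between the per-container bridges (10.0.101.0/24 and 10.0.102.0/24 here, presumably the business and private containers), which undoes the separation the two templates exist to provide. Check for the specific rule with `iptables -C`, set ip_forward unconditionally, and insert a FORWARD rule dropping traffic between virbr bridges, as sketched below (the lines stay inside the appended heredoc and contain no `$`, so no extra escaping is needed). The hook is also opened with `>>`, so every template run appends another copy of the bridge/NAT block, and nothing in this hunk writes a shebang for the file. The identical block appears in the second template hunk (the one ending at the next `chmod 755`), with `sub_net` hard-coded as a TODO in both, so the two subnets only avoid colliding by manual choice. Since the hook calls /sbin/ifconfig and /usr/sbin/iptables, the spec hunk above adding only bridge-utils is incomplete unless net-tools and iptables are already pulled in transitively.
```shell
# … unchanged: bridge creation …
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
if ! /usr/sbin/iptables -t nat -C POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE 2>/dev/null
then
 /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
fi
if ! /usr/sbin/iptables -C FORWARD -i virbr-+ -o virbr-+ -j DROP 2>/dev/null
then
 /usr/sbin/iptables -I FORWARD -i virbr-+ -o virbr-+ -j DROP
fi
```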
esac
done
+br_name="virbr-${name}"
+sub_net="102" # TODO from param
+
# XXX assume rootfs if mounted from iso
# Prepare container configuration file
lxc.tty = 0
lxc.mount.auto = proc sys cgroup
-lxc.mount.entry = /var/run/containers/private/run var/run none rw,bind 0 0
+lxc.mount.entry = /var/run/containers/${name}/run var/run none rw,bind 0 0
+
+lxc.network.type = veth
+lxc.network.link = ${br_name}
+lxc.network.flags = up
+lxc.network.name = eth0
+lxc.network.veth.pair = veth-${name}
+lxc.network.ipv4.gateway = 10.0.${sub_net}.1
+lxc.network.ipv4 = 10.0.${sub_net}.2/24
+
+lxc.hook.pre-start = ${path}/pre-start.sh
+
+#lxc.loglevel = TRACE
+#lxc.logfile = /tmp/${name}.log
+EOF
+
+# prepare pre start hook
+cat <<EOF >> ${path}/pre-start.sh
+if [ -z "\$(/usr/sbin/brctl show | /bin/grep -P "${br_name}\t")" ]
+then
+ /usr/sbin/brctl addbr ${br_name}
+ /usr/sbin/brctl setfd ${br_name} 0
+ /sbin/ifconfig ${br_name} 10.0.${sub_net}.1 netmask 255.255.255.0 up
+fi
+if [ -z "\$(/usr/sbin/iptables -t nat -S | /bin/grep MASQUERADE)" ]
+then
+ /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
+ /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
+fi
EOF
+chmod 755 ${path}/pre-start.sh
mPermittedToRecv.push_back(boost::regex(r));
}
- //const std::string baseConfigPath = utils::dirName(containerConfigPath);
- //mConfig.config = fs::absolute(mConfig.config, baseConfigPath).string();
- //mConfig.networkConfig = fs::absolute(mConfig.networkConfig, baseConfigPath).string();
- //mConfig.networkFilterConfig = fs::absolute(mConfig.networkFilterConfig,
- // baseConfigPath).string();
if (!mConfig.runMountPoint.empty()) {
mRunMountPoint = fs::absolute(mConfig.runMountPoint, baseRunMountPointPath).string();
}
- //LOGT("Creating Network Admin " << mConfig.networkConfig);
- mNetworkAdmin.reset(new NetworkAdmin(mConfig));
- //LOGT("Creating Container Admin " << mConfig.config);
mAdmin.reset(new ContainerAdmin(containersPath, lxcTemplatePrefix, mConfig));
}
if (mConfig.enableDbusIntegration) {
mConnectionTransport.reset(new ContainerConnectionTransport(mRunMountPoint));
}
- mNetworkAdmin->start();
mAdmin->start();
if (mConfig.enableDbusIntegration) {
connect();
Lock lock(mReconnectMutex);
disconnect();
mAdmin->stop();
- mNetworkAdmin->stop();
mConnectionTransport.reset();
}
void Container::setDetachOnExit()
{
Lock lock(mReconnectMutex);
- mNetworkAdmin->setDetachOnExit();
mAdmin->setDetachOnExit();
if (mConnectionTransport) {
mConnectionTransport->setDetachOnExit();
#include "container-admin.hpp"
#include "container-connection.hpp"
#include "container-connection-transport.hpp"
-#include "network-admin.hpp"
-
#include <string>
#include <memory>
std::vector<boost::regex> mPermittedToSend;
std::vector<boost::regex> mPermittedToRecv;
std::unique_ptr<ContainerConnectionTransport> mConnectionTransport;
- std::unique_ptr<NetworkAdmin> mNetworkAdmin;
std::unique_ptr<ContainerAdmin> mAdmin;
std::unique_ptr<ContainerConnection> mConnection;
std::thread mReconnectThread;
+++ /dev/null
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Piotr Bartosiewicz <p.bartosiewi@partner.samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-/**
- * @file
- * @author Piotr Bartosiewicz (p.bartosiewi@partner.samsung.com)
- * @brief Implementation of class for administrating single network
- */
-
-#include "config.hpp"
-
-#include "network-admin.hpp"
-#include "exception.hpp"
-
-//#include "libvirt/helpers.hpp"
-#include "logger/logger.hpp"
-#include "utils/fs.hpp"
-
-#include <cassert>
-
-
-namespace security_containers {
-
-namespace {
-
-//std::string getNetworkName(virNetworkPtr net)
-//{
-// assert(net);
-//
-// const char* name = virNetworkGetName(net);
-// if (name == nullptr) {
-// LOGE("Failed to get the network's id:\n"
-// << libvirt::libvirtFormatError());
-// throw ContainerOperationException();
-// }
-//
-// return name;
-//}
-
-} // namespace
-
-
-NetworkAdmin::NetworkAdmin(const ContainerConfig& config)
- : mConfig(config),
- //mNWFilter(utils::readFileContent(mConfig.networkFilterConfig)),
- //mNetwork(utils::readFileContent(mConfig.networkConfig)),
- mId("TODO"),//mId(getNetworkName(mNetwork.get())),
- mDetachOnExit(false)
-{
- LOGD(mId << ": Instantiating NetworkAdmin object");
-}
-
-
-NetworkAdmin::~NetworkAdmin()
-{
- LOGD(mId << ": Destroying NetworkAdmin object...");
- // Try to stop
- if (!mDetachOnExit) {
- try {
- stop();
- } catch (ServerException&) {
- LOGE(mId << ": Failed to stop the network");
- }
- }
-
- LOGD(mId << ": NetworkAdmin object destroyed");
-}
-
-
-const std::string& NetworkAdmin::getId() const
-{
- return mId;
-}
-
-
-void NetworkAdmin::start()
-{
-// assert(mNetwork);
-//
-// LOGD(mId << ": Starting...");
-// if (isActive()) {
-// LOGD(mId << ": Already running - nothing to do...");
-// return;
-// }
-//
-// if (virNetworkCreate(mNetwork.get()) < 0) {
-// LOGE(mId << ": Failed to start the network\n"
-// << libvirt::libvirtFormatError());
-// throw ContainerOperationException();
-// }
-//
-// LOGD(mId << ": Started");
-}
-
-
-void NetworkAdmin::stop()
-{
-// assert(mNetwork);
-//
-// LOGD(mId << ": Stopping procedure started...");
-// if (!isActive()) {
-// LOGD(mId << ": Already crashed/down/off - nothing to do");
-// return;
-// }
-//
-// if (virNetworkDestroy(mNetwork.get()) < 0) {
-// LOGE(mId << ": Failed to destroy the network\n"
-// << libvirt::libvirtFormatError());
-// throw ContainerOperationException();
-// }
-//
-// LOGD(mId << ": Stopping procedure ended");
-}
-
-
-bool NetworkAdmin::isActive()
-{
-// assert(mNetwork);
-// int ret = virNetworkIsActive(mNetwork.get());
-// if (ret < 0) {
-// LOGE(mId << ": Failed to get network state\n"
-// << libvirt::libvirtFormatError());
-// throw ContainerOperationException();
-// }
-// return ret > 0;
- return false;
-}
-
-
-void NetworkAdmin::setDetachOnExit()
-{
-// mDetachOnExit = true;
-// mNWFilter.setDetachOnExit();
-}
-
-
-} // namespace security_containers
+++ /dev/null
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Piotr Bartosiewicz <p.bartosiewi@partner.samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-/**
- * @file
- * @author Piotr Bartosiewicz (p.bartosiewi@partner.samsung.com)
- * @brief Declaration of the class for administrating single network
- */
-
-
-#ifndef SERVER_NETWORK_ADMIN_HPP
-#define SERVER_NETWORK_ADMIN_HPP
-
-#include "container-config.hpp"
-
-//#include "libvirt/network-filter.hpp"
-//#include "libvirt/network.hpp"
-
-
-namespace security_containers {
-
-
-class NetworkAdmin {
-
-public:
-
- NetworkAdmin(const ContainerConfig& config);
- virtual ~NetworkAdmin();
-
- /**
- * Get the network id
- */
- const std::string& getId() const;
-
- /**
- * Start network.
- */
- void start();
-
- /**
- * Stop network.
- */
- void stop();
-
- /**
- * @return Is the network active?
- */
- bool isActive();
-
- /**
- * Set whether container should be detached on exit.
- */
- void setDetachOnExit();
-
-
-private:
- const ContainerConfig& mConfig;
- //libvirt::LibvirtNWFilter mNWFilter;
- //libvirt::LibvirtNetwork mNetwork;
- const std::string mId;
- bool mDetachOnExit;
-};
-
-
-} // namespace security_containers
-
-
-#endif // SERVER_NETWORK_ADMIN_HPP
FILE(GLOB admin_container_CONF ut-container-admin/containers/*.conf)
-FILE(GLOB network_container_CONF ut-network-admin/containers/*.conf)
-
FILE(GLOB connection_CONF ut-container-connection/*.conf)
${CMAKE_BINARY_DIR}/ut-server/buggy-daemon.conf @ONLY)
FILE(GLOB server_manager_CONF_GEN ${CMAKE_BINARY_DIR}/ut-server/*.conf)
-CONFIGURE_FILE(ut-network-admin/containers/test.conf.in
- ${CMAKE_BINARY_DIR}/ut-network-admin/containers/test.conf @ONLY)
-CONFIGURE_FILE(ut-network-admin/containers/buggy.conf.in
- ${CMAKE_BINARY_DIR}/ut-network-admin/containers/buggy.conf @ONLY)
-FILE(GLOB network_container_CONF_GEN ${CMAKE_BINARY_DIR}/ut-network-admin/containers/*.conf)
-
CONFIGURE_FILE(ut-container/containers/test-dbus.conf.in
${CMAKE_BINARY_DIR}/ut-container/containers/test-dbus.conf @ONLY)
FILE(GLOB container_container_CONF_GEN ${CMAKE_BINARY_DIR}/ut-container/containers/*.conf)
INSTALL(FILES ${admin_container_CONF}
DESTINATION ${SC_TEST_CONFIG_INSTALL_DIR}/server/ut-container-admin/containers)
-INSTALL(FILES ${network_container_CONF}
- DESTINATION ${SC_TEST_CONFIG_INSTALL_DIR}/server/ut-network-admin/containers)
-INSTALL(FILES ${network_container_CONF_GEN}
- DESTINATION ${SC_TEST_CONFIG_INSTALL_DIR}/server/ut-network-admin/containers)
-
INSTALL(FILES ${connection_CONF}
DESTINATION ${SC_TEST_CONFIG_INSTALL_DIR}/server/ut-container-connection)
+++ /dev/null
-{
- "privilege" : 10,
- "vt" : -1,
- "switchToDefaultAfterTimeout" : true,
- "enableDbusIntegration" : false,
- "cpuQuotaForeground" : -1,
- "cpuQuotaBackground" : 1000,
- "runMountPoint" : "",
- "permittedToSend" : [],
- "permittedToRecv" : []
-}
+++ /dev/null
-{
- "privilege" : 10,
- "vt" : -1,
- "switchToDefaultAfterTimeout" : true,
- "enableDbusIntegration" : false,
- "cpuQuotaForeground" : -1,
- "cpuQuotaBackground" : 1000,
- "runMountPoint" : "",
- "permittedToSend" : [],
- "permittedToRecv" : []
-}
+++ /dev/null
-{
- "privilege" : 10,
- "vt" : -1,
- "switchToDefaultAfterTimeout" : true,
- "enableDbusIntegration" : false,
- "cpuQuotaForeground" : -1,
- "cpuQuotaBackground" : 1000,
- "runMountPoint" : "",
- "permittedToSend" : [],
- "permittedToRecv" : []
-}
+++ /dev/null
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Piotr Bartosiewicz <p.bartosiewi@partner.samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-
-/**
- * @file
- * @author Piotr Bartosiewicz (p.bartosiewi@partner.samsung.com)
- * @brief Unit tests of the NetworkAdmin class
- */
-
-//#include "config.hpp"
-//#include "ut.hpp"
-//
-//#include "network-admin.hpp"
-//
-//#include "utils/exception.hpp"
-////#include "libvirt/exception.hpp"
-//#include "config/manager.hpp"
-//
-//
-//using namespace security_containers;
-//
-//namespace {
-//
-//const std::string TEST_CONFIG_PATH = SC_TEST_CONFIG_INSTALL_DIR "/server/ut-network-admin/containers/test.conf";
-//const std::string BUGGY_CONFIG_PATH = SC_TEST_CONFIG_INSTALL_DIR "/server/ut-network-admin/containers/buggy.conf";
-//const std::string MISSING_CONFIG_PATH = SC_TEST_CONFIG_INSTALL_DIR "/server/ut-network-admin/containers/missing.conf";
-//
-//} // namespace
-//
-//
-//BOOST_AUTO_TEST_SUITE(NetworkAdminSuite)
-//
-//BOOST_AUTO_TEST_CASE(ConstructorDestructorTest)
-//{
-// ContainerConfig config;
-// config::loadFromFile(TEST_CONFIG_PATH, config);
-// std::unique_ptr<NetworkAdmin> admin;
-// BOOST_REQUIRE_NO_THROW(admin.reset(new NetworkAdmin(config)));
-// BOOST_REQUIRE_NO_THROW(admin.reset());
-//}
-//
-////BOOST_AUTO_TEST_CASE(BuggyConfigTest)
-////{
-//// ContainerConfig config;
-//// config::loadFromFile(BUGGY_CONFIG_PATH, config);
-//// BOOST_REQUIRE_THROW(NetworkAdmin na(config), LibvirtOperationException);
-////}
-//
-//BOOST_AUTO_TEST_CASE(MissingConfigTest)
-//{
-// ContainerConfig config;
-// config::loadFromFile(MISSING_CONFIG_PATH, config);
-// BOOST_REQUIRE_THROW(NetworkAdmin na(config), UtilsException);
-//}
-//
-//BOOST_AUTO_TEST_CASE(StartStopTest)
-//{
-// ContainerConfig config;
-// config::loadFromFile(TEST_CONFIG_PATH, config);
-// NetworkAdmin net(config);
-//
-// BOOST_CHECK(!net.isActive());
-// BOOST_CHECK_NO_THROW(net.start());
-// BOOST_CHECK(net.isActive());
-// BOOST_CHECK_NO_THROW(net.stop());
-// BOOST_CHECK(!net.isActive());
-//}
-//
-//BOOST_AUTO_TEST_SUITE_END()