return STATE_MAP.at(str);
}
-bool LxcDomain::create(const std::string& templatePath)
+bool LxcDomain::create(const std::string& templatePath, const char* const* argv)
{
- if (!mContainer->create(mContainer, templatePath.c_str(), NULL, NULL, 0, NULL)) {
+ if (!mContainer->create(mContainer,
+ templatePath.c_str(),
+ NULL, NULL, 0,
+ const_cast<char* const*>(argv))) {
LOGE("Could not create domain " + getName());
return false;
}
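Review bot: The `const_cast<char* const*>(argv)` on L10 silently drops the const that callers were promised, and nothing at the call site records why that is sound; it is acceptable only because liblxc's `create` takes `char *const argv[]` for historical reasons and is not expected to write through it, which should be stated where the cast is. Suggest the comment `// liblxc declares argv as char* const*; it does not modify the strings, so dropping const is safe here` directly above the call. The rest of `LxcDomain::create` continues outside the hunk.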
State getState();
- bool create(const std::string& templatePath);
+ bool create(const std::string& templatePath, const char* const* argv);
bool destroy();
bool start(const char* const* argv);
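Review bot: The new `create` declaration on L16 documents neither what `argv` is nor how it is terminated, although every caller must build it correctly for the C API behind it; the unit tests pass a `{NULL}` array, which suggests a NULL-terminated list. Suggest a Doxygen line such as `/// @param argv NULL-terminated extra arguments forwarded to the LXC template script (e.g. --ipv4, --ipv4-gateway)` above the declaration, and the same convention noted on `start` on L18 if it is not already documented elsewhere in the header.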
{
"name" : "business",
- "lxcTemplate" : "business.sh",
+ "lxcTemplate" : "template.sh",
"initWithArgs" : [],
+ "ipv4Gateway" : "10.0.102.1",
+ "ipv4" : "10.0.102.2",
"cpuQuotaForeground" : -1,
"cpuQuotaBackground" : 10000,
"enableDbusIntegration" : true,
{
"name" : "private",
- "lxcTemplate" : "private.sh",
+ "lxcTemplate" : "template.sh",
"initWithArgs" : [],
+ "ipv4Gateway" : "10.0.101.1",
+ "ipv4" : "10.0.101.2",
"cpuQuotaForeground" : -1,
"cpuQuotaBackground" : 10000,
"enableDbusIntegration" : true,
+++ /dev/null
-#!/bin/bash
-
-echo LXC template, args: $@
-
-options=$(getopt -o p:n: -l rootfs:,path:,name: -- "$@")
-if [ $? -ne 0 ]; then
- exit 1
-fi
-eval set -- "$options"
-
-while true
-do
- case "$1" in
- -p|--path) path=$2; shift 2;;
- --rootfs) rootfs=$2; shift 2;;
- -n|--name) name=$2; shift 2;;
- --) shift 1; break ;;
- *) break ;;
- esac
-done
-
-br_name="virbr-${name}"
-sub_net="101" # TODO from param
-
-# XXX assume rootfs if mounted from iso
-
-# Prepare container configuration file
-> ${path}/config
-cat <<EOF >> ${path}/config
-lxc.utsname = ${name}
-lxc.rootfs = ${rootfs}
-
-# userns 1-to-1 mapping
-#lxc.id_map = u 0 0 65536
-#lxc.id_map = g 0 0 65536
-
-lxc.pts = 256
-lxc.tty = 0
-
-lxc.mount.auto = proc sys cgroup
-lxc.mount.entry = /var/run/containers/${name}/run var/run none rw,bind 0 0
-
-lxc.network.type = veth
-lxc.network.link = ${br_name}
-lxc.network.flags = up
-lxc.network.name = eth0
-lxc.network.veth.pair = veth-${name}
-lxc.network.ipv4.gateway = 10.0.${sub_net}.1
-lxc.network.ipv4 = 10.0.${sub_net}.2/24
-
-lxc.hook.pre-start = ${path}/pre-start.sh
-
-#lxc.loglevel = TRACE
-#lxc.logfile = /tmp/${name}.log
-EOF
-
-# prepare pre start hook
-cat <<EOF >> ${path}/pre-start.sh
-if [ -z "\$(/usr/sbin/brctl show | /bin/grep -P "${br_name}\t")" ]
-then
- /usr/sbin/brctl addbr ${br_name}
- /usr/sbin/brctl setfd ${br_name} 0
- /sbin/ifconfig ${br_name} 10.0.${sub_net}.1 netmask 255.255.255.0 up
-fi
-if [ -z "\$(/usr/sbin/iptables -t nat -S | /bin/grep MASQUERADE)" ]
-then
- /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
- /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
-fi
-EOF
-
-chmod 755 ${path}/pre-start.sh
+++ /dev/null
-#!/bin/bash
-
-echo LXC template, args: $@
-
-options=$(getopt -o p:n: -l rootfs:,path:,name: -- "$@")
-if [ $? -ne 0 ]; then
- exit 1
-fi
-eval set -- "$options"
-
-while true
-do
- case "$1" in
- -p|--path) path=$2; shift 2;;
- --rootfs) rootfs=$2; shift 2;;
- -n|--name) name=$2; shift 2;;
- --) shift 1; break ;;
- *) break ;;
- esac
-done
-
-br_name="virbr-${name}"
-sub_net="102" # TODO from param
-
-# XXX assume rootfs if mounted from iso
-
-# Prepare container configuration file
-> ${path}/config
-cat <<EOF >> ${path}/config
-lxc.utsname = ${name}
-lxc.rootfs = ${rootfs}
-
-# userns 1-to-1 mapping
-#lxc.id_map = u 0 0 65536
-#lxc.id_map = g 0 0 65536
-
-lxc.pts = 256
-lxc.tty = 0
-
-lxc.mount.auto = proc sys cgroup
-lxc.mount.entry = /var/run/containers/${name}/run var/run none rw,bind 0 0
-
-lxc.network.type = veth
-lxc.network.link = ${br_name}
-lxc.network.flags = up
-lxc.network.name = eth0
-lxc.network.veth.pair = veth-${name}
-lxc.network.ipv4.gateway = 10.0.${sub_net}.1
-lxc.network.ipv4 = 10.0.${sub_net}.2/24
-
-lxc.hook.pre-start = ${path}/pre-start.sh
-
-#lxc.loglevel = TRACE
-#lxc.logfile = /tmp/${name}.log
-EOF
-
-# prepare pre start hook
-cat <<EOF >> ${path}/pre-start.sh
-if [ -z "\$(/usr/sbin/brctl show | /bin/grep -P "${br_name}\t")" ]
-then
- /usr/sbin/brctl addbr ${br_name}
- /usr/sbin/brctl setfd ${br_name} 0
- /sbin/ifconfig ${br_name} 10.0.${sub_net}.1 netmask 255.255.255.0 up
-fi
-if [ -z "\$(/usr/sbin/iptables -t nat -S | /bin/grep MASQUERADE)" ]
-then
- /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
- /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
-fi
-EOF
-
-chmod 755 ${path}/pre-start.sh
echo LXC template, args: $@
-options=$(getopt -o p:n: -l rootfs:,path:,name: -- "$@")
+options=$(getopt -o p:n: -l rootfs:,path:,name:,ipv4:,ipv4-gateway: -- "$@")
if [ $? -ne 0 ]; then
exit 1
fi
-p|--path) path=$2; shift 2;;
--rootfs) rootfs=$2; shift 2;;
-n|--name) name=$2; shift 2;;
+ --ipv4) ipv4=$2; shift 2;;
+ --ipv4-gateway) ipv4_gateway=$2; shift 2;;
--) shift 1; break ;;
*) break ;;
esac
done
br_name="virbr-${name}"
-sub_net="103" # TODO from param
# XXX assume rootfs if mounted from iso
lxc.mount.auto = proc sys cgroup
lxc.mount.entry = /var/run/containers/${name}/run var/run none rw,bind 0 0
+# create a separate network per container
+# - it forbids traffic sniffing (like macvlan in bridge mode)
+# - it enables traffic controlling from host using iptables
lxc.network.type = veth
lxc.network.link = ${br_name}
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.veth.pair = veth-${name}
-lxc.network.ipv4.gateway = 10.0.${sub_net}.1
-lxc.network.ipv4 = 10.0.${sub_net}.2/24
+lxc.network.ipv4.gateway = ${ipv4_gateway}
+lxc.network.ipv4 = ${ipv4}/24
lxc.hook.pre-start = ${path}/pre-start.sh
EOF
# prepare pre start hook
+> ${path}/pre-start.sh
cat <<EOF >> ${path}/pre-start.sh
if [ -z "\$(/usr/sbin/brctl show | /bin/grep -P "${br_name}\t")" ]
then
/usr/sbin/brctl addbr ${br_name}
/usr/sbin/brctl setfd ${br_name} 0
- /sbin/ifconfig ${br_name} 10.0.${sub_net}.1 netmask 255.255.255.0 up
+ /sbin/ifconfig ${br_name} ${ipv4_gateway} netmask 255.255.255.0 up
fi
if [ -z "\$(/usr/sbin/iptables -t nat -S | /bin/grep MASQUERADE)" ]
then
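Review bot: The template now emits `lxc.network.ipv4.gateway = ${ipv4_gateway}` and `lxc.network.ipv4 = ${ipv4}/24` (L215–L216) and writes `${ipv4_gateway}` into the pre-start hook (L227) without checking that either option was supplied or that it looks like an IPv4 address; when `--ipv4` is absent the generated config contains the invalid line `lxc.network.ipv4 = /24`, and the hook later runs `ifconfig virbr-<name>  netmask 255.255.255.0 up` with an empty address. The values come from the container configuration files and are interpolated verbatim into a script that LXC executes on the host as a pre-start hook, so the template should refuse to generate anything when they are missing or contain characters outside a dotted quad. The /24 prefix and the `255.255.255.0` netmask are still hard-coded while the addresses are configurable, so gateway and container address must be in the same /24; that constraint is not checked either. The NAT rule further down in the hook still appears to hard-code `10.0.0.0/16` (outside this hunk), so addresses outside that range would get a bridge but no masquerading. A guard after the option loop (L199) would cover the first two points:
```bash
done
# … unchanged: br_name assignment …
# Refuse to generate a config with missing or malformed addresses: the values are
# written verbatim into ${path}/config and into the pre-start hook LXC executes.
if [ -z "${ipv4}" ] || [ -z "${ipv4_gateway}" ]; then
    echo "template: --ipv4 and --ipv4-gateway are required" >&2
    exit 1
fi
case "${ipv4}${ipv4_gateway}" in
    *[!0-9.]*) echo "template: invalid IPv4 address" >&2; exit 1;;
esac
```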
"name" : "~NAME~",
"lxcTemplate" : "template.sh",
"initWithArgs" : [],
+ "ipv4Gateway" : "10.0.~IP~.1",
+ "ipv4" : "10.0.~IP~.2",
"cpuQuotaForeground" : -1,
"cpuQuotaBackground" : 1000,
"privilege" : 10,
const std::string lxcTemplate = utils::getAbsolutePath(config.lxcTemplate,
lxcTemplatePrefix);
LOGI(mId << ": Creating domain from template: " << lxcTemplate);
- if (!mDom.create(lxcTemplate)) {
+ std::vector<std::string> args;
+ if (!config.ipv4Gateway.empty()) {
+ args.push_back("--ipv4-gateway");
+ args.push_back(config.ipv4Gateway);
+ }
+ if (!config.ipv4.empty()) {
+ args.push_back("--ipv4");
+ args.push_back(config.ipv4);
+ }
+ if (!mDom.create(lxcTemplate, Args(args).getAsCArray())) {
throw ContainerOperationException("Could not create domain");
}
}
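Review bot: The two `if (!config.…empty())` blocks on L244–L251 forward each address independently, so a configuration that sets only `ipv4` or only `ipv4Gateway` hands the template half a network definition and the failure surfaces later as an unusable container rather than here. Treat the pair as all-or-nothing before calling `create`: `if (config.ipv4Gateway.empty() != config.ipv4.empty()) { throw ContainerOperationException("ipv4 and ipv4Gateway must be set together"); }`. The `Args(args).getAsCArray()` temporary on L252 is valid only because the pointer is consumed inside the same full-expression; a one-line comment such as `// the Args temporary lives until the end of this full-expression, which covers the create() call` would stop a future refactor from hoisting the pointer into a local. The enclosing function starts outside the hunk.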
std::vector<std::string> initWithArgs;
/**
+ * IP v4 gateway address
+ */
+ std::string ipv4Gateway;
+
+ /**
+ * IP v4 address
+ */
+ std::string ipv4;
+
+ /**
* Privilege of the container.
* The smaller the value the more important the container
*/
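Review bot: The new field comments on L258 and L263 say only "IP v4 gateway address" and "IP v4 address", which leaves out the two facts a config author needs: the address is given without a prefix length because `template.sh` appends `/24` itself, and an empty string means the option is not passed to the template at all (see the `empty()` checks in `Container` where the argument list is built). Suggest `* IP v4 address of the container, without prefix length (the LXC template applies /24). Empty: not passed to the template.` for `ipv4`, and `* IP v4 gateway address configured on the host bridge for this container; must lie in the same /24 as ipv4. Empty: not passed to the template.` for `ipv4Gateway`.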
name,
lxcTemplate,
initWithArgs,
+ ipv4Gateway,
+ ipv4,
privilege,
vt,
switchToDefaultAfterTimeout,
"name" : "ut-containers-manager-console1-dbus",
"lxcTemplate" : "minimal-dbus1.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; /usr/bin/dbus-daemon --config-file=@SC_TEST_CONFIG_INSTALL_DIR@/server/ut-containers-manager/ut-dbus.conf --fork; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-containers-manager-console2-dbus",
"lxcTemplate" : "minimal-dbus2.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; /usr/bin/dbus-daemon --config-file=@SC_TEST_CONFIG_INSTALL_DIR@/server/ut-containers-manager/ut-dbus.conf --fork; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : false,
"name" : "ut-containers-manager-console3-dbus",
"lxcTemplate" : "minimal-dbus3.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; /usr/bin/dbus-daemon --config-file=@SC_TEST_CONFIG_INSTALL_DIR@/server/ut-containers-manager/ut-dbus.conf --fork; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
const std::string LXC_PATH = "/tmp/ut-lxc/";
const std::string DOMAIN_NAME = "ut-domain";
const std::string TEMPLATE = SC_TEST_LXC_TEMPLATES_INSTALL_DIR "/minimal.sh";
+const char* TEMPLATE_ARGS[] = {NULL};
struct Fixture {
utils::ScopedDir mLxcDirGuard;
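Review bot: `const char* TEMPLATE_ARGS[] = {NULL};` on L306 declares a mutable global array of pointers, unlike the neighbouring `const std::string` constants; since it is only ever passed to `create(const std::string&, const char* const*)`, it can be `const char* const TEMPLATE_ARGS[] = {NULL};` (or `static`) so nothing can rewrite the argument list between tests. The remaining `create(TEMPLATE, TEMPLATE_ARGS)` substitutions in this file are mechanical, but none of them exercises a non-empty argument list, so the new argv forwarding path in `LxcDomain::create` is not covered by these tests.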
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
BOOST_CHECK(!lxc.isDefined());
- BOOST_CHECK(lxc.create(TEMPLATE));
+ BOOST_CHECK(lxc.create(TEMPLATE, TEMPLATE_ARGS));
BOOST_CHECK(lxc.isDefined());
BOOST_CHECK_EQUAL(lxc.getConfigItem("lxc.rootfs"), LXC_PATH + DOMAIN_NAME + "/rootfs");
{
{
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
- BOOST_CHECK(lxc.create(TEMPLATE));
+ BOOST_CHECK(lxc.create(TEMPLATE, TEMPLATE_ARGS));
}
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
BOOST_CHECK(lxc.getState() == LxcDomain::State::STOPPED);
{
{
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
- BOOST_CHECK(lxc.create(TEMPLATE));
+ BOOST_CHECK(lxc.create(TEMPLATE, TEMPLATE_ARGS));
}
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
BOOST_CHECK(lxc.getState() == LxcDomain::State::STOPPED);
{
{
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
- BOOST_CHECK(lxc.create(TEMPLATE));
+ BOOST_CHECK(lxc.create(TEMPLATE, TEMPLATE_ARGS));
}
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
BOOST_CHECK(lxc.getState() == LxcDomain::State::STOPPED);
BOOST_AUTO_TEST_CASE(FreezeUnfreezeTest)
{
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
- BOOST_CHECK(lxc.create(TEMPLATE));
+ BOOST_CHECK(lxc.create(TEMPLATE, TEMPLATE_ARGS));
const char* argv[] = {
"/bin/sh",
"-c",
BOOST_AUTO_TEST_CASE(FreezeStopTest)
{
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
- BOOST_CHECK(lxc.create(TEMPLATE));
+ BOOST_CHECK(lxc.create(TEMPLATE, TEMPLATE_ARGS));
const char* argv[] = {
"/bin/sh",
"-c",
BOOST_AUTO_TEST_CASE(RepeatTest)
{
LxcDomain lxc(LXC_PATH, DOMAIN_NAME);
- BOOST_CHECK(lxc.create(TEMPLATE));
- BOOST_CHECK(!lxc.create(TEMPLATE));// forbidden
+ BOOST_CHECK(lxc.create(TEMPLATE, TEMPLATE_ARGS));
+ BOOST_CHECK(!lxc.create(TEMPLATE, TEMPLATE_ARGS));// forbidden
const char* argv[] = {
"/bin/sh",
"-c",
"name" : "ut-container-admin-test",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/foo"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-container-admin-test",
"lxcTemplate" : "missing.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-container-admin-test",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-container-admin-test",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-container-test",
"lxcTemplate" : "/buggy/path",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-container-test-dbus",
"lxcTemplate" : "minimal-dbus1.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; /usr/bin/dbus-daemon --config-file=@SC_TEST_CONFIG_INSTALL_DIR@/server/ut-container/ut-dbus.conf --fork; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-container-test",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-containers-manager-console1-dbus",
"lxcTemplate" : "minimal-dbus1.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; /usr/bin/dbus-daemon --config-file=@SC_TEST_CONFIG_INSTALL_DIR@/server/ut-containers-manager/ut-dbus.conf --fork; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-containers-manager-console1",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-containers-manager-console2-dbus",
"lxcTemplate" : "minimal-dbus2.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; /usr/bin/dbus-daemon --config-file=@SC_TEST_CONFIG_INSTALL_DIR@/server/ut-containers-manager/ut-dbus.conf --fork; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : false,
"name" : "ut-containers-manager-console2",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-containers-manager-console3-dbus",
"lxcTemplate" : "minimal-dbus3.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; /usr/bin/dbus-daemon --config-file=@SC_TEST_CONFIG_INSTALL_DIR@/server/ut-containers-manager/ut-dbus.conf --fork; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-containers-manager-console3",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 15,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-server-container1",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 20,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-server-container2",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 10,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,
"name" : "ut-server-container3",
"lxcTemplate" : "minimal.sh",
"initWithArgs" : ["/bin/sh", "-c", "trap exit SIGTERM; read"],
+ "ipv4Gateway" : "",
+ "ipv4" : "",
"privilege" : 15,
"vt" : -1,
"switchToDefaultAfterTimeout" : true,