> -----Original Message----- > From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx] > Sent: Thursday, August 22, 2013 5:42 PM > To: Gao feng > Cc: Chen Hanxiao; libvir-list@xxxxxxxxxx > Subject: Re: [PATCH]LXC: force container to enable network namespace > > On Thu, Aug 22, 2013 at 09:23:50AM +0800, Gao feng wrote: > > On 08/21/2013 05:53 PM, Daniel P. Berrange wrote: > > > On Wed, Aug 21, 2013 at 05:49:05PM +0800, Chen Hanxiao wrote: > > >> From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > > >> > > >> If we don't enable network namespace, we could shutdown host > > >> inside container by command 'shutdown', which is unacceptable. > > >> This patch will force users to enable network namespace > > >> before they start container. > > >> > > >> Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > > >> --- > > >> src/lxc/lxc_container.c | 6 ++++++ > > >> 1 files changed, 6 insertions(+), 0 deletions(-) > > >> > > >> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c > > >> index c7a22ab..5631ad7 100644 > > >> --- a/src/lxc/lxc_container.c > > >> +++ b/src/lxc/lxc_container.c 
> > >> @@ -1937,6 +1937,12 @@ int lxcContainerStart(virDomainDefPtr def, > > >> if (lxcNeedNetworkNamespace(def)) { > > >> VIR_DEBUG("Enable network namespaces"); > > >> cflags |= CLONE_NEWNET; > > >> + } else { > > >> + errno = EINVAL; > > >> + > > >> + virReportSystemError(errno, "%s", > > >> + _("Network namespace needed")); > > >> + return -1; > > >> } > > >> > > >> pid = clone(lxcContainerChild, stacktop, cflags, &args); > > > > > > NACK. > > > > > > We explicitly want to allow containers sharing the host's network > > > namespace. If you wish to prevent the problem you describe, then > > > set the <privnet/> feature in the XML, or configure virtual NICs > > > > > > > At least we should give user some warning message or add a notification > > about the probable reboot problem if user doesn't configure private > > net namespace for container. > > That can be documented in the drvlxc.html.in page > Thanks. New patches will come soon. > Daniel > -- > |: http://berrange.com -o- > http://www.flickr.com/photos/dberrange/ :| > |: http://libvirt.org -o- > http://virt-manager.org :| > |: http://autobuild.org -o- > http://search.cpan.org/~danberr/ :| > |: http://entangle-photo.org -o- > http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
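Review bot: In the new else branch of lxcContainerStart, the start is refused for every definition where lxcNeedNetworkNamespace(def) is false, with no opt-out, so a container that is meant to share the host's network namespace can no longer be started at all. If the goal is to make the shutdown risk visible, a warning at this point or a documentation note would keep the existing behaviour. Two smaller points in the same branch: errno is assigned EINVAL by hand only so it can be passed to virReportSystemError, although no system call has failed here, so a configuration-error report would describe the situation better; and the message "Network namespace needed" does not tell the user what to change, so it should name the privnet feature or a virtual NIC as the fix. It is also worth checking that the early return -1 does not skip cleanup of whatever backs stacktop, which is already set up before the clone call.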
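The two settings named in the reply above (the `<privnet/>` feature or a configured virtual NIC) can be checked in a domain definition before the container is started. The following is an added example, not code from the thread or from libvirt; it applies only those two conditions rather than libvirt's own lxcNeedNetworkNamespace logic, and the sample XML documents and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample definitions (not taken from the thread).
SHARED = """<domain type='lxc'>
  <name>shared-net</name>
  <os><type>exe</type><init>/sbin/init</init></os>
  <devices><console type='pty'/></devices>
</domain>"""

PRIVNET = """<domain type='lxc'>
  <name>privnet</name>
  <features><privnet/></features>
  <os><type>exe</type><init>/sbin/init</init></os>
</domain>"""

VNIC = """<domain type='lxc'>
  <name>vnic</name>
  <os><type>exe</type><init>/sbin/init</init></os>
  <devices><interface type='network'><source network='default'/></interface></devices>
</domain>"""


def audit_lxc_network(xml_text):
    """Return (name, shares_host_netns, reason) for one domain XML.

    Assumption: input is a definition exported from your own libvirt
    (for example with `virsh dumpxml`), not untrusted XML.
    """
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="(unnamed)")
    if root.tag != "domain" or root.get("type") != "lxc":
        return name, False, "not an LXC domain, check does not apply"
    if root.find("./features/privnet") is not None:
        return name, False, "<privnet/> feature set"
    if root.find("./devices/interface") is not None:
        return name, False, "virtual NIC configured"
    return name, True, "no <privnet/> and no <interface>: host network namespace is shared"


def audit_all(definitions):
    """Names of the domains that would share the host's network namespace."""
    return [n for n, shared, _ in map(audit_lxc_network, definitions) if shared]


if __name__ == "__main__":
    for xml_text in (SHARED, PRIVNET, VNIC):
        print("%-12s shared=%-5s %s" % audit_lxc_network(xml_text))
```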