/usr/lib/x86_64-linux-gnu/lxc/lxc-net is in lxc-utils 3.0.0-0ubuntu2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/bin/sh -
# lxc-net: brings up the lxcbr0 bridge, NAT/forwarding rules and a dedicated
# dnsmasq for LXC containers (start), and tears them down again (stop).
#
# Everything below is a default.  /etc/default/lxc (sourced further down,
# which on Ubuntu in turn pulls in /etc/default/lxc-net) may override any of
# these values.

# Where the distribution keeps the per-package defaults, the run-time state
# (pid file, running marker) and the dnsmasq lease file.
distrosysconfdir="/etc/default"
varrun="/run/lxc"
varlib="/var/lib"

# Bridge identity
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_BRIDGE_MAC="00:16:3e:00:00:00"

# IPv4 addressing of the bridge and the DHCP pool handed to containers
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DHCP_PING="true"
LXC_DOMAIN=""

# IPv6 is only configured when ADDR, MASK and NETWORK are all non-empty;
# NAT for it is opt-in.
LXC_IPV6_ADDR=""
LXC_IPV6_MASK=""
LXC_IPV6_NETWORK=""
LXC_IPV6_NAT="false"
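write_lxc_net()
{
    # Append the generated settings for the 10.0.<i>.0/24 subnet to
    # $distrosysconfdir/lxc-net.
    #
    # $1 is the third octet of the subnet.  The caller derives it by parsing
    # "ip addr" output, which can yield an empty string (bridge without an
    # IPv4 address) or several newline-separated values (bridge with more
    # than one address).  Either would end up verbatim in the config file as
    # e.g. LXC_ADDR="10.0..1", so anything that is not a single integer in
    # 0..255 is rejected with a message on stderr and status 1, and nothing
    # is written.
    local i="$1"
    case "$i" in
        ''|*[!0-9]*)
            echo "write_lxc_net: invalid subnet octet '$i'" >&2
            return 1
            ;;
    esac
    if [ "$i" -gt 255 ]; then
        echo "write_lxc_net: subnet octet $i out of range" >&2
        return 1
    fi
    cat >> "$distrosysconfdir/lxc-net" << EOF
# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers. Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
USE_LXC_BRIDGE="true"
# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# name.
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.$i.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.$i.0/24"
LXC_DHCP_RANGE="10.0.$i.2,10.0.$i.254"
LXC_DHCP_MAX="253"
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
# container 'mail1' always get ip address 10.0.3.100.
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf
# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
# domain. You can then add "server=/lxc/10.0.$i.1' (or your actual \$LXC_ADDR)
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).
# Once these changes are made, restart the lxc-net and network-manager services.
# 'container1.lxc' will then resolve on your host.
#LXC_DOMAIN="lxc"
EOF
}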
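configure_lxcbr0()
{
    # (Re)generate $distrosysconfdir/lxc-net, picking the 10.0.<i>.0/24
    # subnet for the bridge:
    #   - if lxcbr0 already exists, its current third octet is kept;
    #   - otherwise the lowest octet >= 3 not used by any 10.0.x.y address
    #     on the host is chosen.
    # The settings themselves are appended by write_lxc_net; only the header
    # is written here.
    local i=3
    local j
    local l
    local existing
    cat > "$distrosysconfdir/lxc-net" << EOF
# This file is auto-generated by lxc.postinst if it does not
# exist. Customizations will not be overridden.
EOF
    # if lxcbr0 exists, keep using the same network.  Only the first IPv4
    # address is looked at: a bridge carrying several addresses used to
    # produce a multi-line octet that was pasted into the config file.
    if ip addr show lxcbr0 > /dev/null 2>&1 ; then
        existing=$(ip addr show lxcbr0 | grep "inet\>" | head -n 1 | awk '{ print $2 }' | awk -F. '{ print $3 }')
        case "$existing" in
            ''|*[!0-9]*)
                # bridge present but without a usable IPv4 address:
                # fall through and search for a free subnet instead of
                # writing "10.0..1" into the config
                ;;
            *)
                write_lxc_net "$existing"
                return
                ;;
        esac
    fi
    # if no lxcbr0, find an open 10.0.a.0 network.  The candidates must be
    # ordered by the third octet: a plain "sort -n" reads every dotted quad
    # as the number 10.0 and then orders the ties byte-wise, which puts
    # 10.0.10.x before 10.0.3.x and made this loop hand out an octet that
    # was already in use.
    for l in $(ip addr show | grep "inet\>" | awk '{ print $2 }' | grep '^10\.0\.' | sort -t . -k 3,3n); do
        j=$(echo "$l" | awk -F. '{ print $3 }')
        case "$j" in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$j" -gt "$i" ]; then
            # gap below the next used octet: take it
            write_lxc_net "$i"
            return
        fi
        i=$((j+1))
    done
    # NOTE(review): 254 alone is refused, as in the original; the reason is
    # not recorded here.  Octets above 255 are additionally refused since
    # they cannot form a valid address.
    if [ "$i" -ne 254 ] && [ "$i" -le 255 ]; then
        write_lxc_net "$i"
    fi
}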
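update_lxcnet_config()
{
    # Called from start() when $distrosysconfdir/lxc-net does not exist yet.
    # If lxcbr0 is already up the built-in defaults are left alone;
    # otherwise a config is generated (configure_lxcbr0 picks a free subnet
    # to avoid a clash with an existing 10.0.x.0/24 interface, typically on
    # the first run after package install) and sourced into this shell so
    # the rest of start() sees the chosen values.
    # (The previous "local i=3" was never used and has been dropped.)
    if ip addr show lxcbr0 > /dev/null 2>&1 ; then
        return
    fi
    configure_lxcbr0
    # re-load the newly created config
    [ ! -f "$distrosysconfdir/lxc-net" ] || . "$distrosysconfdir/lxc-net"
}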
# Site overrides.  /etc/default/lxc is executed as shell code with this
# script's privileges (root), so it must stay writable by root only.
if [ -f "$distrosysconfdir/lxc" ]; then
    . "$distrosysconfdir/lxc"
fi

# Probe whether iptables accepts the wait-for-xtables-lock flag; when the
# probe fails (no -w support, no iptables, or no permission to list rules)
# no flag is passed.  The variable is expanded unquoted later on purpose so
# an empty value contributes no argument.
use_iptables_lock="-w"
if ! iptables -w -L -n > /dev/null 2>&1; then
    use_iptables_lock=""
fi
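_netmask2cidr ()
{
    # Print the prefix length of a dotted-quad IPv4 netmask on stdout,
    # e.g. 255.255.255.0 -> 24, 255.255.255.128 -> 25, 0.0.0.0 -> 0.
    #
    # Returns 1 and prints nothing when the argument is not exactly four
    # decimal octets or the mask is not contiguous (a set bit after a
    # cleared one).  The previous implementation silently produced a number
    # for such input; _ifup evaluates this under set -e, so failing here
    # aborts start() before "ip addr add" is reached with a bogus prefix.
    local mask="$1"
    local bits=0
    local partial=0
    local octet
    local n
    local saved_ifs
    case "$mask" in
        *.*.*.*.*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $mask
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # only the nine values a contiguous mask can contain are accepted,
        # which also rejects empty fields, letters and leading zeros
        case "$octet" in
            255) n=8 ;;
            254) n=7 ;;
            252) n=6 ;;
            248) n=5 ;;
            240) n=4 ;;
            224) n=3 ;;
            192) n=2 ;;
            128) n=1 ;;
            0)   n=0 ;;
            *)   return 1 ;;
        esac
        # once an octet was not all-ones, every later octet must be zero
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then
            return 1
        fi
        [ "$n" -eq 8 ] || partial=1
        bits=$((bits + n))
    done
    echo "$bits"
}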
_ifdown() {
    # Remove every address from the bridge and take the link down.
    local dev="${LXC_BRIDGE}"
    ip addr flush dev "$dev"
    ip link set dev "$dev" down
}
_ifup() {
    # Give the bridge LXC_ADDR with the prefix length derived from
    # LXC_NETMASK, force its MAC to LXC_BRIDGE_MAC and bring the link up.
    # MASK and CIDR_ADDR are deliberately not local: they stay set in the
    # calling shell as before.
    MASK=$(_netmask2cidr "${LXC_NETMASK}")
    CIDR_ADDR="${LXC_ADDR}/${MASK}"
    ip addr add "${CIDR_ADDR}" dev "${LXC_BRIDGE}"
    ip link set dev "${LXC_BRIDGE}" address "${LXC_BRIDGE_MAC}"
    ip link set dev "${LXC_BRIDGE}" up
}
cleanup() {
set +e
if [ "$FAILED" = "1" ]; then
echo "Failed to setup lxc-net." >&2
stop force
exit 1
fi
}
start() {
    # Bring the container network up: the bridge, its IPv4 (and optionally
    # IPv6) address, forwarding/NAT rules and a dedicated dnsmasq for DHCP
    # and DNS.  Exits 0 when USE_LXC_BRIDGE is not "true" and 1 when the
    # running marker already exists; any later failure ends in cleanup(),
    # which tears everything down again and exits 1.
    # First run without a config file: generate one (see update_lxcnet_config).
    [ ! -f $distrosysconfdir/lxc-net ] && update_lxcnet_config
    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
    # ${varrun}/network_up is the "running" marker: created at the very end
    # of this function, removed by stop().
    [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; }
    # A bridge left behind by an unclean shutdown is torn down first.
    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
        stop force || true
    fi
    # From here on every failing command (set -e) or signal runs cleanup()
    # via the trap; with FAILED still 1 that means "stop force" and exit 1.
    FAILED=1
    trap cleanup EXIT HUP INT TERM
    set -e
    # set up the lxc network
    [ ! -d /sys/class/net/${LXC_BRIDGE} ] && ip link add dev ${LXC_BRIDGE} type bridge
    # Host-wide side effect: IPv4 forwarding is switched on for the whole
    # system here and is not switched back off by stop().
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Best effort only (|| true): this sysctl need not exist on every kernel.
    echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad || true
    # if we are run from systemd on a system with selinux enabled,
    # the mkdir will create /run/lxc as init_var_run_t which dnsmasq
    # can't write its pid into, so we restorecon it (to var_run_t)
    if [ ! -d "${varrun}" ]; then
        mkdir -p "${varrun}"
        if which restorecon >/dev/null 2>&1; then
            restorecon "${varrun}"
        fi
    fi
    _ifup
    # Optional IPv6, only when address, mask and network are all set.
    LXC_IPV6_ARG=""
    if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then
        # Also host-wide and, like ip_forward above, not reverted by stop().
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
        echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf
        ip -6 addr add dev ${LXC_BRIDGE} ${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}
        if [ "$LXC_IPV6_NAT" = "true" ]; then
            ip6tables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
        fi
        # "ra-only" mode of dnsmasq's --dhcp-range (see dnsmasq(8)).
        LXC_IPV6_ARG="--dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}"
    fi
    # Firewall rules.  The INPUT/FORWARD rules are inserted at the head of
    # their chain (-I), so they match before anything the host already has:
    # the host accepts DHCP (67) and DNS (53) arriving on the bridge, and
    # forwards all traffic in and out of the bridge unconditionally --
    # nothing here restricts what containers can reach.  Container traffic
    # leaving LXC_NETWORK is masqueraded.  stop() deletes exactly these
    # rules with -D, so any change here needs the matching change there.
    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
    iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
    iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
    iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
    # Fill in the UDP checksum of DHCP replies leaving the bridge.  The
    # reason is not recorded here (presumably clients that drop packets
    # whose checksum was left to hardware offload) -- TODO confirm.
    iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    # Optional dnsmasq arguments built from the config.  They are expanded
    # unquoted on the dnsmasq command line below on purpose, so an empty
    # value adds no argument.
    LXC_DOMAIN_ARG=""
    if [ -n "$LXC_DOMAIN" ]; then
        LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
    fi
    LXC_DHCP_CONFILE_ARG=""
    if [ -n "$LXC_DHCP_CONFILE" ]; then
        LXC_DHCP_CONFILE_ARG="--conf-file=${LXC_DHCP_CONFILE}"
    fi
    # https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010561.html
    # dnsmasq drops privileges to the first of these accounts that exists.
    # If none does, the loop simply ends with DNSMASQ_USER=nobody and
    # dnsmasq itself fails on the unknown user, which triggers cleanup.
    for DNSMASQ_USER in lxc-dnsmasq dnsmasq nobody
    do
        if getent passwd ${DNSMASQ_USER} >/dev/null; then
            break
        fi
    done
    LXC_DHCP_PING_ARG=""
    if [ "x$LXC_DHCP_PING" = "xfalse" ]; then
        LXC_DHCP_PING_ARG="--no-ping"
    fi
    # --bind-interfaces together with --listen-address/--interface/
    # --except-interface is what keeps this dnsmasq on the bridge address
    # only rather than on every host interface; --dhcp-authoritative makes
    # it answer every DHCP request seen there.  pid file under ${varrun},
    # lease file under ${varlib}/misc.  Explicit "|| cleanup" so a failed
    # start is handled even though set -e would do the same.
    dnsmasq $LXC_DHCP_CONFILE_ARG $LXC_DOMAIN_ARG $LXC_DHCP_PING_ARG -u ${DNSMASQ_USER} \
        --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid \
        --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} \
        --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \
        --except-interface=lo --interface=${LXC_BRIDGE} \
        --dhcp-leasefile="${varlib}"/misc/dnsmasq.${LXC_BRIDGE}.leases \
        --dhcp-authoritative $LXC_IPV6_ARG || cleanup
    # Success: create the running marker and disarm cleanup()'s failure path.
    touch "${varrun}"/network_up
    FAILED=0
}
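stop() {
    # Tear down what start() created: the bridge address, the iptables/
    # ip6tables rules (deleted with -D, mirroring the -I/-A calls in
    # start()), the dnsmasq instance, the bridge itself when nothing is
    # attached to it any more, and finally the running marker.
    # "stop force" ($1 = force) skips the running check; start() and
    # cleanup() use it to clear leftovers.  Exits 0 when USE_LXC_BRIDGE is
    # not "true", 1 when lxc-net is not running (and not forced).
    local pid
    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
    [ -f "${varrun}/network_up" ] || [ "$1" = "force" ] || { echo "lxc-net isn't running"; exit 1; }
    if [ -d "/sys/class/net/${LXC_BRIDGE}" ]; then
        _ifdown
        # $use_iptables_lock is left unquoted on purpose: it is either "-w"
        # or empty, and an empty value must contribute no argument.
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -D FORWARD -o "${LXC_BRIDGE}" -j ACCEPT
        iptables $use_iptables_lock -t nat -D POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE
        iptables $use_iptables_lock -t mangle -D POSTROUTING -o "${LXC_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
        if [ "$LXC_IPV6_NAT" = "true" ]; then
            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s "${LXC_IPV6_NETWORK}" ! -d "${LXC_IPV6_NETWORK}" -j MASQUERADE
        fi
        # Only signal a pid that is a plain number: a missing, empty or
        # corrupted pid file must not turn into "kill -9" with a bogus
        # argument (or with none at all).  SIGKILL is kept so that a
        # following "start" does not race a dnsmasq still shutting down.
        pid=$(cat "${varrun}/dnsmasq.pid" 2>/dev/null) || pid=""
        case "$pid" in
            ''|*[!0-9]*) ;;
            *) kill -9 "$pid" ;;
        esac
        rm -f "${varrun}/dnsmasq.pid"
        # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge
        ls "/sys/class/net/${LXC_BRIDGE}/brif/"* > /dev/null 2>&1 || ip link delete "${LXC_BRIDGE}"
    fi
    rm -f "${varrun}/network_up"
}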
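# See how we were called.  start/stop are the functions above; the restart
# family re-executes this script twice rather than calling them in-process,
# because stop() exits the shell when lxc-net is not running (and start()
# exits on its own conditions), which would otherwise skip the second phase.
# $0 is quoted so an install path containing spaces still re-executes
# correctly.
case "$1" in
    start|stop)
        "$1"
        ;;
    restart|reload|force-reload)
        "$0" stop
        "$0" start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|force-reload}"
        exit 2
        ;;
esac
exit $?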