Add support for forcing a private network namespace for LXC guests

If no <interface> elements are included in an LXC guest XML
description, then the LXC guest will just see the host's
network interfaces. It is desirable to be able to hide the
host interfaces, without having to define any guest interfaces.

This patch introduces a new feature flag <privnet/> to allow
forcing of a private network namespace for LXC. In the future
I also anticipate that we will add <privuser/> to force a
private user ID namespace.

* src/conf/domain_conf.c, src/conf/domain_conf.h: Add support
  for <privnet/> feature. Auto-set <privnet> if any <interface>
  devices are defined
* src/lxc/lxc_container.c: Honour request for private network
  namespace

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 624c6b2cd71a0a017197c42c365899194f1fa3f2..4edada3331080cdf503de3a5ff34c2734d07f753 100644 (file)
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -897,6 +897,7 @@
     <acpi/>
     <apic/>
     <hap/>
+    <privnet/>
   </features>
   ...</pre>
 
@@ -924,6 +925,12 @@
       <dd>Enable Viridian hypervisor extensions for paravirtualizing
         guest operating systems
       </dd>
+      <dt><code>privnet</code></dt>
+      <dd>Always create a private network namespace. This is
+        automatically set if any interface devices are defined.
+        This feature is only relevant for container based
+        virtualization drivers, such as LXC.
+      </dd>
     </dl>
 
     <h3><a name="elementsTime">Time keeping</a></h3>

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index b804a7074b40f78a3f627d0c8c74b21db4bd5740..5b3e5fa548978ca753bdc929413dd9187b20a2e1 100644 (file)
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -2632,6 +2632,11 @@
               <empty/>
             </element>
           </optional>
+          <optional>
+            <element name="privnet">
+              <empty/>
+            </element>
+          </optional>
         </interleave>
       </element>
     </optional>

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index f6f8b8ca88073ae040cb4fd15b44b3cc7cf33e29..e6d0f4be010c37d7239a6f1ca3d50dfffaa97b1e 100644 (file)
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -106,7 +106,8 @@ VIR_ENUM_IMPL(virDomainFeature, VIR_DOMAIN_FEATURE_LAST,
               "apic",
               "pae",
               "hap",
-              "viridian")
+              "viridian",
+              "privnet")
 
 VIR_ENUM_IMPL(virDomainLifecycle, VIR_DOMAIN_LIFECYCLE_LAST,
               "destroy",

diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 0ab3b814fa767f1378d4e81ffea3d3fbef8ee1d4..f471e355db596eea7c921fbe7b0c101bb06bd6ac 100644 (file)
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1298,6 +1298,7 @@ enum virDomainFeature {
     VIR_DOMAIN_FEATURE_PAE,
     VIR_DOMAIN_FEATURE_HAP,
     VIR_DOMAIN_FEATURE_VIRIDIAN,
+    VIR_DOMAIN_FEATURE_PRIVNET,
 
     VIR_DOMAIN_FEATURE_LAST
 };

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index d827b35f61966743af748938c1a85642c34e785e..267fbfb07a96b9f95b4bf161e225dea128a23e95 100644 (file)
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -261,7 +261,8 @@ int lxcContainerWaitForContinue(int control)
  *
  * Returns 0 on success or nonzero in case of error
  */
-static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
+static int lxcContainerRenameAndEnableInterfaces(bool privNet,
+                                                 unsigned int nveths,
                                                  char **veths)
 {
     int rc = 0;
@@ -289,7 +290,7 @@ static int lxcContainerRenameAndEnableInterfaces(unsigned int nveths,
     }
 
     /* enable lo device only if there were other net devices */
-    if (veths)
+    if (veths || privNet)
         rc = virNetDevSetOnline("lo", true);
 
 error_out:
@@ -1343,7 +1344,9 @@ static int lxcContainerChild( void *data )
     VIR_DEBUG("Received container continue message");
 
     /* rename and enable interfaces */
-    if (lxcContainerRenameAndEnableInterfaces(argv->nveths,
+    if (lxcContainerRenameAndEnableInterfaces(!!(vmDef->features &
+                                                 (1 << VIR_DOMAIN_FEATURE_PRIVNET)),
+                                              argv->nveths,
                                               argv->veths) < 0) {
         goto cleanup;
     }
@@ -1458,7 +1461,8 @@ int lxcContainerStart(virDomainDefPtr def,
         cflags |= CLONE_NEWUSER;
     }
 
-    if (def->nets != NULL) {
+    if (def->nets != NULL ||
+        (def->features & (1 << VIR_DOMAIN_FEATURE_PRIVNET))) {
         VIR_DEBUG("Enable network namespaces");
         cflags |= CLONE_NEWNET;
     }