Add a tool that switches context to enter the network namespace and then
execute an arbitrary command. Since we don't change mount / pid namespaces,
this allows the user to use the host's networking tools such as iputils,
iptables, netstat to query / configure the container from the outside. This
may be especially useful for administrators who have dropped network
configuration capabilities inside the container as a security measure.
Since network namespace switching via setns() was introduced in kernel 3.0,
this tool will work with any newer vanilla kernel version.
---
configure.ac | 1 +
doc/Makefile.am | 1 +
doc/lxc-net.sgml.in | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/lxc/Makefile.am | 4 +-
src/lxc/attach.c | 22 +++++++++
src/lxc/attach.h | 1 +
src/lxc/lxc_net.c | 92 ++++++++++++++++++++++++++++++++++++
7 files changed, 251 insertions(+), 1 deletions(-)
create mode 100644 doc/lxc-net.sgml.in
create mode 100644 src/lxc/lxc_net.c
diff --git a/configure.ac b/configure.ac
index 0c8aa69..8605102 100644
--- a/configure.ac
+++ b/configure.ac
@@ -120,6 +120,7 @@ AC_CONFIG_FILES([
doc/lxc-cgroup.sgml
doc/lxc-kill.sgml
doc/lxc-attach.sgml
+ doc/lxc-net.sgml
doc/lxc.conf.sgml
doc/lxc.sgml
doc/common_options.sgml
diff --git a/doc/Makefile.am b/doc/Makefile.am
index b18c5eb..fd1a58b 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -24,6 +24,7 @@ man_MANS = \
lxc-cgroup.1 \
lxc-kill.1 \
lxc-attach.1 \
+ lxc-net.1 \
\
lxc.conf.5 \
\
diff --git a/doc/lxc-net.sgml.in b/doc/lxc-net.sgml.in
new file mode 100644
index 0000000..b675b4f
--- /dev/null
+++ b/doc/lxc-net.sgml.in
@@ -0,0 +1,131 @@
+<!--
+
+lxc: linux Container library
+
+(C) Copyright IBM Corp. 2007, 2008
+
+Authors:
+Daniel Lezcano <dlezcano at fr.ibm.com>
+
+This library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+-->
+
+<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [
+
+<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
+<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
+]>
+
+<refentry>
+
+ <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
+
+ <refmeta>
+ <refentrytitle>lxc-net</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>lxc-net</refname>
+
+ <refpurpose>
+ run a process in the network context of a container
+ </refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis><command>lxc-net <replaceable>-n
+ name</replaceable> -- command</command></cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>
+ <command>lxc-net</command> runs the specified
+ <replaceable>command</replaceable> inside the network
+ namespace of the container specified by
+ <replaceable>name</replaceable>. The container
+ has to be running already.
+ </para>
+ <para>
+ This may be used to query or modify the network
+ devices of a container from the outside. Note that
+ the executable itself must reside outside of the
+ container, since only the network namespace is
+ changed; the command will still see the file system
+ and process ids of the outside container.
+ </para>
+
+ </refsect1>
+
+ &commonoptions;
+
+ <refsect1>
+ <title>Examples</title>
+ <para>
+ To show the ip addresses of the devices of a container,
+ assuming iputils is installed outside, use
+ <programlisting>
+ lxc-net -n container -- ip -4 addr show
+ </programlisting>
+ </para>
+ <para>
+ To show the connections inside a container via netstat
+ <programlisting>
+ lxc-net -n container -- netstat
+ </programlisting>
+ </para>
+ <para>
+ To add an iptables filter rule
+ <programlisting>
+ lxc-net -n container -- iptables -A INPUT -d someip -j DROP
+ </programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Notes</title>
+ <para>
+ This requires kernel version 3.0 to work.
+ </para>
+ </refsect1>
+
+ &seealso;
+
+ <refsect1>
+ <title>Author</title>
+ <para>Daniel Lezcano <email>daniel.lezc...@free.fr</email></para>
+ </refsect1>
+
+</refentry>
+
+<!-- Keep this comment at the end of the file
+Local variables:
+mode: sgml
+sgml-omittag:t
+sgml-shorttag:t
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:2
+sgml-indent-data:t
+sgml-parent-document:nil
+sgml-default-dtd-file:nil
+sgml-exposed-tags:nil
+sgml-local-catalogs:nil
+sgml-local-ecat-files:nil
+End:
+-->
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 1c26952..7b6f795 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -95,7 +95,8 @@ bin_PROGRAMS = \
lxc-unfreeze \
lxc-checkpoint \
lxc-restart \
- lxc-kill
+ lxc-kill \
+ lxc-net
pkglibexec_PROGRAMS = \
lxc-init
@@ -122,6 +123,7 @@ lxc_unfreeze_SOURCES = lxc_unfreeze.c
lxc_unshare_SOURCES = lxc_unshare.c
lxc_wait_SOURCES = lxc_wait.c
lxc_kill_SOURCES = lxc_kill.c
+lxc_net_SOURCES = lxc_net.c
install-exec-local: install-soPROGRAMS
mv $(DESTDIR)$(libdir)/liblxc.so
$(DESTDIR)$(libdir)/liblxc.so.$(VERSION)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index a95b3d3..45a3fd3 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -156,6 +156,28 @@ int lxc_attach_to_ns(pid_t pid)
return 0;
}
+int lxc_attach_to_ns_type(pid_t pid, char *type)
+{
+ char path[MAXPATHLEN];
+ int fd;
+
+ snprintf(path, MAXPATHLEN, "/proc/%d/ns/%s", pid, type);
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ SYSERROR("failed to open '%s'", path);
+ return -1;
+ }
+
+ if (setns(fd, 0)) {
+ SYSERROR("failed to set namespace '%s'", type);
+ return -1;
+ }
+
+ close(fd);
+
+ return 0;
+}
+
int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx)
{
int last_cap = lxc_caps_last_cap();
diff --git a/src/lxc/attach.h b/src/lxc/attach.h
index 2d46c83..0cfd6ae 100644
--- a/src/lxc/attach.h
+++ b/src/lxc/attach.h
@@ -34,6 +34,7 @@ struct lxc_proc_context_info {
extern struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid);
extern int lxc_attach_to_ns(pid_t other_pid);
+extern int lxc_attach_to_ns_type(pid_t pid, char *type);
extern int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx);
#endif
diff --git a/src/lxc/lxc_net.c b/src/lxc/lxc_net.c
new file mode 100644
index 0000000..80f2ffd
--- /dev/null
+++ b/src/lxc/lxc_net.c
@@ -0,0 +1,92 @@
+/*
+ * lxc: linux Container library
+ *
+ * (C) Copyright IBM Corp. 2007, 2010
+ *
+ * Authors:
+ * Daniel Lezcano <dlezcano at fr.ibm.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <errno.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/personality.h>
+
+#include "attach.h"
+#include "commands.h"
+#include "arguments.h"
+#include "confile.h"
+#include "log.h"
+
+lxc_log_define(lxc_net_ui, lxc);
+
+static const struct option my_longopts[] = {
+ LXC_COMMON_OPTIONS
+};
+
+static struct lxc_arguments my_args = {
+ .progname = "lxc-net",
+ .help = "\
+--name=NAME\n\
+\n\
+Execute the specified command - in the network namespace of container NAME\n\
+\n\
+Options :\n\
+ -n, --name=NAME NAME for name of the container",
+ .options = my_longopts,
+ .parser = NULL,
+ .checker = NULL,
+};
+
+int main(int argc, char *argv[])
+{
+ int ret;
+ pid_t init_pid;
+
+ ret = lxc_arguments_parse(&my_args, argc, argv);
+ if (ret)
+ return ret;
+
+ if (!my_args.argc) {
+ ERROR("usage: %s -n container -- command", argv[0]);
+ return -1;
+ }
+
+ ret = lxc_log_init(my_args.log_file, my_args.log_priority,
+ my_args.progname, my_args.quiet);
+ if (ret)
+ return ret;
+
+ init_pid = get_init_pid(my_args.name);
+ if (init_pid < 0) {
+ ERROR("failed to get the init pid");
+ return -1;
+ }
+
+ ret = lxc_attach_to_ns_type(init_pid, "net");
+ if (ret)
+ return ret;
+
+ execvp(my_args.argv[0], my_args.argv);
+ SYSERROR("failed to exec '%s'", my_args.argv[0]);
+ return -1;
+}
--
1.7.2.5
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
