func loadModule(module string) error {
if shared.PathExists(fmt.Sprintf("/sys/module/%s", module)) {
return nil
}
return shared.RunCommand("modprobe", module)
}
func networkDetachInterface(netName string, devName string) error {
if shared.PathExists(fmt.Sprintf("/sys/class/net/%s/bridge", netName)) {
err := shared.RunCommand("ip", "link", "set", devName, "nomaster")
if err != nil {
return err
}
} else {
err := shared.RunCommand("ovs-vsctl", "port-to-br", devName)
if err == nil {
err := shared.RunCommand("ovs-vsctl", "del-port", netName, devName)
if err != nil {
return err
}
}
}
return nil
}
func (s *storageZfs) Init(config map[string]interface{}) (storage, error) {
s.sType = storageTypeZfs
s.sTypeName = storageTypeToString(s.sType)
err := s.initShared()
if err != nil {
return s, err
}
if config["zfsPool"] == nil {
zfsPool := daemonConfig["storage.zfs_pool_name"].Get()
if zfsPool == "" {
return s, fmt.Errorf("ZFS isn't enabled")
}
s.zfsPool = zfsPool
} else {
s.zfsPool = config["zfsPool"].(string)
}
out, err := exec.LookPath("zfs")
if err != nil || len(out) == 0 {
return s, fmt.Errorf("The 'zfs' tool isn't available")
}
err = s.zfsCheckPool(s.zfsPool)
if err != nil {
if shared.PathExists(shared.VarPath("zfs.img")) {
_ = loadModule("zfs")
output, err := exec.Command("zpool", "import",
"-d", shared.VarPath(), s.zfsPool).CombinedOutput()
if err != nil {
return s, fmt.Errorf("Unable to import the ZFS pool: %s", output)
}
} else {
return s, err
}
}
output, err := exec.Command("zfs", "get", "version", "-H", "-o", "value", s.zfsPool).CombinedOutput()
if err != nil {
return s, fmt.Errorf("The 'zfs' tool isn't working properly")
}
count, err := fmt.Sscanf(string(output), "%s\n", &s.sTypeVersion)
if err != nil || count != 1 {
return s, fmt.Errorf("The 'zfs' tool isn't working properly")
}
output, err = exec.Command("zfs", "get", "mountpoint", "-H", "-o", "source", s.zfsPool).CombinedOutput()
if err != nil {
return s, fmt.Errorf("Unable to query ZFS mountpoint")
}
if strings.TrimSpace(string(output)) != "local" {
err = shared.RunCommand("zfs", "set", "mountpoint=none", s.zfsPool)
if err != nil {
return s, err
}
}
return s, nil
}
func cmdInit() error {
var defaultPrivileged int // controls whether we set security.privileged=true
var storageBackend string // dir or zfs
var storageMode string // existing, loop or device
var storageLoopSize int64 // Size in GB
var storageDevice string // Path
var storagePool string // pool name
var networkAddress string // Address
var networkPort int64 // Port
var trustPassword string // Trust password
var imagesAutoUpdate bool // controls whether we set images.auto_update_interval to 0
var bridgeName string // Bridge name
var bridgeIPv4 string // IPv4 address
var bridgeIPv4Nat bool // IPv4 address
var bridgeIPv6 string // IPv6 address
var bridgeIPv6Nat bool // IPv6 address
// Detect userns
defaultPrivileged = -1
runningInUserns = shared.RunningInUserNS()
imagesAutoUpdate = true
// Only root should run this
if os.Geteuid() != 0 {
return fmt.Errorf("This must be run as root")
}
backendsAvailable := []string{"dir"}
backendsSupported := []string{"dir", "zfs"}
// Detect zfs
out, err := exec.LookPath("zfs")
if err == nil && len(out) != 0 && !runningInUserns {
_ = loadModule("zfs")
err := shared.RunCommand("zpool", "list")
if err == nil {
backendsAvailable = append(backendsAvailable, "zfs")
}
}
reader := bufio.NewReader(os.Stdin)
askBool := func(question string, default_ string) bool {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
if input == "" {
input = default_
}
if shared.StringInSlice(strings.ToLower(input), []string{"yes", "y"}) {
return true
} else if shared.StringInSlice(strings.ToLower(input), []string{"no", "n"}) {
return false
}
fmt.Printf("Invalid input, try again.\n\n")
}
}
askChoice := func(question string, choices []string, default_ string) string {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
if input == "" {
input = default_
}
if shared.StringInSlice(input, choices) {
return input
}
fmt.Printf("Invalid input, try again.\n\n")
}
}
askInt := func(question string, min int64, max int64, default_ string) int64 {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
if input == "" {
input = default_
}
intInput, err := strconv.ParseInt(input, 10, 64)
if err == nil && (min == -1 || intInput >= min) && (max == -1 || intInput <= max) {
return intInput
}
fmt.Printf("Invalid input, try again.\n\n")
}
}
askString := func(question string, default_ string, validate func(string) error) string {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
if input == "" {
input = default_
}
if validate != nil {
result := validate(input)
if result != nil {
fmt.Printf("Invalid input: %s\n\n", result)
continue
}
}
if len(input) != 0 {
return input
}
fmt.Printf("Invalid input, try again.\n\n")
}
}
askPassword := func(question string) string {
for {
fmt.Printf(question)
pwd, _ := terminal.ReadPassword(0)
fmt.Printf("\n")
inFirst := string(pwd)
inFirst = strings.TrimSuffix(inFirst, "\n")
fmt.Printf("Again: ")
pwd, _ = terminal.ReadPassword(0)
fmt.Printf("\n")
inSecond := string(pwd)
inSecond = strings.TrimSuffix(inSecond, "\n")
if inFirst == inSecond {
return inFirst
}
fmt.Printf("Invalid input, try again.\n\n")
}
}
// Confirm that LXD is online
c, err := lxd.NewClient(&lxd.DefaultConfig, "local")
if err != nil {
return fmt.Errorf("Unable to talk to LXD: %s", err)
}
// Check that we have no containers or images in the store
containers, err := c.ListContainers()
if err != nil {
return fmt.Errorf("Unable to list the LXD containers: %s", err)
}
images, err := c.ListImages()
if err != nil {
return fmt.Errorf("Unable to list the LXD images: %s", err)
}
if len(containers) > 0 || len(images) > 0 {
return fmt.Errorf("You have existing containers or images. lxd init requires an empty LXD.")
}
if *argAuto {
if *argStorageBackend == "" {
*argStorageBackend = "dir"
}
// Do a bunch of sanity checks
if !shared.StringInSlice(*argStorageBackend, backendsSupported) {
return fmt.Errorf("The requested backend '%s' isn't supported by lxd init.", *argStorageBackend)
}
if !shared.StringInSlice(*argStorageBackend, backendsAvailable) {
return fmt.Errorf("The requested backend '%s' isn't available on your system (missing tools).", *argStorageBackend)
}
if *argStorageBackend == "dir" {
if *argStorageCreateLoop != -1 || *argStorageCreateDevice != "" || *argStoragePool != "" {
return fmt.Errorf("None of --storage-pool, --storage-create-device or --storage-create-loop may be used with the 'dir' backend.")
}
}
if *argStorageBackend == "zfs" {
if *argStorageCreateLoop != -1 && *argStorageCreateDevice != "" {
return fmt.Errorf("Only one of --storage-create-device or --storage-create-loop can be specified with the 'zfs' backend.")
}
if *argStoragePool == "" {
return fmt.Errorf("--storage-pool must be specified with the 'zfs' backend.")
}
}
if *argNetworkAddress == "" {
if *argNetworkPort != -1 {
return fmt.Errorf("--network-port cannot be used without --network-address.")
}
if *argTrustPassword != "" {
return fmt.Errorf("--trust-password cannot be used without --network-address.")
}
}
// Set the local variables
if *argStorageCreateDevice != "" {
storageMode = "device"
} else if *argStorageCreateLoop != -1 {
storageMode = "loop"
} else {
storageMode = "existing"
}
storageBackend = *argStorageBackend
storageLoopSize = *argStorageCreateLoop
storageDevice = *argStorageCreateDevice
storagePool = *argStoragePool
networkAddress = *argNetworkAddress
networkPort = *argNetworkPort
trustPassword = *argTrustPassword
} else {
if *argStorageBackend != "" || *argStorageCreateDevice != "" || *argStorageCreateLoop != -1 || *argStoragePool != "" || *argNetworkAddress != "" || *argNetworkPort != -1 || *argTrustPassword != "" {
return fmt.Errorf("Init configuration is only valid with --auto")
}
defaultStorage := "dir"
if shared.StringInSlice("zfs", backendsAvailable) {
defaultStorage = "zfs"
}
storageBackend = askChoice(fmt.Sprintf("Name of the storage backend to use (dir or zfs) [default=%s]: ", defaultStorage), backendsSupported, defaultStorage)
if !shared.StringInSlice(storageBackend, backendsSupported) {
return fmt.Errorf("The requested backend '%s' isn't supported by lxd init.", storageBackend)
}
if !shared.StringInSlice(storageBackend, backendsAvailable) {
return fmt.Errorf("The requested backend '%s' isn't available on your system (missing tools).", storageBackend)
}
if storageBackend == "zfs" {
if askBool("Create a new ZFS pool (yes/no) [default=yes]? ", "yes") {
storagePool = askString("Name of the new ZFS pool [default=lxd]: ", "lxd", nil)
if askBool("Would you like to use an existing block device (yes/no) [default=no]? ", "no") {
deviceExists := func(path string) error {
if !shared.IsBlockdevPath(path) {
return fmt.Errorf("'%s' is not a block device", path)
}
return nil
}
storageDevice = askString("Path to the existing block device: ", "", deviceExists)
storageMode = "device"
} else {
st := syscall.Statfs_t{}
err := syscall.Statfs(shared.VarPath(), &st)
if err != nil {
return fmt.Errorf("couldn't statfs %s: %s", shared.VarPath(), err)
}
/* choose 15 GB < x < 100GB, where x is 20% of the disk size */
def := uint64(st.Frsize) * st.Blocks / (1024 * 1024 * 1024) / 5
if def > 100 {
def = 100
}
if def < 15 {
def = 15
}
q := fmt.Sprintf("Size in GB of the new loop device (1GB minimum) [default=%d]: ", def)
storageLoopSize = askInt(q, 1, -1, fmt.Sprintf("%d", def))
storageMode = "loop"
}
} else {
storagePool = askString("Name of the existing ZFS pool or dataset: ", "", nil)
storageMode = "existing"
}
}
if runningInUserns {
fmt.Printf(`
We detected that you are running inside an unprivileged container.
This means that unless you manually configured your host otherwise,
you will not have enough uid and gid to allocate to your containers.
LXD can re-use your container's own allocation to avoid the problem.
Doing so makes your nested containers slightly less safe as they could
in theory attack their parent container and gain more privileges than
they otherwise would.
`)
if askBool("Would you like to have your containers share their parent's allocation (yes/no) [default=yes]? ", "yes") {
defaultPrivileged = 1
} else {
defaultPrivileged = 0
}
}
if askBool("Would you like LXD to be available over the network (yes/no) [default=no]? ", "no") {
isIPAddress := func(s string) error {
if s != "all" && net.ParseIP(s) == nil {
return fmt.Errorf("'%s' is not an IP address", s)
}
return nil
}
networkAddress = askString("Address to bind LXD to (not including port) [default=all]: ", "all", isIPAddress)
if networkAddress == "all" {
networkAddress = "::"
}
if net.ParseIP(networkAddress).To4() == nil {
networkAddress = fmt.Sprintf("[%s]", networkAddress)
}
networkPort = askInt("Port to bind LXD to [default=8443]: ", 1, 65535, "8443")
trustPassword = askPassword("Trust password for new clients: ")
}
if !askBool("Would you like stale cached images to be updated automatically (yes/no) [default=yes]? ", "yes") {
imagesAutoUpdate = false
}
if askBool("Would you like to create a new network bridge (yes/no) [default=yes]? ", "yes") {
bridgeName = askString("What should the new bridge be called [default=lxdbr0]? ", "lxdbr0", networkValidName)
bridgeIPv4 = askString("What IPv4 subnet should be used (CIDR notation, “auto” or “none”) [default=auto]? ", "auto", func(value string) error {
if shared.StringInSlice(value, []string{"auto", "none"}) {
return nil
}
return networkValidAddressCIDRV4(value)
})
if !shared.StringInSlice(bridgeIPv4, []string{"auto", "none"}) {
bridgeIPv4Nat = askBool("Would you like LXD to NAT IPv4 traffic on your bridge? [default=yes]? ", "yes")
}
bridgeIPv6 = askString("What IPv6 subnet should be used (CIDR notation, “auto” or “none”) [default=auto]? ", "auto", func(value string) error {
if shared.StringInSlice(value, []string{"auto", "none"}) {
return nil
}
return networkValidAddressCIDRV6(value)
})
if !shared.StringInSlice(bridgeIPv6, []string{"auto", "none"}) {
bridgeIPv6Nat = askBool("Would you like LXD to NAT IPv6 traffic on your bridge? [default=yes]? ", "yes")
}
}
}
if !shared.StringInSlice(storageBackend, []string{"dir", "zfs"}) {
return fmt.Errorf("Invalid storage backend: %s", storageBackend)
}
// Unset all storage keys, core.https_address and core.trust_password
for _, key := range []string{"storage.zfs_pool_name", "core.https_address", "core.trust_password"} {
_, err = c.SetServerConfig(key, "")
if err != nil {
return err
}
}
// Destroy any existing loop device
for _, file := range []string{"zfs.img"} {
os.Remove(shared.VarPath(file))
}
if storageBackend == "zfs" {
if storageMode == "loop" {
storageDevice = shared.VarPath("zfs.img")
f, err := os.Create(storageDevice)
if err != nil {
return fmt.Errorf("Failed to open %s: %s", storageDevice, err)
}
err = f.Chmod(0600)
if err != nil {
return fmt.Errorf("Failed to chmod %s: %s", storageDevice, err)
}
err = f.Truncate(int64(storageLoopSize * 1024 * 1024 * 1024))
if err != nil {
return fmt.Errorf("Failed to create sparse file %s: %s", storageDevice, err)
}
err = f.Close()
if err != nil {
return fmt.Errorf("Failed to close %s: %s", storageDevice, err)
}
}
if shared.StringInSlice(storageMode, []string{"loop", "device"}) {
output, err := exec.Command(
"zpool",
"create", storagePool, storageDevice,
"-f", "-m", "none", "-O", "compression=on").CombinedOutput()
if err != nil {
return fmt.Errorf("Failed to create the ZFS pool: %s", output)
}
}
// Configure LXD to use the pool
_, err = c.SetServerConfig("storage.zfs_pool_name", storagePool)
if err != nil {
return err
}
}
if defaultPrivileged == 0 {
err = c.SetProfileConfigItem("default", "security.privileged", "")
if err != nil {
return err
}
} else if defaultPrivileged == 1 {
err = c.SetProfileConfigItem("default", "security.privileged", "true")
if err != nil {
}
}
if imagesAutoUpdate {
ss, err := c.ServerStatus()
if err != nil {
return err
}
if val, ok := ss.Config["images.auto_update_interval"]; ok && val == "0" {
_, err = c.SetServerConfig("images.auto_update_interval", "")
if err != nil {
return err
}
}
} else {
_, err = c.SetServerConfig("images.auto_update_interval", "0")
if err != nil {
return err
}
}
if networkAddress != "" {
_, err = c.SetServerConfig("core.https_address", fmt.Sprintf("%s:%d", networkAddress, networkPort))
if err != nil {
return err
}
if trustPassword != "" {
_, err = c.SetServerConfig("core.trust_password", trustPassword)
if err != nil {
return err
}
}
}
if bridgeName != "" {
bridgeConfig := map[string]string{}
bridgeConfig["ipv4.address"] = bridgeIPv4
bridgeConfig["ipv6.address"] = bridgeIPv6
if bridgeIPv4Nat {
bridgeConfig["ipv4.nat"] = "true"
}
if bridgeIPv6Nat {
bridgeConfig["ipv6.nat"] = "true"
}
err = c.NetworkCreate(bridgeName, bridgeConfig)
if err != nil {
return err
}
props := []string{"nictype=bridged", fmt.Sprintf("parent=%s", bridgeName)}
_, err = c.ProfileDeviceAdd("default", "eth0", "nic", props)
if err != nil {
return err
}
}
fmt.Printf("LXD has been successfully configured.\n")
return nil
}
func (n *network) Start() error {
// Create directory
if !shared.PathExists(shared.VarPath("networks", n.name)) {
err := os.MkdirAll(shared.VarPath("networks", n.name), 0700)
if err != nil {
return err
}
}
// Create the bridge interface
if !n.IsRunning() {
if n.config["bridge.driver"] == "openvswitch" {
err := shared.RunCommand("ovs-vsctl", "add-br", n.name)
if err != nil {
return err
}
} else {
err := shared.RunCommand("ip", "link", "add", n.name, "type", "bridge")
if err != nil {
return err
}
}
}
// Get a list of tunnels
tunnels := networkGetTunnels(n.config)
// IPv6 bridge configuration
if !shared.StringInSlice(n.config["ipv6.address"], []string{"", "none"}) {
err := networkSysctl(fmt.Sprintf("ipv6/conf/%s/autoconf", n.name), "0")
if err != nil {
return err
}
err = networkSysctl(fmt.Sprintf("ipv6/conf/%s/accept_dad", n.name), "0")
if err != nil {
return err
}
}
// Get a list of interfaces
ifaces, err := net.Interfaces()
if err != nil {
return err
}
// Cleanup any existing tunnel device
for _, iface := range ifaces {
if strings.HasPrefix(iface.Name, fmt.Sprintf("%s-", n.name)) {
err = shared.RunCommand("ip", "link", "del", iface.Name)
if err != nil {
return err
}
}
}
// Set the MTU
mtu := ""
if n.config["bridge.mtu"] != "" {
mtu = n.config["bridge.mtu"]
} else if len(tunnels) > 0 {
mtu = "1400"
} else if n.config["bridge.mode"] == "fan" {
if n.config["fan.type"] == "ipip" {
mtu = "1480"
} else {
mtu = "1450"
}
}
// Attempt to add a dummy device to the bridge to force the MTU
if mtu != "" && n.config["bridge.driver"] != "openvswitch" {
err = shared.RunCommand("ip", "link", "add", fmt.Sprintf("%s-mtu", n.name), "mtu", mtu, "type", "dummy")
if err == nil {
networkAttachInterface(n.name, fmt.Sprintf("%s-mtu", n.name))
}
}
// Now, set a default MTU
if mtu == "" {
mtu = "1500"
}
err = shared.RunCommand("ip", "link", "set", n.name, "mtu", mtu)
if err != nil {
return err
}
// Bring it up
err = shared.RunCommand("ip", "link", "set", n.name, "up")
if err != nil {
return err
}
// Add any listed existing external interface
if n.config["bridge.external_interfaces"] != "" {
for _, entry := range strings.Split(n.config["bridge.external_interfaces"], ",") {
entry = strings.TrimSpace(entry)
iface, err := net.InterfaceByName(entry)
if err != nil {
continue
}
addrs, err := iface.Addrs()
if err == nil && len(addrs) != 0 {
return fmt.Errorf("Only unconfigured network interfaces can be bridged")
}
err = networkAttachInterface(n.name, entry)
if err != nil {
return err
}
}
}
// Remove any existing IPv4 iptables rules
err = networkIptablesClear("ipv4", n.name, "")
if err != nil {
return err
}
err = networkIptablesClear("ipv4", n.name, "mangle")
if err != nil {
return err
}
err = networkIptablesClear("ipv4", n.name, "nat")
if err != nil {
return err
}
// Flush all IPv4 addresses
err = shared.RunCommand("ip", "-4", "addr", "flush", "dev", n.name, "scope", "global")
if err != nil {
return err
}
// Configure IPv4 firewall (includes fan)
if n.config["bridge.mode"] == "fan" || !shared.StringInSlice(n.config["ipv4.address"], []string{"", "none"}) {
// Setup basic iptables overrides
rules := [][]string{
[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "67", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "67", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "67", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "67", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"},
[]string{"ipv4", n.name, "mangle", "POSTROUTING", "-o", n.name, "-p", "udp", "--dport", "68", "-j", "CHECKSUM", "--checksum-fill"}}
for _, rule := range rules {
err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
if err != nil {
return err
}
}
// Allow forwarding
if n.config["bridge.mode"] == "fan" || n.config["ipv4.routing"] == "" || shared.IsTrue(n.config["ipv4.routing"]) {
err = networkSysctl("ipv4/ip_forward", "1")
if err != nil {
return err
}
err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-i", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-o", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
} else {
err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-i", n.name, "-j", "REJECT")
if err != nil {
return err
}
err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-o", n.name, "-j", "REJECT")
if err != nil {
return err
}
}
}
// Start building the dnsmasq command line
dnsmasqCmd := []string{"dnsmasq", "-u", "root", "--strict-order", "--bind-interfaces",
fmt.Sprintf("--pid-file=%s", shared.VarPath("networks", n.name, "dnsmasq.pid")),
"--except-interface=lo",
fmt.Sprintf("--interface=%s", n.name)}
// Configure IPv4
if !shared.StringInSlice(n.config["ipv4.address"], []string{"", "none"}) {
// Parse the subnet
ip, subnet, err := net.ParseCIDR(n.config["ipv4.address"])
if err != nil {
return err
}
// Update the dnsmasq config
dnsmasqCmd = append(dnsmasqCmd, fmt.Sprintf("--listen-address=%s", ip.String()))
if n.config["ipv4.dhcp"] == "" || shared.IsTrue(n.config["ipv4.dhcp"]) {
if !shared.StringInSlice("--dhcp-no-override", dnsmasqCmd) {
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-no-override", "--dhcp-authoritative", fmt.Sprintf("--dhcp-leasefile=%s", shared.VarPath("networks", n.name, "dnsmasq.leases")), fmt.Sprintf("--dhcp-hostsfile=%s", shared.VarPath("networks", n.name, "dnsmasq.hosts"))}...)
}
if n.config["ipv4.dhcp.ranges"] != "" {
for _, dhcpRange := range strings.Split(n.config["ipv4.dhcp.ranges"], ",") {
dhcpRange = strings.TrimSpace(dhcpRange)
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-range", strings.Replace(dhcpRange, "-", ",", -1)}...)
}
} else {
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-range", fmt.Sprintf("%s,%s", networkGetIP(subnet, 2).String(), networkGetIP(subnet, -2).String())}...)
}
}
// Add the address
err = shared.RunCommand("ip", "-4", "addr", "add", "dev", n.name, n.config["ipv4.address"])
if err != nil {
return err
}
// Configure NAT
if shared.IsTrue(n.config["ipv4.nat"]) {
err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
if err != nil {
return err
}
}
}
// Remove any existing IPv6 iptables rules
err = networkIptablesClear("ipv6", n.name, "")
if err != nil {
return err
}
err = networkIptablesClear("ipv6", n.name, "nat")
if err != nil {
return err
}
// Flush all IPv6 addresses
err = shared.RunCommand("ip", "-6", "addr", "flush", "dev", n.name, "scope", "global")
if err != nil {
return err
}
// Configure IPv6
if !shared.StringInSlice(n.config["ipv6.address"], []string{"", "none"}) {
// Enable IPv6 for the subnet
err := networkSysctl(fmt.Sprintf("ipv6/conf/%s/disable_ipv6", n.name), "0")
if err != nil {
return err
}
// Parse the subnet
ip, subnet, err := net.ParseCIDR(n.config["ipv6.address"])
if err != nil {
return err
}
// Update the dnsmasq config
dnsmasqCmd = append(dnsmasqCmd, []string{fmt.Sprintf("--listen-address=%s", ip.String()), "--enable-ra"}...)
if n.config["ipv6.dhcp"] == "" || shared.IsTrue(n.config["ipv6.dhcp"]) {
if !shared.StringInSlice("--dhcp-no-override", dnsmasqCmd) {
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-no-override", "--dhcp-authoritative", fmt.Sprintf("--dhcp-leasefile=%s", shared.VarPath("networks", n.name, "dnsmasq.leases")), fmt.Sprintf("--dhcp-hostsfile=%s", shared.VarPath("networks", n.name, "dnsmasq.hosts"))}...)
}
if shared.IsTrue(n.config["ipv6.dhcp.stateful"]) {
if n.config["ipv6.dhcp.ranges"] != "" {
for _, dhcpRange := range strings.Split(n.config["ipv6.dhcp.ranges"], ",") {
dhcpRange = strings.TrimSpace(dhcpRange)
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-range", fmt.Sprintf("%s", strings.Replace(dhcpRange, "-", ",", -1))}...)
}
} else {
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-range", fmt.Sprintf("%s,%s", networkGetIP(subnet, 2), networkGetIP(subnet, -1))}...)
}
} else {
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-range", fmt.Sprintf("::,constructor:%s,ra-stateless,ra-names", n.name)}...)
}
} else {
dnsmasqCmd = append(dnsmasqCmd, []string{"--dhcp-range", fmt.Sprintf("::,constructor:%s,ra-only", n.name)}...)
}
// Setup basic iptables overrides
rules := [][]string{
[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "546", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "546", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "udp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "INPUT", "-i", n.name, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "546", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "546", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "udp", "--sport", "53", "-j", "ACCEPT"},
[]string{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
for _, rule := range rules {
err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
if err != nil {
return err
}
}
// Allow forwarding
if n.config["ipv6.routing"] == "" || shared.IsTrue(n.config["ipv6.routing"]) {
// Get a list of proc entries
entries, err := ioutil.ReadDir("/proc/sys/net/ipv6/conf/")
if err != nil {
return err
}
// First set accept_ra to 2 for everything
for _, entry := range entries {
content, err := ioutil.ReadFile(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_ra", entry.Name()))
if err == nil && string(content) != "1\n" {
continue
}
err = networkSysctl(fmt.Sprintf("ipv6/conf/%s/accept_ra", entry.Name()), "2")
if err != nil && !os.IsNotExist(err) {
return err
}
}
// Then set forwarding for all of them
for _, entry := range entries {
err = networkSysctl(fmt.Sprintf("ipv6/conf/%s/forwarding", entry.Name()), "1")
if err != nil && !os.IsNotExist(err) {
return err
}
}
err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-i", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-o", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
} else {
err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-i", n.name, "-j", "REJECT")
if err != nil {
return err
}
err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-o", n.name, "-j", "REJECT")
if err != nil {
return err
}
}
// Add the address
err = shared.RunCommand("ip", "-6", "addr", "add", "dev", n.name, n.config["ipv6.address"])
if err != nil {
return err
}
// Configure NAT
if shared.IsTrue(n.config["ipv6.nat"]) {
err = networkIptablesPrepend("ipv6", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
if err != nil {
return err
}
}
}
// Configure the fan
if n.config["bridge.mode"] == "fan" {
tunName := fmt.Sprintf("%s-fan", n.name)
// Parse the underlay
underlay := n.config["fan.underlay_subnet"]
_, underlaySubnet, err := net.ParseCIDR(underlay)
if err != nil {
return nil
}
// Parse the overlay
overlay := n.config["fan.overlay_subnet"]
if overlay == "" {
overlay = "240.0.0.0/8"
}
_, overlaySubnet, err := net.ParseCIDR(overlay)
if err != nil {
return err
}
// Get the address
fanAddress, devName, devAddr, err := networkFanAddress(underlaySubnet, overlaySubnet)
if err != nil {
return err
}
addr := strings.Split(fanAddress, "/")
if n.config["fan.type"] == "ipip" {
fanAddress = fmt.Sprintf("%s/24", addr[0])
}
// Parse the host subnet
_, hostSubnet, err := net.ParseCIDR(fmt.Sprintf("%s/24", addr[0]))
if err != nil {
return err
}
// Add the address
err = shared.RunCommand("ip", "-4", "addr", "add", "dev", n.name, fanAddress)
if err != nil {
return err
}
// Update the dnsmasq config
dnsmasqCmd = append(dnsmasqCmd, []string{
fmt.Sprintf("--listen-address=%s", addr[0]),
"--dhcp-no-override", "--dhcp-authoritative",
fmt.Sprintf("--dhcp-leasefile=%s", shared.VarPath("networks", n.name, "dnsmasq.leases")),
fmt.Sprintf("--dhcp-hostsfile=%s", shared.VarPath("networks", n.name, "dnsmasq.hosts")),
"--dhcp-range", fmt.Sprintf("%s,%s", networkGetIP(hostSubnet, 2).String(), networkGetIP(hostSubnet, -2).String())}...)
// Setup the tunnel
if n.config["fan.type"] == "ipip" {
err = shared.RunCommand("ip", "-4", "route", "flush", "dev", "tunl0")
if err != nil {
return err
}
err = shared.RunCommand("ip", "link", "set", "tunl0", "up")
if err != nil {
return err
}
// Fails if the map is already set
shared.RunCommand("ip", "link", "change", "tunl0", "type", "ipip", "fan-map", fmt.Sprintf("%s:%s", overlay, underlay))
err = shared.RunCommand("ip", "route", "add", overlay, "dev", "tunl0", "src", addr[0])
if err != nil {
return err
}
} else {
vxlanID := fmt.Sprintf("%d", binary.BigEndian.Uint32(overlaySubnet.IP.To4())>>8)
err = shared.RunCommand("ip", "link", "add", tunName, "type", "vxlan", "id", vxlanID, "dev", devName, "dstport", "0", "local", devAddr, "fan-map", fmt.Sprintf("%s:%s", overlay, underlay))
if err != nil {
return err
}
err = networkAttachInterface(n.name, tunName)
if err != nil {
return err
}
err = shared.RunCommand("ip", "link", "set", tunName, "mtu", mtu, "up")
if err != nil {
return err
}
err = shared.RunCommand("ip", "link", "set", n.name, "up")
if err != nil {
return err
}
}
// Configure NAT
err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", "-s", underlaySubnet.String(), "!", "-d", underlaySubnet.String(), "-j", "MASQUERADE")
if err != nil {
return err
}
}
// Configure tunnels
for _, tunnel := range tunnels {
getConfig := func(key string) string {
return n.config[fmt.Sprintf("tunnel.%s.%s", tunnel, key)]
}
tunProtocol := getConfig("protocol")
tunLocal := getConfig("local")
tunRemote := getConfig("remote")
tunName := fmt.Sprintf("%s-%s", n.name, tunnel)
// Configure the tunnel
cmd := []string{"ip", "link", "add", tunName}
if tunProtocol == "gre" {
// Skip partial configs
if tunProtocol == "" || tunLocal == "" || tunRemote == "" {
continue
}
cmd = append(cmd, []string{"type", "gretap", "local", tunLocal, "remote", tunRemote}...)
} else if tunProtocol == "vxlan" {
tunGroup := getConfig("group")
// Skip partial configs
if tunProtocol == "" {
continue
}
cmd = append(cmd, []string{"type", "vxlan"}...)
if tunLocal != "" && tunRemote != "" {
cmd = append(cmd, []string{"local", tunLocal, "remote", tunRemote}...)
} else {
if tunGroup == "" {
tunGroup = "239.0.0.1"
}
_, devName, err := networkDefaultGatewaySubnetV4()
if err != nil {
return err
}
cmd = append(cmd, []string{"group", tunGroup, "dev", devName}...)
}
tunPort := getConfig("port")
if tunPort == "" {
tunPort = "0"
}
cmd = append(cmd, []string{"dstport", tunPort}...)
tunId := getConfig("id")
if tunId == "" {
tunId = "1"
}
cmd = append(cmd, []string{"id", tunId}...)
}
// Create the interface
err = shared.RunCommand(cmd[0], cmd[1:]...)
if err != nil {
return err
}
// Bridge it and bring up
err = networkAttachInterface(n.name, tunName)
if err != nil {
return err
}
err = shared.RunCommand("ip", "link", "set", tunName, "mtu", mtu, "up")
if err != nil {
return err
}
err = shared.RunCommand("ip", "link", "set", n.name, "up")
if err != nil {
return err
}
}
// Kill any existing dnsmasq daemon for this network
err = networkKillDnsmasq(n.name, false)
if err != nil {
return err
}
// Configure dnsmasq
if n.config["bridge.mode"] == "fan" || !shared.StringInSlice(n.config["ipv4.address"], []string{"", "none"}) || !shared.StringInSlice(n.config["ipv6.address"], []string{"", "none"}) {
dnsDomain := n.config["dns.domain"]
if dnsDomain == "" {
dnsDomain = "lxd"
}
// Setup the dnsmasq domain
if n.config["dns.mode"] != "none" {
dnsmasqCmd = append(dnsmasqCmd, []string{"-s", dnsDomain, "-S", fmt.Sprintf("/%s/", dnsDomain)}...)
}
// Create raw config file
if n.config["raw.dnsmasq"] != "" {
err = ioutil.WriteFile(shared.VarPath("networks", n.name, "dnsmasq.raw"), []byte(fmt.Sprintf("%s\n", n.config["raw.dnsmasq"])), 0)
if err != nil {
return err
}
dnsmasqCmd = append(dnsmasqCmd, fmt.Sprintf("--conf-file=%s", shared.VarPath("networks", n.name, "dnsmasq.raw")))
}
// Create DHCP hosts file
if !shared.PathExists(shared.VarPath("networks", n.name, "dnsmasq.hosts")) {
err = ioutil.WriteFile(shared.VarPath("networks", n.name, "dnsmasq.hosts"), []byte(""), 0)
if err != nil {
return err
}
}
// Start dnsmasq (occasionaly races, try a few times)
output, err := tryExec(dnsmasqCmd[0], dnsmasqCmd[1:]...)
if err != nil {
return fmt.Errorf("Failed to run: %s: %s", strings.Join(dnsmasqCmd, " "), strings.TrimSpace(string(output)))
}
// Update the static leases
err = networkUpdateStatic(n.daemon)
if err != nil {
return err
}
}
return nil
}
func (n *network) Stop() error {
if !n.IsRunning() {
return fmt.Errorf("The network is already stopped")
}
// Destroy the bridge interface
if n.config["bridge.driver"] == "openvswitch" {
err := shared.RunCommand("ovs-vsctl", "del-br", n.name)
if err != nil {
return err
}
} else {
err := shared.RunCommand("ip", "link", "del", n.name)
if err != nil {
return err
}
}
// Cleanup iptables
err := networkIptablesClear("ipv4", n.name, "")
if err != nil {
return err
}
err = networkIptablesClear("ipv4", n.name, "mangle")
if err != nil {
return err
}
err = networkIptablesClear("ipv4", n.name, "nat")
if err != nil {
return err
}
err = networkIptablesClear("ipv6", n.name, "")
if err != nil {
return err
}
err = networkIptablesClear("ipv6", n.name, "nat")
if err != nil {
return err
}
// Kill any existing dnsmasq daemon for this network
err = networkKillDnsmasq(n.name, false)
if err != nil {
return err
}
// Get a list of interfaces
ifaces, err := net.Interfaces()
if err != nil {
return err
}
// Cleanup any existing tunnel device
for _, iface := range ifaces {
if strings.HasPrefix(iface.Name, fmt.Sprintf("%s-", n.name)) {
err = shared.RunCommand("ip", "link", "del", iface.Name)
if err != nil {
return err
}
}
}
return nil
}