From: Christoph Heiss <c.heiss@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v2 container 3/4] lxc: Add `link-down` config to allow setting interfaces as disconnected
Date: Wed, 15 Feb 2023 15:02:44 +0100 [thread overview]
Message-ID: <20230215140245.496507-4-c.heiss@proxmox.com> (raw)
In-Reply-To: <20230215140245.496507-1-c.heiss@proxmox.com>
If this network option is set, the host-side link will be forced down
and the interface won't be connected to the bridge.
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v1 -> v2:
* Split trailing whitespace fix into separate patch
* Rename option to kebab-case
* Proper option comparison using `safe_boolean_ne`
* Copy option to new network conf like the other options
* Remove the veth interface from the bridge when disconnected
src/PVE/LXC.pm | 41 ++++++++++++++++++++++++++++++++++-------
src/PVE/LXC/Config.pm | 5 +++++
src/lxcnetaddbr | 7 +++++--
3 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 0de5ba3..1b93f48 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -955,7 +955,8 @@ sub update_net {
} else {
if (safe_string_ne($oldnet->{bridge}, $newnet->{bridge}) ||
safe_num_ne($oldnet->{tag}, $newnet->{tag}) ||
- safe_num_ne($oldnet->{firewall}, $newnet->{firewall})
+ safe_num_ne($oldnet->{firewall}, $newnet->{firewall}) ||
+ safe_boolean_ne($oldnet->{'link-down'}, $newnet->{'link-down'})
) {
if ($oldnet->{bridge}) {
@@ -968,10 +969,28 @@ sub update_net {
}
my ($bridge, $mac, $firewall, $rate) = $newnet->@{'bridge', 'hwaddr', 'firewall', 'rate'};
- PVE::LXC::net_tap_plug($veth, $bridge, $newnet->{tag}, $firewall, $newnet->{trunks}, $rate, { mac => $mac });
+
+ if (defined($newnet->{'link-down'})) {
+ # The interface must not be connected to the designated
+ # bridge if the link was requested to be disconnected.
+ # Otherwise it could get re-enabled by something like
+ # `ifreload`.
+ #
+ # Thus only force the host-side link down here and skip
+ # adding it to the bridge.
+ PVE::Tools::run_command(['/sbin/ip', 'link', 'set', 'dev', $veth, 'down']);
+ } else {
+ # Connect the interface to the bridge
+ PVE::LXC::net_tap_plug(
+ $veth, $bridge, $newnet->{tag}, $firewall, $newnet->{trunks}, $rate, { mac => $mac });
+
+ # Force the host-side link up if it was previously down.
+ PVE::Tools::run_command(['/sbin/ip', 'link', 'set', 'dev', $veth, 'up'])
+ if defined($oldnet->{'link-down'});
+ }
# This includes the rate:
- foreach (qw(bridge tag firewall rate)) {
+ foreach (qw(bridge tag firewall rate link-down)) {
$oldnet->{$_} = $newnet->{$_} if $newnet->{$_};
}
} elsif (safe_string_ne($oldnet->{rate}, $newnet->{rate})) {
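Review bot: `link-down` is declared as `type => 'boolean'` in Config.pm, but the new branch `if (defined($newnet->{'link-down'}))` tests definedness, so an explicit `link-down=0` would presumably take the disconnect path and leave the interface off the bridge. `if ($newnet->{'link-down'})` matches the schema, and the same applies to `if defined($oldnet->{'link-down'})` in this hunk, to the `defined` test added in hotplug_net, and to both tests in src/lxcnetaddbr. Separately, the copy loop assigns only truthy values (`if $newnet->{$_}`), so clearing the option never removes `link-down` from `$oldnet`. Unless it is deleted elsewhere in update_net, which this hunk does not show, the recorded state can still say the link is down after the interface was plugged back in, and a `delete $oldnet->{'link-down'} if !$newnet->{'link-down'};` before the loop would prevent that. Since this option is an isolation switch, the stored value and the actual bridge membership should never disagree.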
@@ -1002,9 +1021,6 @@ sub hotplug_net {
} else {
PVE::Network::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
}
- PVE::LXC::net_tap_plug(
- $veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks},
- $newnet->{rate}, { mac => $newnet->{hwaddr} });
# attach peer in container
my $cmd = ['lxc-device', '-n', $vmid, 'add', $vethpeer, "$eth" ];
@@ -1014,8 +1030,19 @@ sub hotplug_net {
$cmd = ['lxc-attach', '-n', $vmid, '-s', 'NETWORK', '--', '/sbin/ip', 'link', 'set', $eth ,'up' ];
PVE::Tools::run_command($cmd);
+ if (defined($newnet->{'link-down'})) {
+ # In case the network device should be disconnected, force the host-link down ..
+ PVE::Tools::run_command(['/sbin/ip', 'link', 'set', 'dev', $veth, 'down']);
+ } else {
+ # .. otherwise, connect it normally to the bridge.
+ # The interface is already up from creation.
+ PVE::LXC::net_tap_plug(
+ $veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks},
+ $newnet->{rate}, { mac => $newnet->{hwaddr} });
+ }
+
my $done = { type => 'veth' };
- foreach (qw(bridge tag firewall hwaddr name)) {
+ foreach (qw(bridge tag firewall hwaddr name link-down)) {
$done->{$_} = $newnet->{$_} if $newnet->{$_};
}
$conf->{$opt} = PVE::LXC::Config->print_lxc_network($done);
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index af25a96..26a2fac 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -814,6 +814,11 @@ our $netconf_desc = {
description => "Apply rate limiting to the interface",
optional => 1,
},
+ 'link-down' => {
+ type => 'boolean',
+ description => 'Whether this interface should be disconnected (like pulling the plug).',
+ optional => 1,
+ },
};
PVE::JSONSchema::register_format('pve-lxc-network', $netconf_desc);
diff --git a/src/lxcnetaddbr b/src/lxcnetaddbr
index ebd6baa..c5d724b 100755
--- a/src/lxcnetaddbr
+++ b/src/lxcnetaddbr
@@ -52,10 +52,13 @@ if (-d "/sys/class/net/$iface") {
#avoid insecure dependency;
($bridgemtu) = $bridgemtu =~ /(\d+)/;
- PVE::Tools::run_command("/sbin/ip link set dev $iface up mtu $bridgemtu");
+ my $linkstate = defined($net->{'link-down'}) ? 'down' : 'up';
+ PVE::Tools::run_command("/sbin/ip link set dev $iface $linkstate mtu $bridgemtu");
PVE::Tools::run_command("/sbin/ip addr add 0.0.0.0/0 dev $iface");
- PVE::LXC::net_tap_plug($iface, $bridge, $tag, $firewall, $trunks, $rate, { mac => $hwaddr });
+ # Only plug the interface into the bridge if it is not set as disconnected by the user.
+ PVE::LXC::net_tap_plug($iface, $bridge, $tag, $firewall, $trunks, $rate, { mac => $hwaddr })
+ if !defined($net->{'link-down'});
}
exit 0;
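Review bot: The rewritten `ip link set` call keeps the single-string form of run_command, so `$iface` is interpolated into one command string, while the calls this patch adds in LXC.pm pass an argument list. Only `$bridgemtu` is untainted in the visible lines; how `$iface` is validated is outside the hunk. Passing a list avoids any shell parsing of the values and matches the rest of the patch: `PVE::Tools::run_command(['/sbin/ip', 'link', 'set', 'dev', $iface, $linkstate, 'mtu', $bridgemtu]);`. The enclosing `if (-d "/sys/class/net/$iface")` block starts outside the hunk.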
--
2.39.1