From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Filip Schauer <f.schauer@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH container v2 09/11] manage DHCP for containers with custom entrypoint
Date: Wed, 25 Jun 2025 10:50:07 +0200	[thread overview]
Message-ID: <vfje2njhqwdgrtez7yupoxcamgwox7a2kvg3nepdghvgokvzeh@odmtxjbxzsgd> (raw)
In-Reply-To: <20250611144903.200940-10-f.schauer@proxmox.com>

On Wed, Jun 11, 2025 at 04:49:01PM +0200, Filip Schauer wrote:
> Containers that do not use the default `/sbin/init` entrypoint may lack
> in-container network management. A previous commit already handles
> static IP addresses. Now this commit also handles DHCP. This is done
> using a `dhclient` process for each network interface.
> 
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
>  src/PVE/LXC.pm        | 74 ++++++++++++++++++++++++++++++++++++++++---
>  src/PVE/LXC/Config.pm |  6 +++-
>  2 files changed, 74 insertions(+), 6 deletions(-)
> 
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 0131ac3..e91b53a 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1004,6 +1004,8 @@ sub vm_stop_cleanup {
>  	PVE::Storage::deactivate_volumes($storage_cfg, $vollist);
>      };
>      warn $@ if $@; # avoid errors - just warn
> +
> +    kill_dhclients($vmid, '*') if (PVE::LXC::Config->get_entrypoint($conf) ne "/sbin/init");
>  }
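Review bot: The cleanup of leftover dhclient processes is made conditional on the entrypoint at stop time, although the glob in kill_dhclients is already a no-op when no pidfiles exist; if the entrypoint option can differ between start and stop (pending changes, edits while running), the guard would leave dhclient pids behind. Running the kill unconditionally — `kill_dhclients($vmid, '*');` — costs one glob and removes that window. vm_stop_cleanup begins before this hunk.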
>  
>  sub net_tap_plug : prototype($$) {
> @@ -1189,6 +1191,34 @@ sub get_interfaces {
>      return $res;
>  }
>  
> +sub manage_dhclient {
> +    my ($action, $vmid, $ipversion, $eth, $rootdir) = @_;
> +
> +    File::Path::make_path("/var/lib/lxc/$vmid/hook") if $action eq 'start';
> +    my $pidfile = "/var/lib/lxc/$vmid/hook/dhclient$ipversion-$eth.pid";
> +    my $leasefile = "/var/lib/lxc/$vmid/hook/dhclient$ipversion-$eth.leases";
> +    my $scriptfile = '/usr/share/lxc/hooks/dhclient-script';
> +    PVE::Tools::run_command([
> +	'lxc-attach', '-n', $vmid, '-s', 'NETWORK|UTSNAME', '--',
> +	'aa-exec', '-p', 'unconfined',

^ This should probably get a fixme, I'd like to at some point enforce
that dhclient really only writes to `/var/lib/lxc/$vmid` and the rootfs.

> +	'/sbin/dhclient', $action eq 'start' ? '-1' : '-r', "-$ipversion",
> +	'-pf', $pidfile, '-lf', $leasefile, '-e', "ROOTFS=$rootdir", '-sf', $scriptfile, $eth
> +    ]);
> +}
> +
> +sub kill_dhclients {
> +    my ($vmid, $eth) = @_;
> +
> +    foreach my $pidfile (glob("/var/lib/lxc/$vmid/hook/dhclient*-$eth.pid")) {
> +	my $pid = eval { file_get_contents($pidfile) };
> +	if (!$@) {
> +	    chomp $pid;
> +	    kill 9, $pid if ($pid =~ m/^\d+$/);

^ To avoid any surprises we should properly untaint this instead:
    next if $pid !~ /^(\d+)$/;
    kill 9, $1;

> +	    unlink($pidfile);
> +	}
> +    }
> +}
> +
>  sub update_ipconfig {
>      my ($vmid, $conf, $opt, $eth, $newnet, $rootdir) = @_;
>  
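Review bot: kill_dhclients sends SIGKILL to whatever pid the file names without checking that the process is still the dhclient that wrote it; since lxc-attach is invoked with only `NETWORK|UTSNAME` (L48), these dhclients presumably live in the host pid namespace, so a stale pidfile (dhclient exited on its own, e.g. `-1` giving up) would target an unrelated host process after pid reuse. After the untainted capture, verify ownership before killing, e.g. `my $cmdline = eval { file_get_contents("/proc/$1/cmdline") } // '';` followed by `next if index($cmdline, $pidfile) < 0;` — the `-pf $pidfile` argument passed at start makes the pidfile path a reliable marker — and consider SIGTERM before SIGKILL so dhclient can clean up. Note also that `unlink($pidfile)` runs even when the pid did not match or the kill failed, which hides the stale state rather than reporting it. update_ipconfig's body continues outside this hunk.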
> @@ -1223,11 +1253,21 @@ sub update_ipconfig {
>  
>  	# step 1: add new IP, if this fails we cancel
>  	my $is_real_ip = ($newip && $newip !~ /^(?:auto|dhcp|manual)$/);
> -	if ($change_ip && $is_real_ip) {
> -	    eval { &$ipcmd($family_opt, 'addr', 'add', $newip, 'dev', $eth); };
> -	    if (my $err = $@) {
> -		warn $err;
> -		return;
> +	if ($change_ip) {
> +	    if (PVE::LXC::Config->get_entrypoint($conf) ne "/sbin/init") {
> +		if ($newip && $newip eq 'dhcp') {
> +		    manage_dhclient('start', $vmid, $ipversion, $eth, $rootdir);
> +		} elsif ($oldip && $oldip eq 'dhcp') {
> +		    manage_dhclient('stop', $vmid, $ipversion, $eth, $rootdir);
> +		}
> +	    }
> +
> +	    if ($is_real_ip) {
> +		eval { &$ipcmd($family_opt, 'addr', 'add', $newip, 'dev', $eth); };
> +		if (my $err = $@) {
> +		    warn $err;
> +		    return;
> +		}
>  	    }
>  	}
>  
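Review bot: The two manage_dhclient calls in the `$change_ip` branch are not wrapped in eval, unlike the ipcmd call right below and the calls in vm_start, so a failing lxc-attach/dhclient (for instance `-r` with no running client, if dhclient treats that as an error) aborts update_ipconfig before the new static address is even attempted. Mirroring the existing style, `eval { manage_dhclient('start', $vmid, $ipversion, $eth, $rootdir) }; warn "DHCP failed on $eth - $@" if $@;` (and likewise for the stop branch) keeps the address update going and still surfaces the failure. update_ipconfig starts before this hunk.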
> @@ -2707,6 +2747,30 @@ sub vm_start {
>      }
>      PVE::GuestHelpers::exec_hookscript($conf, $vmid, 'post-start');
>  
> +    my @dhcpv4_interfaces = ();
> +    my @dhcpv6_interfaces = ();
> +    foreach my $k (sort keys %$conf) {
> +	next if $k !~ m/^net(\d+)$/;
> +	my $d = PVE::LXC::Config->parse_lxc_network($conf->{$k});
> +	push @dhcpv4_interfaces, $d->{name} if $d->{ip} && $d->{ip} eq 'dhcp';
> +	push @dhcpv6_interfaces, $d->{name} if $d->{ip6} && $d->{ip6} eq 'dhcp';
> +    }
> +
> +    my $pid = PVE::LXC::find_lxc_pid($vmid);
> +    my $rootdir = "/proc/$pid/root";

^ When using this path over a potentially longer period of time it's
better to use

    my ($pid, $pidfd) = PVE::LXC::open_lxc_pid($vmid);

The open pidfd should guard against pid reuse during these operations.

(In fact, any code using this path should keep the pid fd open. That's
something that can still be improved across the container code base in
the future.)

> +
> +    if (PVE::LXC::Config->get_entrypoint($conf) ne "/sbin/init") {

^ This check could cover the entire hunk here.

> +	foreach my $eth (@dhcpv4_interfaces) {
> +	    eval { manage_dhclient('start', $vmid, 4, $eth, $rootdir) };
> +	    PVE::RESTEnvironment::log_warn("DHCP failed - $@") if $@;
> +	}
> +
> +	foreach my $eth (@dhcpv6_interfaces) {
> +	    eval { manage_dhclient('stop', $vmid, 6, $eth, $rootdir) };

^ Should be 'start'.

> +	    PVE::RESTEnvironment::log_warn("DHCP failed - $@") if $@;
> +	}
> +    }
> +
>      return;
>  }
>  
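Review bot: The warning `"DHCP failed - $@"` is emitted from two loops but does not say which interface or address family failed, which is the one thing an operator needs to look at when one of several interfaces has no DHCP server; `PVE::RESTEnvironment::log_warn("DHCPv4 failed on $eth - $@") if $@;` (and `DHCPv6` in the second loop) would fix that. Because run_command waits for dhclient and dhclient is given `-1`, each interface without a lease presumably holds vm_start until dhclient's own timeout elapses; if that is intended, a short comment above the loops saying so would save the next reader from wondering why start got slow. vm_start begins before this hunk.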
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index d7d8b6a..854e711 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -1490,9 +1490,13 @@ sub vmconfig_hotplug_pending {
>  		$cgroup->change_cpu_shares(undef);
>  	    } elsif ($opt =~ m/^net(\d)$/) {
>  		my $netid = $1;
> +		my $net = PVE::LXC::Config->parse_lxc_network($conf->{$opt});
> +		if (PVE::LXC::Config->get_entrypoint($conf) ne "/sbin/init") {
> +		    PVE::LXC::kill_dhclients($vmid, $net->{name});
> +		}
> +
>  		PVE::Network::veth_delete("veth${vmid}i$netid");
>  		if ($have_sdn) {
> -		    my $net = PVE::LXC::Config->parse_lxc_network($conf->{$opt});
>  		    print "delete ips from $opt\n";
>  		    eval { PVE::Network::SDN::Vnets::del_ips_from_mac($net->{bridge}, $net->{hwaddr}, $conf->{hostname}) };
>  		    warn $@ if $@;
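Review bot: On hot-unplug the dhclient is SIGKILLed via kill_dhclients while the container is still running and the veth is only deleted on the following line, so the lease is never released to the server; if the container's rootdir is reachable in this scope, `PVE::LXC::manage_dhclient('stop', $vmid, $ipversion, $net->{name}, $rootdir)` for each configured family (`-r`) before the kill would release it, with kill_dhclients kept as the fallback. The call is also made regardless of whether `$net->{ip}`/`$net->{ip6}` is 'dhcp', which is harmless only because the glob then matches nothing. vmconfig_hotplug_pending begins before this hunk.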
> -- 
> 2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
