| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start network for a container" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started arc-boot-continue |
| stop on stopped arc-boot-continue |
| |
| env ARC_IFNAME=arcbr0 |
| env CONTAINER_NAME=android |
| |
| import CONTAINER_PID |
| |
| pre-start script |
| { |
| echo "Pre-start arc-network" |
| set -x |
| |
| # Load networking modules needed by Android that are not compiled in the |
| # kernel. Android does not allow auto-loading of kernel modules. |
| |
| # The netfilter modules needed by netd for iptables commands. |
| modprobe -a ip6table_filter ip6t_ipv6header ip6t_REJECT |
| # This module is not available in kernels < 3.18 |
| modprobe -a nf_reject_ipv6 || true |
| |
| # These modules are needed for supporting Chrome traffic on Android VPN |
| # which uses Android nat feature. Android nat setups iptables rules that |
| # uses these conntrack modules for FTP/TFTP. |
| modprobe -a nf_nat_ftp nf_nat_tftp || true |
| |
| # The xfrm modules needed for Android's ipsec APIs. |
| modprobe -a xfrm4_mode_transport xfrm4_mode_tunnel \ |
| xfrm6_mode_transport xfrm6_mode_tunnel |
| |
| # The ipsec modules for AH and ESP encryption for ipv6. |
| modprobe -a ah6 esp6 |
| |
| # Set up network to ${ARC_IFNAME}. |
| ip link delete "veth_${CONTAINER_NAME}" || true |
| ip link add "veth_${CONTAINER_NAME}" type veth \ |
| peer name "slave_${CONTAINER_NAME}" |
| ifconfig "veth_${CONTAINER_NAME}" up |
| # Bringing up the master side implicitly brings up the slave side. |
| # Force slave_${CONTAINER_NAME} down until the container initializes it. |
| # This MAC address is what has been used from the beginning. |
| ip link set dev "slave_${CONTAINER_NAME}" addr 00:FF:AA:00:00:55 down |
| brctl addif ${ARC_IFNAME} "veth_${CONTAINER_NAME}" |
| |
| # Wait until the container's network namespace is changed before setting up |
| # the network. |
| init_ns=$(readlink "/proc/1/ns/net") |
| for i in `seq 1 50`; do |
| if [ -d "/proc/${CONTAINER_PID}" ]; then |
| ns=$(readlink "/proc/${CONTAINER_PID}/ns/net") |
| if [ -n "${ns}" -a "${ns}" != "${init_ns}" ]; then |
| break |
| fi |
| fi |
| sleep 0.1 |
| done |
| |
| # Pass the network device in to the container. |
| ip link set "slave_${CONTAINER_NAME}" netns "${CONTAINER_PID}" |
| nsenter -t "${CONTAINER_PID}" -n -- \ |
| ip link set "slave_${CONTAINER_NAME}" name arc0 |
| |
| # Signal the container that network devices are ready. |
| nsenter -t "${CONTAINER_PID}" --mount --pid -- \ |
| /system/bin/touch /dev/.arc_network_ready |
| |
| # Enable IPv6 routing and neighbor discovery proxying. |
| sysctl net.ipv6.conf.all.forwarding=1 |
| sysctl net.ipv6.conf.all.proxy_ndp=1 |
| |
| # Temporary workaround for b/27932574 permission check. |
| chown 655360:655360 /sys/class/xt_idletimer |
| } 2>&1 | logger -t "${UPSTART_JOB}" |
| end script |
| |
| # Start the daemon that handles multicast and IPv6. |
| exec /usr/bin/arc-networkd --con_netns=$CONTAINER_PID \ |
| --internal_interface=${ARC_IFNAME} |
| |
| post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-network" |