# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start network for a container"
author "chromium-os-dev@chromium.org"

# Host bridge the container's veth is attached to, and the container name
# the veth interface names ("veth_<name>" / "slave_<name>") are derived from.
env ARC_IFNAME=arcbr0
env CONTAINER_NAME=android

# PID of the container's init process, taken from the environment of the
# event that starts this job (started arc-boot-continue).  The pre-start
# script and the daemon below operate on that process's namespaces.
import CONTAINER_PID

# This job's lifetime follows arc-boot-continue.
start on started arc-boot-continue
stop on stopped arc-boot-continue
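pre-start script
  # Host-side network setup for the container: load the kernel modules
  # Android's netd / ipsec stack needs, create a veth pair whose host end is
  # bridged onto ${ARC_IFNAME}, move the other end into the container's
  # network namespace, and then signal the container that it is ready.
  #
  # NOTE(review): the whole body is piped into logger, so the exit status of
  # this pre-start is logger's, not the group's.  A command failing inside
  # the group stops the rest of the group (the shell runs with -e) but does
  # not fail the job, and arc-networkd below is started anyway.  Confirm
  # that is intended.
  {
    echo "Pre-start arc-network"
    set -x

    # Load networking modules needed by Android that are not compiled into
    # the kernel.  Android does not allow auto-loading of kernel modules, so
    # the host has to load them before the container needs them.
    # Netfilter modules needed by netd for its iptables commands.
    modprobe -a ip6table_filter ip6t_ipv6header ip6t_REJECT
    # Not available in kernels < 3.18; best effort.
    modprobe -a nf_reject_ipv6 || true
    # Conntrack helpers used by the iptables rules Android's NAT sets up for
    # Chrome traffic over an Android VPN (FTP/TFTP); best effort.
    modprobe -a nf_nat_ftp nf_nat_tftp || true
    # xfrm modules needed by Android's ipsec APIs.
    modprobe -a xfrm4_mode_transport xfrm4_mode_tunnel \
      xfrm6_mode_transport xfrm6_mode_tunnel
    # AH and ESP for IPv6 ipsec.
    modprobe -a ah6 esp6

    # Create the veth pair.  host_if stays on the host and is attached to
    # ${ARC_IFNAME}; container_if is handed to the container below.  A stale
    # pair left over from a previous run is removed first.
    host_if="veth_${CONTAINER_NAME}"
    container_if="slave_${CONTAINER_NAME}"
    ip link delete "${host_if}" || true
    ip link add "${host_if}" type veth peer name "${container_if}"
    ip link set dev "${host_if}" up
    # Bringing up the host side implicitly brings up the container side.
    # Force the container side down until the container initializes it.
    # The fixed MAC address is what has been used from the beginning.
    ip link set dev "${container_if}" addr 00:FF:AA:00:00:55 down
    brctl addif "${ARC_IFNAME}" "${host_if}"

    # Wait (up to 50 x 0.1s) until the container's init has left the host's
    # network namespace.  Doing the steps below before that would leave the
    # interface in the host namespace, rename it to arc0 there, and signal
    # readiness to a container that has no network device.
    init_ns=$(readlink "/proc/1/ns/net")
    ns=""
    attempt=0
    while [ "${attempt}" -lt 50 ]; do
      if [ -d "/proc/${CONTAINER_PID}" ]; then
        ns=$(readlink "/proc/${CONTAINER_PID}/ns/net")
        if [ -n "${ns}" ] && [ "${ns}" != "${init_ns}" ]; then
          break
        fi
      fi
      attempt=$((attempt + 1))
      sleep 0.1
    done
    if [ -z "${ns}" ] || [ "${ns}" = "${init_ns}" ]; then
      # Fail loudly rather than configure the wrong namespace and falsely
      # signal readiness (the original fell through here on timeout).
      echo "container ${CONTAINER_PID} did not enter its own netns; giving up" >&2
      exit 1
    fi

    # Pass the container end of the veth into the container's namespace and
    # give it the name Android expects.
    ip link set "${container_if}" netns "${CONTAINER_PID}"
    nsenter -t "${CONTAINER_PID}" -n -- \
      ip link set "${container_if}" name arc0

    # Signal the container that its network devices are ready.
    # NOTE(review): this execs the container's own /system/bin/touch, found
    # in the container's mount namespace, with this script's credentials
    # (no --user; presumably root, as modprobe/ip above require).  A
    # tampered container image would get that binary run with host
    # privileges.  Running a host-side binary in the target mount namespace
    # would avoid trusting the image here.
    nsenter -t "${CONTAINER_PID}" --mount --pid -- \
      /system/bin/touch /dev/.arc_network_ready

    # Enable IPv6 routing and neighbor discovery proxying on the host.
    sysctl net.ipv6.conf.all.forwarding=1
    sysctl net.ipv6.conf.all.proxy_ndp=1

    # Temporary workaround for b/27932574 permission check.
    # NOTE(review): 655360 is presumably the host uid/gid the container's
    # uid 0 maps to, so this hands the container's root ownership of a host
    # sysfs directory.  Drop once the referenced bug is resolved.
    chown 655360:655360 /sys/class/xt_idletimer
  } 2>&1 | logger -t "${UPSTART_JOB}"
end script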
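# Start the daemon that handles multicast and IPv6 for the container.
# Both values are quoted: CONTAINER_PID is imported from the start event
# and ARC_IFNAME is the bridge name; neither should be word-split or
# glob-expanded by the shell Upstart uses to run this line.
exec /usr/bin/arc-networkd --con_netns="${CONTAINER_PID}" \
  --internal_interface="${ARC_IFNAME}"

post-stop exec logger -t "${UPSTART_JOB}" "Post-stop arc-network"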