# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upstart job that runs the arc-networkd pre-start/post-stop hooks for the
# Android container.
description "Start network for a container"
author "chromium-os-dev@chromium.org"
# Lifecycle is tied to arc-boot-continue: this job starts once that job has
# started and stops once it has stopped.
start on started arc-boot-continue
stop on stopped arc-boot-continue
# Neither ARC_IFNAME nor CONTAINER_NAME is referenced by the scripts in this
# file; presumably they are read by arc-networkd itself — confirm.
env ARC_IFNAME=arcbr0
env CONTAINER_NAME=android
# CONTAINER_PID is taken from the environment of the starting event; the
# pre-start script below polls /proc/${CONTAINER_PID}/ns/net with it.
import CONTAINER_PID
pre-start script
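{
  echo "Pre-start arc-networkd - container booting"
  set -x

  # Load networking modules needed by Android that are not compiled in the
  # kernel. Android does not allow auto-loading of kernel modules.
  # The netfilter modules needed by netd for iptables commands.
  modprobe -a ip6table_filter ip6t_ipv6header ip6t_REJECT
  # This module is not available in kernels < 3.18, so its absence is tolerated.
  modprobe -a nf_reject_ipv6 || true
  # These modules are needed for supporting Chrome traffic on Android VPN
  # which uses Android nat feature. Android nat sets up iptables rules that
  # use these conntrack modules for FTP/TFTP.
  modprobe -a nf_nat_ftp nf_nat_tftp || true
  # The xfrm modules needed for Android's ipsec APIs.
  modprobe -a xfrm4_mode_transport xfrm4_mode_tunnel \
    xfrm6_mode_transport xfrm6_mode_tunnel
  # The ipsec modules for AH and ESP encryption for ipv6.
  modprobe -a ah6 esp6

  # Wait until the container's network namespace differs from init's before
  # setting up the network: poll up to 50 times, 0.1s apart (about 5 seconds).
  # A failing readlink (e.g. the pid directory exists but ns/net is not yet
  # readable) counts as "not ready yet" and is retried; without the guard the
  # failed assignment would abort this whole block under sh -e and silently
  # skip the sysctl/chown/pkill steps below.
  init_ns=$(readlink "/proc/1/ns/net")
  attempt=0
  ns_ready=0
  while [ "${attempt}" -lt 50 ]; do
    if [ -d "/proc/${CONTAINER_PID}" ]; then
      ns=$(readlink "/proc/${CONTAINER_PID}/ns/net") || ns=
      if [ -n "${ns}" ] && [ "${ns}" != "${init_ns}" ]; then
        ns_ready=1
        break
      fi
    fi
    attempt=$((attempt + 1))
    sleep 0.1
  done
  # Continue on timeout (the set-up steps still run), but leave a trace in the
  # log so a container whose namespace never switched is diagnosable.
  if [ "${ns_ready}" -eq 0 ]; then
    echo "Timed out waiting for the network namespace of pid ${CONTAINER_PID}" >&2
  fi

  # Enable IPv6 routing and neighbor discovery proxying. These are the "all"
  # sysctls, so they apply host-wide, not only to the container's interface.
  sysctl net.ipv6.conf.all.forwarding=1
  sysctl net.ipv6.conf.all.proxy_ndp=1

  # Temporary workaround for b/27932574 permission check. This hands ownership
  # of the sysfs directory to uid/gid 655360 (presumably the container's
  # mapped root — confirm); revisit once the referenced bug is resolved.
  chown 655360:655360 /sys/class/xt_idletimer

  # Signal arc-networkd that the container is booting.
  pkill -x -USR1 arc-networkd
# The group's stdout+stderr go to syslog. The pipeline's status is logger's,
# so a failure inside the group does not fail the pre-start itself.
} 2>&1 | logger -t "${UPSTART_JOB}"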
end script
post-stop script
{
  printf '%s\n' 'Post-stop arc-networkd - container going down'
  # Best effort from here on: if arc-networkd is not running, pkill's non-zero
  # status must not abort the block. Tracing is turned on for the log.
  set +e
  set -x
  # Signal arc-networkd that the container is shutting down.
  pkill -x -USR2 arc-networkd
# Output and trace go to syslog tagged with the job name.
} 2>&1 | logger -t "${UPSTART_JOB}"
end script