提交
06b529e0
编写于
11月 26, 2016
作者:
Simon Fels
Implement simple network bridge
上级
5660b308
变更
3
Showing
3 changed file
with
235 addition
and
0 deletion
+235
-0
android/anboxd.rc
android/anboxd.rc
+6
-0
scripts/anbox-bridge.sh
scripts/anbox-bridge.sh
+225
-0
src/anbox/container/lxc_container.cpp
src/anbox/container/lxc_container.cpp
+4
-0
android/anboxd.rc
service anboxd /system/bin/anboxd
class boot
# We will ever only have a single network interface we need to care
# about so we can add static setup for this one here.
service anbox-network /system/bin/dhcptool eth0
class main
oneshot
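Review bot: `anbox-network` is declared `oneshot`, so init runs `dhcptool eth0` once and does not restart it; if no DHCP server answers on the bridge at that moment (for example the host-side dnsmasq is not up yet), the container presumably stays without an address. The interface name `eth0` is also fixed here while nothing in this file ties it to the host-side LXC network settings; a comment such as `# eth0 is the veth end created by the host LXC config (lxc.network.*)` would make that dependency visible.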
scripts/anbox-bridge.sh
0 → 100755
#!/bin/sh
varrun
=
"/run/anbox"
varlib
=
"/var/lib/anbox"
BRIDGE
=
"anboxbr0"
# IPv4
IPV4_ADDR
=
"10.0.6.1"
IPV4_NETMASK
=
"255.255.255.0"
IPV4_NETWORK
=
"10.0.6.1/24"
IPV4_DHCP_RANGE
=
"10.0.6.2,10.0.6.254"
IPV4_DHCP_MAX
=
"252"
IPV4_NAT
=
"true"
# IPv6
IPV6_ADDR
=
"fd9d:e4dc:4e00:9e98::1"
IPV6_MASK
=
"64"
IPV6_NETWORK
=
"fd9d:e4dc:4e00:9e98::1/64"
IPV6_NAT
=
"true"
IPV6_PROXY
=
"false"
use_iptables_lock
=
"-w"
iptables
-w
-L
-n
>
/dev/null 2>&1
||
use_iptables_lock
=
""
HAS_IPV6
=
false
[
-e
"/proc/sys/net/ipv6/conf/default/disable_ipv6"
]
&&
\
[
"
$(
cat
/proc/sys/net/ipv6/conf/default/disable_ipv6
)
"
=
"0"
]
&&
HAS_IPV6
=
true
_netmask2cidr
()
{
# Assumes there's no "255." after a non-255 byte in the mask
local
x
=
${
1
##*255.
}
set
--
"0^^^128^192^224^240^248^252^254^"
"
$((
(
${#
1
}
-
${#
x
}
)*
2
))
"
"
${
x
%%.*
}
"
x
=
${
1
%%
${
3
}
*
}
echo
$((
${
2
}
+
(
${#
x
}
/
4
)
))
}
ifdown
()
{
ip addr flush dev
"
${
1
}
"
ip
link set
dev
"
${
1
}
"
down
}
ifup
()
{
[
"
${
HAS_IPV6
}
"
=
"true"
]
&&
[
"
${
IPV6_PROXY
}
"
=
"true"
]
&&
ip addr add fe80::1/64 dev
"
${
1
}
"
if
[
-n
"
${
IPV4_NETMASK
}
"
]
&&
[
-n
"
${
IPV4_ADDR
}
"
]
;
then
MASK
=
$(
_netmask2cidr
${
IPV4_NETMASK
}
)
CIDR_ADDR
=
"
${
IPV4_ADDR
}
/
${
MASK
}
"
ip addr add
"
${
CIDR_ADDR
}
"
dev
"
${
1
}
"
fi
ip
link set
dev
"
${
1
}
"
up
}
start
()
{
[
!
-f
"
${
varrun
}
/network_up"
]
||
{
echo
"anbox-bridge is already running"
;
exit
1
;
}
if
[
-d
/sys/class/net/
${
BRIDGE
}
]
;
then
stop force 2>/dev/null
||
true
fi
FAILED
=
1
cleanup
()
{
set
+e
if
[
"
${
FAILED
}
"
=
"1"
]
;
then
echo
"Failed to setup anbox-bridge."
>
&2
stop force
fi
}
trap
cleanup EXIT HUP INT TERM
set
-e
# set up the anbox network
[
!
-d
"/sys/class/net/
${
BRIDGE
}
"
]
&&
ip
link
add dev
"
${
BRIDGE
}
"
type
bridge
if
[
"
${
HAS_IPV6
}
"
=
"true"
]
;
then
echo
0
>
"/proc/sys/net/ipv6/conf/
${
BRIDGE
}
/autoconf"
||
true
echo
0
>
"/proc/sys/net/ipv6/conf/
${
BRIDGE
}
/accept_dad"
||
true
fi
# if we are run from systemd on a system with selinux enabled,
# the mkdir will create /run/anbox as init_var_run_t which dnsmasq
# can't write its pid into, so we restorecon it (to var_run_t)
if
[
!
-d
"
${
varrun
}
"
]
;
then
mkdir
-p
"
${
varrun
}
"
if
which restorecon
>
/dev/null 2>&1
;
then
restorecon
"
${
varrun
}
"
fi
fi
if
[
!
-d
"
${
varlib
}
"
]
;
then
mkdir
-p
"
${
varlib
}
"
if
which restorecon
>
/dev/null 2>&1
;
then
restorecon
"
${
varlib
}
"
fi
fi
ifup
"
${
BRIDGE
}
"
"
${
IPV4_ADDR
}
"
"
${
IPV4_NETMASK
}
"
IPV4_ARG
=
""
if
[
-n
"
${
IPV4_ADDR
}
"
]
&&
[
-n
"
${
IPV4_NETMASK
}
"
]
&&
[
-n
"
${
IPV4_NETWORK
}
"
]
;
then
echo
1
>
/proc/sys/net/ipv4/ip_forward
if
[
"
${
IPV4_NAT
}
"
=
"true"
]
;
then
iptables
"
${
use_iptables_lock
}
"
-t
nat
-A
POSTROUTING
-s
"
${
IPV4_NETWORK
}
"
!
-d
"
${
IPV4_NETWORK
}
"
-j
MASQUERADE
-m
comment
--comment
"managed by anbox-bridge"
fi
IPV4_ARG
=
"--listen-address
${
IPV4_ADDR
}
--dhcp-range
${
IPV4_DHCP_RANGE
}
--dhcp-lease-max=
${
IPV4_DHCP_MAX
}
"
fi
IPV6_ARG
=
""
if
[
"
${
HAS_IPV6
}
"
=
"true"
]
&&
[
-n
"
${
IPV6_ADDR
}
"
]
&&
[
-n
"
${
IPV6_MASK
}
"
]
&&
[
-n
"
${
IPV6_NETWORK
}
"
]
;
then
# IPv6 sysctls don't respect the "all" path...
for
interface
in
/proc/sys/net/ipv6/conf/
*
;
do
echo
2
>
"
${
interface
}
/accept_ra"
done
for
interface
in
/proc/sys/net/ipv6/conf/
*
;
do
echo
1
>
"
${
interface
}
/forwarding"
done
ip
-6
addr add dev
"
${
BRIDGE
}
"
"
${
IPV6_ADDR
}
/
${
IPV6_MASK
}
"
if
[
"
${
IPV6_NAT
}
"
=
"true"
]
;
then
ip6tables
"
${
use_iptables_lock
}
"
-t
nat
-A
POSTROUTING
-s
"
${
IPV6_NETWORK
}
"
!
-d
"
${
IPV6_NETWORK
}
"
-j
MASQUERADE
-m
comment
--comment
"managed by anbox-bridge"
fi
IPV6_ARG
=
"--dhcp-range=
${
IPV6_ADDR
}
,ra-stateless,ra-names --listen-address
${
IPV6_ADDR
}
"
fi
iptables
"
${
use_iptables_lock
}
"
-I
INPUT
-i
"
${
BRIDGE
}
"
-p
udp
--dport
67
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
"
${
use_iptables_lock
}
"
-I
INPUT
-i
"
${
BRIDGE
}
"
-p
tcp
--dport
67
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
"
${
use_iptables_lock
}
"
-I
INPUT
-i
"
${
BRIDGE
}
"
-p
udp
--dport
53
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
"
${
use_iptables_lock
}
"
-I
INPUT
-i
"
${
BRIDGE
}
"
-p
tcp
--dport
53
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
"
${
use_iptables_lock
}
"
-I
FORWARD
-i
"
${
BRIDGE
}
"
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
"
${
use_iptables_lock
}
"
-I
FORWARD
-o
"
${
BRIDGE
}
"
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
"
${
use_iptables_lock
}
"
-t
mangle
-A
POSTROUTING
-o
"
${
BRIDGE
}
"
-p
udp
-m
udp
--dport
68
-j
CHECKSUM
--checksum-fill
-m
comment
--comment
"managed by anbox-bridge"
DOMAIN_ARG
=
""
if
[
-n
"
${
DOMAIN
}
"
]
;
then
DOMAIN_ARG
=
"-s
${
DOMAIN
}
-S /
${
DOMAIN
}
/"
fi
CONFILE_ARG
=
""
if
[
-n
"
${
CONFILE
}
"
]
;
then
CONFILE_ARG
=
"--conf-file=
${
CONFILE
}
"
fi
# https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010561.html
for
DNSMASQ_USER
in
anbox dnsmasq nobody
do
if
getent passwd
"
${
DNSMASQ_USER
}
"
>
/dev/null
;
then
break
fi
done
if
[
-n
"
${
IPV4_ADDR
}
"
]
||
[
-n
"
${
IPV6_ADDR
}
"
]
;
then
# shellcheck disable=SC2086
dnsmasq
${
CONFILE_ARG
}
${
DOMAIN_ARG
}
-u
"
${
DNSMASQ_USER
}
"
--strict-order
--bind-interfaces
--pid-file
=
"
${
varrun
}
/dnsmasq.pid"
--dhcp-no-override
--except-interface
=
lo
--interface
=
"
${
BRIDGE
}
"
--dhcp-leasefile
=
"
${
varlib
}
/dnsmasq.
${
BRIDGE
}
.leases"
--dhcp-authoritative
${
IPV4_ARG
}
${
IPV6_ARG
}
||
cleanup
fi
if
[
"
${
HAS_IPV6
}
"
=
"true"
]
&&
[
"
${
IPV6_PROXY
}
"
=
"true"
]
;
then
PATH
=
"
${
PATH
}
:
$(
dirname
"
${
0
}
"
)
"
anbox-bridge-proxy
--addr
=
"[fe80::1%
${
BRIDGE
}
]:13128"
&
PID
=
$!
echo
"
${
PID
}
"
>
"
${
varrun
}
/proxy.pid"
fi
touch
"
${
varrun
}
/network_up"
FAILED
=
0
}
stop
()
{
[
-f
"
${
varrun
}
/network_up"
]
||
[
"
${
1
}
"
=
"force"
]
||
{
echo
"anbox-bridge isn't running"
;
exit
1
;
}
if
[
-d
/sys/class/net/
${
BRIDGE
}
]
;
then
ifdown
${
BRIDGE
}
iptables
${
use_iptables_lock
}
-D
INPUT
-i
${
BRIDGE
}
-p
udp
--dport
67
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
${
use_iptables_lock
}
-D
INPUT
-i
${
BRIDGE
}
-p
tcp
--dport
67
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
${
use_iptables_lock
}
-D
INPUT
-i
${
BRIDGE
}
-p
udp
--dport
53
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
${
use_iptables_lock
}
-D
INPUT
-i
${
BRIDGE
}
-p
tcp
--dport
53
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
${
use_iptables_lock
}
-D
FORWARD
-i
${
BRIDGE
}
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
${
use_iptables_lock
}
-D
FORWARD
-o
${
BRIDGE
}
-j
ACCEPT
-m
comment
--comment
"managed by anbox-bridge"
iptables
${
use_iptables_lock
}
-t
mangle
-D
POSTROUTING
-o
${
BRIDGE
}
-p
udp
-m
udp
--dport
68
-j
CHECKSUM
--checksum-fill
-m
comment
--comment
"managed by anbox-bridge"
if
[
-n
"
${
IPV4_NETWORK
}
"
]
&&
[
"
${
IPV4_NAT
}
"
=
"true"
]
;
then
iptables
${
use_iptables_lock
}
-t
nat
-D
POSTROUTING
-s
${
IPV4_NETWORK
}
!
-d
${
IPV4_NETWORK
}
-j
MASQUERADE
-m
comment
--comment
"managed by anbox-bridge"
fi
if
[
"
${
HAS_IPV6
}
"
=
"true"
]
&&
[
-n
"
${
IPV6_NETWORK
}
"
]
&&
[
"
${
IPV6_NAT
}
"
=
"true"
]
;
then
ip6tables
${
use_iptables_lock
}
-t
nat
-D
POSTROUTING
-s
${
IPV6_NETWORK
}
!
-d
${
IPV6_NETWORK
}
-j
MASQUERADE
-m
comment
--comment
"managed by anbox-bridge"
fi
if
[
-e
"
${
varrun
}
/dnsmasq.pid"
]
;
then
pid
=
$(
cat
"
${
varrun
}
/dnsmasq.pid"
2>/dev/null
)
&&
kill
-9
"
${
pid
}
"
rm
-f
"
${
varrun
}
/dnsmasq.pid"
fi
if
[
-e
"
${
varrun
}
/proxy.pid"
]
;
then
pid
=
$(
cat
"
${
varrun
}
/proxy.pid"
2>/dev/null
)
&&
kill
-9
"
${
pid
}
"
rm
-f
"
${
varrun
}
/proxy.pid"
fi
# if ${BRIDGE} has attached interfaces, don't destroy the bridge
ls
/sys/class/net/
${
BRIDGE
}
/brif/
*
>
/dev/null 2>&1
||
ip
link
delete
"
${
BRIDGE
}
"
fi
rm
-f
"
${
varrun
}
/network_up"
}
# See how we were called.
case
"
${
1
}
"
in
start
)
start
;;
stop
)
stop
;;
restart|reload|force-reload
)
${
0
}
stop
${
0
}
start
;;
*
)
echo
"Usage:
${
0
}
{start|stop|restart|reload|force-reload}"
exit
2
esac
exit
$?
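Review bot: In `start()` every `iptables`/`ip6tables` call passes `"${use_iptables_lock}"` in quotes, so on a host whose iptables lacks `-w` the variable is empty and the command receives an empty-string argument; under `set -e` that would abort setup at the first rule. `stop()` already uses the unquoted form, so the start side should match it, e.g. `iptables ${use_iptables_lock} -I INPUT -i "${BRIDGE}" ...` with `# shellcheck disable=SC2086` above. Separately, `start()` writes `1` to `/proc/sys/net/ipv4/ip_forward`, sets `forwarding=1` and `accept_ra=2` for every entry under `/proc/sys/net/ipv6/conf/*`, and inserts unconditional `FORWARD ... -j ACCEPT` rules with `-I` ahead of whatever the host already has, while `stop()` removes only the iptables rules. The host therefore keeps forwarding and accepting router advertisements on all interfaces after the bridge is torn down; recording the previous sysctl values and restoring them in `stop()`, and documenting the FORWARD rules as a deliberate bypass of host policy, would keep the change scoped to the container network.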
src/anbox/container/lxc_container.cpp
...
...
@@ -106,6 +106,10 @@ void LxcContainer::start(const Configuration &configuration) {
set_config_item
(
"lxc.loglevel"
,
"0"
);
set_config_item
(
"lxc.logfile"
,
utils
::
string_format
(
"%s/container.log"
,
config
::
log_path
()).
c_str
());
set_config_item
(
"lxc.network.type"
,
"veth"
);
set_config_item
(
"lxc.network.flags"
,
"up"
);
set_config_item
(
"lxc.network.link"
,
"anboxbr0"
);
#if 0
// Android uses namespaces as well so we have to allow nested namespaces for LXC
// which are otherwise forbidden by AppArmor.
...
...
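Review bot: The bridge name `"anboxbr0"` is hard-coded in the `lxc.network.link` line and duplicates `BRIDGE="anboxbr0"` in scripts/anbox-bridge.sh, and nothing visible in this hunk checks that the bridge exists before the container is started. If the script has not run, the veth attach presumably fails inside LXC with a less obvious error. A comment such as `// Must match BRIDGE in scripts/anbox-bridge.sh; the bridge has to be up before the container starts` or a shared named constant would document the coupling. `LxcContainer::start` begins and ends outside the hunk.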