summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/containers.py26
1 files changed, 25 insertions, 1 deletions
diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py
index 3d5795016..9b7a52d26 100755
--- a/src/conf_mode/containers.py
+++ b/src/conf_mode/containers.py
@@ -17,6 +17,9 @@
import os
import json
+from ipaddress import ip_address
+from ipaddress import ip_network
+
from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.configdict import node_changed
@@ -99,11 +102,32 @@ def verify(container):
if len(container_config['network']) > 1:
raise ConfigError(f'Only one network can be specified for container "{name}"!')
+
# Check if the specified container network exists
network_name = list(container_config['network'])[0]
- if network_name not in container_config['network']:
+ if network_name not in container['network']:
raise ConfigError('Container network "{network_name}" does not exist!')
+ if 'address' in container_config['network'][network_name]:
+ if 'network' not in container_config:
+ raise ConfigError(f'Can not use "address" without "network" for container "{name}"!')
+
+ address = container_config['network'][network_name]['address']
+ network = None
+ if is_ipv4(address):
+ network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0]
+ elif is_ipv6(address):
+ network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0]
+
+ # Specified container IP address must belong to network prefix
+ if ip_address(address) not in ip_network(network):
+ raise ConfigError(f'Used container address "{address}" not in network "{network}"!')
+
+ # We can not use the first IP address of a network prefix as this is used by podman
+ if ip_address(address) == ip_network(network)[1]:
+ raise ConfigError(f'Address "{address}" reserved for the container engine!')
+
+
# Container image is a mandatory option
if 'image' not in container_config:
raise ConfigError(f'Container image for "{name}" is mandatory!')