vagrant-lxc 1.0.1 → 1.1.0

data/lib/vagrant-lxc/action/create.rb

@@ -16,11 +16,7 @@ module Vagrant
             when String
               # Nothing to do here, move along...
             else
-              container_name = "#{env[:root_path].basename}_#{env[:machine].name}"
-              container_name.gsub!(/[^-a-z0-9_]/i, "")
-              # milliseconds + random number suffix to allow for simultaneous
-              # `vagrant up` of the same box in different dirs
-              container_name << "_#{(Time.now.to_f * 1000.0).to_i}_#{rand(100000)}"
+              container_name = generate_container_name(env)
           end
 
           env[:machine].provider.driver.create(
@@ -36,6 +32,19 @@ module Vagrant
 
           @app.call env
         end
+
+        def generate_container_name(env)
+          container_name = "#{env[:root_path].basename}_#{env[:machine].name}"
+          container_name.gsub!(/[^-a-z0-9_]/i, "")
+
+          # milliseconds + random number suffix to allow for simultaneous
+          # `vagrant up` of the same box in different dirs
+          container_name << "_#{(Time.now.to_f * 1000.0).to_i}_#{rand(100000)}"
+
+          # Trim container name to 64 chars, keeping "randomness"
+          trim_point = container_name.size > 64 ? -64 : -(container_name.size)
+          container_name[trim_point..-1]
+        end
       end
     end
   end

data/lib/vagrant-lxc/action/gc_private_network_bridges.rb

@@ -0,0 +1,46 @@
+module Vagrant
+  module LXC
+    module Action
+      class GcPrivateNetworkBridges
+        def initialize(app, env)
+          @app = app
+        end
+
+        def call(env)
+          was_running = env[:machine].provider.state.id == :running
+
+          # Continue execution, we need the container to be stopped
+          @app.call(env)
+
+          was_running = was_running && env[:machine].provider.state.id != :running
+
+          if was_running && private_network_configured?(env[:machine].config)
+            private_network_configured?(env[:machine].config)
+            remove_bridges_that_are_not_in_use(env)
+          end
+        end
+
+        def private_network_configured?(config)
+          config.vm.networks.find do |type, _|
+            type.to_sym == :private_network
+          end
+        end
+
+        def remove_bridges_that_are_not_in_use(env)
+          env[:machine].config.vm.networks.find do |type, config|
+            next if type.to_sym != :private_network
+
+            bridge = config.fetch(:lxc__bridge_name)
+            driver = env[:machine].provider.driver
+
+            if ! driver.bridge_is_in_use?(bridge)
+              env[:ui].info I18n.t("vagrant_lxc.messages.remove_bridge", name: bridge)
+              # TODO: Output that bridge is being removed
+              driver.remove_bridge(bridge)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-lxc/action/private_networks.rb

@@ -0,0 +1,43 @@
+module Vagrant
+  module LXC
+    module Action
+      class PrivateNetworks
+        def initialize(app, env)
+          @app = app
+        end
+
+        def call(env)
+          @app.call(env)
+
+          if private_network_configured?(env[:machine].config)
+            env[:ui].output(I18n.t("vagrant_lxc.messages.setup_private_network"))
+            configure_private_networks(env)
+          end
+        end
+
+        def private_network_configured?(config)
+          config.vm.networks.find do |type, _|
+            type.to_sym == :private_network
+          end
+        end
+
+        def configure_private_networks(env)
+          env[:machine].config.vm.networks.find do |type, config|
+            next if type.to_sym != :private_network
+
+            container_name = env[:machine].provider.driver.container_name
+            ip             = config[:ip]
+            bridge_ip      = config.fetch(:lxc__bridge_ip) { build_bridge_ip(ip) }
+            bridge         = config.fetch(:lxc__bridge_name)
+
+            env[:machine].provider.driver.configure_private_network(bridge, bridge_ip, container_name, ip)
+          end
+        end
+
+        def build_bridge_ip(ip)
+          ip.sub(/^(\d+\.\d+\.\d+)\.\d+/, '\1.254')
+        end
+      end
+    end
+  end
+end

data/lib/vagrant-lxc/action/warn_networks.rb

@@ -7,16 +7,16 @@ module Vagrant
         end
 
         def call(env)
-          if public_or_private_network_configured?(env[:machine].config)
+          if public_network_configured?(env[:machine].config)
             env[:ui].warn(I18n.t("vagrant_lxc.messages.warn_networks"))
           end
 
           @app.call(env)
         end
 
-        def public_or_private_network_configured?(config)
+        def public_network_configured?(config)
           config.vm.networks.find do |type, _|
-            [:private_network, :public_network].include?(type.to_sym)
+            type.to_sym == :public_network
           end
         end
       end

data/lib/vagrant-lxc/command/sudoers.rb

@@ -46,8 +46,9 @@ module Vagrant
           wrapper = Tempfile.new('lxc-wrapper').tap do |file|
             template = Vagrant::Util::TemplateRenderer.new(
               'sudoers.rb',
-              :template_root => Vagrant::LXC.source_root.join('templates').to_s,
-              :cmd_paths     => build_cmd_paths_hash
+              :template_root  => Vagrant::LXC.source_root.join('templates').to_s,
+              :cmd_paths      => build_cmd_paths_hash,
+              :pipework_regex => "#{ENV['HOME']}/\.vagrant\.d/gems/gems/vagrant-lxc.+/scripts/pipework"
             )
             file.puts template.render
           end
@@ -78,7 +79,7 @@ module Vagrant
 
         def build_cmd_paths_hash
           {}.tap do |hash|
-            %w( which cat mkdir cp chown chmod rm tar chown ).each do |cmd|
+            %w( which cat mkdir cp chown chmod rm tar chown ip ifconfig brctl ).each do |cmd|
               hash[cmd] = `which #{cmd}`.strip
             end
             hash['lxc_bin'] = Pathname(`which lxc-create`.strip).parent.to_s

data/lib/vagrant-lxc/driver.rb

@@ -6,6 +6,8 @@ require "vagrant-lxc/driver/cli"
 
 require "etc"
 
+require "tempfile"
+
 module Vagrant
   module LXC
     class Driver
@@ -45,7 +47,21 @@ module Vagrant
       end
 
       def rootfs_path
-        Pathname.new(config_string.match(/^lxc\.rootfs\s+=\s+(.+)$/)[1])
+        config_entry = config_string.match(/^lxc\.rootfs\s+=\s+(.+)$/)[1]
+        case config_entry
+        when /^overlayfs:/
+          # Split on colon (:), ignoring any colon escaped by an escape character ( \ )
+          # Pays attention to when the escape character is itself escaped.
+          fs_type, master_path, overlay_path = config_entry.split(/(?<!\\)(?:\\\\)*:/)
+          if overlay_path
+            Pathname.new(overlay_path)
+          else
+            # Malformed: fall back to prior behaviour
+            Pathname.new(config_entry)
+          end
+        else
+          Pathname.new(config_entry)
+        end
       end
 
       def mac_address
@@ -124,6 +140,52 @@ module Vagrant
         @cli.attach(*command)
       end
 
+      def configure_private_network(bridge_name, bridge_ip, container_name, ip)
+        @logger.info "Configuring network interface for #{container_name} using #{ip} and bridge #{bridge_name}"
+        cmd = [
+          Vagrant::LXC.source_root.join('scripts/pipework').to_s,
+          bridge_name,
+          container_name,
+          "#{ip}/24"
+        ]
+        @sudo_wrapper.run(*cmd)
+
+        if ! bridge_has_an_ip?(bridge_name)
+          @logger.info "Adding #{bridge_ip} to the bridge #{bridge_name}"
+          cmd = [
+            'ip',
+            'addr',
+            'add',
+            "#{bridge_ip}/24",
+            'dev',
+            bridge_name
+          ]
+          @sudo_wrapper.run(*cmd)
+        end
+      end
+
+      def bridge_has_an_ip?(bridge_name)
+        @logger.info "Checking whether the bridge #{bridge_name} has an IP"
+        `ip -4 addr show scope global #{bridge_name}` =~ /^\s+inet ([0-9.]+)\/[0-9]+\s+/
+      end
+
+      def bridge_is_in_use?(bridge_name)
+        # REFACTOR: This method is **VERY** hacky
+        @logger.info "Checking if bridge #{bridge_name} is in use"
+        brctl_output = `brctl show #{bridge_name} 2>/dev/null | tail -n +2 | grep -q veth`
+        $?.to_i == 0
+      end
+
+      def remove_bridge(bridge_name)
+        @logger.info "Checking whether bridge #{bridge_name} exists"
+        brctl_output = `ifconfig -a | grep -q #{bridge_name}`
+        return if $?.to_i != 0
+
+        @logger.info "Removing bridge #{bridge_name}"
+        @sudo_wrapper.run('ifconfig', bridge_name, 'down')
+        @sudo_wrapper.run('brctl', 'delbr', bridge_name)
+      end
+
       def version
         @version ||= @cli.version
       end

data/lib/vagrant-lxc/driver/cli.rb

@@ -64,9 +64,9 @@ module Vagrant
 
           run :create,
               '-B', backingstore,
-              *(backingstore_options.to_a.flatten),
               '--template', template,
               '--name',     @name,
+              *(backingstore_options.to_a.flatten),
               *(config_opts),
               *extra
         rescue Errors::ExecuteError => e

data/lib/vagrant-lxc/errors.rb

@@ -18,6 +18,10 @@ module Vagrant
       class NamespacesNotSupported < Vagrant::Errors::VagrantError
       end
 
+      class LxcLinuxRequired < Vagrant::Errors::VagrantError
+        error_key(:lxc_linux_required)
+      end
+
       class LxcNotInstalled < Vagrant::Errors::VagrantError
         error_key(:lxc_not_installed)
       end

data/lib/vagrant-lxc/plugin.rb

@@ -1,5 +1,4 @@
 require 'vagrant'
-require 'vagrant-backports/utils'
 
 module Vagrant
   module LXC
@@ -10,9 +9,7 @@ module Vagrant
       LXC-based virtual machines.
       EOF
 
-      extra = []
-      extra << {parallel: true} if Vagrant::Backports.vagrant_1_2_or_later?
-      provider(:lxc, *extra) do
+      provider(:lxc, parallel: true, priority: 7) do
         require File.expand_path("../provider", __FILE__)
 
         I18n.load_path << File.expand_path(File.dirname(__FILE__) + '/../../locales/en.yml')
@@ -31,18 +28,14 @@ module Vagrant
         Config
       end
 
-      if Vagrant::Backports.vagrant_1_4_or_later?
-        synced_folder(:lxc) do
-          require File.expand_path("../synced_folder", __FILE__)
-          SyncedFolder
-        end
+      synced_folder(:lxc) do
+        require File.expand_path("../synced_folder", __FILE__)
+        SyncedFolder
       end
 
-      if Vagrant::Backports.vagrant_1_5_or_later?
-        provider_capability("lxc", "public_address") do
-          require_relative "provider/cap/public_address"
-          Provider::Cap::PublicAddress
-        end
+      provider_capability("lxc", "public_address") do
+        require_relative "provider/cap/public_address"
+        Provider::Cap::PublicAddress
       end
     end
   end

data/lib/vagrant-lxc/provider.rb

@@ -9,6 +9,14 @@ module Vagrant
     class Provider < Vagrant.plugin("2", :provider)
       attr_reader :driver
 
+      def self.usable?(raise_error=false)
+        if !Vagrant::Util::Platform.linux?
+          raise Errors::LxcLinuxRequired
+        end
+
+        true
+      end
+
       def initialize(machine)
         @logger    = Log4r::Logger.new("vagrant::provider::lxc")
         @machine   = machine
@@ -28,7 +36,7 @@ module Vagrant
 
       def ensure_lxc_installed!
         begin
-          sudo_wrapper.run("which", "lxc-create")
+          sudo_wrapper.run("/usr/bin/which", "lxc-create")
         rescue Vagrant::LXC::Errors::ExecuteError
           raise Errors::LxcNotInstalled
         end

data/lib/vagrant-lxc/version.rb

@@ -1,5 +1,5 @@
 module Vagrant
   module LXC
-    VERSION = "1.0.1"
+    VERSION = "1.1.0"
   end
 end

data/locales/en.yml

@@ -13,15 +13,18 @@ en:
       force_shutdown: |-
         Forcing shutdown of container...
       warn_networks: |-
-        Warning! The LXC provider doesn't support any of the Vagrant public / private
-        network configurations (ex: `config.vm.network :private_network, ip: "some-ip"`).
-        They will be silently ignored.
+        Warning! The LXC provider doesn't support public networks, the settings
+        will be silently ignored.
       warn_group: |-
         Warning! The LXC provider doesn't support the :group parameter for synced
         folders. It will be silently ignored.
       warn_owner: |-
         Warning! The LXC provider doesn't support the :owner parameter for synced
         folders. It will be silently ignored.
+      setup_private_network: |-
+        Setting up private networks...
+      remove_bridge: |-
+        Removing bridge '%{name}'...
 
   vagrant:
     commands:
@@ -56,6 +59,10 @@ en:
 
         Looked up under: %{paths}
 
+      lxc_linux_required: |-
+        The LXC provider only works on Linux. Please try to use
+        another provider.
+
       lxc_not_installed: |-
         The `lxc` package does not seem to be installed or is not accessible on the PATH.
 

data/scripts/pipework

@@ -0,0 +1,298 @@
+#!/bin/bash
+
+# Borrowed from https://github.com/jpetazzo/pipework
+
+set -e
+
+case "$1" in
+    --wait)
+      WAIT=1
+      ;;
+esac
+
+IFNAME=$1
+
+# default value set further down if not set here
+CONTAINER_IFNAME=
+if [ "$2" = "-i" ]; then
+  CONTAINER_IFNAME=$3
+  shift 2
+fi
+
+GUESTNAME=$2
+IPADDR=$3
+MACADDR=$4
+
+if echo $MACADDR | grep -q @
+then
+  VLAN=$(echo $MACADDR | cut -d@ -f2)
+  MACADDR=$(echo $MACADDR | cut -d@ -f1)
+else
+  VLAN=
+fi
+
+[ "$IPADDR" ] || [ "$WAIT" ] || {
+    echo "Syntax:"
+    echo "pipework <hostinterface> [-i containerinterface] <guest> <ipaddr>/<subnet>[@default_gateway] [macaddr][@vlan]"
+    echo "pipework <hostinterface> [-i containerinterface] <guest> dhcp [macaddr][@vlan]"
+    echo "pipework --wait [-i containerinterface]"
+    exit 1
+}
+
+# First step: determine type of first argument (bridge, physical interface...), skip if --wait set
+if [ -z "$WAIT" ]; then
+    if [ -d /sys/class/net/$IFNAME ]
+    then
+        if [ -d /sys/class/net/$IFNAME/bridge ]
+        then
+            IFTYPE=bridge
+            BRTYPE=linux
+        elif $(which ovs-vsctl >/dev/null 2>&1) && $(ovs-vsctl list-br|grep -q ^$IFNAME$)
+        then
+            IFTYPE=bridge
+            BRTYPE=openvswitch
+        elif [ $(cat /sys/class/net/$IFNAME/type) -eq 32 ]; # Infiniband IPoIB interface type 32
+        then
+            IFTYPE=ipoib
+            # The IPoIB kernel module is fussy, set device name to ib0 if not overridden
+            CONTAINER_IFNAME=${CONTAINER_IFNAME:-ib0}
+        else IFTYPE=phys
+        fi
+    else
+        # case "$IFNAME" in
+        # br*)
+            IFTYPE=bridge
+            BRTYPE=linux
+        #     ;;
+        # ovs*)
+        #     if ! $(which ovs-vsctl >/dev/null)
+        #     then
+        #         echo "Need OVS installed on the system to create an ovs bridge"
+        #     exit 1
+        #     fi
+        #     IFTYPE=bridge
+        #     BRTYPE=openvswitch
+        #     ;;
+        # *)
+        #     echo "I do not know how to setup interface $IFNAME."
+        #     exit 1
+        #     ;;
+        # esac
+    fi
+fi
+
+# Set the default container interface name to eth1 if not already set
+CONTAINER_IFNAME=${CONTAINER_IFNAME:-eth1}
+
+[ "$WAIT" ] && {
+  while ! grep -q ^1$ /sys/class/net/$CONTAINER_IFNAME/carrier 2>/dev/null
+  do sleep 1
+  done
+  exit 0
+}
+
+[ $IFTYPE = bridge ] && [ $BRTYPE = linux ] && [ "$VLAN" ] && {
+    echo "VLAN configuration currently unsupported for Linux bridge."
+    exit 1
+}
+
+[ $IFTYPE = ipoib ] && [ $MACADDR ] && {
+	echo "MACADDR configuration unsupported for IPoIB interfaces."
+	exit 1
+}
+
+# Second step: find the guest (for now, we only support LXC containers)
+while read dev mnt fstype options dump fsck
+do
+    [ "$fstype" != "cgroup" ] && continue
+    echo $options | grep -qw devices || continue
+    CGROUPMNT=$mnt
+done < /proc/mounts
+
+[ "$CGROUPMNT" ] || {
+    echo "Could not locate cgroup mount point."
+    exit 1
+}
+
+# Try to find a cgroup matching exactly the provided name.
+N=$(find "$CGROUPMNT" -name "$GUESTNAME" | wc -l)
+case "$N" in
+    0)
+	# If we didn't find anything, try to lookup the container with Docker.
+	if which docker >/dev/null
+	then
+        RETRIES=3
+        while [ $RETRIES -gt 0 ]; do
+      	    DOCKERPID=$(docker inspect --format='{{ .State.Pid }}' $GUESTNAME)
+            [ $DOCKERPID != 0 ] && break
+            sleep 1
+            RETRIES=$((RETRIES - 1))
+        done
+
+        [ "$DOCKERPID" = 0 ] && {
+      		echo "Docker inspect returned invalid PID 0"
+    		exit 1
+      	}
+
+        [ "$DOCKERPID" = "<no value>" ] && {
+      		echo "Container $GUESTNAME not found, and unknown to Docker."
+    		exit 1
+      	}
+	else
+	    echo "Container $GUESTNAME not found, and Docker not installed."
+	    exit 1
+	fi
+	;;
+    1)
+	true
+	;;
+    *)
+	echo "Found more than one container matching $GUESTNAME."
+	exit 1
+	;;
+esac
+
+if [ "$IPADDR" = "dhcp" ]
+then
+    # Check for first available dhcp client
+    DHCP_CLIENT_LIST="udhcpc dhcpcd dhclient"
+    for CLIENT in $DHCP_CLIENT_LIST; do
+        which $CLIENT >/dev/null && {
+            DHCP_CLIENT=$CLIENT
+            break
+        }
+    done
+    [ -z $DHCP_CLIENT ] && {
+    	echo "You asked for DHCP; but no DHCP client could be found."
+    	exit 1
+    }
+else
+    # Check if a subnet mask was provided.
+    echo $IPADDR | grep -q / || {
+	echo "The IP address should include a netmask."
+	echo "Maybe you meant $IPADDR/24 ?"
+	exit 1
+    }
+    # Check if a gateway address was provided.
+    if echo $IPADDR | grep -q @
+    then
+        GATEWAY=$(echo $IPADDR | cut -d@ -f2)
+        IPADDR=$(echo $IPADDR | cut -d@ -f1)
+    else
+        GATEWAY=
+    fi
+fi
+
+if [ $DOCKERPID ]; then
+  NSPID=$DOCKERPID
+else
+  NSPID=$(head -n 1 $(find "$CGROUPMNT" -name "$GUESTNAME" | head -n 1)/tasks)
+  [ "$NSPID" ] || {
+      echo "Could not find a process inside container $GUESTNAME."
+      exit 1
+  }
+fi
+
+# Check if an incompatible VLAN device already exists
+[ $IFTYPE = phys ] && [ "$VLAN" ] && [ -d /sys/class/net/$IFNAME.VLAN ] && {
+    [ -z "$(ip -d link show $IFNAME.$VLAN | grep "vlan.*id $VLAN")" ] && {
+        echo "$IFNAME.VLAN already exists but is not a VLAN device for tag $VLAN"
+        exit 1
+    }
+}
+
+[ ! -d /var/run/netns ] && mkdir -p /var/run/netns
+[ -f /var/run/netns/$NSPID ] && rm -f /var/run/netns/$NSPID
+ln -s /proc/$NSPID/ns/net /var/run/netns/$NSPID
+
+# Check if we need to create a bridge.
+[ $IFTYPE = bridge ] && [ ! -d /sys/class/net/$IFNAME ] && {
+    [ $BRTYPE = linux ] && {
+        (ip link add dev $IFNAME type bridge > /dev/null 2>&1) || (brctl addbr $IFNAME)
+        ip link set $IFNAME up
+    }
+    [ $BRTYPE = openvswitch ] && {
+        ovs-vsctl add-br $IFNAME
+    }
+}
+
+MTU=$(ip link show $IFNAME | awk '{print $5}')
+# If it's a bridge, we need to create a veth pair
+[ $IFTYPE = bridge ] && {
+    LOCAL_IFNAME="v${CONTAINER_IFNAME}pl${NSPID}"
+    GUEST_IFNAME="v${CONTAINER_IFNAME}pg${NSPID}"
+    ip link add name $LOCAL_IFNAME mtu $MTU type veth peer name $GUEST_IFNAME mtu $MTU
+    case "$BRTYPE" in
+        linux)
+            (ip link set $LOCAL_IFNAME master $IFNAME > /dev/null 2>&1) || (brctl addif $IFNAME $LOCAL_IFNAME)
+            ;;
+        openvswitch)
+            ovs-vsctl add-port $IFNAME $LOCAL_IFNAME ${VLAN:+"tag=$VLAN"}
+            ;;
+    esac
+    ip link set $LOCAL_IFNAME up
+}
+
+# Note: if no container interface name was specified, pipework will default to ib0
+# Note: no macvlan subinterface or ethernet bridge can be created against an
+# ipoib interface. Infiniband is not ethernet. ipoib is an IP layer for it.
+# To provide additional ipoib interfaces to containers use SR-IOV and pipework
+# to assign them.
+[ $IFTYPE = ipoib ] && {
+  GUEST_IFNAME=$CONTAINER_IFNAME
+}
+
+# If it's a physical interface, create a macvlan subinterface
+[ $IFTYPE = phys ] && {
+    [ "$VLAN" ] && {
+        [ ! -d /sys/class/net/$IFNAME.$VLAN ] && {
+            ip link add link $IFNAME name $IFNAME.$VLAN mtu $MTU type vlan id $VLAN
+        }
+
+        ip link set $IFNAME up
+        IFNAME=$IFNAME.$VLAN
+    }
+    GUEST_IFNAME=ph$NSPID$CONTAINER_IFNAME
+    ip link add link $IFNAME dev $GUEST_IFNAME mtu $MTU type macvlan mode bridge
+    ip link set $IFNAME up
+}
+
+ip link set $GUEST_IFNAME netns $NSPID
+ip netns exec $NSPID ip link set $GUEST_IFNAME name $CONTAINER_IFNAME
+[ "$MACADDR" ] && ip netns exec $NSPID ip link set dev $CONTAINER_IFNAME address $MACADDR
+if [ "$IPADDR" = "dhcp" ]
+then
+    [ $DHCP_CLIENT = "udhcpc"  ] && ip netns exec $NSPID $DHCP_CLIENT -qi $CONTAINER_IFNAME -x hostname:$GUESTNAME
+    if [ $DHCP_CLIENT = "dhclient"  ]
+    then
+        # kill dhclient after get ip address to prevent device be used after container close
+        ip netns exec $NSPID $DHCP_CLIENT -pf "/var/run/dhclient.$NSPID.pid" $CONTAINER_IFNAME
+        kill "$(cat "/var/run/dhclient.$NSPID.pid")"
+        rm "/var/run/dhclient.$NSPID.pid"
+    fi
+    [ $DHCP_CLIENT = "dhcpcd"  ] && ip netns exec $NSPID $DHCP_CLIENT -q $CONTAINER_IFNAME -h $GUESTNAME
+else
+    ip netns exec $NSPID ip addr add $IPADDR dev $CONTAINER_IFNAME
+    [ "$GATEWAY" ] && {
+	ip netns exec $NSPID ip route delete default >/dev/null 2>&1 && true
+    }
+    ip netns exec $NSPID ip link set $CONTAINER_IFNAME up
+    [ "$GATEWAY" ] && {
+	ip netns exec $NSPID ip route get $GATEWAY >/dev/null 2>&1 || \
+		ip netns exec $NSPID ip route add $GATEWAY/32 dev $CONTAINER_IFNAME
+	ip netns exec $NSPID ip route replace default via $GATEWAY
+    }
+fi
+
+# Give our ARP neighbors a nudge about the new interface
+if which arping > /dev/null 2>&1
+then
+    IPADDR=$(echo $IPADDR | cut -d/ -f1)
+    ip netns exec $NSPID arping -c 1 -A -I $CONTAINER_IFNAME $IPADDR > /dev/null 2>&1 || true
+else
+    echo "Warning: arping not found; interface may not be immediately reachable"
+fi
+
+# Remove NSPID to avoid `ip netns` catch it.
+[ -f /var/run/netns/$NSPID ] && rm -f /var/run/netns/$NSPID
+exit 0