diff --git a/hack/dockerfile/install/proxy.installer b/hack/dockerfile/install/proxy.installer
index a9562dfa8c..b7ce672fad 100755
--- a/hack/dockerfile/install/proxy.installer
+++ b/hack/dockerfile/install/proxy.installer
@@ -3,7 +3,7 @@
 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
 # updating the binary version, consider updating github.com/docker/libnetwork
 # in vendor.conf accordingly
-: "${LIBNETWORK_COMMIT:=fa125a3512ee0f6187721c88582bf8c4378bd4d7}"
+: "${LIBNETWORK_COMMIT:=b3507428be5b458cb0e2b4086b13531fb0706e46}"
 install_proxy() {
 case "$1" in
diff --git a/integration-cli/docker_cli_port_test.go b/integration-cli/docker_cli_port_test.go
index 46722ae471..dd41d9891f 100644
--- a/integration-cli/docker_cli_port_test.go
+++ b/integration-cli/docker_cli_port_test.go
@@ -20,13 +20,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 out, _ = dockerCmd(c, "port", firstID, "80")
- err := assertPortList(c, out, []string{"0.0.0.0:9876"})
+ err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
 // Port list is not correct
 assert.NilError(c, err)
 out, _ = dockerCmd(c, "port", firstID)
- err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876"})
+ err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876", "80/tcp -> [::]:9876"})
 // Port list is not correct
 assert.NilError(c, err)
@@ -42,7 +42,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 out, _ = dockerCmd(c, "port", ID, "80")
- err = assertPortList(c, out, []string{"0.0.0.0:9876"})
+ err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
 // Port list is not correct
 assert.NilError(c, err)
@@ -50,8 +50,11 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 err = assertPortList(c, out, []string{
 "80/tcp -> 0.0.0.0:9876",
+ "80/tcp -> [::]:9876",
 "81/tcp -> 0.0.0.0:9877",
+ "81/tcp -> [::]:9877",
 "82/tcp -> 0.0.0.0:9878",
+ "82/tcp -> [::]:9878",
 })
 // Port list is not correct
 assert.NilError(c, err)
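Review bot: The updated expectations in TestPortList now require a `[::]` entry for every published port, here and in the later hunks of this file (including TestPortHostBinding), with no guard for environments where that binding is not created. Judging from the vendored port_mapping.go hunk in this same diff, a container without an IPv6 address only gets the IPv6 host binding when the userland proxy is enabled, so these assertions would presumably fail on a daemon started with the proxy disabled or on a host without IPv6. Consider building the expected list conditionally, or at least documenting the assumption with a comment such as `// [::] entries require the userland proxy and host IPv6 support`. TestPortList's body continues outside the hunk.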
@@ -69,7 +72,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 out, _ = dockerCmd(c, "port", ID, "80")
- err = assertPortList(c, out, []string{"0.0.0.0:9876", "0.0.0.0:9999"})
+ err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876", "0.0.0.0:9999", "[::]:9999"})
 // Port list is not correct
 assert.NilError(c, err)
@@ -78,8 +81,12 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 err = assertPortList(c, out, []string{
 "80/tcp -> 0.0.0.0:9876",
 "80/tcp -> 0.0.0.0:9999",
+ "80/tcp -> [::]:9876",
+ "80/tcp -> [::]:9999",
 "81/tcp -> 0.0.0.0:9877",
+ "81/tcp -> [::]:9877",
 "82/tcp -> 0.0.0.0:9878",
+ "82/tcp -> [::]:9878",
 })
 // Port list is not correct
 assert.NilError(c, err)
@@ -94,7 +101,10 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 out, _ = dockerCmd(c, "port", IDs[i])
- err = assertPortList(c, out, []string{fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i)})
+ err = assertPortList(c, out, []string{
+ fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i),
+ fmt.Sprintf("80/tcp -> [::]:%d", 9090+i),
+ })
 // Port list is not correct
 assert.NilError(c, err)
 }
@@ -127,9 +137,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 err = assertPortList(c, out, []string{
 "80/tcp -> 0.0.0.0:9800",
+ "80/tcp -> [::]:9800",
 "81/tcp -> 0.0.0.0:9801",
+ "81/tcp -> [::]:9801",
 "82/tcp -> 0.0.0.0:9802",
+ "82/tcp -> [::]:9802",
 "83/tcp -> 0.0.0.0:9803",
+ "83/tcp -> [::]:9803",
 })
 // Port list is not correct
 assert.NilError(c, err)
@@ -305,7 +319,7 @@ func (s *DockerSuite) TestPortHostBinding(c *testing.T) {
 out, _ = dockerCmd(c, "port", firstID, "80")
- err := assertPortList(c, out, []string{"0.0.0.0:9876"})
+ err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
 // Port list is not correct
 assert.NilError(c, err)
diff --git a/vendor.conf b/vendor.conf
index 4381943aed..abedda4ee8 100644
--- a/vendor.conf
+++ b/vendor.conf
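Review bot: Nothing in these tests pins down that the new IPv6 listener appears only for unspecified host addresses; every changed assertion, including this one in TestPortHostBinding, covers what looks like the default publish form (inferred from the `0.0.0.0` expectations). Since a default publish is now also reachable over IPv6, a regression that widened a loopback-only or IPv4-only binding would go unnoticed by this suite. A negative case would help: publish with an explicit IPv4 host address and assert that the list holds only that entry, for example `err = assertPortList(c, out, []string{"127.0.0.1:9876"})` (constructed example values). The function body starts and ends outside the hunk.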
@@ -47,7 +47,7 @@ github.com/grpc-ecosystem/go-grpc-middleware 3c51f7f332123e8be5a157c0802a
 # libnetwork
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
-github.com/docker/libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7
+github.com/docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46
 github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f
 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
diff --git a/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go b/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go
index 56a9271ea7..946130ecdd 100644
--- a/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go
+++ b/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go
@@ -49,8 +49,16 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
 }
 bs = append(bs, bIPv4)
 }
+
 // Allocate IPv6 Port mappings
- if ok := n.validatePortBindingIPv6(&bIPv6, containerIPv6, defHostIP); ok {
+ // If the container has no IPv6 address, allow proxying host IPv6 traffic to it
+ // by setting up the binding with the IPv4 interface if the userland proxy is enabled
+ // This change was added to keep backward compatibility
+ containerIP := containerIPv6
+ if ulPxyEnabled && (containerIPv6 == nil) {
+ containerIP = containerIPv4
+ }
+ if ok := n.validatePortBindingIPv6(&bIPv6, containerIP, defHostIP); ok {
 if err := n.allocatePort(&bIPv6, ulPxyEnabled); err != nil {
 // On allocation failure, release previously allocated ports. On cleanup error, just log a warning message
 if cuErr := n.releasePortsInternal(bs); cuErr != nil {
@@ -67,7 +75,7 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
 // validatePortBindingIPv4 validates the port binding, populates the missing Host IP field and returns true
 // if this is a valid IPv4 binding, else returns false
 func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containerIPv4, defHostIP net.IP) bool {
- //Return early if there is a valid Host IP, but its not a IPv6 address
+ //Return early if there is a valid Host IP, but its not a IPv4 address
 if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {
 return false
 }
@@ -85,10 +93,10 @@ func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containe
 }
 // validatePortBindingIPv6 validates the port binding, populates the missing Host IP field and returns true
-// if this is a valid IP6v binding, else returns false
-func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIPv6, defHostIP net.IP) bool {
- // Return early if there is no IPv6 container endpoint
- if containerIPv6 == nil {
+// if this is a valid IPv6 binding, else returns false
+func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIP, defHostIP net.IP) bool {
+ // Return early if there is no container endpoint
+ if containerIP == nil {
 return false
 }
 // Return early if there is a valid Host IP, which is a IPv4 address
@@ -108,9 +116,8 @@ func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containe
 return false
 }
 }
- bnd.IP = containerIPv6
+ bnd.IP = containerIP
 return true
-
 }
 func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool) error {
@@ -132,7 +139,7 @@ func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool)
 portmapper := n.portMapper
- if bnd.IP.To4() == nil {
+ if bnd.HostIP.To4() == nil {
 portmapper = n.portMapperV6
 }
diff --git a/vendor/github.com/docker/libnetwork/iptables/iptables.go b/vendor/github.com/docker/libnetwork/iptables/iptables.go
index 20c35d46de..9bd100f1e8 100644
--- a/vendor/github.com/docker/libnetwork/iptables/iptables.go
+++ b/vendor/github.com/docker/libnetwork/iptables/iptables.go
@@ -512,8 +512,14 @@ func filterOutput(start time.Time, output []byte, args ...string) []byte {
 // Raw calls 'iptables' system command, passing supplied arguments.
 func (iptable IPTable) Raw(args ...string) ([]byte, error) {
 if firewalldRunning {
+ // select correct IP version for firewalld
+ ipv := Iptables
+ if iptable.Version == IPv6 {
+ ipv = IP6Tables
+ }
+
 startTime := time.Now()
- output, err := Passthrough(Iptables, args...)
+ output, err := Passthrough(ipv, args...)
 if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") {
 return filterOutput(startTime, output, args...), err
 }