diff --git a/hack/dockerfile/install/proxy.installer b/hack/dockerfile/install/proxy.installer index 72a7c11a0b..dad0b68f60 100755 --- a/hack/dockerfile/install/proxy.installer +++ b/hack/dockerfile/install/proxy.installer @@ -3,7 +3,7 @@ # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When # updating the binary version, consider updating github.com/docker/libnetwork # in vendor.conf accordingly -: "${LIBNETWORK_COMMIT:=dcdf8f176d1e13ad719e913e796fb698d846de98}" +: "${LIBNETWORK_COMMIT:=374259e8316124ccf1fc38c0c0f3430f8d0e9c76}" install_proxy() { case "$1" in diff --git a/vendor.conf b/vendor.conf index 11b4b6bd02..93d6dd08ba 100644 --- a/vendor.conf +++ b/vendor.conf @@ -48,7 +48,7 @@ github.com/grpc-ecosystem/go-grpc-middleware 3c51f7f332123e8be5a157c0802a # libnetwork # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly -github.com/docker/libnetwork 1f3b98be6833a93f254aa0f765ff55d407dfdd69 +github.com/docker/libnetwork 374259e8316124ccf1fc38c0c0f3430f8d0e9c76 github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 github.com/armon/go-metrics f0300d1749da6fa982027e449ec0c7a145510c3c # v0.4.1 diff --git a/vendor/github.com/docker/libnetwork/iptables/iptables.go b/vendor/github.com/docker/libnetwork/iptables/iptables.go index 9e84b1242b..639e195131 100644 --- a/vendor/github.com/docker/libnetwork/iptables/iptables.go +++ b/vendor/github.com/docker/libnetwork/iptables/iptables.go @@ -5,7 +5,6 @@ import ( "fmt" "net" "os/exec" - "regexp" "strconv" "strings" "sync" @@ -54,7 +53,6 @@ var ( iptablesPath string ip6tablesPath string supportsXlock = false - supportsCOpt = false xLockWaitMsg = "Another app is currently holding the xtables lock" // used to lock iptables commands if xtables lock is not supported bestEffortLock sync.Mutex @@ -86,19 +84,27 @@ func (e ChainError) Error() string { return fmt.Sprintf("Error iptables %s: %s", e.Chain, string(e.Output)) } -func probe() { +func detectIptables() { path, err := exec.LookPath("iptables") if err != nil { - logrus.Warnf("Failed to find iptables: %v", err) + logrus.WithError(err).Warnf("failed to find iptables") return } - if out, err := exec.Command(path, "--wait", "-t", "nat", "-L", "-n").CombinedOutput(); err != nil { - logrus.Warnf("Running iptables --wait -t nat -L -n failed with message: `%s`, error: %v", strings.TrimSpace(string(out)), err) + iptablesPath = path + + // The --wait flag was added in iptables v1.6.0. + // TODO remove this check once we drop support for CentOS/RHEL 7, which uses an older version of iptables + if out, err := exec.Command(path, "--wait", "-L", "-n").CombinedOutput(); err != nil { + logrus.WithError(err).Infof("unable to detect if iptables supports xlock: 'iptables --wait -L -n': `%s`", strings.TrimSpace(string(out))) + } else { + supportsXlock = true } - _, err = exec.LookPath("ip6tables") + + path, err = exec.LookPath("ip6tables") if err != nil { - logrus.Warnf("Failed to find ip6tables: %v", err) - return + logrus.WithError(err).Warnf("unable to find ip6tables") + } else { + ip6tablesPath = path } } @@ -110,32 +116,11 @@ func initFirewalld() { return } if err := FirewalldInit(); err != nil { - logrus.Debugf("Fail to initialize firewalld: %v, using raw iptables instead", err) + logrus.WithError(err).Debugf("unable to initialize firewalld; using raw iptables instead") } } -func detectIptables() { - path, err := exec.LookPath("iptables") - if err != nil { - return - } - iptablesPath = path - path, err = exec.LookPath("ip6tables") - if err != nil { - return - } - ip6tablesPath = path - supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil - mj, mn, mc, err := GetVersion() - if err != nil { - logrus.Warnf("Failed to read iptables version: %v", err) - return - } - supportsCOpt = supportsCOption(mj, mn, mc) -} - func initDependencies() { - probe() initFirewalld() detectIptables() } @@ -475,26 +460,9 @@ func (iptable IPTable) exists(native bool, table Table, chain string, rule ...st return false } - if supportsCOpt { - // if exit status is 0 then return true, the rule exists - _, err := f(append([]string{"-t", string(table), "-C", chain}, rule...)...) - return err == nil - } - - // parse "iptables -S" for the rule (it checks rules in a specific chain - // in a specific table and it is very unreliable) - return iptable.existsRaw(table, chain, rule...) -} - -func (iptable IPTable) existsRaw(table Table, chain string, rule ...string) bool { - path := iptablesPath - if iptable.Version == IPv6 { - path = ip6tablesPath - } - ruleString := fmt.Sprintf("%s %s\n", chain, strings.Join(rule, " ")) - existingRules, _ := exec.Command(path, "-t", string(table), "-S", chain).Output() - - return strings.Contains(string(existingRules), ruleString) + // if exit status is 0 then return true, the rule exists + _, err := f(append([]string{"-t", string(table), "-C", chain}, rule...)...) + return err == nil } // Maximum duration that an iptables operation can take @@ -548,6 +516,9 @@ func (iptable IPTable) raw(args ...string) ([]byte, error) { path := iptablesPath commandName := "iptables" if iptable.Version == IPv6 { + if ip6tablesPath == "" { + return nil, fmt.Errorf("ip6tables is missing") + } path = ip6tablesPath commandName = "ip6tables" } @@ -589,15 +560,6 @@ func (iptable IPTable) ExistChain(chain string, table Table) bool { return false } -// GetVersion reads the iptables version numbers during initialization -func GetVersion() (major, minor, micro int, err error) { - out, err := exec.Command(iptablesPath, "--version").CombinedOutput() - if err == nil { - major, minor, micro = parseVersionNumbers(string(out)) - } - return -} - // SetDefaultPolicy sets the passed default policy for the table/chain func (iptable IPTable) SetDefaultPolicy(table Table, chain string, policy Policy) error { if err := iptable.RawCombinedOutput("-t", string(table), "-P", chain, string(policy)); err != nil { @@ -606,19 +568,6 @@ func (iptable IPTable) SetDefaultPolicy(table Table, chain string, policy Policy return nil } -func parseVersionNumbers(input string) (major, minor, micro int) { - re := regexp.MustCompile(`v\d*.\d*.\d*`) - line := re.FindString(input) - fmt.Sscanf(line, "v%d.%d.%d", &major, &minor, µ) - return -} - -// iptables -C, --check option was added in v.1.4.11 -// http://ftp.netfilter.org/pub/iptables/changes-iptables-1.4.11.txt -func supportsCOption(mj, mn, mc int) bool { - return mj > 1 || (mj == 1 && (mn > 4 || (mn == 4 && mc >= 11))) -} - // AddReturnRule adds a return rule for the chain in the filter table func (iptable IPTable) AddReturnRule(chain string) error { var (