diff --git a/hack/vendor.sh b/hack/vendor.sh
index 0616d9bbe2..acbc4cd001 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -21,7 +21,7 @@ clone git golang.org/x/net 3cffabab72adf04f8e3b01c5baf775361837b5fe https://gith
 clone hg code.google.com/p/gosqlite 74691fb6f837
 #get libnetwork packages
-clone git github.com/docker/libnetwork 2a5cb84758b5115d99d8f82c84845417c6c345a3
+clone git github.com/docker/libnetwork f1c5671f1ee2133055144e566cd8b3a0ae4f0433
 clone git github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
 clone git github.com/hashicorp/go-msgpack 71c2886f5a673a35f909803f38ece5810165097b
 clone git github.com/hashicorp/memberlist 9a1e242e454d2443df330bdd51a436d5a9058fc4
diff --git a/vendor/src/github.com/docker/libnetwork/README.md b/vendor/src/github.com/docker/libnetwork/README.md
index f43fe3c96b..90fcbe017f 100644
--- a/vendor/src/github.com/docker/libnetwork/README.md
+++ b/vendor/src/github.com/docker/libnetwork/README.md
@@ -18,7 +18,10 @@ There are many networking solutions available to suit a broad range of use-cases
 ```go
 // Create a new controller instance
- controller := libnetwork.New()
+ controller, err := libnetwork.New()
+ if err != nil {
+ return
+ }
 // Select and configure the network driver
 networkType := "bridge"
diff --git a/vendor/src/github.com/docker/libnetwork/client/network.go b/vendor/src/github.com/docker/libnetwork/client/network.go
index 9d9ce71c3f..a244ad5f69 100644
--- a/vendor/src/github.com/docker/libnetwork/client/network.go
+++ b/vendor/src/github.com/docker/libnetwork/client/network.go
@@ -223,7 +223,7 @@ func networkUsage(chain string) string {
 help := "Commands:\n"
 for _, cmd := range networkCommands {
- help += fmt.Sprintf(" %-25.25s%s\n", cmd.name, cmd.description)
+ help += fmt.Sprintf(" %-25.25s%s\n", cmd.name, cmd.description)
 }
 help += fmt.Sprintf("\nRun '%s network COMMAND --help' for more information on a command.", chain)
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/bridge.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/bridge.go
index 7a86239a8f..57a7f575d6 100644
--- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/bridge.go
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/bridge.go
@@ -3,10 +3,13 @@ package bridge
 import (
 "errors"
 "fmt"
+ "io/ioutil"
 "net"
 "os/exec"
+ "path/filepath"
 "strconv"
 "sync"
+ "syscall"
 "github.com/Sirupsen/logrus"
 "github.com/docker/libnetwork/driverapi"
@@ -660,6 +663,10 @@ func (d *driver) CreateNetwork(id types.UUID, option map[string]interface{}) err
 // Setup IPTables.
 {config.EnableIPTables, network.setupIPTables},
+ //We want to track firewalld configuration so that
+ //if it is started/reloaded, the rules can be applied correctly
+ {config.EnableIPTables, network.setupFirewalld},
+
 // Setup DefaultGatewayIPv4
 {config.DefaultGatewayIPv4 != nil, setupGatewayIPv4},
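Review bot: The two comment lines added above the setupFirewalld step have no space after `//`, unlike the neighbouring `// Setup IPTables.` entries, and gofmt will not correct that; write them as `// We want to track firewalld configuration so that` / `// if it is started/reloaded, the rules can be applied correctly`. The step is guarded by the same `config.EnableIPTables` condition as setupIPTables, which matches the re-check setupFirewalld does itself. The enclosing CreateNetwork step table starts and ends outside the hunk.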
@@ -772,6 +779,37 @@ func addToBridge(ifaceName, bridgeName string) error {
 return ioctlAddToBridge(iface, master)
 }
+func setHairpinMode(link netlink.Link, enable bool) error {
+ err := netlink.LinkSetHairpin(link, enable)
+ if err != nil && err != syscall.EINVAL {
+ // If error is not EINVAL something else went wrong, bail out right away
+ return fmt.Errorf("unable to set hairpin mode on %s via netlink: %v",
+ link.Attrs().Name, err)
+ }
+
+ // Hairpin mode successfully set up
+ if err == nil {
+ return nil
+ }
+
+ // The netlink method failed with EINVAL which is probably because of an older
+ // kernel. Try one more time via the sysfs method.
+ path := filepath.Join("/sys/class/net", link.Attrs().Name, "brport/hairpin_mode")
+
+ var val []byte
+ if enable {
+ val = []byte{'1', '\n'}
+ } else {
+ val = []byte{'0', '\n'}
+ }
+
+ if err := ioutil.WriteFile(path, val, 0644); err != nil {
+ return fmt.Errorf("unable to set hairpin mode on %s via sysfs: %v", link.Attrs().Name, err)
+ }
+
+ return nil
+}
+
 func (d *driver) CreateEndpoint(nid, eid types.UUID, epInfo driverapi.EndpointInfo, epOptions map[string]interface{}) error {
 var (
 ipv6Addr *net.IPNet
@@ -902,14 +940,15 @@ func (d *driver) CreateEndpoint(nid, eid types.UUID, epInfo driverapi.EndpointIn
 }
 if !config.EnableUserlandProxy {
- err = netlink.LinkSetHairpin(host, true)
+ err = setHairpinMode(host, true)
 if err != nil {
 return err
 }
 }
 // v4 address for the sandbox side pipe interface
- ip4, err := ipAllocator.RequestIP(n.bridge.bridgeIPv4, nil)
+ sub := types.GetIPNetCanonical(n.bridge.bridgeIPv4)
+ ip4, err := ipAllocator.RequestIP(sub, nil)
 if err != nil {
 return err
 }
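Review bot: setHairpinMode has no doc comment although it implements a two-stage fallback that a reader of CreateEndpoint needs to know about; suggest `// setHairpinMode enables or disables hairpin mode on link via netlink and, when the kernel rejects the request with EINVAL (older kernels), falls back to writing the brport/hairpin_mode sysfs attribute.` The sysfs error message drops the netlink EINVAL that led there, so a failure on an old kernel reports only the second cause; mentioning the fallback in that message would make the failure easier to diagnose. The `0644` mode passed to ioutil.WriteFile only matters if the file is created, which never happens for an existing sysfs attribute, so it is harmless but deserves a short comment.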
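Review bot: `sub := types.GetIPNetCanonical(n.bridge.bridgeIPv4)` is now recomputed inline at every allocator call site in this commit: here, in DeleteEndpoint, in allocateBridgeIP and in setupGatewayIPv4. Each site allocates a fresh copy and all four must stay in agreement, so canonicalising once where bridgeIPv4 is stored (or behind a small accessor on bridgeInterface) and having the call sites use that would be cleaner. Until then, the one-line comment used in setupGatewayIPv4 (`// Pass the real network subnet to ip allocator (no host bits set)`) should appear at the other sites too, since nothing else explains why the raw bridgeIPv4 is not passed. CreateEndpoint starts and ends outside the hunk.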
@@ -1035,7 +1074,8 @@ func (d *driver) DeleteEndpoint(nid, eid types.UUID) error {
 n.releasePorts(ep)
 // Release the v4 address allocated to this endpoint's sandbox interface
- err = ipAllocator.ReleaseIP(n.bridge.bridgeIPv4, ep.addr.IP)
+ sub := types.GetIPNetCanonical(n.bridge.bridgeIPv4)
+ err = ipAllocator.ReleaseIP(sub, ep.addr.IP)
 if err != nil {
 return err
 }
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/link.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/link.go
index 4e4444e074..894c5e772c 100644
--- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/link.go
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/link.go
@@ -32,7 +32,12 @@ func newLink(parentIP, childIP string, ports []types.TransportPort, bridge strin
 func (l *link) Enable() error {
 // -A == iptables append flag
- return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
+ linkFunction := func() error {
+ return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
+ }
+
+ iptables.OnReloaded(func() { linkFunction() })
+ return linkFunction()
 }
 func (l *link) Disable() {
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_firewalld.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_firewalld.go
new file mode 100644
index 0000000000..eeb7764801
--- /dev/null
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_firewalld.go
@@ -0,0 +1,15 @@
+package bridge
+
+import "github.com/docker/libnetwork/iptables"
+
+func (n *bridgeNetwork) setupFirewalld(config *networkConfiguration, i *bridgeInterface) error {
+ // Sanity check.
+ if config.EnableIPTables == false {
+ return IPTableCfgError(config.BridgeName)
+ }
+
+ iptables.OnReloaded(func() { n.setupIPTables(config, i) })
+ iptables.OnReloaded(n.portMapper.ReMapAll)
+
+ return nil
+}
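Review bot: The reload callback `iptables.OnReloaded(func() { linkFunction() })` discards the error from linkContainers, so a failure to re-create a link's iptables rules after a firewalld reload is completely silent; at minimum log it, e.g. `iptables.OnReloaded(func() { if err := linkFunction(); err != nil { logrus.Errorf("re-applying link rules: %v", err) } })` with logrus, which the bridge package already imports. Every Enable call also registers a callback that is never removed, and Disable (its body is outside the hunk) presumably deletes the rules without unregistering, so after a reload the rules for a disabled link would be re-added and the callback list grows with each Enable. If OnReloaded offers no way to unregister, the callback should at least consult a flag that Disable clears before re-applying.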
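Review bot: `n.setupIPTables(config, i)` inside the OnReloaded closure returns an error that is dropped, so a failed re-application after a firewalld reload leaves the bridge without its rules and leaves no trace in the logs; wrap it as `if err := n.setupIPTables(config, i); err != nil { logrus.Errorf("re-applying iptables rules for %s: %v", config.BridgeName, err) }` (logrus is already used by this package). `if config.EnableIPTables == false` is idiomatically `if !config.EnableIPTables`. setupFirewalld runs once per CreateNetwork and registers two callbacks that capture config and i, and nothing in this commit unregisters them when the network is deleted, so if OnReloaded retains callbacks indefinitely, deleted networks would still have rules re-applied on reload — worth confirming against the iptables package. A doc comment such as `// setupFirewalld registers callbacks that re-apply the network's iptables rules and port mappings whenever firewalld is reloaded.` would also help.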
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go
index 70e4df652b..fa241c1b34 100644
--- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -149,7 +149,7 @@ func setIcc(bridgeIface string, iccEnable, insert bool) error {
 iptables.Raw(append([]string{"-D", chain}, dropArgs...)...)
 if !iptables.Exists(table, chain, acceptArgs...) {
- if output, err := iptables.Raw(append([]string{"-A", chain}, acceptArgs...)...); err != nil {
+ if output, err := iptables.Raw(append([]string{"-I", chain}, acceptArgs...)...); err != nil {
 return fmt.Errorf("Unable to allow intercontainer communication: %s", err.Error())
 } else if len(output) != 0 {
 return fmt.Errorf("Error enabling intercontainer communication: %s", output)
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ipv4.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ipv4.go
index d05a47aea0..cca715e392 100644
--- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ipv4.go
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ipv4.go
@@ -8,6 +8,7 @@ import (
 log "github.com/Sirupsen/logrus"
 "github.com/docker/libnetwork/netutils"
+ "github.com/docker/libnetwork/types"
 "github.com/vishvananda/netlink"
 )
@@ -75,7 +76,8 @@ func setupBridgeIPv4(config *networkConfiguration, i *bridgeInterface) error {
 }
 func allocateBridgeIP(config *networkConfiguration, i *bridgeInterface) error {
- ipAllocator.RequestIP(i.bridgeIPv4, i.bridgeIPv4.IP)
+ sub := types.GetIPNetCanonical(i.bridgeIPv4)
+ ipAllocator.RequestIP(sub, i.bridgeIPv4.IP)
 return nil
 }
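Review bot: The switch from `-A` to `-I` moves the ICC ACCEPT rule from the tail to the head of the chain, which changes how it is ordered against any other rules in that chain, yet the hunk leaves no comment on why; the driver annotates its flags elsewhere (`// -A == iptables append flag` in link.go), so add `// -I: insert at the head so the ACCEPT rule precedes whatever is already in the chain`. Because the rule is only added when `iptables.Exists` reports it absent, repeated reloads will not duplicate it, but the DROP branch above the hunk is not visible here and should use the same position for the ordering to stay predictable. setIcc starts and ends outside the hunk.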
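Review bot: `ipAllocator.RequestIP(sub, i.bridgeIPv4.IP)` still discards both return values, so if the allocator refuses to reserve the bridge's own address the function returns nil and a later endpoint could be handed that address; prefer `if _, err := ipAllocator.RequestIP(sub, i.bridgeIPv4.IP); err != nil { return err }`, which is the form setupGatewayIPv4 uses in this same commit. If ignoring the result is deliberate, for instance because the address may already be reserved from an earlier run, a one-line comment saying so would stop the next reader from raising it again.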
@@ -109,7 +111,10 @@ func setupGatewayIPv4(config *networkConfiguration, i *bridgeInterface) error {
 if !i.bridgeIPv4.Contains(config.DefaultGatewayIPv4) {
 return &ErrInvalidGateway{}
 }
- if _, err := ipAllocator.RequestIP(i.bridgeIPv4, config.DefaultGatewayIPv4); err != nil {
+
+ // Pass the real network subnet to ip allocator (no host bits set)
+ sub := types.GetIPNetCanonical(i.bridgeIPv4)
+ if _, err := ipAllocator.RequestIP(sub, config.DefaultGatewayIPv4); err != nil {
 return err
 }
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/overlay/peerdb.go b/vendor/src/github.com/docker/libnetwork/drivers/overlay/peerdb.go
index b951edac93..9e4f7f7e12 100644
--- a/vendor/src/github.com/docker/libnetwork/drivers/overlay/peerdb.go
+++ b/vendor/src/github.com/docker/libnetwork/drivers/overlay/peerdb.go
@@ -190,9 +190,13 @@ func (d *driver) peerDbUpdateSandbox(nid types.UUID) {
 continue
 }
+ // Go captures variables by reference. The pEntry could be
+ // pointing to the same memory location for every iteration. Make
+ // a copy of pEntry before capturing it in the following closure.
+ entry := pEntry
 op := func() {
- if err := d.peerAdd(nid, pEntry.eid, pKey.peerIP,
- pKey.peerMac, pEntry.vtep,
+ if err := d.peerAdd(nid, entry.eid, pKey.peerIP,
+ pKey.peerMac, entry.vtep,
 false); err != nil {
 fmt.Printf("peerdbupdate in sandbox failed for ip %s and mac %s: %v",
 pKey.peerIP, pKey.peerMac, err)
diff --git a/vendor/src/github.com/docker/libnetwork/portmapper/mapper.go b/vendor/src/github.com/docker/libnetwork/portmapper/mapper.go
index ac32f66ef1..b928e3c619 100644
--- a/vendor/src/github.com/docker/libnetwork/portmapper/mapper.go
+++ b/vendor/src/github.com/docker/libnetwork/portmapper/mapper.go
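Review bot: The closure still captures `pKey` directly (`pKey.peerIP`, `pKey.peerMac`, and again in the Printf), so if pKey is the range key of the same loop as pEntry (the loop header is outside the hunk) it has exactly the per-iteration aliasing problem the new comment describes, and the copy fixes only half of it; add `key := pKey` beside `entry := pEntry` and use `key` inside op. The comment could also be made precise: closures capture the variable itself, and a range variable is one variable reused across iterations in the Go versions this code targets. The enclosing loop and peerDbUpdateSandbox start and end outside the hunk.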
@@ -179,6 +179,18 @@ func (pm *PortMapper) Unmap(host net.Addr) error {
 return nil
 }
+//ReMapAll will re-apply all port mappings
+func (pm *PortMapper) ReMapAll() {
+ logrus.Debugln("Re-applying all port mappings.")
+ for _, data := range pm.currentMappings {
+ containerIP, containerPort := getIPAndPort(data.container)
+ hostIP, hostPort := getIPAndPort(data.host)
+ if err := pm.forward(iptables.Append, data.proto, hostIP, hostPort, containerIP.String(), containerPort); err != nil {
+ logrus.Errorf("Error on iptables add: %s", err)
+ }
+ }
+}
+
 func getKey(a net.Addr) string {
 switch t := a.(type) {
 case *net.TCPAddr:
diff --git a/vendor/src/github.com/docker/libnetwork/sandbox/interface_freebsd.go b/vendor/src/github.com/docker/libnetwork/sandbox/interface_freebsd.go
new file mode 100644
index 0000000000..115290d82b
--- /dev/null
+++ b/vendor/src/github.com/docker/libnetwork/sandbox/interface_freebsd.go
@@ -0,0 +1,4 @@
+package sandbox
+
+// IfaceOption is a function option type to set interface options
+type IfaceOption func()
diff --git a/vendor/src/github.com/docker/libnetwork/sandbox/namespace_unsupported.go b/vendor/src/github.com/docker/libnetwork/sandbox/namespace_unsupported.go
index 247f4fb7b4..9d38206bd7 100644
--- a/vendor/src/github.com/docker/libnetwork/sandbox/namespace_unsupported.go
+++ b/vendor/src/github.com/docker/libnetwork/sandbox/namespace_unsupported.go
@@ -1,4 +1,4 @@
-// +build !linux,!windows
+// +build !linux,!windows,!freebsd
 package sandbox
diff --git a/vendor/src/github.com/docker/libnetwork/sandbox/neigh_freebsd.go b/vendor/src/github.com/docker/libnetwork/sandbox/neigh_freebsd.go
new file mode 100644
index 0000000000..58b30587e2
--- /dev/null
+++ b/vendor/src/github.com/docker/libnetwork/sandbox/neigh_freebsd.go
@@ -0,0 +1,4 @@
+package sandbox
+
+// NeighOption is a function option type to set neighbor options
+type NeighOption func()
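Review bot: ReMapAll ranges over `pm.currentMappings` without taking whatever mutex Map and Unmap use to guard it (those methods are outside the hunk), and since it is registered as a firewalld reload callback it will run on another goroutine, so a concurrent Map or Unmap would be a data race on the map; hold the PortMapper's lock for the duration of the loop, as the other methods presumably do. Logging each failed forward and continuing is reasonable for a best-effort re-apply, but the doc comment should say so and follow gofmt style: `// ReMapAll re-applies the iptables forwarding rule for every current port mapping; failures are logged and skipped.`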
diff --git a/vendor/src/github.com/docker/libnetwork/sandbox/route_linux.go b/vendor/src/github.com/docker/libnetwork/sandbox/route_linux.go
index 7010957345..946e364860 100644
--- a/vendor/src/github.com/docker/libnetwork/sandbox/route_linux.go
+++ b/vendor/src/github.com/docker/libnetwork/sandbox/route_linux.go
@@ -177,7 +177,6 @@ func (n *networkNamespace) AddStaticRoute(r *types.StaticRoute) error {
 }
 func (n *networkNamespace) RemoveStaticRoute(r *types.StaticRoute) error {
- n.Lock()
 err := removeRoute(n.nsPath(), r.Destination, r.NextHop)
 if err == nil {
diff --git a/vendor/src/github.com/docker/libnetwork/sandbox/sandbox_freebsd.go b/vendor/src/github.com/docker/libnetwork/sandbox/sandbox_freebsd.go
new file mode 100644
index 0000000000..4aa7787113
--- /dev/null
+++ b/vendor/src/github.com/docker/libnetwork/sandbox/sandbox_freebsd.go
@@ -0,0 +1,23 @@
+package sandbox
+
+// GenerateKey generates a sandbox key based on the passed
+// container id.
+func GenerateKey(containerID string) string {
+ maxLen := 12
+ if len(containerID) < maxLen {
+ maxLen = len(containerID)
+ }
+
+ return containerID[:maxLen]
+}
+
+// NewSandbox provides a new sandbox instance created in an os specific way
+// provided a key which uniquely identifies the sandbox
+func NewSandbox(key string, osCreate bool) (Sandbox, error) {
+ return nil, nil
+}
+
+// GC triggers garbage collection of namespace path right away
+// and waits for it.
+func GC() {
+}
diff --git a/vendor/src/github.com/docker/libnetwork/sandbox/sandbox_unsupported.go b/vendor/src/github.com/docker/libnetwork/sandbox/sandbox_unsupported.go
index efda42a4a6..4ed3c9f58b 100644
--- a/vendor/src/github.com/docker/libnetwork/sandbox/sandbox_unsupported.go
+++ b/vendor/src/github.com/docker/libnetwork/sandbox/sandbox_unsupported.go
@@ -1,4 +1,4 @@
-// +build !linux,!windows
+// +build !linux,!windows,!freebsd
 package sandbox
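Review bot: Removing `n.Lock()` at the top of RemoveStaticRoute cannot be judged from the hunk alone, because the remainder of the function, including the `if err == nil` block, is outside it: if that block takes and releases the lock itself this fixes a double lock, but if an `Unlock` further down is now unpaired the first call will panic with an unlock of an unlocked mutex. Worth confirming the remaining lock usage in the function, and a short comment stating that the lock covers only the in-memory route bookkeeping (if that is the case) would keep the next reader from re-adding it.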
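Review bot: `NewSandbox` returns `nil, nil`, so a caller that checks the error and then calls a method on the returned Sandbox will panic on a nil interface; a stub that does not implement the functionality should return a non-nil error, e.g. `return nil, errors.New("sandbox: not implemented on freebsd")` (with `errors` imported), as the `_unsupported` variant presumably does. The doc comment on NewSandbox describes the general contract rather than this stub; a sentence such as `// On FreeBSD sandboxes are not supported and NewSandbox always returns an error.` would make the file self-explanatory. GenerateKey and GC are fine as written.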
diff --git a/vendor/src/github.com/docker/libnetwork/types/types.go b/vendor/src/github.com/docker/libnetwork/types/types.go
index 934406834b..fa13bdeacc 100644
--- a/vendor/src/github.com/docker/libnetwork/types/types.go
+++ b/vendor/src/github.com/docker/libnetwork/types/types.go
@@ -173,6 +173,16 @@ func GetIPNetCopy(from *net.IPNet) *net.IPNet {
 return &net.IPNet{IP: GetIPCopy(from.IP), Mask: bm}
 }
+// GetIPNetCanonical returns the canonical form for the passed network
+func GetIPNetCanonical(nw *net.IPNet) *net.IPNet {
+ if nw == nil {
+ return nil
+ }
+ c := GetIPNetCopy(nw)
+ c.IP = c.IP.Mask(nw.Mask)
+ return c
+}
+
 // CompareIPNet returns equal if the two IP Networks are equal
 func CompareIPNet(a, b *net.IPNet) bool {
 if a == b {
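Review bot: The doc comment should say what "canonical" means here and name the one silent failure mode: `// GetIPNetCanonical returns a copy of nw whose IP has its host bits cleared (nw.IP masked with nw.Mask), so networks that differ only in host bits compare equal. It returns nil for a nil nw; if the IP and mask lengths are incompatible, net.IP.Mask yields a nil IP in the result.` Masking with `c.Mask` instead of `nw.Mask` would read slightly more clearly, since c is the copy being canonicalised, although the two are identical.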