Explorar o código

Deallocate port before trying to delete iptables chain

Fixes #7954
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
Alexandr Morozov %!s(int64=10) %!d(string=hai) anos
pai
achega
2e7cf6b0ce

+ 2 - 6
daemon/networkdriver/portmapper/mapper.go

@@ -4,11 +4,11 @@ import (
 	"errors"
 	"errors"
 	"fmt"
 	"fmt"
 	"net"
 	"net"
-	"strings"
 	"sync"
 	"sync"
 
 
 	"github.com/docker/docker/daemon/networkdriver/portallocator"
 	"github.com/docker/docker/daemon/networkdriver/portallocator"
 	"github.com/docker/docker/pkg/iptables"
 	"github.com/docker/docker/pkg/iptables"
+	"github.com/docker/docker/pkg/log"
 )
 )
 
 
 type mapping struct {
 type mapping struct {
@@ -127,10 +127,7 @@ func Unmap(host net.Addr) error {
 	containerIP, containerPort := getIPAndPort(data.container)
 	containerIP, containerPort := getIPAndPort(data.container)
 	hostIP, hostPort := getIPAndPort(data.host)
 	hostIP, hostPort := getIPAndPort(data.host)
 	if err := forward(iptables.Delete, data.proto, hostIP, hostPort, containerIP.String(), containerPort); err != nil {
 	if err := forward(iptables.Delete, data.proto, hostIP, hostPort, containerIP.String(), containerPort); err != nil {
-		// skip "no chain" errors because we can safely release port in this case
-		if !strings.Contains(err.Error(), "No chain/target/match by that name") {
-			return err
-		}
+		log.Errorf("Error on iptables delete: %s", err)
 	}
 	}
 
 
 	switch a := host.(type) {
 	switch a := host.(type) {
@@ -139,7 +136,6 @@ func Unmap(host net.Addr) error {
 	case *net.UDPAddr:
 	case *net.UDPAddr:
 		return portallocator.ReleasePort(a.IP, "udp", a.Port)
 		return portallocator.ReleasePort(a.IP, "udp", a.Port)
 	}
 	}
-
 	return nil
 	return nil
 }
 }
 
 

+ 29 - 0
integration-cli/docker_cli_run_test.go

@@ -1846,3 +1846,32 @@ func TestRunNetworkNotInitializedNoneMode(t *testing.T) {
 	deleteAllContainers()
 	deleteAllContainers()
 	logDone("run - network must not be initialized in 'none' mode")
 	logDone("run - network must not be initialized in 'none' mode")
 }
 }
+
+func TestRunDeallocatePortOnMissingIptablesRule(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "-d", "-p", "23:23", "busybox", "top")
+	out, _, err := runCommandWithOutput(cmd)
+	if err != nil {
+		t.Fatal(err)
+	}
+	id := strings.TrimSpace(out)
+	ip, err := inspectField(id, "NetworkSettings.IPAddress")
+	if err != nil {
+		t.Fatal(err)
+	}
+	iptCmd := exec.Command("iptables", "-D", "FORWARD", "-d", fmt.Sprintf("%s/32", ip),
+		"!", "-i", "docker0", "-o", "docker0", "-p", "tcp", "-m", "tcp", "--dport", "23", "-j", "ACCEPT")
+	out, _, err = runCommandWithOutput(iptCmd)
+	if err != nil {
+		t.Fatal(err, out)
+	}
+	if err := deleteContainer(id); err != nil {
+		t.Fatal(err)
+	}
+	cmd = exec.Command(dockerBinary, "run", "-d", "-p", "23:23", "busybox", "top")
+	out, _, err = runCommandWithOutput(cmd)
+	if err != nil {
+		t.Fatal(err, out)
+	}
+	deleteAllContainers()
+	logDone("run - port should be deallocated even on iptables error")
+}