
Merge pull request #42205 from thaJeztah/20.10_backport_bump_libnetwork

[20.10 backport] vendor: docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46
Tibor Vass 4 năm trước cách đây
mục cha
commit
cdd71c6736

+ 1 - 1
hack/dockerfile/install/proxy.installer

@@ -3,7 +3,7 @@
 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
 # updating the binary version, consider updating github.com/docker/libnetwork
 # in vendor.conf accordingly
-: "${LIBNETWORK_COMMIT:=fa125a3512ee0f6187721c88582bf8c4378bd4d7}"
+: "${LIBNETWORK_COMMIT:=b3507428be5b458cb0e2b4086b13531fb0706e46}"
 
 install_proxy() {
 	case "$1" in

+ 21 - 7
integration-cli/docker_cli_port_test.go

@@ -20,13 +20,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 
 	out, _ = dockerCmd(c, "port", firstID, "80")
 
-	err := assertPortList(c, out, []string{"0.0.0.0:9876"})
+	err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
 	// Port list is not correct
 	assert.NilError(c, err)
 
 	out, _ = dockerCmd(c, "port", firstID)
 
-	err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876"})
+	err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876", "80/tcp -> [::]:9876"})
 	// Port list is not correct
 	assert.NilError(c, err)
 
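Review bot: The new `[::]:9876` expectations in this hunk, and in every later TestPortList and TestPortHostBinding hunk, are hard-coded, so the test now assumes the daemon publishes each port on the IPv6 wildcard as well as on `0.0.0.0`. Judging from the vendored port_mapping.go change on this page, an IPv4-only container gets that second binding only when the userland proxy is enabled, so a run with the proxy disabled would presumably print only the IPv4 lines. Whether assertPortList tolerates that cannot be seen here, since its body and the start of TestPortList are outside the hunks. I would either derive the expected list from the daemon configuration or add a comment such as `// expects the userland proxy: host IPv6 traffic is proxied to the container's IPv4 address`. That comment also records that a published port is now reachable over the host's IPv6 addresses, which host ip6tables/firewalld policy has to account for.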
@@ -42,7 +42,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 
 	out, _ = dockerCmd(c, "port", ID, "80")
 
-	err = assertPortList(c, out, []string{"0.0.0.0:9876"})
+	err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
 	// Port list is not correct
 	assert.NilError(c, err)
 
@@ -50,8 +50,11 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 
 	err = assertPortList(c, out, []string{
 		"80/tcp -> 0.0.0.0:9876",
+		"80/tcp -> [::]:9876",
 		"81/tcp -> 0.0.0.0:9877",
+		"81/tcp -> [::]:9877",
 		"82/tcp -> 0.0.0.0:9878",
+		"82/tcp -> [::]:9878",
 	})
 	// Port list is not correct
 	assert.NilError(c, err)
@@ -69,7 +72,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 
 	out, _ = dockerCmd(c, "port", ID, "80")
 
-	err = assertPortList(c, out, []string{"0.0.0.0:9876", "0.0.0.0:9999"})
+	err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876", "0.0.0.0:9999", "[::]:9999"})
 	// Port list is not correct
 	assert.NilError(c, err)
 
@@ -78,8 +81,12 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 	err = assertPortList(c, out, []string{
 		"80/tcp -> 0.0.0.0:9876",
 		"80/tcp -> 0.0.0.0:9999",
+		"80/tcp -> [::]:9876",
+		"80/tcp -> [::]:9999",
 		"81/tcp -> 0.0.0.0:9877",
+		"81/tcp -> [::]:9877",
 		"82/tcp -> 0.0.0.0:9878",
+		"82/tcp -> [::]:9878",
 	})
 	// Port list is not correct
 	assert.NilError(c, err)
@@ -94,7 +101,10 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 
 			out, _ = dockerCmd(c, "port", IDs[i])
 
-			err = assertPortList(c, out, []string{fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i)})
+			err = assertPortList(c, out, []string{
+				fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i),
+				fmt.Sprintf("80/tcp -> [::]:%d", 9090+i),
+			})
 			// Port list is not correct
 			assert.NilError(c, err)
 		}
@@ -127,9 +137,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
 
 	err = assertPortList(c, out, []string{
 		"80/tcp -> 0.0.0.0:9800",
+		"80/tcp -> [::]:9800",
 		"81/tcp -> 0.0.0.0:9801",
+		"81/tcp -> [::]:9801",
 		"82/tcp -> 0.0.0.0:9802",
+		"82/tcp -> [::]:9802",
 		"83/tcp -> 0.0.0.0:9803",
+		"83/tcp -> [::]:9803",
 	})
 	// Port list is not correct
 	assert.NilError(c, err)
@@ -161,7 +175,7 @@ func assertPortList(c *testing.T, out string, expected []string) error {
 	// of the CLI used an incorrect output format for mappings on IPv6 addresses
 	// for example, "80/tcp -> :::80" instead of "80/tcp -> [::]:80".
 	oldFormat := func(mapping string) string {
-		old := strings.Replace(mapping, "-> [", "-> ", 1)
+		old := strings.Replace(mapping, "[", "", 1)
 		old = strings.Replace(old, "]:", ":", 1)
 		return old
 	}
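Review bot: The comment above `oldFormat` still describes only the `80/tcp -> [::]:80` form, but with the `-> ` anchor dropped the helper now strips the first `[` wherever it occurs, which the bare `[::]:9876` entries passed in by the tests rely on. I would extend the comment with `// also covers the bare host form: "[::]:80" becomes ":::80"` so the looser match reads as intended rather than accidental. assertPortList begins and continues outside this hunk, so how the old-format string is compared against the output is not visible here.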
@@ -305,7 +319,7 @@ func (s *DockerSuite) TestPortHostBinding(c *testing.T) {
 
 	out, _ = dockerCmd(c, "port", firstID, "80")
 
-	err := assertPortList(c, out, []string{"0.0.0.0:9876"})
+	err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
 	// Port list is not correct
 	assert.NilError(c, err)
 

+ 1 - 1
vendor.conf

@@ -47,7 +47,7 @@ github.com/grpc-ecosystem/go-grpc-middleware        3c51f7f332123e8be5a157c0802a
 # libnetwork
 
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
-github.com/docker/libnetwork                        fa125a3512ee0f6187721c88582bf8c4378bd4d7 
+github.com/docker/libnetwork                        b3507428be5b458cb0e2b4086b13531fb0706e46
 github.com/docker/go-events                         e31b211e4f1cd09aa76fe4ac244571fab96ae47f
 github.com/armon/go-radix                           e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics                         eb0af217e5e9747e41dd5303755356b62d28e3ec

+ 16 - 9
vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go

@@ -49,8 +49,16 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
 			}
 			bs = append(bs, bIPv4)
 		}
+
 		// Allocate IPv6 Port mappings
-		if ok := n.validatePortBindingIPv6(&bIPv6, containerIPv6, defHostIP); ok {
+		// If the container has no IPv6 address, allow proxying host IPv6 traffic to it
+		// by setting up the binding with the IPv4 interface if the userland proxy is enabled
+		// This change was added to keep backward compatibility
+		containerIP := containerIPv6
+		if ulPxyEnabled && (containerIPv6 == nil) {
+			containerIP = containerIPv4
+		}
+		if ok := n.validatePortBindingIPv6(&bIPv6, containerIP, defHostIP); ok {
 			if err := n.allocatePort(&bIPv6, ulPxyEnabled); err != nil {
 				// On allocation failure, release previously allocated ports. On cleanup error, just log a warning message
 				if cuErr := n.releasePortsInternal(bs); cuErr != nil {
@@ -67,7 +75,7 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
 // validatePortBindingIPv4 validates the port binding, populates the missing Host IP field and returns true
 // if this is a valid IPv4 binding, else returns false
 func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containerIPv4, defHostIP net.IP) bool {
-	//Return early if there is a valid Host IP, but its not a IPv6 address
+	//Return early if there is a valid Host IP, but its not a IPv4 address
 	if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {
 		return false
 	}
@@ -85,10 +93,10 @@ func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containe
 }
 
 // validatePortBindingIPv6 validates the port binding, populates the missing Host IP field and returns true
-// if this is a valid IP6v binding, else returns false
-func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIPv6, defHostIP net.IP) bool {
-	// Return early if there is no IPv6 container endpoint
-	if containerIPv6 == nil {
+// if this is a valid IPv6 binding, else returns false
+func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIP, defHostIP net.IP) bool {
+	// Return early if there is no container endpoint
+	if containerIP == nil {
 		return false
 	}
 	// Return early if there is a valid Host IP, which is a IPv4 address
@@ -108,9 +116,8 @@ func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containe
 			return false
 		}
 	}
-	bnd.IP = containerIPv6
+	bnd.IP = containerIP
 	return true
-
 }
 
 func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool) error {
@@ -132,7 +139,7 @@ func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool)
 
 	portmapper := n.portMapper
 
-	if bnd.IP.To4() == nil {
+	if bnd.HostIP.To4() == nil {
 		portmapper = n.portMapperV6
 	}
 

+ 7 - 1
vendor/github.com/docker/libnetwork/iptables/iptables.go

@@ -512,8 +512,14 @@ func filterOutput(start time.Time, output []byte, args ...string) []byte {
 // Raw calls 'iptables' system command, passing supplied arguments.
 func (iptable IPTable) Raw(args ...string) ([]byte, error) {
 	if firewalldRunning {
+		// select correct IP version for firewalld
+		ipv := Iptables
+		if iptable.Version == IPv6 {
+			ipv = IP6Tables
+		}
+
 		startTime := time.Now()
-		output, err := Passthrough(Iptables, args...)
+		output, err := Passthrough(ipv, args...)
 		if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") {
 			return filterOutput(startTime, output, args...), err
 		}