Make sure that iptables operations on ingress
are serialized.
Before, 2 racing routines trying to create the ingress chain
were allowed, and one was failing, reporting the chain as
already existing.
The lock guarantees that this condition does not happen anymore.
Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
The system should remove cluster service info including networkDB
entries and DNS entries for container endpoints that are not part of a
service as well as those that are part of a service. This used to be
the normal sequence of operations but it moved to
sandbox.DisableService() in an effort to more gracefully handle endpoint
removal from a service (which proved insufficient). Unfortunately,
subsequent changes also removed the newly-mandatory call to
sandbox.DisableService(), preventing proper cleanup for non-service
container endpoints.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
Go 1.7 added the subtest feature which can make table-driven tests much easier to run and debug. Some tests are not using this feature.
Signed-off-by: Yang Li <idealhack@gmail.com>
Use net.SplitHostPort() instead of our own logic in func (p *PortBinding)
FromString(s string) error. This means that IPv6 literals, including
IPv4-in-IPv6 literals, can now be parsed from the string form of
PortBindings. Zoned addresses do not work - net.SplitHostPort() parses
them but net.ParseIP() cannot and returns an error. This is OK because
we do not have a slot to store the zone name in PortBinding anyway.
Signed-off-by: Euan Harris <euan.harris@docker.com>
The function tested by TestUtilGetHostPortionIP is called GetHostPartIP.
Rename the test to match the function being tested.
Signed-off-by: Euan Harris <euan.harris@docker.com>
Releasing a pool which has already been released should fail; this
change increases coverage by a fraction by exercising this path.
Signed-off-by: Euan Harris <euan.harris@docker.com>
This makes it easy to drop into the build container, for instance to
run tests or other Go tools over a subset of the code.
Signed-off-by: Euan Harris <euan.harris@docker.com>
Multiple simultaneous updates here would leave the driver in a very
inconsistent state. The disadvantage to this change is that it requires
holding the driver lock while reprogramming the keys.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
This one is probably not critical. The worst that it seems could
happen would be if 2 deletes occur at the same time (one of which
should be an error):
1. network gets read from the map by delete-1
2. network gets read from the map by delete-2
3. delete-1 releases the network VNI
4. network create arrives at the driver and allocates the now free VNI
5. delete-2 releases the network VNI (error: it's been reallocated!)
6. both networks remove the VNI from the map
Part 6 could also become an issue if there were a simultaneous create
for the network at the same time. This leads to the modification of
the NewNetwork() method which now checks for an existing network before
adding it to the map.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
The overlay network driver is not properly using its mutexes or
sync.Onces. It made the classic mistake of not holding a lock through
various read-modify-write operations. This can result in inconsistent
state storage leading to more catastrophic issues.
This patch attempts to maintain the previous semantics while holding the
driver lock through operations that are read-modify-write of the
driver's network state.
One example of this race would be if two goroutines tried to invoke
d.network() after the network ID was removed from the table. Both would
try to reinstall it, causing the "once" to get reinitialized twice
without any lock protection. This could then lead to the "once" getting
invoked twice on the same network. Furthermore, the changes to one of
these network structures get effectively discarded. It's also the
case that, because there would be two simultaneous instances of the
network, the various network Lock() invocations would be meaningless for
race prevention.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
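The lost-update race this message describes, as an added Go example that is not libnetwork's code: a driver-like type (all names assumed) looks up a network and reinstalls it when missing, once with the lock dropped between lookup and insert and once holding it across the whole read-modify-write.

```go
package main

import (
	"fmt"
	"sync"
)

// Illustrative model of a driver's network table (not libnetwork's types).
type network struct {
	once     sync.Once
	initRuns int // how many times the once body executed
}

type driver struct {
	sync.Mutex
	networks map[string]*network
}

// getOrCreateRacy drops the lock between lookup and insert: two goroutines
// that both miss each install their own network and sync.Once (lost update).
func (d *driver) getOrCreateRacy(id string) *network {
	d.Lock()
	n, ok := d.networks[id]
	d.Unlock()
	if !ok {
		n = &network{}
		d.Lock()
		d.networks[id] = n // clobbers a copy a racing goroutine installed
		d.Unlock()
	}
	return n
}

// getOrCreateSafe holds the lock across the whole read-modify-write.
func (d *driver) getOrCreateSafe(id string) *network {
	d.Lock()
	defer d.Unlock()
	if n, ok := d.networks[id]; ok {
		return n
	}
	n := &network{}
	d.networks[id] = n
	return n
}

func main() {
	d := &driver{networks: map[string]*network{}}
	fmt.Println(d.getOrCreateSafe("net-1") == d.getOrCreateSafe("net-1")) // true
}
```

With the safe variant every concurrent caller receives the same *network, so its sync.Once body runs exactly once; the racy variant can hand out several instances, each with its own Once, which is the double initialization the message describes.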
This gets filtered for raw iptables calls, but not from calls made
through firewalld. The patch just ensures consistency of operation.
It also adds a warning when xtables contention is detected and truncates
the search string slightly, as it appears that the suffix will be
changing in the near future.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
Since Go 1.7, context is a standard package. Since about Go 1.9,
all x/net/context provides is a few aliases to types in context, meaning
"x/net/context" and "context" can be mixed freely.
Some vendored packages still use x/net/context, so the vendor entry remains
for now.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This version includes "x/net/context" which is fully compatible with
the standard Go "context" package, so the two can be mixed together.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>