bridge.go 28 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151
  1. package bridge
  2. import (
  3. "errors"
  4. "net"
  5. "strconv"
  6. "strings"
  7. "sync"
  8. "github.com/docker/libnetwork/driverapi"
  9. "github.com/docker/libnetwork/ipallocator"
  10. "github.com/docker/libnetwork/netlabel"
  11. "github.com/docker/libnetwork/netutils"
  12. "github.com/docker/libnetwork/options"
  13. "github.com/docker/libnetwork/portmapper"
  14. "github.com/docker/libnetwork/sandbox"
  15. "github.com/docker/libnetwork/types"
  16. "github.com/vishvananda/netlink"
  17. )
  18. const (
  19. networkType = "bridge"
  20. vethPrefix = "veth"
  21. vethLen = 7
  22. containerVethPrefix = "eth"
  23. maxAllocatePortAttempts = 10
  24. ifaceID = 1
  25. )
  26. var (
  27. ipAllocator *ipallocator.IPAllocator
  28. portMapper *portmapper.PortMapper
  29. )
  30. // configuration info for the "bridge" driver.
  31. type configuration struct {
  32. EnableIPForwarding bool
  33. }
  34. // networkConfiguration for network specific configuration
  35. type networkConfiguration struct {
  36. BridgeName string
  37. AddressIPv4 *net.IPNet
  38. FixedCIDR *net.IPNet
  39. FixedCIDRv6 *net.IPNet
  40. EnableIPv6 bool
  41. EnableIPTables bool
  42. EnableIPMasquerade bool
  43. EnableICC bool
  44. Mtu int
  45. DefaultGatewayIPv4 net.IP
  46. DefaultGatewayIPv6 net.IP
  47. DefaultBindingIP net.IP
  48. AllowNonDefaultBridge bool
  49. EnableUserlandProxy bool
  50. }
  51. // endpointConfiguration represents the user specified configuration for the sandbox endpoint
  52. type endpointConfiguration struct {
  53. MacAddress net.HardwareAddr
  54. PortBindings []types.PortBinding
  55. ExposedPorts []types.TransportPort
  56. }
  57. // containerConfiguration represents the user specified configuration for a container
  58. type containerConfiguration struct {
  59. ParentEndpoints []string
  60. ChildEndpoints []string
  61. }
  62. type bridgeEndpoint struct {
  63. id types.UUID
  64. intf *sandbox.Interface
  65. macAddress net.HardwareAddr
  66. config *endpointConfiguration // User specified parameters
  67. containerConfig *containerConfiguration
  68. portMapping []types.PortBinding // Operation port bindings
  69. }
  70. type bridgeNetwork struct {
  71. id types.UUID
  72. bridge *bridgeInterface // The bridge's L3 interface
  73. config *networkConfiguration
  74. endpoints map[types.UUID]*bridgeEndpoint // key: endpoint id
  75. sync.Mutex
  76. }
  77. type driver struct {
  78. config *configuration
  79. network *bridgeNetwork
  80. networks map[types.UUID]*bridgeNetwork
  81. sync.Mutex
  82. }
  83. func init() {
  84. ipAllocator = ipallocator.New()
  85. portMapper = portmapper.New()
  86. }
  87. // New constructs a new bridge driver
  88. func newDriver() driverapi.Driver {
  89. return &driver{networks: map[types.UUID]*bridgeNetwork{}}
  90. }
  91. // Init registers a new instance of bridge driver
  92. func Init(dc driverapi.DriverCallback) error {
  93. return dc.RegisterDriver(networkType, newDriver())
  94. }
  95. // Validate performs a static validation on the network configuration parameters.
  96. // Whatever can be assessed a priori before attempting any programming.
  97. func (c *networkConfiguration) Validate() error {
  98. if c.Mtu < 0 {
  99. return ErrInvalidMtu(c.Mtu)
  100. }
  101. // If bridge v4 subnet is specified
  102. if c.AddressIPv4 != nil {
  103. // If Container restricted subnet is specified, it must be a subset of bridge subnet
  104. if c.FixedCIDR != nil {
  105. // Check Network address
  106. if !c.AddressIPv4.Contains(c.FixedCIDR.IP) {
  107. return &ErrInvalidContainerSubnet{}
  108. }
  109. // Check it is effectively a subset
  110. brNetLen, _ := c.AddressIPv4.Mask.Size()
  111. cnNetLen, _ := c.FixedCIDR.Mask.Size()
  112. if brNetLen > cnNetLen {
  113. return &ErrInvalidContainerSubnet{}
  114. }
  115. }
  116. // If default gw is specified, it must be part of bridge subnet
  117. if c.DefaultGatewayIPv4 != nil {
  118. if !c.AddressIPv4.Contains(c.DefaultGatewayIPv4) {
  119. return &ErrInvalidGateway{}
  120. }
  121. }
  122. }
  123. // If default v6 gw is specified, FixedCIDRv6 must be specified and gw must belong to FixedCIDRv6 subnet
  124. if c.EnableIPv6 && c.DefaultGatewayIPv6 != nil {
  125. if c.FixedCIDRv6 == nil || !c.FixedCIDRv6.Contains(c.DefaultGatewayIPv6) {
  126. return &ErrInvalidGateway{}
  127. }
  128. }
  129. return nil
  130. }
  131. // Conflict check if two NetworkConfiguration objects overlap in the multinetwork
  132. func (c *networkConfiguration) Conflict(o *networkConfiguration) bool {
  133. if o == nil {
  134. return false
  135. }
  136. // Also empty, becasue only one network with empty name is allowed
  137. if c.BridgeName == o.BridgeName {
  138. return true
  139. }
  140. // They must be in different subnets
  141. if (c.AddressIPv4 != nil && o.AddressIPv4.IP != nil) &&
  142. (c.AddressIPv4.Contains(o.AddressIPv4.IP) || o.AddressIPv4.Contains(c.AddressIPv4.IP)) {
  143. return true
  144. }
  145. return false
  146. }
  147. // FromMap retrieve the configuration data from the map form.
  148. func (c *networkConfiguration) FromMap(data map[string]interface{}) error {
  149. if i, ok := data["BridgeName"]; ok && i != nil {
  150. if c.BridgeName, ok = i.(string); !ok {
  151. return types.BadRequestErrorf("invalid type for BridgeName value")
  152. }
  153. }
  154. var err error
  155. if i, ok := data["Mtu"]; ok && i != nil {
  156. if s, ok := i.(string); ok {
  157. if c.Mtu, err = strconv.Atoi(s); err != nil {
  158. return types.BadRequestErrorf("failed to parse Mtu value: %s", err.Error())
  159. }
  160. } else {
  161. return types.BadRequestErrorf("invalid type for Mtu value")
  162. }
  163. }
  164. if i, ok := data["EnableIPv6"]; ok && i != nil {
  165. if s, ok := i.(string); ok {
  166. if c.EnableIPv6, err = strconv.ParseBool(s); err != nil {
  167. return types.BadRequestErrorf("failed to parse EnableIPv6 value: %s", err.Error())
  168. }
  169. } else {
  170. return types.BadRequestErrorf("invalid type for EnableIPv6 value")
  171. }
  172. }
  173. if i, ok := data["EnableIPTables"]; ok && i != nil {
  174. if s, ok := i.(string); ok {
  175. if c.EnableIPTables, err = strconv.ParseBool(s); err != nil {
  176. return types.BadRequestErrorf("failed to parse EnableIPTables value: %s", err.Error())
  177. }
  178. } else {
  179. return types.BadRequestErrorf("invalid type for EnableIPTables value")
  180. }
  181. }
  182. if i, ok := data["EnableIPMasquerade"]; ok && i != nil {
  183. if s, ok := i.(string); ok {
  184. if c.EnableIPMasquerade, err = strconv.ParseBool(s); err != nil {
  185. return types.BadRequestErrorf("failed to parse EnableIPMasquerade value: %s", err.Error())
  186. }
  187. } else {
  188. return types.BadRequestErrorf("invalid type for EnableIPMasquerade value")
  189. }
  190. }
  191. if i, ok := data["EnableICC"]; ok && i != nil {
  192. if s, ok := i.(string); ok {
  193. if c.EnableICC, err = strconv.ParseBool(s); err != nil {
  194. return types.BadRequestErrorf("failed to parse EnableICC value: %s", err.Error())
  195. }
  196. } else {
  197. return types.BadRequestErrorf("invalid type for EnableICC value")
  198. }
  199. }
  200. if i, ok := data["AllowNonDefaultBridge"]; ok && i != nil {
  201. if s, ok := i.(string); ok {
  202. if c.AllowNonDefaultBridge, err = strconv.ParseBool(s); err != nil {
  203. return types.BadRequestErrorf("failed to parse AllowNonDefaultBridge value: %s", err.Error())
  204. }
  205. } else {
  206. return types.BadRequestErrorf("invalid type for AllowNonDefaultBridge value")
  207. }
  208. }
  209. if i, ok := data["AddressIPv4"]; ok && i != nil {
  210. if s, ok := i.(string); ok {
  211. if ip, nw, e := net.ParseCIDR(s); e == nil {
  212. nw.IP = ip
  213. c.AddressIPv4 = nw
  214. } else {
  215. return types.BadRequestErrorf("failed to parse AddressIPv4 value")
  216. }
  217. } else {
  218. return types.BadRequestErrorf("invalid type for AddressIPv4 value")
  219. }
  220. }
  221. if i, ok := data["FixedCIDR"]; ok && i != nil {
  222. if s, ok := i.(string); ok {
  223. if ip, nw, e := net.ParseCIDR(s); e == nil {
  224. nw.IP = ip
  225. c.FixedCIDR = nw
  226. } else {
  227. return types.BadRequestErrorf("failed to parse FixedCIDR value")
  228. }
  229. } else {
  230. return types.BadRequestErrorf("invalid type for FixedCIDR value")
  231. }
  232. }
  233. if i, ok := data["FixedCIDRv6"]; ok && i != nil {
  234. if s, ok := i.(string); ok {
  235. if ip, nw, e := net.ParseCIDR(s); e == nil {
  236. nw.IP = ip
  237. c.FixedCIDRv6 = nw
  238. } else {
  239. return types.BadRequestErrorf("failed to parse FixedCIDRv6 value")
  240. }
  241. } else {
  242. return types.BadRequestErrorf("invalid type for FixedCIDRv6 value")
  243. }
  244. }
  245. if i, ok := data["DefaultGatewayIPv4"]; ok && i != nil {
  246. if s, ok := i.(string); ok {
  247. if c.DefaultGatewayIPv4 = net.ParseIP(s); c.DefaultGatewayIPv4 == nil {
  248. return types.BadRequestErrorf("failed to parse DefaultGatewayIPv4 value")
  249. }
  250. } else {
  251. return types.BadRequestErrorf("invalid type for DefaultGatewayIPv4 value")
  252. }
  253. }
  254. if i, ok := data["DefaultGatewayIPv6"]; ok && i != nil {
  255. if s, ok := i.(string); ok {
  256. if c.DefaultGatewayIPv6 = net.ParseIP(s); c.DefaultGatewayIPv6 == nil {
  257. return types.BadRequestErrorf("failed to parse DefaultGatewayIPv6 value")
  258. }
  259. } else {
  260. return types.BadRequestErrorf("invalid type for DefaultGatewayIPv6 value")
  261. }
  262. }
  263. if i, ok := data["DefaultBindingIP"]; ok && i != nil {
  264. if s, ok := i.(string); ok {
  265. if c.DefaultBindingIP = net.ParseIP(s); c.DefaultBindingIP == nil {
  266. return types.BadRequestErrorf("failed to parse DefaultBindingIP value")
  267. }
  268. } else {
  269. return types.BadRequestErrorf("invalid type for DefaultBindingIP value")
  270. }
  271. }
  272. return nil
  273. }
  274. func (n *bridgeNetwork) getEndpoint(eid types.UUID) (*bridgeEndpoint, error) {
  275. n.Lock()
  276. defer n.Unlock()
  277. if eid == "" {
  278. return nil, InvalidEndpointIDError(eid)
  279. }
  280. if ep, ok := n.endpoints[eid]; ok {
  281. return ep, nil
  282. }
  283. return nil, nil
  284. }
  285. func (d *driver) Config(option map[string]interface{}) error {
  286. var config *configuration
  287. d.Lock()
  288. defer d.Unlock()
  289. if d.config != nil {
  290. return &ErrConfigExists{}
  291. }
  292. genericData, ok := option[netlabel.GenericData]
  293. if ok && genericData != nil {
  294. switch opt := genericData.(type) {
  295. case options.Generic:
  296. opaqueConfig, err := options.GenerateFromModel(opt, &configuration{})
  297. if err != nil {
  298. return err
  299. }
  300. config = opaqueConfig.(*configuration)
  301. case *configuration:
  302. config = opt
  303. default:
  304. return &ErrInvalidDriverConfig{}
  305. }
  306. d.config = config
  307. } else {
  308. config = &configuration{}
  309. }
  310. if config.EnableIPForwarding {
  311. return setupIPForwarding(config)
  312. }
  313. return nil
  314. }
  315. func (d *driver) getNetwork(id types.UUID) (*bridgeNetwork, error) {
  316. d.Lock()
  317. defer d.Unlock()
  318. if id == "" {
  319. return nil, types.BadRequestErrorf("invalid network id: %s", id)
  320. }
  321. if nw, ok := d.networks[id]; ok {
  322. return nw, nil
  323. }
  324. return nil, nil
  325. }
  326. func parseNetworkOptions(option options.Generic) (*networkConfiguration, error) {
  327. config := &networkConfiguration{}
  328. if genData, ok := option[netlabel.GenericData]; ok && genData != nil {
  329. switch opt := genData.(type) {
  330. case map[string]interface{}:
  331. if err := config.FromMap(opt); err != nil {
  332. return nil, err
  333. }
  334. case options.Generic:
  335. opaqueConfig, err := options.GenerateFromModel(opt, &networkConfiguration{})
  336. if err != nil {
  337. return nil, err
  338. }
  339. config = opaqueConfig.(*networkConfiguration)
  340. case *networkConfiguration:
  341. config = opt
  342. default:
  343. return nil, types.BadRequestErrorf("do not recognize network configuration format: %T", opt)
  344. }
  345. }
  346. if err := config.Validate(); err != nil {
  347. return nil, err
  348. }
  349. if _, ok := option[netlabel.EnableIPv6]; ok {
  350. config.EnableIPv6 = option[netlabel.EnableIPv6].(bool)
  351. }
  352. return config, nil
  353. }
  354. // Create a new network using bridge plugin
  355. func (d *driver) CreateNetwork(id types.UUID, option map[string]interface{}) error {
  356. var err error
  357. // Driver must be configured
  358. d.Lock()
  359. // Sanity checks
  360. if _, ok := d.networks[id]; ok {
  361. d.Unlock()
  362. return types.ForbiddenErrorf("network %s exists", id)
  363. }
  364. // Parse and validate the config. It should not conflict with existing networks' config
  365. config, err := parseNetworkOptions(option)
  366. if err != nil {
  367. d.Unlock()
  368. return err
  369. }
  370. for _, nw := range d.networks {
  371. if nw.config.Conflict(config) {
  372. d.Unlock()
  373. return types.ForbiddenErrorf("conflicts with network %s (%s)", nw.id, nw.config.BridgeName)
  374. }
  375. }
  376. // Create and set network handler in driver
  377. network := &bridgeNetwork{id: id, endpoints: make(map[types.UUID]*bridgeEndpoint), config: config}
  378. d.networks[id] = network
  379. d.Unlock()
  380. // On failure make sure to reset driver network handler to nil
  381. defer func() {
  382. if err != nil {
  383. d.Lock()
  384. delete(d.networks, id)
  385. d.Unlock()
  386. }
  387. }()
  388. // Create or retrieve the bridge L3 interface
  389. bridgeIface := newInterface(config)
  390. network.bridge = bridgeIface
  391. // Verify network does not conflict with previously configured networks
  392. // on parameters that were chosen by the driver.
  393. d.Lock()
  394. for _, nw := range d.networks {
  395. if nw.id == id {
  396. continue
  397. }
  398. // Verify the name (which may have been set by newInterface()) does not conflict with
  399. // existing bridge interfaces. Ironically the system chosen name gets stored in the config...
  400. // Basically we are checking if the two original configs were both empty.
  401. if nw.config.BridgeName == config.BridgeName {
  402. d.Unlock()
  403. return types.ForbiddenErrorf("conflicts with network %s (%s)", nw.id, nw.config.BridgeName)
  404. }
  405. // If this network config specifies the AddressIPv4, we need
  406. // to make sure it does not conflict with any previously allocated
  407. // bridges. This could not be completely caught by the config conflict
  408. // check, because networks which config does not specify the AddressIPv4
  409. // get their address and subnet selected by the driver (see electBridgeIPv4())
  410. if config.AddressIPv4 != nil {
  411. if nw.bridge.bridgeIPv4.Contains(config.AddressIPv4.IP) ||
  412. config.AddressIPv4.Contains(nw.bridge.bridgeIPv4.IP) {
  413. d.Unlock()
  414. return types.ForbiddenErrorf("conflicts with network %s (%s)", nw.id, nw.config.BridgeName)
  415. }
  416. }
  417. }
  418. d.Unlock()
  419. // Prepare the bridge setup configuration
  420. bridgeSetup := newBridgeSetup(config, bridgeIface)
  421. // If the bridge interface doesn't exist, we need to start the setup steps
  422. // by creating a new device and assigning it an IPv4 address.
  423. bridgeAlreadyExists := bridgeIface.exists()
  424. if !bridgeAlreadyExists {
  425. bridgeSetup.queueStep(setupDevice)
  426. }
  427. // Even if a bridge exists try to setup IPv4.
  428. bridgeSetup.queueStep(setupBridgeIPv4)
  429. // Conditionally queue setup steps depending on configuration values.
  430. for _, step := range []struct {
  431. Condition bool
  432. Fn setupStep
  433. }{
  434. // Enable IPv6 on the bridge if required. We do this even for a
  435. // previously existing bridge, as it may be here from a previous
  436. // installation where IPv6 wasn't supported yet and needs to be
  437. // assigned an IPv6 link-local address.
  438. {config.EnableIPv6, setupBridgeIPv6},
  439. // We ensure that the bridge has the expectedIPv4 and IPv6 addresses in
  440. // the case of a previously existing device.
  441. {bridgeAlreadyExists, setupVerifyAndReconcile},
  442. // Setup the bridge to allocate containers IPv4 addresses in the
  443. // specified subnet.
  444. {config.FixedCIDR != nil, setupFixedCIDRv4},
  445. // Setup the bridge to allocate containers global IPv6 addresses in the
  446. // specified subnet.
  447. {config.FixedCIDRv6 != nil, setupFixedCIDRv6},
  448. // Setup Loopback Adresses Routing
  449. {!config.EnableUserlandProxy, setupLoopbackAdressesRouting},
  450. // Setup IPTables.
  451. {config.EnableIPTables, setupIPTables},
  452. // Setup DefaultGatewayIPv4
  453. {config.DefaultGatewayIPv4 != nil, setupGatewayIPv4},
  454. // Setup DefaultGatewayIPv6
  455. {config.DefaultGatewayIPv6 != nil, setupGatewayIPv6},
  456. } {
  457. if step.Condition {
  458. bridgeSetup.queueStep(step.Fn)
  459. }
  460. }
  461. // Block bridge IP from being allocated.
  462. bridgeSetup.queueStep(allocateBridgeIP)
  463. // Apply the prepared list of steps, and abort at the first error.
  464. bridgeSetup.queueStep(setupDeviceUp)
  465. if err = bridgeSetup.apply(); err != nil {
  466. return err
  467. }
  468. return nil
  469. }
  470. func (d *driver) DeleteNetwork(nid types.UUID) error {
  471. var err error
  472. // Get network handler and remove it from driver
  473. d.Lock()
  474. n, ok := d.networks[nid]
  475. if !ok {
  476. d.Unlock()
  477. return types.InternalMaskableErrorf("network %s does not exist", nid)
  478. }
  479. delete(d.networks, nid)
  480. d.Unlock()
  481. // On failure set network handler back in driver, but
  482. // only if is not already taken over by some other thread
  483. defer func() {
  484. if err != nil {
  485. d.Lock()
  486. if _, ok := d.networks[nid]; !ok {
  487. d.networks[nid] = n
  488. }
  489. d.Unlock()
  490. }
  491. }()
  492. // Sanity check
  493. if n == nil {
  494. err = driverapi.ErrNoNetwork(nid)
  495. return err
  496. }
  497. // Cannot remove network if endpoints are still present
  498. if len(n.endpoints) != 0 {
  499. err = ActiveEndpointsError(n.id)
  500. return err
  501. }
  502. // Programming
  503. err = netlink.LinkDel(n.bridge.Link)
  504. return err
  505. }
  506. func (d *driver) CreateEndpoint(nid, eid types.UUID, epInfo driverapi.EndpointInfo, epOptions map[string]interface{}) error {
  507. var (
  508. ipv6Addr *net.IPNet
  509. err error
  510. )
  511. if epInfo == nil {
  512. return errors.New("invalid endpoint info passed")
  513. }
  514. if len(epInfo.Interfaces()) != 0 {
  515. return errors.New("non empty interface list passed to bridge(local) driver")
  516. }
  517. // Get the network handler and make sure it exists
  518. d.Lock()
  519. n, ok := d.networks[nid]
  520. if !ok {
  521. d.Unlock()
  522. return types.NotFoundErrorf("network %s does not exist", nid)
  523. }
  524. config := n.config
  525. d.Unlock()
  526. if n == nil {
  527. return driverapi.ErrNoNetwork(nid)
  528. }
  529. // Sanity check
  530. n.Lock()
  531. if n.id != nid {
  532. n.Unlock()
  533. return InvalidNetworkIDError(nid)
  534. }
  535. n.Unlock()
  536. // Check if endpoint id is good and retrieve correspondent endpoint
  537. ep, err := n.getEndpoint(eid)
  538. if err != nil {
  539. return err
  540. }
  541. // Endpoint with that id exists either on desired or other sandbox
  542. if ep != nil {
  543. return driverapi.ErrEndpointExists(eid)
  544. }
  545. // Try to convert the options to endpoint configuration
  546. epConfig, err := parseEndpointOptions(epOptions)
  547. if err != nil {
  548. return err
  549. }
  550. // Create and add the endpoint
  551. n.Lock()
  552. endpoint := &bridgeEndpoint{id: eid, config: epConfig}
  553. n.endpoints[eid] = endpoint
  554. n.Unlock()
  555. // On failure make sure to remove the endpoint
  556. defer func() {
  557. if err != nil {
  558. n.Lock()
  559. delete(n.endpoints, eid)
  560. n.Unlock()
  561. }
  562. }()
  563. // Generate a name for what will be the host side pipe interface
  564. name1, err := generateIfaceName()
  565. if err != nil {
  566. return err
  567. }
  568. // Generate a name for what will be the sandbox side pipe interface
  569. name2, err := generateIfaceName()
  570. if err != nil {
  571. return err
  572. }
  573. // Generate and add the interface pipe host <-> sandbox
  574. veth := &netlink.Veth{
  575. LinkAttrs: netlink.LinkAttrs{Name: name1, TxQLen: 0},
  576. PeerName: name2}
  577. if err = netlink.LinkAdd(veth); err != nil {
  578. return err
  579. }
  580. // Get the host side pipe interface handler
  581. host, err := netlink.LinkByName(name1)
  582. if err != nil {
  583. return err
  584. }
  585. defer func() {
  586. if err != nil {
  587. netlink.LinkDel(host)
  588. }
  589. }()
  590. // Get the sandbox side pipe interface handler
  591. sbox, err := netlink.LinkByName(name2)
  592. if err != nil {
  593. return err
  594. }
  595. defer func() {
  596. if err != nil {
  597. netlink.LinkDel(sbox)
  598. }
  599. }()
  600. // Set the sbox's MAC. If specified, use the one configured by user, otherwise use a random one
  601. mac := electMacAddress(epConfig)
  602. err = netlink.LinkSetHardwareAddr(sbox, mac)
  603. if err != nil {
  604. return err
  605. }
  606. endpoint.macAddress = mac
  607. // Add bridge inherited attributes to pipe interfaces
  608. if config.Mtu != 0 {
  609. err = netlink.LinkSetMTU(host, config.Mtu)
  610. if err != nil {
  611. return err
  612. }
  613. err = netlink.LinkSetMTU(sbox, config.Mtu)
  614. if err != nil {
  615. return err
  616. }
  617. }
  618. // Attach host side pipe interface into the bridge
  619. if err = netlink.LinkSetMaster(host,
  620. &netlink.Bridge{LinkAttrs: netlink.LinkAttrs{Name: config.BridgeName}}); err != nil {
  621. return err
  622. }
  623. // v4 address for the sandbox side pipe interface
  624. ip4, err := ipAllocator.RequestIP(n.bridge.bridgeIPv4, nil)
  625. if err != nil {
  626. return err
  627. }
  628. ipv4Addr := &net.IPNet{IP: ip4, Mask: n.bridge.bridgeIPv4.Mask}
  629. // v6 address for the sandbox side pipe interface
  630. ipv6Addr = &net.IPNet{}
  631. if config.EnableIPv6 {
  632. var ip6 net.IP
  633. network := n.bridge.bridgeIPv6
  634. if config.FixedCIDRv6 != nil {
  635. network = config.FixedCIDRv6
  636. }
  637. ones, _ := network.Mask.Size()
  638. if ones <= 80 {
  639. ip6 = make(net.IP, len(network.IP))
  640. copy(ip6, network.IP)
  641. for i, h := range mac {
  642. ip6[i+10] = h
  643. }
  644. }
  645. ip6, err := ipAllocator.RequestIP(network, ip6)
  646. if err != nil {
  647. return err
  648. }
  649. ipv6Addr = &net.IPNet{IP: ip6, Mask: network.Mask}
  650. }
  651. // Create the sandbox side pipe interface
  652. intf := &sandbox.Interface{}
  653. intf.SrcName = name2
  654. intf.DstName = containerVethPrefix
  655. intf.Address = ipv4Addr
  656. if config.EnableIPv6 {
  657. intf.AddressIPv6 = ipv6Addr
  658. }
  659. // Store the interface in endpoint, this is needed for cleanup on DeleteEndpoint()
  660. endpoint.intf = intf
  661. err = epInfo.AddInterface(ifaceID, endpoint.macAddress, *ipv4Addr, *ipv6Addr)
  662. if err != nil {
  663. return err
  664. }
  665. // Program any required port mapping and store them in the endpoint
  666. endpoint.portMapping, err = allocatePorts(epConfig, intf, config.DefaultBindingIP, config.EnableUserlandProxy)
  667. if err != nil {
  668. return err
  669. }
  670. return nil
  671. }
  672. func (d *driver) DeleteEndpoint(nid, eid types.UUID) error {
  673. var err error
  674. // Get the network handler and make sure it exists
  675. d.Lock()
  676. n, ok := d.networks[nid]
  677. if !ok {
  678. d.Unlock()
  679. return types.NotFoundErrorf("network %s does not exist", nid)
  680. }
  681. config := n.config
  682. d.Unlock()
  683. if n == nil {
  684. return driverapi.ErrNoNetwork(nid)
  685. }
  686. // Sanity Check
  687. n.Lock()
  688. if n.id != nid {
  689. n.Unlock()
  690. return InvalidNetworkIDError(nid)
  691. }
  692. n.Unlock()
  693. // Check endpoint id and if an endpoint is actually there
  694. ep, err := n.getEndpoint(eid)
  695. if err != nil {
  696. return err
  697. }
  698. if ep == nil {
  699. return EndpointNotFoundError(eid)
  700. }
  701. // Remove it
  702. n.Lock()
  703. delete(n.endpoints, eid)
  704. n.Unlock()
  705. // On failure make sure to set back ep in n.endpoints, but only
  706. // if it hasn't been taken over already by some other thread.
  707. defer func() {
  708. if err != nil {
  709. n.Lock()
  710. if _, ok := n.endpoints[eid]; !ok {
  711. n.endpoints[eid] = ep
  712. }
  713. n.Unlock()
  714. }
  715. }()
  716. // Remove port mappings. Do not stop endpoint delete on unmap failure
  717. releasePorts(ep)
  718. // Release the v4 address allocated to this endpoint's sandbox interface
  719. err = ipAllocator.ReleaseIP(n.bridge.bridgeIPv4, ep.intf.Address.IP)
  720. if err != nil {
  721. return err
  722. }
  723. // Release the v6 address allocated to this endpoint's sandbox interface
  724. if config.EnableIPv6 {
  725. err := ipAllocator.ReleaseIP(n.bridge.bridgeIPv6, ep.intf.AddressIPv6.IP)
  726. if err != nil {
  727. return err
  728. }
  729. }
  730. // Try removal of link. Discard error: link pair might have
  731. // already been deleted by sandbox delete.
  732. link, err := netlink.LinkByName(ep.intf.SrcName)
  733. if err == nil {
  734. netlink.LinkDel(link)
  735. }
  736. return nil
  737. }
  738. func (d *driver) EndpointOperInfo(nid, eid types.UUID) (map[string]interface{}, error) {
  739. // Get the network handler and make sure it exists
  740. d.Lock()
  741. n, ok := d.networks[nid]
  742. if !ok {
  743. d.Unlock()
  744. return nil, types.NotFoundErrorf("network %s does not exist", nid)
  745. }
  746. d.Unlock()
  747. if n == nil {
  748. return nil, driverapi.ErrNoNetwork(nid)
  749. }
  750. // Sanity check
  751. n.Lock()
  752. if n.id != nid {
  753. n.Unlock()
  754. return nil, InvalidNetworkIDError(nid)
  755. }
  756. n.Unlock()
  757. // Check if endpoint id is good and retrieve correspondent endpoint
  758. ep, err := n.getEndpoint(eid)
  759. if err != nil {
  760. return nil, err
  761. }
  762. if ep == nil {
  763. return nil, driverapi.ErrNoEndpoint(eid)
  764. }
  765. m := make(map[string]interface{})
  766. if ep.portMapping != nil {
  767. // Return a copy of the operational data
  768. pmc := make([]types.PortBinding, 0, len(ep.portMapping))
  769. for _, pm := range ep.portMapping {
  770. pmc = append(pmc, pm.GetCopy())
  771. }
  772. m[netlabel.PortMap] = pmc
  773. }
  774. if len(ep.macAddress) != 0 {
  775. m[netlabel.MacAddress] = ep.macAddress
  776. }
  777. return m, nil
  778. }
  779. // Join method is invoked when a Sandbox is attached to an endpoint.
  780. func (d *driver) Join(nid, eid types.UUID, sboxKey string, jinfo driverapi.JoinInfo, options map[string]interface{}) error {
  781. network, err := d.getNetwork(nid)
  782. if err != nil {
  783. return err
  784. }
  785. endpoint, err := network.getEndpoint(eid)
  786. if err != nil {
  787. return err
  788. }
  789. if endpoint == nil {
  790. return EndpointNotFoundError(eid)
  791. }
  792. for _, iNames := range jinfo.InterfaceNames() {
  793. // Make sure to set names on the correct interface ID.
  794. if iNames.ID() == ifaceID {
  795. err = iNames.SetNames(endpoint.intf.SrcName, endpoint.intf.DstName)
  796. if err != nil {
  797. return err
  798. }
  799. }
  800. }
  801. err = jinfo.SetGateway(network.bridge.gatewayIPv4)
  802. if err != nil {
  803. return err
  804. }
  805. err = jinfo.SetGatewayIPv6(network.bridge.gatewayIPv6)
  806. if err != nil {
  807. return err
  808. }
  809. if !network.config.EnableICC {
  810. return d.link(network, endpoint, options, true)
  811. }
  812. return nil
  813. }
  814. // Leave method is invoked when a Sandbox detaches from an endpoint.
  815. func (d *driver) Leave(nid, eid types.UUID) error {
  816. network, err := d.getNetwork(nid)
  817. if err != nil {
  818. return err
  819. }
  820. endpoint, err := network.getEndpoint(eid)
  821. if err != nil {
  822. return err
  823. }
  824. if endpoint == nil {
  825. return EndpointNotFoundError(eid)
  826. }
  827. if !network.config.EnableICC {
  828. return d.link(network, endpoint, nil, false)
  829. }
  830. return nil
  831. }
  832. func (d *driver) link(network *bridgeNetwork, endpoint *bridgeEndpoint, options map[string]interface{}, enable bool) error {
  833. var (
  834. cc *containerConfiguration
  835. err error
  836. )
  837. if enable {
  838. cc, err = parseContainerOptions(options)
  839. if err != nil {
  840. return err
  841. }
  842. } else {
  843. cc = endpoint.containerConfig
  844. }
  845. if cc == nil {
  846. return nil
  847. }
  848. if endpoint.config != nil && endpoint.config.ExposedPorts != nil {
  849. for _, p := range cc.ParentEndpoints {
  850. var parentEndpoint *bridgeEndpoint
  851. parentEndpoint, err = network.getEndpoint(types.UUID(p))
  852. if err != nil {
  853. return err
  854. }
  855. if parentEndpoint == nil {
  856. err = InvalidEndpointIDError(p)
  857. return err
  858. }
  859. l := newLink(parentEndpoint.intf.Address.IP.String(),
  860. endpoint.intf.Address.IP.String(),
  861. endpoint.config.ExposedPorts, network.config.BridgeName)
  862. if enable {
  863. err = l.Enable()
  864. if err != nil {
  865. return err
  866. }
  867. defer func() {
  868. if err != nil {
  869. l.Disable()
  870. }
  871. }()
  872. } else {
  873. l.Disable()
  874. }
  875. }
  876. }
  877. for _, c := range cc.ChildEndpoints {
  878. var childEndpoint *bridgeEndpoint
  879. childEndpoint, err = network.getEndpoint(types.UUID(c))
  880. if err != nil {
  881. return err
  882. }
  883. if childEndpoint == nil {
  884. err = InvalidEndpointIDError(c)
  885. return err
  886. }
  887. if childEndpoint.config == nil || childEndpoint.config.ExposedPorts == nil {
  888. continue
  889. }
  890. l := newLink(endpoint.intf.Address.IP.String(),
  891. childEndpoint.intf.Address.IP.String(),
  892. childEndpoint.config.ExposedPorts, network.config.BridgeName)
  893. if enable {
  894. err = l.Enable()
  895. if err != nil {
  896. return err
  897. }
  898. defer func() {
  899. if err != nil {
  900. l.Disable()
  901. }
  902. }()
  903. } else {
  904. l.Disable()
  905. }
  906. }
  907. if enable {
  908. endpoint.containerConfig = cc
  909. }
  910. return nil
  911. }
  912. func (d *driver) Type() string {
  913. return networkType
  914. }
  915. func parseEndpointOptions(epOptions map[string]interface{}) (*endpointConfiguration, error) {
  916. if epOptions == nil {
  917. return nil, nil
  918. }
  919. ec := &endpointConfiguration{}
  920. if opt, ok := epOptions[netlabel.MacAddress]; ok {
  921. if mac, ok := opt.(net.HardwareAddr); ok {
  922. ec.MacAddress = mac
  923. } else {
  924. return nil, &ErrInvalidEndpointConfig{}
  925. }
  926. }
  927. if opt, ok := epOptions[netlabel.PortMap]; ok {
  928. if bs, ok := opt.([]types.PortBinding); ok {
  929. ec.PortBindings = bs
  930. } else {
  931. return nil, &ErrInvalidEndpointConfig{}
  932. }
  933. }
  934. if opt, ok := epOptions[netlabel.ExposedPorts]; ok {
  935. if ports, ok := opt.([]types.TransportPort); ok {
  936. ec.ExposedPorts = ports
  937. } else {
  938. return nil, &ErrInvalidEndpointConfig{}
  939. }
  940. }
  941. return ec, nil
  942. }
  943. func parseContainerOptions(cOptions map[string]interface{}) (*containerConfiguration, error) {
  944. if cOptions == nil {
  945. return nil, nil
  946. }
  947. genericData := cOptions[netlabel.GenericData]
  948. if genericData == nil {
  949. return nil, nil
  950. }
  951. switch opt := genericData.(type) {
  952. case options.Generic:
  953. opaqueConfig, err := options.GenerateFromModel(opt, &containerConfiguration{})
  954. if err != nil {
  955. return nil, err
  956. }
  957. return opaqueConfig.(*containerConfiguration), nil
  958. case *containerConfiguration:
  959. return opt, nil
  960. default:
  961. return nil, nil
  962. }
  963. }
  964. func electMacAddress(epConfig *endpointConfiguration) net.HardwareAddr {
  965. if epConfig != nil && epConfig.MacAddress != nil {
  966. return epConfig.MacAddress
  967. }
  968. return netutils.GenerateRandomMAC()
  969. }
  970. // Generates a name to be used for a virtual ethernet
  971. // interface. The name is constructed by 'veth' appended
  972. // by a randomly generated hex value. (example: veth0f60e2c)
  973. func generateIfaceName() (string, error) {
  974. for i := 0; i < 3; i++ {
  975. name, err := netutils.GenerateRandomName(vethPrefix, vethLen)
  976. if err != nil {
  977. continue
  978. }
  979. if _, err := net.InterfaceByName(name); err != nil {
  980. if strings.Contains(err.Error(), "no such") {
  981. return name, nil
  982. }
  983. return "", err
  984. }
  985. }
  986. return "", &ErrIfaceName{}
  987. }