bridge.go 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497
  1. //go:build linux
  2. package bridge
  3. import (
  4. "context"
  5. "errors"
  6. "fmt"
  7. "net"
  8. "os"
  9. "os/exec"
  10. "strconv"
  11. "sync"
  12. "github.com/containerd/containerd/log"
  13. "github.com/docker/docker/libnetwork/datastore"
  14. "github.com/docker/docker/libnetwork/driverapi"
  15. "github.com/docker/docker/libnetwork/iptables"
  16. "github.com/docker/docker/libnetwork/netlabel"
  17. "github.com/docker/docker/libnetwork/netutils"
  18. "github.com/docker/docker/libnetwork/ns"
  19. "github.com/docker/docker/libnetwork/options"
  20. "github.com/docker/docker/libnetwork/portallocator"
  21. "github.com/docker/docker/libnetwork/portmapper"
  22. "github.com/docker/docker/libnetwork/scope"
  23. "github.com/docker/docker/libnetwork/types"
  24. "github.com/vishvananda/netlink"
  25. )
  26. const (
  27. NetworkType = "bridge"
  28. vethPrefix = "veth"
  29. vethLen = len(vethPrefix) + 7
  30. defaultContainerVethPrefix = "eth"
  31. maxAllocatePortAttempts = 10
  32. )
  33. const (
  34. // DefaultGatewayV4AuxKey represents the default-gateway configured by the user
  35. DefaultGatewayV4AuxKey = "DefaultGatewayIPv4"
  36. // DefaultGatewayV6AuxKey represents the ipv6 default-gateway configured by the user
  37. DefaultGatewayV6AuxKey = "DefaultGatewayIPv6"
  38. )
  39. type defaultBridgeNetworkConflict struct {
  40. ID string
  41. }
  42. func (d defaultBridgeNetworkConflict) Error() string {
  43. return fmt.Sprintf("Stale default bridge network %s", d.ID)
  44. }
  45. type (
  46. iptableCleanFunc func() error
  47. iptablesCleanFuncs []iptableCleanFunc
  48. )
  49. // configuration info for the "bridge" driver.
  50. type configuration struct {
  51. EnableIPForwarding bool
  52. EnableIPTables bool
  53. EnableIP6Tables bool
  54. EnableUserlandProxy bool
  55. UserlandProxyPath string
  56. }
  57. // networkConfiguration for network specific configuration
  58. type networkConfiguration struct {
  59. ID string
  60. BridgeName string
  61. EnableIPv6 bool
  62. EnableIPMasquerade bool
  63. EnableICC bool
  64. InhibitIPv4 bool
  65. Mtu int
  66. DefaultBindingIP net.IP
  67. DefaultBridge bool
  68. HostIP net.IP
  69. ContainerIfacePrefix string
  70. // Internal fields set after ipam data parsing
  71. AddressIPv4 *net.IPNet
  72. AddressIPv6 *net.IPNet
  73. DefaultGatewayIPv4 net.IP
  74. DefaultGatewayIPv6 net.IP
  75. dbIndex uint64
  76. dbExists bool
  77. Internal bool
  78. BridgeIfaceCreator ifaceCreator
  79. }
  80. // ifaceCreator represents how the bridge interface was created
  81. type ifaceCreator int8
  82. const (
  83. ifaceCreatorUnknown ifaceCreator = iota
  84. ifaceCreatedByLibnetwork
  85. ifaceCreatedByUser
  86. )
  87. // endpointConfiguration represents the user specified configuration for the sandbox endpoint
  88. type endpointConfiguration struct {
  89. MacAddress net.HardwareAddr
  90. }
  91. // containerConfiguration represents the user specified configuration for a container
  92. type containerConfiguration struct {
  93. ParentEndpoints []string
  94. ChildEndpoints []string
  95. }
  96. // connectivityConfiguration represents the user specified configuration regarding the external connectivity
  97. type connectivityConfiguration struct {
  98. PortBindings []types.PortBinding
  99. ExposedPorts []types.TransportPort
  100. }
  101. type bridgeEndpoint struct {
  102. id string
  103. nid string
  104. srcName string
  105. addr *net.IPNet
  106. addrv6 *net.IPNet
  107. macAddress net.HardwareAddr
  108. config *endpointConfiguration // User specified parameters
  109. containerConfig *containerConfiguration
  110. extConnConfig *connectivityConfiguration
  111. portMapping []types.PortBinding // Operation port bindings
  112. dbIndex uint64
  113. dbExists bool
  114. }
  115. type bridgeNetwork struct {
  116. id string
  117. bridge *bridgeInterface // The bridge's L3 interface
  118. config *networkConfiguration
  119. endpoints map[string]*bridgeEndpoint // key: endpoint id
  120. portMapper *portmapper.PortMapper
  121. portMapperV6 *portmapper.PortMapper
  122. driver *driver // The network's driver
  123. iptCleanFuncs iptablesCleanFuncs
  124. sync.Mutex
  125. }
  126. type driver struct {
  127. config configuration
  128. natChain *iptables.ChainInfo
  129. filterChain *iptables.ChainInfo
  130. isolationChain1 *iptables.ChainInfo
  131. isolationChain2 *iptables.ChainInfo
  132. natChainV6 *iptables.ChainInfo
  133. filterChainV6 *iptables.ChainInfo
  134. isolationChain1V6 *iptables.ChainInfo
  135. isolationChain2V6 *iptables.ChainInfo
  136. networks map[string]*bridgeNetwork
  137. store *datastore.Store
  138. nlh *netlink.Handle
  139. configNetwork sync.Mutex
  140. portAllocator *portallocator.PortAllocator // Overridable for tests.
  141. sync.Mutex
  142. }
  143. // New constructs a new bridge driver
  144. func newDriver() *driver {
  145. return &driver{
  146. networks: map[string]*bridgeNetwork{},
  147. portAllocator: portallocator.Get(),
  148. }
  149. }
  150. // Register registers a new instance of bridge driver.
  151. func Register(r driverapi.Registerer, config map[string]interface{}) error {
  152. d := newDriver()
  153. if err := d.configure(config); err != nil {
  154. return err
  155. }
  156. return r.RegisterDriver(NetworkType, d, driverapi.Capability{
  157. DataScope: scope.Local,
  158. ConnectivityScope: scope.Local,
  159. })
  160. }
  161. // Validate performs a static validation on the network configuration parameters.
  162. // Whatever can be assessed a priori before attempting any programming.
  163. func (c *networkConfiguration) Validate() error {
  164. if c.Mtu < 0 {
  165. return ErrInvalidMtu(c.Mtu)
  166. }
  167. // If bridge v4 subnet is specified
  168. if c.AddressIPv4 != nil {
  169. // If default gw is specified, it must be part of bridge subnet
  170. if c.DefaultGatewayIPv4 != nil {
  171. if !c.AddressIPv4.Contains(c.DefaultGatewayIPv4) {
  172. return &ErrInvalidGateway{}
  173. }
  174. }
  175. }
  176. // If default v6 gw is specified, AddressIPv6 must be specified and gw must belong to AddressIPv6 subnet
  177. if c.EnableIPv6 && c.DefaultGatewayIPv6 != nil {
  178. if c.AddressIPv6 == nil || !c.AddressIPv6.Contains(c.DefaultGatewayIPv6) {
  179. return &ErrInvalidGateway{}
  180. }
  181. }
  182. return nil
  183. }
  184. // Conflicts check if two NetworkConfiguration objects overlap
  185. func (c *networkConfiguration) Conflicts(o *networkConfiguration) error {
  186. if o == nil {
  187. return errors.New("same configuration")
  188. }
  189. // Also empty, because only one network with empty name is allowed
  190. if c.BridgeName == o.BridgeName {
  191. return errors.New("networks have same bridge name")
  192. }
  193. // They must be in different subnets
  194. if (c.AddressIPv4 != nil && o.AddressIPv4 != nil) &&
  195. (c.AddressIPv4.Contains(o.AddressIPv4.IP) || o.AddressIPv4.Contains(c.AddressIPv4.IP)) {
  196. return errors.New("networks have overlapping IPv4")
  197. }
  198. // They must be in different v6 subnets
  199. if (c.AddressIPv6 != nil && o.AddressIPv6 != nil) &&
  200. (c.AddressIPv6.Contains(o.AddressIPv6.IP) || o.AddressIPv6.Contains(c.AddressIPv6.IP)) {
  201. return errors.New("networks have overlapping IPv6")
  202. }
  203. return nil
  204. }
  205. func (c *networkConfiguration) fromLabels(labels map[string]string) error {
  206. var err error
  207. for label, value := range labels {
  208. switch label {
  209. case BridgeName:
  210. c.BridgeName = value
  211. case netlabel.DriverMTU:
  212. if c.Mtu, err = strconv.Atoi(value); err != nil {
  213. return parseErr(label, value, err.Error())
  214. }
  215. case netlabel.EnableIPv6:
  216. if c.EnableIPv6, err = strconv.ParseBool(value); err != nil {
  217. return parseErr(label, value, err.Error())
  218. }
  219. case EnableIPMasquerade:
  220. if c.EnableIPMasquerade, err = strconv.ParseBool(value); err != nil {
  221. return parseErr(label, value, err.Error())
  222. }
  223. case EnableICC:
  224. if c.EnableICC, err = strconv.ParseBool(value); err != nil {
  225. return parseErr(label, value, err.Error())
  226. }
  227. case InhibitIPv4:
  228. if c.InhibitIPv4, err = strconv.ParseBool(value); err != nil {
  229. return parseErr(label, value, err.Error())
  230. }
  231. case DefaultBridge:
  232. if c.DefaultBridge, err = strconv.ParseBool(value); err != nil {
  233. return parseErr(label, value, err.Error())
  234. }
  235. case DefaultBindingIP:
  236. if c.DefaultBindingIP = net.ParseIP(value); c.DefaultBindingIP == nil {
  237. return parseErr(label, value, "nil ip")
  238. }
  239. case netlabel.ContainerIfacePrefix:
  240. c.ContainerIfacePrefix = value
  241. case netlabel.HostIP:
  242. if c.HostIP = net.ParseIP(value); c.HostIP == nil {
  243. return parseErr(label, value, "nil ip")
  244. }
  245. }
  246. }
  247. return nil
  248. }
  249. func parseErr(label, value, errString string) error {
  250. return types.BadRequestErrorf("failed to parse %s value: %v (%s)", label, value, errString)
  251. }
  252. func (n *bridgeNetwork) registerIptCleanFunc(clean iptableCleanFunc) {
  253. n.iptCleanFuncs = append(n.iptCleanFuncs, clean)
  254. }
  255. func (n *bridgeNetwork) getDriverChains(version iptables.IPVersion) (*iptables.ChainInfo, *iptables.ChainInfo, *iptables.ChainInfo, *iptables.ChainInfo, error) {
  256. n.Lock()
  257. defer n.Unlock()
  258. if n.driver == nil {
  259. return nil, nil, nil, nil, types.BadRequestErrorf("no driver found")
  260. }
  261. if version == iptables.IPv6 {
  262. return n.driver.natChainV6, n.driver.filterChainV6, n.driver.isolationChain1V6, n.driver.isolationChain2V6, nil
  263. }
  264. return n.driver.natChain, n.driver.filterChain, n.driver.isolationChain1, n.driver.isolationChain2, nil
  265. }
  266. func (n *bridgeNetwork) getNetworkBridgeName() string {
  267. n.Lock()
  268. config := n.config
  269. n.Unlock()
  270. return config.BridgeName
  271. }
  272. func (n *bridgeNetwork) getEndpoint(eid string) (*bridgeEndpoint, error) {
  273. n.Lock()
  274. defer n.Unlock()
  275. if eid == "" {
  276. return nil, InvalidEndpointIDError(eid)
  277. }
  278. if ep, ok := n.endpoints[eid]; ok {
  279. return ep, nil
  280. }
  281. return nil, nil
  282. }
  283. // Install/Removes the iptables rules needed to isolate this network
  284. // from each of the other networks
  285. func (n *bridgeNetwork) isolateNetwork(enable bool) error {
  286. n.Lock()
  287. thisConfig := n.config
  288. n.Unlock()
  289. if thisConfig.Internal {
  290. return nil
  291. }
  292. // Install the rules to isolate this network against each of the other networks
  293. if n.driver.config.EnableIP6Tables {
  294. err := setINC(iptables.IPv6, thisConfig.BridgeName, enable)
  295. if err != nil {
  296. return err
  297. }
  298. }
  299. if n.driver.config.EnableIPTables {
  300. return setINC(iptables.IPv4, thisConfig.BridgeName, enable)
  301. }
  302. return nil
  303. }
  304. func (d *driver) configure(option map[string]interface{}) error {
  305. var (
  306. config configuration
  307. err error
  308. natChain *iptables.ChainInfo
  309. filterChain *iptables.ChainInfo
  310. isolationChain1 *iptables.ChainInfo
  311. isolationChain2 *iptables.ChainInfo
  312. natChainV6 *iptables.ChainInfo
  313. filterChainV6 *iptables.ChainInfo
  314. isolationChain1V6 *iptables.ChainInfo
  315. isolationChain2V6 *iptables.ChainInfo
  316. )
  317. switch opt := option[netlabel.GenericData].(type) {
  318. case options.Generic:
  319. opaqueConfig, err := options.GenerateFromModel(opt, &configuration{})
  320. if err != nil {
  321. return err
  322. }
  323. config = *opaqueConfig.(*configuration)
  324. case *configuration:
  325. config = *opt
  326. case nil:
  327. // No GenericData option set. Use defaults.
  328. default:
  329. return &ErrInvalidDriverConfig{}
  330. }
  331. if config.EnableIPTables || config.EnableIP6Tables {
  332. if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
  333. if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
  334. log.G(context.TODO()).Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
  335. }
  336. }
  337. }
  338. if config.EnableIPTables {
  339. removeIPChains(iptables.IPv4)
  340. natChain, filterChain, isolationChain1, isolationChain2, err = setupIPChains(config, iptables.IPv4)
  341. if err != nil {
  342. return err
  343. }
  344. // Make sure on firewall reload, first thing being re-played is chains creation
  345. iptables.OnReloaded(func() {
  346. log.G(context.TODO()).Debugf("Recreating iptables chains on firewall reload")
  347. if _, _, _, _, err := setupIPChains(config, iptables.IPv4); err != nil {
  348. log.G(context.TODO()).WithError(err).Error("Error reloading iptables chains")
  349. }
  350. })
  351. }
  352. if config.EnableIP6Tables {
  353. removeIPChains(iptables.IPv6)
  354. natChainV6, filterChainV6, isolationChain1V6, isolationChain2V6, err = setupIPChains(config, iptables.IPv6)
  355. if err != nil {
  356. return err
  357. }
  358. // Make sure on firewall reload, first thing being re-played is chains creation
  359. iptables.OnReloaded(func() {
  360. log.G(context.TODO()).Debugf("Recreating ip6tables chains on firewall reload")
  361. if _, _, _, _, err := setupIPChains(config, iptables.IPv6); err != nil {
  362. log.G(context.TODO()).WithError(err).Error("Error reloading ip6tables chains")
  363. }
  364. })
  365. }
  366. if config.EnableIPForwarding {
  367. err = setupIPForwarding(config.EnableIPTables, config.EnableIP6Tables)
  368. if err != nil {
  369. log.G(context.TODO()).Warn(err)
  370. return err
  371. }
  372. }
  373. d.Lock()
  374. d.natChain = natChain
  375. d.filterChain = filterChain
  376. d.isolationChain1 = isolationChain1
  377. d.isolationChain2 = isolationChain2
  378. d.natChainV6 = natChainV6
  379. d.filterChainV6 = filterChainV6
  380. d.isolationChain1V6 = isolationChain1V6
  381. d.isolationChain2V6 = isolationChain2V6
  382. d.config = config
  383. d.Unlock()
  384. return d.initStore(option)
  385. }
  386. func (d *driver) getNetwork(id string) (*bridgeNetwork, error) {
  387. d.Lock()
  388. defer d.Unlock()
  389. if id == "" {
  390. return nil, types.BadRequestErrorf("invalid network id: %s", id)
  391. }
  392. if nw, ok := d.networks[id]; ok {
  393. return nw, nil
  394. }
  395. return nil, types.NotFoundErrorf("network not found: %s", id)
  396. }
  397. func parseNetworkGenericOptions(data interface{}) (*networkConfiguration, error) {
  398. var (
  399. err error
  400. config *networkConfiguration
  401. )
  402. switch opt := data.(type) {
  403. case *networkConfiguration:
  404. config = opt
  405. case map[string]string:
  406. config = &networkConfiguration{
  407. EnableICC: true,
  408. EnableIPMasquerade: true,
  409. }
  410. err = config.fromLabels(opt)
  411. case options.Generic:
  412. var opaqueConfig interface{}
  413. if opaqueConfig, err = options.GenerateFromModel(opt, config); err == nil {
  414. config = opaqueConfig.(*networkConfiguration)
  415. }
  416. default:
  417. err = types.BadRequestErrorf("do not recognize network configuration format: %T", opt)
  418. }
  419. return config, err
  420. }
  421. func (c *networkConfiguration) processIPAM(id string, ipamV4Data, ipamV6Data []driverapi.IPAMData) error {
  422. if len(ipamV4Data) > 1 || len(ipamV6Data) > 1 {
  423. return types.ForbiddenErrorf("bridge driver doesn't support multiple subnets")
  424. }
  425. if len(ipamV4Data) == 0 {
  426. return types.BadRequestErrorf("bridge network %s requires ipv4 configuration", id)
  427. }
  428. if ipamV4Data[0].Gateway != nil {
  429. c.AddressIPv4 = types.GetIPNetCopy(ipamV4Data[0].Gateway)
  430. }
  431. if gw, ok := ipamV4Data[0].AuxAddresses[DefaultGatewayV4AuxKey]; ok {
  432. c.DefaultGatewayIPv4 = gw.IP
  433. }
  434. if len(ipamV6Data) > 0 {
  435. c.AddressIPv6 = ipamV6Data[0].Pool
  436. if ipamV6Data[0].Gateway != nil {
  437. c.AddressIPv6 = types.GetIPNetCopy(ipamV6Data[0].Gateway)
  438. }
  439. if gw, ok := ipamV6Data[0].AuxAddresses[DefaultGatewayV6AuxKey]; ok {
  440. c.DefaultGatewayIPv6 = gw.IP
  441. }
  442. }
  443. return nil
  444. }
  445. func parseNetworkOptions(id string, option options.Generic) (*networkConfiguration, error) {
  446. var (
  447. err error
  448. config = &networkConfiguration{}
  449. )
  450. // Parse generic label first, config will be re-assigned
  451. if genData, ok := option[netlabel.GenericData]; ok && genData != nil {
  452. if config, err = parseNetworkGenericOptions(genData); err != nil {
  453. return nil, err
  454. }
  455. }
  456. // Process well-known labels next
  457. if val, ok := option[netlabel.EnableIPv6]; ok {
  458. config.EnableIPv6 = val.(bool)
  459. }
  460. if val, ok := option[netlabel.Internal]; ok {
  461. if internal, ok := val.(bool); ok && internal {
  462. config.Internal = true
  463. }
  464. }
  465. // Finally validate the configuration
  466. if err = config.Validate(); err != nil {
  467. return nil, err
  468. }
  469. if config.BridgeName == "" && !config.DefaultBridge {
  470. config.BridgeName = "br-" + id[:12]
  471. }
  472. exists, err := bridgeInterfaceExists(config.BridgeName)
  473. if err != nil {
  474. return nil, err
  475. }
  476. if !exists {
  477. config.BridgeIfaceCreator = ifaceCreatedByLibnetwork
  478. } else {
  479. config.BridgeIfaceCreator = ifaceCreatedByUser
  480. }
  481. config.ID = id
  482. return config, nil
  483. }
  484. // Return a slice of networks over which caller can iterate safely
  485. func (d *driver) getNetworks() []*bridgeNetwork {
  486. d.Lock()
  487. defer d.Unlock()
  488. ls := make([]*bridgeNetwork, 0, len(d.networks))
  489. for _, nw := range d.networks {
  490. ls = append(ls, nw)
  491. }
  492. return ls
  493. }
  494. func (d *driver) NetworkAllocate(id string, option map[string]string, ipV4Data, ipV6Data []driverapi.IPAMData) (map[string]string, error) {
  495. return nil, types.NotImplementedErrorf("not implemented")
  496. }
  497. func (d *driver) NetworkFree(id string) error {
  498. return types.NotImplementedErrorf("not implemented")
  499. }
  500. func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
  501. }
  502. func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
  503. return "", nil
  504. }
  505. // Create a new network using bridge plugin
  506. func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo driverapi.NetworkInfo, ipV4Data, ipV6Data []driverapi.IPAMData) error {
  507. if len(ipV4Data) == 0 || ipV4Data[0].Pool.String() == "0.0.0.0/0" {
  508. return types.BadRequestErrorf("ipv4 pool is empty")
  509. }
  510. // Sanity checks
  511. d.Lock()
  512. if _, ok := d.networks[id]; ok {
  513. d.Unlock()
  514. return types.ForbiddenErrorf("network %s exists", id)
  515. }
  516. d.Unlock()
  517. // Parse and validate the config. It should not be conflict with existing networks' config
  518. config, err := parseNetworkOptions(id, option)
  519. if err != nil {
  520. return err
  521. }
  522. if err = config.processIPAM(id, ipV4Data, ipV6Data); err != nil {
  523. return err
  524. }
  525. // start the critical section, from this point onward we are dealing with the list of networks
  526. // so to be consistent we cannot allow that the list changes
  527. d.configNetwork.Lock()
  528. defer d.configNetwork.Unlock()
  529. // check network conflicts
  530. if err = d.checkConflict(config); err != nil {
  531. nerr, ok := err.(defaultBridgeNetworkConflict)
  532. if !ok {
  533. return err
  534. }
  535. // Got a conflict with a stale default network, clean that up and continue
  536. log.G(context.TODO()).Warn(nerr)
  537. if err := d.deleteNetwork(nerr.ID); err != nil {
  538. log.G(context.TODO()).WithError(err).Debug("Error while cleaning up network on conflict")
  539. }
  540. }
  541. // there is no conflict, now create the network
  542. if err = d.createNetwork(config); err != nil {
  543. return err
  544. }
  545. return d.storeUpdate(config)
  546. }
  547. func (d *driver) checkConflict(config *networkConfiguration) error {
  548. networkList := d.getNetworks()
  549. for _, nw := range networkList {
  550. nw.Lock()
  551. nwConfig := nw.config
  552. nw.Unlock()
  553. if err := nwConfig.Conflicts(config); err != nil {
  554. if nwConfig.DefaultBridge {
  555. // We encountered and identified a stale default network
  556. // We must delete it as libnetwork is the source of truth
  557. // The default network being created must be the only one
  558. // This can happen only from docker 1.12 on ward
  559. log.G(context.TODO()).Infof("Found stale default bridge network %s (%s)", nwConfig.ID, nwConfig.BridgeName)
  560. return defaultBridgeNetworkConflict{nwConfig.ID}
  561. }
  562. return types.ForbiddenErrorf("cannot create network %s (%s): conflicts with network %s (%s): %s",
  563. config.ID, config.BridgeName, nwConfig.ID, nwConfig.BridgeName, err.Error())
  564. }
  565. }
  566. return nil
  567. }
  568. func (d *driver) createNetwork(config *networkConfiguration) (err error) {
  569. // Initialize handle when needed
  570. d.Lock()
  571. if d.nlh == nil {
  572. d.nlh = ns.NlHandle()
  573. }
  574. d.Unlock()
  575. // Create or retrieve the bridge L3 interface
  576. bridgeIface, err := newInterface(d.nlh, config)
  577. if err != nil {
  578. return err
  579. }
  580. // Create and set network handler in driver
  581. network := &bridgeNetwork{
  582. id: config.ID,
  583. endpoints: make(map[string]*bridgeEndpoint),
  584. config: config,
  585. portMapper: portmapper.NewWithPortAllocator(d.portAllocator, d.config.UserlandProxyPath),
  586. portMapperV6: portmapper.NewWithPortAllocator(d.portAllocator, d.config.UserlandProxyPath),
  587. bridge: bridgeIface,
  588. driver: d,
  589. }
  590. d.Lock()
  591. d.networks[config.ID] = network
  592. d.Unlock()
  593. // On failure make sure to reset driver network handler to nil
  594. defer func() {
  595. if err != nil {
  596. d.Lock()
  597. delete(d.networks, config.ID)
  598. d.Unlock()
  599. }
  600. }()
  601. // Add inter-network communication rules.
  602. setupNetworkIsolationRules := func(config *networkConfiguration, i *bridgeInterface) error {
  603. if err := network.isolateNetwork(true); err != nil {
  604. if err = network.isolateNetwork(false); err != nil {
  605. log.G(context.TODO()).Warnf("Failed on removing the inter-network iptables rules on cleanup: %v", err)
  606. }
  607. return err
  608. }
  609. // register the cleanup function
  610. network.registerIptCleanFunc(func() error {
  611. return network.isolateNetwork(false)
  612. })
  613. return nil
  614. }
  615. // Prepare the bridge setup configuration
  616. bridgeSetup := newBridgeSetup(config, bridgeIface)
  617. // If the bridge interface doesn't exist, we need to start the setup steps
  618. // by creating a new device and assigning it an IPv4 address.
  619. bridgeAlreadyExists := bridgeIface.exists()
  620. if !bridgeAlreadyExists {
  621. bridgeSetup.queueStep(setupDevice)
  622. bridgeSetup.queueStep(setupDefaultSysctl)
  623. }
  624. // For the default bridge, set expected sysctls
  625. if config.DefaultBridge {
  626. bridgeSetup.queueStep(setupDefaultSysctl)
  627. }
  628. // Even if a bridge exists try to setup IPv4.
  629. bridgeSetup.queueStep(setupBridgeIPv4)
  630. enableIPv6Forwarding := d.config.EnableIPForwarding && config.AddressIPv6 != nil
  631. // Conditionally queue setup steps depending on configuration values.
  632. for _, step := range []struct {
  633. Condition bool
  634. Fn setupStep
  635. }{
  636. // Enable IPv6 on the bridge if required. We do this even for a
  637. // previously existing bridge, as it may be here from a previous
  638. // installation where IPv6 wasn't supported yet and needs to be
  639. // assigned an IPv6 link-local address.
  640. {config.EnableIPv6, setupBridgeIPv6},
  641. // We ensure that the bridge has the expectedIPv4 and IPv6 addresses in
  642. // the case of a previously existing device.
  643. {bridgeAlreadyExists && !config.InhibitIPv4, setupVerifyAndReconcile},
  644. // Enable IPv6 Forwarding
  645. {enableIPv6Forwarding, setupIPv6Forwarding},
  646. // Setup Loopback Addresses Routing
  647. {!d.config.EnableUserlandProxy, setupLoopbackAddressesRouting},
  648. // Setup IPTables.
  649. {d.config.EnableIPTables, network.setupIP4Tables},
  650. // Setup IP6Tables.
  651. {config.EnableIPv6 && d.config.EnableIP6Tables, network.setupIP6Tables},
  652. // We want to track firewalld configuration so that
  653. // if it is started/reloaded, the rules can be applied correctly
  654. {d.config.EnableIPTables, network.setupFirewalld},
  655. // same for IPv6
  656. {config.EnableIPv6 && d.config.EnableIP6Tables, network.setupFirewalld6},
  657. // Setup DefaultGatewayIPv4
  658. {config.DefaultGatewayIPv4 != nil, setupGatewayIPv4},
  659. // Setup DefaultGatewayIPv6
  660. {config.DefaultGatewayIPv6 != nil, setupGatewayIPv6},
  661. // Add inter-network communication rules.
  662. {d.config.EnableIPTables, setupNetworkIsolationRules},
  663. // Configure bridge networking filtering if ICC is off and IP tables are enabled
  664. {!config.EnableICC && d.config.EnableIPTables, setupBridgeNetFiltering},
  665. } {
  666. if step.Condition {
  667. bridgeSetup.queueStep(step.Fn)
  668. }
  669. }
  670. // Apply the prepared list of steps, and abort at the first error.
  671. bridgeSetup.queueStep(setupDeviceUp)
  672. return bridgeSetup.apply()
  673. }
  674. func (d *driver) DeleteNetwork(nid string) error {
  675. d.configNetwork.Lock()
  676. defer d.configNetwork.Unlock()
  677. return d.deleteNetwork(nid)
  678. }
  679. func (d *driver) deleteNetwork(nid string) error {
  680. var err error
  681. // Get network handler and remove it from driver
  682. d.Lock()
  683. n, ok := d.networks[nid]
  684. d.Unlock()
  685. if !ok {
  686. return types.InternalMaskableErrorf("network %s does not exist", nid)
  687. }
  688. n.Lock()
  689. config := n.config
  690. n.Unlock()
  691. // delele endpoints belong to this network
  692. for _, ep := range n.endpoints {
  693. if err := n.releasePorts(ep); err != nil {
  694. log.G(context.TODO()).Warn(err)
  695. }
  696. if link, err := d.nlh.LinkByName(ep.srcName); err == nil {
  697. if err := d.nlh.LinkDel(link); err != nil {
  698. log.G(context.TODO()).WithError(err).Errorf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
  699. }
  700. }
  701. if err := d.storeDelete(ep); err != nil {
  702. log.G(context.TODO()).Warnf("Failed to remove bridge endpoint %.7s from store: %v", ep.id, err)
  703. }
  704. }
  705. d.Lock()
  706. delete(d.networks, nid)
  707. d.Unlock()
  708. // On failure set network handler back in driver, but
  709. // only if is not already taken over by some other thread
  710. defer func() {
  711. if err != nil {
  712. d.Lock()
  713. if _, ok := d.networks[nid]; !ok {
  714. d.networks[nid] = n
  715. }
  716. d.Unlock()
  717. }
  718. }()
  719. switch config.BridgeIfaceCreator {
  720. case ifaceCreatedByLibnetwork, ifaceCreatorUnknown:
  721. // We only delete the bridge if it was created by the bridge driver and
  722. // it is not the default one (to keep the backward compatible behavior.)
  723. if !config.DefaultBridge {
  724. if err := d.nlh.LinkDel(n.bridge.Link); err != nil {
  725. log.G(context.TODO()).Warnf("Failed to remove bridge interface %s on network %s delete: %v", config.BridgeName, nid, err)
  726. }
  727. }
  728. case ifaceCreatedByUser:
  729. // Don't delete the bridge interface if it was not created by libnetwork.
  730. }
  731. // clean all relevant iptables rules
  732. for _, cleanFunc := range n.iptCleanFuncs {
  733. if errClean := cleanFunc(); errClean != nil {
  734. log.G(context.TODO()).Warnf("Failed to clean iptables rules for bridge network: %v", errClean)
  735. }
  736. }
  737. return d.storeDelete(config)
  738. }
  739. func addToBridge(nlh *netlink.Handle, ifaceName, bridgeName string) error {
  740. lnk, err := nlh.LinkByName(ifaceName)
  741. if err != nil {
  742. return fmt.Errorf("could not find interface %s: %v", ifaceName, err)
  743. }
  744. if err := nlh.LinkSetMaster(lnk, &netlink.Bridge{LinkAttrs: netlink.LinkAttrs{Name: bridgeName}}); err != nil {
  745. log.G(context.TODO()).WithError(err).Errorf("Failed to add %s to bridge via netlink", ifaceName)
  746. return err
  747. }
  748. return nil
  749. }
  750. func setHairpinMode(nlh *netlink.Handle, link netlink.Link, enable bool) error {
  751. err := nlh.LinkSetHairpin(link, enable)
  752. if err != nil {
  753. return fmt.Errorf("unable to set hairpin mode on %s via netlink: %v",
  754. link.Attrs().Name, err)
  755. }
  756. return nil
  757. }
  758. func (d *driver) CreateEndpoint(nid, eid string, ifInfo driverapi.InterfaceInfo, epOptions map[string]interface{}) error {
  759. if ifInfo == nil {
  760. return errors.New("invalid interface info passed")
  761. }
  762. // Get the network handler and make sure it exists
  763. d.Lock()
  764. n, ok := d.networks[nid]
  765. dconfig := d.config
  766. d.Unlock()
  767. if !ok {
  768. return types.NotFoundErrorf("network %s does not exist", nid)
  769. }
  770. if n == nil {
  771. return driverapi.ErrNoNetwork(nid)
  772. }
  773. // Sanity check
  774. n.Lock()
  775. if n.id != nid {
  776. n.Unlock()
  777. return InvalidNetworkIDError(nid)
  778. }
  779. n.Unlock()
  780. // Check if endpoint id is good and retrieve correspondent endpoint
  781. ep, err := n.getEndpoint(eid)
  782. if err != nil {
  783. return err
  784. }
  785. // Endpoint with that id exists either on desired or other sandbox
  786. if ep != nil {
  787. return driverapi.ErrEndpointExists(eid)
  788. }
  789. // Try to convert the options to endpoint configuration
  790. epConfig, err := parseEndpointOptions(epOptions)
  791. if err != nil {
  792. return err
  793. }
  794. // Create and add the endpoint
  795. n.Lock()
  796. endpoint := &bridgeEndpoint{id: eid, nid: nid, config: epConfig}
  797. n.endpoints[eid] = endpoint
  798. n.Unlock()
  799. // On failure make sure to remove the endpoint
  800. defer func() {
  801. if err != nil {
  802. n.Lock()
  803. delete(n.endpoints, eid)
  804. n.Unlock()
  805. }
  806. }()
  807. // Generate a name for what will be the host side pipe interface
  808. hostIfName, err := netutils.GenerateIfaceName(d.nlh, vethPrefix, vethLen)
  809. if err != nil {
  810. return err
  811. }
  812. // Generate a name for what will be the sandbox side pipe interface
  813. containerIfName, err := netutils.GenerateIfaceName(d.nlh, vethPrefix, vethLen)
  814. if err != nil {
  815. return err
  816. }
  817. // Generate and add the interface pipe host <-> sandbox
  818. veth := &netlink.Veth{
  819. LinkAttrs: netlink.LinkAttrs{Name: hostIfName, TxQLen: 0},
  820. PeerName: containerIfName,
  821. }
  822. if err = d.nlh.LinkAdd(veth); err != nil {
  823. return types.InternalErrorf("failed to add the host (%s) <=> sandbox (%s) pair interfaces: %v", hostIfName, containerIfName, err)
  824. }
  825. // Get the host side pipe interface handler
  826. host, err := d.nlh.LinkByName(hostIfName)
  827. if err != nil {
  828. return types.InternalErrorf("failed to find host side interface %s: %v", hostIfName, err)
  829. }
  830. defer func() {
  831. if err != nil {
  832. if err := d.nlh.LinkDel(host); err != nil {
  833. log.G(context.TODO()).WithError(err).Warnf("Failed to delete host side interface (%s)'s link", hostIfName)
  834. }
  835. }
  836. }()
  837. // Get the sandbox side pipe interface handler
  838. sbox, err := d.nlh.LinkByName(containerIfName)
  839. if err != nil {
  840. return types.InternalErrorf("failed to find sandbox side interface %s: %v", containerIfName, err)
  841. }
  842. defer func() {
  843. if err != nil {
  844. if err := d.nlh.LinkDel(sbox); err != nil {
  845. log.G(context.TODO()).WithError(err).Warnf("Failed to delete sandbox side interface (%s)'s link", containerIfName)
  846. }
  847. }
  848. }()
  849. n.Lock()
  850. config := n.config
  851. n.Unlock()
  852. // Add bridge inherited attributes to pipe interfaces
  853. if config.Mtu != 0 {
  854. err = d.nlh.LinkSetMTU(host, config.Mtu)
  855. if err != nil {
  856. return types.InternalErrorf("failed to set MTU on host interface %s: %v", hostIfName, err)
  857. }
  858. err = d.nlh.LinkSetMTU(sbox, config.Mtu)
  859. if err != nil {
  860. return types.InternalErrorf("failed to set MTU on sandbox interface %s: %v", containerIfName, err)
  861. }
  862. }
  863. // Attach host side pipe interface into the bridge
  864. if err = addToBridge(d.nlh, hostIfName, config.BridgeName); err != nil {
  865. return fmt.Errorf("adding interface %s to bridge %s failed: %v", hostIfName, config.BridgeName, err)
  866. }
  867. if !dconfig.EnableUserlandProxy {
  868. err = setHairpinMode(d.nlh, host, true)
  869. if err != nil {
  870. return err
  871. }
  872. }
  873. // Store the sandbox side pipe interface parameters
  874. endpoint.srcName = containerIfName
  875. endpoint.macAddress = ifInfo.MacAddress()
  876. endpoint.addr = ifInfo.Address()
  877. endpoint.addrv6 = ifInfo.AddressIPv6()
  878. // Set the sbox's MAC if not provided. If specified, use the one configured by user, otherwise generate one based on IP.
  879. if endpoint.macAddress == nil {
  880. endpoint.macAddress = electMacAddress(epConfig, endpoint.addr.IP)
  881. if err = ifInfo.SetMacAddress(endpoint.macAddress); err != nil {
  882. return err
  883. }
  884. }
  885. // Up the host interface after finishing all netlink configuration
  886. if err = d.nlh.LinkSetUp(host); err != nil {
  887. return fmt.Errorf("could not set link up for host interface %s: %v", hostIfName, err)
  888. }
  889. if endpoint.addrv6 == nil && config.EnableIPv6 {
  890. var ip6 net.IP
  891. network := n.bridge.bridgeIPv6
  892. if config.AddressIPv6 != nil {
  893. network = config.AddressIPv6
  894. }
  895. ones, _ := network.Mask.Size()
  896. if ones > 80 {
  897. err = types.ForbiddenErrorf("Cannot self generate an IPv6 address on network %v: At least 48 host bits are needed.", network)
  898. return err
  899. }
  900. ip6 = make(net.IP, len(network.IP))
  901. copy(ip6, network.IP)
  902. for i, h := range endpoint.macAddress {
  903. ip6[i+10] = h
  904. }
  905. endpoint.addrv6 = &net.IPNet{IP: ip6, Mask: network.Mask}
  906. if err = ifInfo.SetIPAddress(endpoint.addrv6); err != nil {
  907. return err
  908. }
  909. }
  910. if err = d.storeUpdate(endpoint); err != nil {
  911. return fmt.Errorf("failed to save bridge endpoint %.7s to store: %v", endpoint.id, err)
  912. }
  913. return nil
  914. }
  915. func (d *driver) DeleteEndpoint(nid, eid string) error {
  916. var err error
  917. // Get the network handler and make sure it exists
  918. d.Lock()
  919. n, ok := d.networks[nid]
  920. d.Unlock()
  921. if !ok {
  922. return types.InternalMaskableErrorf("network %s does not exist", nid)
  923. }
  924. if n == nil {
  925. return driverapi.ErrNoNetwork(nid)
  926. }
  927. // Sanity Check
  928. n.Lock()
  929. if n.id != nid {
  930. n.Unlock()
  931. return InvalidNetworkIDError(nid)
  932. }
  933. n.Unlock()
  934. // Check endpoint id and if an endpoint is actually there
  935. ep, err := n.getEndpoint(eid)
  936. if err != nil {
  937. return err
  938. }
  939. if ep == nil {
  940. return EndpointNotFoundError(eid)
  941. }
  942. // Remove it
  943. n.Lock()
  944. delete(n.endpoints, eid)
  945. n.Unlock()
  946. // On failure make sure to set back ep in n.endpoints, but only
  947. // if it hasn't been taken over already by some other thread.
  948. defer func() {
  949. if err != nil {
  950. n.Lock()
  951. if _, ok := n.endpoints[eid]; !ok {
  952. n.endpoints[eid] = ep
  953. }
  954. n.Unlock()
  955. }
  956. }()
  957. // Try removal of link. Discard error: it is a best effort.
  958. // Also make sure defer does not see this error either.
  959. if link, err := d.nlh.LinkByName(ep.srcName); err == nil {
  960. if err := d.nlh.LinkDel(link); err != nil {
  961. log.G(context.TODO()).WithError(err).Errorf("Failed to delete interface (%s)'s link on endpoint (%s) delete", ep.srcName, ep.id)
  962. }
  963. }
  964. if err := d.storeDelete(ep); err != nil {
  965. log.G(context.TODO()).Warnf("Failed to remove bridge endpoint %.7s from store: %v", ep.id, err)
  966. }
  967. return nil
  968. }
  969. func (d *driver) EndpointOperInfo(nid, eid string) (map[string]interface{}, error) {
  970. // Get the network handler and make sure it exists
  971. d.Lock()
  972. n, ok := d.networks[nid]
  973. d.Unlock()
  974. if !ok {
  975. return nil, types.NotFoundErrorf("network %s does not exist", nid)
  976. }
  977. if n == nil {
  978. return nil, driverapi.ErrNoNetwork(nid)
  979. }
  980. // Sanity check
  981. n.Lock()
  982. if n.id != nid {
  983. n.Unlock()
  984. return nil, InvalidNetworkIDError(nid)
  985. }
  986. n.Unlock()
  987. // Check if endpoint id is good and retrieve correspondent endpoint
  988. ep, err := n.getEndpoint(eid)
  989. if err != nil {
  990. return nil, err
  991. }
  992. if ep == nil {
  993. return nil, driverapi.ErrNoEndpoint(eid)
  994. }
  995. m := make(map[string]interface{})
  996. if ep.extConnConfig != nil && ep.extConnConfig.ExposedPorts != nil {
  997. // Return a copy of the config data
  998. epc := make([]types.TransportPort, 0, len(ep.extConnConfig.ExposedPorts))
  999. for _, tp := range ep.extConnConfig.ExposedPorts {
  1000. epc = append(epc, tp.GetCopy())
  1001. }
  1002. m[netlabel.ExposedPorts] = epc
  1003. }
  1004. if ep.portMapping != nil {
  1005. // Return a copy of the operational data
  1006. pmc := make([]types.PortBinding, 0, len(ep.portMapping))
  1007. for _, pm := range ep.portMapping {
  1008. pmc = append(pmc, pm.GetCopy())
  1009. }
  1010. m[netlabel.PortMap] = pmc
  1011. }
  1012. if len(ep.macAddress) != 0 {
  1013. m[netlabel.MacAddress] = ep.macAddress
  1014. }
  1015. return m, nil
  1016. }
  1017. // Join method is invoked when a Sandbox is attached to an endpoint.
  1018. func (d *driver) Join(nid, eid string, sboxKey string, jinfo driverapi.JoinInfo, options map[string]interface{}) error {
  1019. network, err := d.getNetwork(nid)
  1020. if err != nil {
  1021. return err
  1022. }
  1023. endpoint, err := network.getEndpoint(eid)
  1024. if err != nil {
  1025. return err
  1026. }
  1027. if endpoint == nil {
  1028. return EndpointNotFoundError(eid)
  1029. }
  1030. endpoint.containerConfig, err = parseContainerOptions(options)
  1031. if err != nil {
  1032. return err
  1033. }
  1034. iNames := jinfo.InterfaceName()
  1035. containerVethPrefix := defaultContainerVethPrefix
  1036. if network.config.ContainerIfacePrefix != "" {
  1037. containerVethPrefix = network.config.ContainerIfacePrefix
  1038. }
  1039. err = iNames.SetNames(endpoint.srcName, containerVethPrefix)
  1040. if err != nil {
  1041. return err
  1042. }
  1043. err = jinfo.SetGateway(network.bridge.gatewayIPv4)
  1044. if err != nil {
  1045. return err
  1046. }
  1047. err = jinfo.SetGatewayIPv6(network.bridge.gatewayIPv6)
  1048. if err != nil {
  1049. return err
  1050. }
  1051. return nil
  1052. }
  1053. // Leave method is invoked when a Sandbox detaches from an endpoint.
  1054. func (d *driver) Leave(nid, eid string) error {
  1055. network, err := d.getNetwork(nid)
  1056. if err != nil {
  1057. return types.InternalMaskableErrorf("%s", err)
  1058. }
  1059. endpoint, err := network.getEndpoint(eid)
  1060. if err != nil {
  1061. return err
  1062. }
  1063. if endpoint == nil {
  1064. return EndpointNotFoundError(eid)
  1065. }
  1066. if !network.config.EnableICC {
  1067. if err = d.link(network, endpoint, false); err != nil {
  1068. return err
  1069. }
  1070. }
  1071. return nil
  1072. }
  1073. func (d *driver) ProgramExternalConnectivity(nid, eid string, options map[string]interface{}) error {
  1074. network, err := d.getNetwork(nid)
  1075. if err != nil {
  1076. return err
  1077. }
  1078. endpoint, err := network.getEndpoint(eid)
  1079. if err != nil {
  1080. return err
  1081. }
  1082. if endpoint == nil {
  1083. return EndpointNotFoundError(eid)
  1084. }
  1085. endpoint.extConnConfig, err = parseConnectivityOptions(options)
  1086. if err != nil {
  1087. return err
  1088. }
  1089. // Program any required port mapping and store them in the endpoint
  1090. endpoint.portMapping, err = network.allocatePorts(endpoint, network.config.DefaultBindingIP, d.config.EnableUserlandProxy)
  1091. if err != nil {
  1092. return err
  1093. }
  1094. defer func() {
  1095. if err != nil {
  1096. if e := network.releasePorts(endpoint); e != nil {
  1097. log.G(context.TODO()).Errorf("Failed to release ports allocated for the bridge endpoint %s on failure %v because of %v",
  1098. eid, err, e)
  1099. }
  1100. endpoint.portMapping = nil
  1101. }
  1102. }()
  1103. // Clean the connection tracker state of the host for the specific endpoint. This is needed because some flows may
  1104. // be bound to the local proxy, or to the host (for UDP packets), and won't be redirected to the new endpoints.
  1105. clearConntrackEntries(d.nlh, endpoint)
  1106. if err = d.storeUpdate(endpoint); err != nil {
  1107. return fmt.Errorf("failed to update bridge endpoint %.7s to store: %v", endpoint.id, err)
  1108. }
  1109. if !network.config.EnableICC {
  1110. return d.link(network, endpoint, true)
  1111. }
  1112. return nil
  1113. }
  1114. func (d *driver) RevokeExternalConnectivity(nid, eid string) error {
  1115. network, err := d.getNetwork(nid)
  1116. if err != nil {
  1117. return err
  1118. }
  1119. endpoint, err := network.getEndpoint(eid)
  1120. if err != nil {
  1121. return err
  1122. }
  1123. if endpoint == nil {
  1124. return EndpointNotFoundError(eid)
  1125. }
  1126. err = network.releasePorts(endpoint)
  1127. if err != nil {
  1128. log.G(context.TODO()).Warn(err)
  1129. }
  1130. endpoint.portMapping = nil
  1131. // Clean the connection tracker state of the host for the specific endpoint. This is a precautionary measure to
  1132. // avoid new endpoints getting the same IP address to receive unexpected packets due to bad conntrack state leading
  1133. // to bad NATing.
  1134. clearConntrackEntries(d.nlh, endpoint)
  1135. if err = d.storeUpdate(endpoint); err != nil {
  1136. return fmt.Errorf("failed to update bridge endpoint %.7s to store: %v", endpoint.id, err)
  1137. }
  1138. return nil
  1139. }
  1140. func (d *driver) link(network *bridgeNetwork, endpoint *bridgeEndpoint, enable bool) (retErr error) {
  1141. cc := endpoint.containerConfig
  1142. if cc == nil {
  1143. return nil
  1144. }
  1145. ec := endpoint.extConnConfig
  1146. if ec == nil {
  1147. return nil
  1148. }
  1149. if ec.ExposedPorts != nil {
  1150. for _, p := range cc.ParentEndpoints {
  1151. parentEndpoint, err := network.getEndpoint(p)
  1152. if err != nil {
  1153. return err
  1154. }
  1155. if parentEndpoint == nil {
  1156. return InvalidEndpointIDError(p)
  1157. }
  1158. l := newLink(parentEndpoint.addr.IP, endpoint.addr.IP, ec.ExposedPorts, network.config.BridgeName)
  1159. if enable {
  1160. if err := l.Enable(); err != nil {
  1161. return err
  1162. }
  1163. defer func() {
  1164. if retErr != nil {
  1165. l.Disable()
  1166. }
  1167. }()
  1168. } else {
  1169. l.Disable()
  1170. }
  1171. }
  1172. }
  1173. for _, c := range cc.ChildEndpoints {
  1174. childEndpoint, err := network.getEndpoint(c)
  1175. if err != nil {
  1176. return err
  1177. }
  1178. if childEndpoint == nil {
  1179. return InvalidEndpointIDError(c)
  1180. }
  1181. if childEndpoint.extConnConfig == nil || childEndpoint.extConnConfig.ExposedPorts == nil {
  1182. continue
  1183. }
  1184. l := newLink(endpoint.addr.IP, childEndpoint.addr.IP, childEndpoint.extConnConfig.ExposedPorts, network.config.BridgeName)
  1185. if enable {
  1186. if err := l.Enable(); err != nil {
  1187. return err
  1188. }
  1189. defer func() {
  1190. if retErr != nil {
  1191. l.Disable()
  1192. }
  1193. }()
  1194. } else {
  1195. l.Disable()
  1196. }
  1197. }
  1198. return nil
  1199. }
  1200. func (d *driver) Type() string {
  1201. return NetworkType
  1202. }
  1203. func (d *driver) IsBuiltIn() bool {
  1204. return true
  1205. }
  1206. func parseEndpointOptions(epOptions map[string]interface{}) (*endpointConfiguration, error) {
  1207. if epOptions == nil {
  1208. return nil, nil
  1209. }
  1210. ec := &endpointConfiguration{}
  1211. if opt, ok := epOptions[netlabel.MacAddress]; ok {
  1212. if mac, ok := opt.(net.HardwareAddr); ok {
  1213. ec.MacAddress = mac
  1214. } else {
  1215. return nil, &ErrInvalidEndpointConfig{}
  1216. }
  1217. }
  1218. return ec, nil
  1219. }
  1220. func parseContainerOptions(cOptions map[string]interface{}) (*containerConfiguration, error) {
  1221. if cOptions == nil {
  1222. return nil, nil
  1223. }
  1224. genericData := cOptions[netlabel.GenericData]
  1225. if genericData == nil {
  1226. return nil, nil
  1227. }
  1228. switch opt := genericData.(type) {
  1229. case options.Generic:
  1230. opaqueConfig, err := options.GenerateFromModel(opt, &containerConfiguration{})
  1231. if err != nil {
  1232. return nil, err
  1233. }
  1234. return opaqueConfig.(*containerConfiguration), nil
  1235. case *containerConfiguration:
  1236. return opt, nil
  1237. default:
  1238. return nil, nil
  1239. }
  1240. }
  1241. func parseConnectivityOptions(cOptions map[string]interface{}) (*connectivityConfiguration, error) {
  1242. if cOptions == nil {
  1243. return nil, nil
  1244. }
  1245. cc := &connectivityConfiguration{}
  1246. if opt, ok := cOptions[netlabel.PortMap]; ok {
  1247. if pb, ok := opt.([]types.PortBinding); ok {
  1248. cc.PortBindings = pb
  1249. } else {
  1250. return nil, types.BadRequestErrorf("Invalid port mapping data in connectivity configuration: %v", opt)
  1251. }
  1252. }
  1253. if opt, ok := cOptions[netlabel.ExposedPorts]; ok {
  1254. if ports, ok := opt.([]types.TransportPort); ok {
  1255. cc.ExposedPorts = ports
  1256. } else {
  1257. return nil, types.BadRequestErrorf("Invalid exposed ports data in connectivity configuration: %v", opt)
  1258. }
  1259. }
  1260. return cc, nil
  1261. }
  1262. func electMacAddress(epConfig *endpointConfiguration, ip net.IP) net.HardwareAddr {
  1263. if epConfig != nil && epConfig.MacAddress != nil {
  1264. return epConfig.MacAddress
  1265. }
  1266. return netutils.GenerateMACFromIP(ip)
  1267. }