vendor: docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46

full diff: fa125a3512...b3507428be

- fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609)
    - fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes"
- Fix regression in docker-proxy
    - introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604)
    - fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607)
    - fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858)
- Use hostIP to decide on Portmapper version
    - fixes docker-proxy not being stopped correctly

Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when
listening on "any" IP address. Various tests had to be updated to take multiple mappings into
account.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2021-01-20 17:48:05 +01:00
parent c8599a6537
commit 0450728267
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
5 changed files with 45 additions and 18 deletions

View file

@ -3,7 +3,7 @@
# LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
# updating the binary version, consider updating github.com/docker/libnetwork
# in vendor.conf accordingly
: "${LIBNETWORK_COMMIT:=fa125a3512ee0f6187721c88582bf8c4378bd4d7}"
: "${LIBNETWORK_COMMIT:=b3507428be5b458cb0e2b4086b13531fb0706e46}"
install_proxy() {
case "$1" in

View file

@ -20,13 +20,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
out, _ = dockerCmd(c, "port", firstID, "80")
err := assertPortList(c, out, []string{"0.0.0.0:9876"})
err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
// Port list is not correct
assert.NilError(c, err)
out, _ = dockerCmd(c, "port", firstID)
err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876"})
err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876", "80/tcp -> [::]:9876"})
// Port list is not correct
assert.NilError(c, err)
@ -42,7 +42,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
out, _ = dockerCmd(c, "port", ID, "80")
err = assertPortList(c, out, []string{"0.0.0.0:9876"})
err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
// Port list is not correct
assert.NilError(c, err)
@ -50,8 +50,11 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
err = assertPortList(c, out, []string{
"80/tcp -> 0.0.0.0:9876",
"80/tcp -> [::]:9876",
"81/tcp -> 0.0.0.0:9877",
"81/tcp -> [::]:9877",
"82/tcp -> 0.0.0.0:9878",
"82/tcp -> [::]:9878",
})
// Port list is not correct
assert.NilError(c, err)
@ -69,7 +72,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
out, _ = dockerCmd(c, "port", ID, "80")
err = assertPortList(c, out, []string{"0.0.0.0:9876", "0.0.0.0:9999"})
err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876", "0.0.0.0:9999", "[::]:9999"})
// Port list is not correct
assert.NilError(c, err)
@ -78,8 +81,12 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
err = assertPortList(c, out, []string{
"80/tcp -> 0.0.0.0:9876",
"80/tcp -> 0.0.0.0:9999",
"80/tcp -> [::]:9876",
"80/tcp -> [::]:9999",
"81/tcp -> 0.0.0.0:9877",
"81/tcp -> [::]:9877",
"82/tcp -> 0.0.0.0:9878",
"82/tcp -> [::]:9878",
})
// Port list is not correct
assert.NilError(c, err)
@ -94,7 +101,10 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
out, _ = dockerCmd(c, "port", IDs[i])
err = assertPortList(c, out, []string{fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i)})
err = assertPortList(c, out, []string{
fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i),
fmt.Sprintf("80/tcp -> [::]:%d", 9090+i),
})
// Port list is not correct
assert.NilError(c, err)
}
@ -127,9 +137,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
err = assertPortList(c, out, []string{
"80/tcp -> 0.0.0.0:9800",
"80/tcp -> [::]:9800",
"81/tcp -> 0.0.0.0:9801",
"81/tcp -> [::]:9801",
"82/tcp -> 0.0.0.0:9802",
"82/tcp -> [::]:9802",
"83/tcp -> 0.0.0.0:9803",
"83/tcp -> [::]:9803",
})
// Port list is not correct
assert.NilError(c, err)
@ -305,7 +319,7 @@ func (s *DockerSuite) TestPortHostBinding(c *testing.T) {
out, _ = dockerCmd(c, "port", firstID, "80")
err := assertPortList(c, out, []string{"0.0.0.0:9876"})
err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
// Port list is not correct
assert.NilError(c, err)

View file

@ -47,7 +47,7 @@ github.com/grpc-ecosystem/go-grpc-middleware 3c51f7f332123e8be5a157c0802a
# libnetwork
# When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
github.com/docker/libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7
github.com/docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46
github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

View file

@ -49,8 +49,16 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
}
bs = append(bs, bIPv4)
}
// Allocate IPv6 Port mappings
if ok := n.validatePortBindingIPv6(&bIPv6, containerIPv6, defHostIP); ok {
// If the container has no IPv6 address, allow proxying host IPv6 traffic to it
// by setting up the binding with the IPv4 interface if the userland proxy is enabled
// This change was added to keep backward compatibility
containerIP := containerIPv6
if ulPxyEnabled && (containerIPv6 == nil) {
containerIP = containerIPv4
}
if ok := n.validatePortBindingIPv6(&bIPv6, containerIP, defHostIP); ok {
if err := n.allocatePort(&bIPv6, ulPxyEnabled); err != nil {
// On allocation failure, release previously allocated ports. On cleanup error, just log a warning message
if cuErr := n.releasePortsInternal(bs); cuErr != nil {
@ -67,7 +75,7 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
// validatePortBindingIPv4 validates the port binding, populates the missing Host IP field and returns true
// if this is a valid IPv4 binding, else returns false
func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containerIPv4, defHostIP net.IP) bool {
//Return early if there is a valid Host IP, but its not a IPv6 address
//Return early if there is a valid Host IP, but its not a IPv4 address
if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {
return false
}
@ -85,10 +93,10 @@ func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containe
}
// validatePortBindingIPv6 validates the port binding, populates the missing Host IP field and returns true
// if this is a valid IP6v binding, else returns false
func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIPv6, defHostIP net.IP) bool {
// Return early if there is no IPv6 container endpoint
if containerIPv6 == nil {
// if this is a valid IPv6 binding, else returns false
func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIP, defHostIP net.IP) bool {
// Return early if there is no container endpoint
if containerIP == nil {
return false
}
// Return early if there is a valid Host IP, which is a IPv4 address
@ -108,9 +116,8 @@ func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containe
return false
}
}
bnd.IP = containerIPv6
bnd.IP = containerIP
return true
}
func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool) error {
@ -132,7 +139,7 @@ func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool)
portmapper := n.portMapper
if bnd.IP.To4() == nil {
if bnd.HostIP.To4() == nil {
portmapper = n.portMapperV6
}

View file

@ -512,8 +512,14 @@ func filterOutput(start time.Time, output []byte, args ...string) []byte {
// Raw calls 'iptables' system command, passing supplied arguments.
func (iptable IPTable) Raw(args ...string) ([]byte, error) {
if firewalldRunning {
// select correct IP version for firewalld
ipv := Iptables
if iptable.Version == IPv6 {
ipv = IP6Tables
}
startTime := time.Now()
output, err := Passthrough(Iptables, args...)
output, err := Passthrough(ipv, args...)
if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") {
return filterOutput(startTime, output, args...), err
}