vendor: docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46
full diff: fa125a3512...b3507428be
- fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609)
- fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes"
- Fix regression in docker-proxy
- introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604)
- fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607)
- fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858)
- Use hostIP to decide on Portmapper version
- fixes docker-proxy not being stopped correctly
Port mappings of containers now contain separate mappings for IPv4 and IPv6 addresses when
listening on "any" IP address. Various tests had to be updated to take multiple mappings into
account.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
parent
c8599a6537
commit
0450728267
5 changed files with 45 additions and 18 deletions
|
@ -3,7 +3,7 @@
|
|||
# LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
|
||||
# updating the binary version, consider updating github.com/docker/libnetwork
|
||||
# in vendor.conf accordingly
|
||||
: "${LIBNETWORK_COMMIT:=fa125a3512ee0f6187721c88582bf8c4378bd4d7}"
|
||||
: "${LIBNETWORK_COMMIT:=b3507428be5b458cb0e2b4086b13531fb0706e46}"
|
||||
|
||||
install_proxy() {
|
||||
case "$1" in
|
||||
|
|
|
@ -20,13 +20,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
|
|||
|
||||
out, _ = dockerCmd(c, "port", firstID, "80")
|
||||
|
||||
err := assertPortList(c, out, []string{"0.0.0.0:9876"})
|
||||
err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
|
||||
out, _ = dockerCmd(c, "port", firstID)
|
||||
|
||||
err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876"})
|
||||
err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876", "80/tcp -> [::]:9876"})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
|
||||
|
@ -42,7 +42,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
|
|||
|
||||
out, _ = dockerCmd(c, "port", ID, "80")
|
||||
|
||||
err = assertPortList(c, out, []string{"0.0.0.0:9876"})
|
||||
err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
|
||||
|
@ -50,8 +50,11 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
|
|||
|
||||
err = assertPortList(c, out, []string{
|
||||
"80/tcp -> 0.0.0.0:9876",
|
||||
"80/tcp -> [::]:9876",
|
||||
"81/tcp -> 0.0.0.0:9877",
|
||||
"81/tcp -> [::]:9877",
|
||||
"82/tcp -> 0.0.0.0:9878",
|
||||
"82/tcp -> [::]:9878",
|
||||
})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
|
@ -69,7 +72,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
|
|||
|
||||
out, _ = dockerCmd(c, "port", ID, "80")
|
||||
|
||||
err = assertPortList(c, out, []string{"0.0.0.0:9876", "0.0.0.0:9999"})
|
||||
err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876", "0.0.0.0:9999", "[::]:9999"})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
|
||||
|
@ -78,8 +81,12 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
|
|||
err = assertPortList(c, out, []string{
|
||||
"80/tcp -> 0.0.0.0:9876",
|
||||
"80/tcp -> 0.0.0.0:9999",
|
||||
"80/tcp -> [::]:9876",
|
||||
"80/tcp -> [::]:9999",
|
||||
"81/tcp -> 0.0.0.0:9877",
|
||||
"81/tcp -> [::]:9877",
|
||||
"82/tcp -> 0.0.0.0:9878",
|
||||
"82/tcp -> [::]:9878",
|
||||
})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
|
@ -94,7 +101,10 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
|
|||
|
||||
out, _ = dockerCmd(c, "port", IDs[i])
|
||||
|
||||
err = assertPortList(c, out, []string{fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i)})
|
||||
err = assertPortList(c, out, []string{
|
||||
fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i),
|
||||
fmt.Sprintf("80/tcp -> [::]:%d", 9090+i),
|
||||
})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
}
|
||||
|
@ -127,9 +137,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {
|
|||
|
||||
err = assertPortList(c, out, []string{
|
||||
"80/tcp -> 0.0.0.0:9800",
|
||||
"80/tcp -> [::]:9800",
|
||||
"81/tcp -> 0.0.0.0:9801",
|
||||
"81/tcp -> [::]:9801",
|
||||
"82/tcp -> 0.0.0.0:9802",
|
||||
"82/tcp -> [::]:9802",
|
||||
"83/tcp -> 0.0.0.0:9803",
|
||||
"83/tcp -> [::]:9803",
|
||||
})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
|
||||
|
@ -305,7 +319,7 @@ func (s *DockerSuite) TestPortHostBinding(c *testing.T) {
|
|||
|
||||
out, _ = dockerCmd(c, "port", firstID, "80")
|
||||
|
||||
err := assertPortList(c, out, []string{"0.0.0.0:9876"})
|
||||
err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})
|
||||
// Port list is not correct
|
||||
assert.NilError(c, err)
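Review bot: The updated expectations in TestPortList and TestPortHostBinding hard-code a `[::]:PORT` entry beside every `0.0.0.0:PORT` entry, but the port_mapping.go change in this same commit only sets up the IPv6 binding for a container without an IPv6 address when `ulPxyEnabled` is true. If this suite is also run with the userland proxy disabled (not visible from this page), these assertions would presumably fail, so the expected list may need to be built conditionally. At minimum, add a comment such as `// "[::]" entries are only present when the userland proxy is enabled and the container has no IPv6 address` above the first changed assertion. The new entries also record that a port published on "any" address is now reachable over host IPv6, which is worth stating in the test so that later readers treat a missing or extra `[::]` mapping as a change in exposure rather than in formatting. Both test functions start and end outside the visible hunks.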
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ github.com/grpc-ecosystem/go-grpc-middleware 3c51f7f332123e8be5a157c0802a
|
|||
# libnetwork
|
||||
|
||||
# When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
|
||||
github.com/docker/libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7
|
||||
github.com/docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46
|
||||
github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f
|
||||
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
|
||||
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
|
||||
|
|
25
vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go
generated
vendored
25
vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go
generated
vendored
|
@ -49,8 +49,16 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
|
|||
}
|
||||
bs = append(bs, bIPv4)
|
||||
}
|
||||
|
||||
// Allocate IPv6 Port mappings
|
||||
if ok := n.validatePortBindingIPv6(&bIPv6, containerIPv6, defHostIP); ok {
|
||||
// If the container has no IPv6 address, allow proxying host IPv6 traffic to it
|
||||
// by setting up the binding with the IPv4 interface if the userland proxy is enabled
|
||||
// This change was added to keep backward compatibility
|
||||
containerIP := containerIPv6
|
||||
if ulPxyEnabled && (containerIPv6 == nil) {
|
||||
containerIP = containerIPv4
|
||||
}
|
||||
if ok := n.validatePortBindingIPv6(&bIPv6, containerIP, defHostIP); ok {
|
||||
if err := n.allocatePort(&bIPv6, ulPxyEnabled); err != nil {
|
||||
// On allocation failure, release previously allocated ports. On cleanup error, just log a warning message
|
||||
if cuErr := n.releasePortsInternal(bs); cuErr != nil {
|
||||
|
@ -67,7 +75,7 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont
|
|||
// validatePortBindingIPv4 validates the port binding, populates the missing Host IP field and returns true
|
||||
// if this is a valid IPv4 binding, else returns false
|
||||
func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containerIPv4, defHostIP net.IP) bool {
|
||||
//Return early if there is a valid Host IP, but its not a IPv6 address
|
||||
//Return early if there is a valid Host IP, but its not a IPv4 address
|
||||
if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {
|
||||
return false
|
||||
}
|
||||
|
@ -85,10 +93,10 @@ func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containe
|
|||
}
|
||||
|
||||
// validatePortBindingIPv6 validates the port binding, populates the missing Host IP field and returns true
|
||||
// if this is a valid IP6v binding, else returns false
|
||||
func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIPv6, defHostIP net.IP) bool {
|
||||
// Return early if there is no IPv6 container endpoint
|
||||
if containerIPv6 == nil {
|
||||
// if this is a valid IPv6 binding, else returns false
|
||||
func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIP, defHostIP net.IP) bool {
|
||||
// Return early if there is no container endpoint
|
||||
if containerIP == nil {
|
||||
return false
|
||||
}
|
||||
// Return early if there is a valid Host IP, which is a IPv4 address
|
||||
|
@ -108,9 +116,8 @@ func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containe
|
|||
return false
|
||||
}
|
||||
}
|
||||
bnd.IP = containerIPv6
|
||||
bnd.IP = containerIP
|
||||
return true
|
||||
|
||||
}
|
||||
|
||||
func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool) error {
|
||||
|
@ -132,7 +139,7 @@ func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool)
|
|||
|
||||
portmapper := n.portMapper
|
||||
|
||||
if bnd.IP.To4() == nil {
|
||||
if bnd.HostIP.To4() == nil {
|
||||
portmapper = n.portMapperV6
|
||||
}
|
||||
|
||||
|
|
8
vendor/github.com/docker/libnetwork/iptables/iptables.go
generated
vendored
8
vendor/github.com/docker/libnetwork/iptables/iptables.go
generated
vendored
|
@ -512,8 +512,14 @@ func filterOutput(start time.Time, output []byte, args ...string) []byte {
|
|||
// Raw calls 'iptables' system command, passing supplied arguments.
|
||||
func (iptable IPTable) Raw(args ...string) ([]byte, error) {
|
||||
if firewalldRunning {
|
||||
// select correct IP version for firewalld
|
||||
ipv := Iptables
|
||||
if iptable.Version == IPv6 {
|
||||
ipv = IP6Tables
|
||||
}
|
||||
|
||||
startTime := time.Now()
|
||||
output, err := Passthrough(Iptables, args...)
|
||||
output, err := Passthrough(ipv, args...)
|
||||
if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") {
|
||||
return filterOutput(startTime, output, args...), err
|
||||
}
|
||||
|
|