libnetwork: implement Controller.setupOSLSandbox

osl.NewSandbox() always returns a nil interface on Windows (and other non-Linux
platforms). This means that any code that these fields are always nil, and
any code using these fields must be considered Linux-only;

- libnetwork/Controller.defOsSbox
- libnetwork/Sandbox.osSbox

Ideally, these fields would live in Linux-only files, but they're referenced
in various platform-neutral parts of the code, so let's start with moving
the initialization code to Linux-only files.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2023-08-20 12:48:09 +02:00
parent 35456d2eb1
commit 95abde479a
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
4 changed files with 69 additions and 35 deletions

View file

@ -92,9 +92,7 @@ type Controller struct {
svcRecords map[string]*svcInfo svcRecords map[string]*svcInfo
nmap map[string]*netWatch nmap map[string]*netWatch
serviceBindings map[serviceKey]*service serviceBindings map[serviceKey]*service
defOsSbox osl.Sandbox
ingressSandbox *Sandbox ingressSandbox *Sandbox
sboxOnce sync.Once
agent *nwAgent agent *nwAgent
networkLocker *locker.Locker networkLocker *locker.Locker
agentInitDone chan struct{} agentInitDone chan struct{}
@ -102,6 +100,10 @@ type Controller struct {
keys []*types.EncryptionKey keys []*types.EncryptionKey
DiagnosticServer *diagnostic.Server DiagnosticServer *diagnostic.Server
mu sync.Mutex mu sync.Mutex
// FIXME(thaJeztah): defOsSbox is always nil on non-Linux: move these fields to Linux-only files.
defOsSboxOnce sync.Once
defOsSbox osl.Sandbox
} }
// New creates a new instance of network controller. // New creates a new instance of network controller.
@ -937,38 +939,8 @@ func (c *Controller) NewSandbox(containerID string, options ...SandboxOption) (_
if err := sb.setupResolutionFiles(); err != nil { if err := sb.setupResolutionFiles(); err != nil {
return nil, err return nil, err
} }
if err := c.setupOSLSandbox(sb); err != nil {
if sb.config.useDefaultSandBox { return nil, err
var err error
c.sboxOnce.Do(func() {
c.defOsSbox, err = osl.NewSandbox(sb.Key(), false, false)
})
if err != nil {
c.sboxOnce = sync.Once{}
return nil, fmt.Errorf("failed to create default sandbox: %v", err)
}
sb.osSbox = c.defOsSbox
}
if sb.osSbox == nil && !sb.config.useExternalKey {
var err error
if sb.osSbox, err = osl.NewSandbox(sb.Key(), !sb.config.useDefaultSandBox, false); err != nil {
return nil, fmt.Errorf("failed to create new osl sandbox: %v", err)
}
}
if sb.osSbox != nil {
// Apply operating specific knobs on the load balancer sandbox
err := sb.osSbox.InvokeFunc(func() {
sb.osSbox.ApplyOSTweaks(sb.oslTypes)
})
if err != nil {
log.G(context.TODO()).Errorf("Failed to apply performance tuning sysctls to the sandbox: %v", err)
}
// Keep this just so performance is not changed
sb.osSbox.ApplyOSTweaks(sb.oslTypes)
} }
c.mu.Lock() c.mu.Lock()

View file

@ -1,9 +1,15 @@
package libnetwork package libnetwork
import ( import (
"context"
"fmt"
"sync"
"github.com/containerd/containerd/log"
"github.com/docker/docker/libnetwork/iptables" "github.com/docker/docker/libnetwork/iptables"
"github.com/docker/docker/libnetwork/netlabel" "github.com/docker/docker/libnetwork/netlabel"
"github.com/docker/docker/libnetwork/options" "github.com/docker/docker/libnetwork/options"
"github.com/docker/docker/libnetwork/osl"
) )
// enabledIptablesVersions returns the iptables versions that are enabled // enabledIptablesVersions returns the iptables versions that are enabled
@ -31,3 +37,54 @@ func (c *Controller) enabledIptablesVersions() []iptables.IPVersion {
} }
return versions return versions
} }
// getDefaultOSLSandbox returns the controller's default [osl.Sandbox]. It
// creates the sandbox if it does not yet exist.
func (c *Controller) getDefaultOSLSandbox(key string) (osl.Sandbox, error) {
var err error
c.defOsSboxOnce.Do(func() {
c.defOsSbox, err = osl.NewSandbox(key, false, false)
})
if err != nil {
c.defOsSboxOnce = sync.Once{}
return nil, fmt.Errorf("failed to create default sandbox: %v", err)
}
return c.defOsSbox, nil
}
// setupOSLSandbox sets the sandbox [osl.Sandbox], and applies operating-
// specific configuration.
//
// Depending on the Sandbox settings, it may either use the Controller's
// default sandbox, or configure a new one.
func (c *Controller) setupOSLSandbox(sb *Sandbox) error {
if sb.config.useDefaultSandBox {
defSB, err := c.getDefaultOSLSandbox(sb.Key())
if err != nil {
return err
}
sb.osSbox = defSB
}
if sb.osSbox == nil && !sb.config.useExternalKey {
newSB, err := osl.NewSandbox(sb.Key(), !sb.config.useDefaultSandBox, false)
if err != nil {
return fmt.Errorf("failed to create new osl sandbox: %v", err)
}
sb.osSbox = newSB
}
if sb.osSbox != nil {
// Apply operating specific knobs on the load balancer sandbox
err := sb.osSbox.InvokeFunc(func() {
sb.osSbox.ApplyOSTweaks(sb.oslTypes)
})
if err != nil {
log.G(context.TODO()).Errorf("Failed to apply performance tuning sysctls to the sandbox: %v", err)
}
// Keep this just so performance is not changed
sb.osSbox.ApplyOSTweaks(sb.oslTypes)
}
return nil
}

View file

@ -6,3 +6,7 @@ package libnetwork
func (c *Controller) enabledIptablesVersions() []any { func (c *Controller) enabledIptablesVersions() []any {
return nil return nil
} }
func (c *Controller) setupOSLSandbox(_ *Sandbox) error {
return nil
}

View file

@ -266,7 +266,8 @@ func (c *Controller) sandboxCleanup(activeSandboxes map[string]interface{}) {
continue continue
} }
} else { } else {
c.sboxOnce.Do(func() { // FIXME(thaJeztah): osSbox (and thus defOsSbox) is always nil on non-Linux: move this code to Linux-only files.
c.defOsSboxOnce.Do(func() {
c.defOsSbox = sb.osSbox c.defOsSbox = sb.osSbox
}) })
} }