daemon: Use short libnetwork ID in exec-root & update libnetwork
also updates libnetwork to d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23 full diff:3eb39382bf...d9a6682a4d
- docker/libnetwork#2482 [19.03 backport] Shorten controller ID in exec-root to not hit UNIX_PATH_MAX - docker/libnetwork#2483 [19.03 backport] Fix panic in drivers/overlay/encryption.go Signed-off-by: Grant Millar <rid@cylo.io> (cherry picked from commitdf7b8f458a
) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
ea84732a77
commit
d3d724e45a
7 changed files with 28 additions and 12 deletions
|
@ -10,6 +10,7 @@ import (
|
|||
|
||||
"github.com/docker/docker/daemon/config"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
"github.com/docker/libnetwork"
|
||||
"github.com/moby/buildkit/executor"
|
||||
"github.com/moby/buildkit/executor/oci"
|
||||
|
@ -100,11 +101,12 @@ func (iface *lnInterface) Set(s *specs.Spec) {
|
|||
logrus.WithError(iface.err).Error("failed to set networking spec")
|
||||
return
|
||||
}
|
||||
shortNetCtlrID := stringid.TruncateID(iface.provider.NetworkController.ID())
|
||||
// attach netns to bridge within the container namespace, using reexec in a prestart hook
|
||||
s.Hooks = &specs.Hooks{
|
||||
Prestart: []specs.Hook{{
|
||||
Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
|
||||
Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},
|
||||
Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), shortNetCtlrID},
|
||||
}},
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@ import (
|
|||
"github.com/docker/docker/oci/caps"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/mount"
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
"github.com/docker/docker/rootless/specconv"
|
||||
volumemounts "github.com/docker/docker/volume/mounts"
|
||||
"github.com/opencontainers/runc/libcontainer/apparmor"
|
||||
|
@ -66,13 +67,14 @@ func WithLibnetwork(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
|||
for _, ns := range s.Linux.Namespaces {
|
||||
if ns.Type == "network" && ns.Path == "" && !c.Config.NetworkDisabled {
|
||||
target := filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe")
|
||||
shortNetCtlrID := stringid.TruncateID(daemon.netController.ID())
|
||||
s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
|
||||
Path: target,
|
||||
Args: []string{
|
||||
"libnetwork-setkey",
|
||||
"-exec-root=" + daemon.configStore.GetExecRoot(),
|
||||
c.ID,
|
||||
daemon.netController.ID(),
|
||||
shortNetCtlrID,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
|
||||
# updating the binary version, consider updating github.com/docker/libnetwork
|
||||
# in vendor.conf accordingly
|
||||
LIBNETWORK_COMMIT=3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch
|
||||
LIBNETWORK_COMMIT=d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23 # bump_19.03 branch
|
||||
|
||||
install_proxy() {
|
||||
case "$1" in
|
||||
|
|
|
@ -38,7 +38,7 @@ github.com/gofrs/flock 7f43ea2e6a643ad441fc12d0ecc0
|
|||
# libnetwork
|
||||
|
||||
# When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly
|
||||
github.com/docker/libnetwork 3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch
|
||||
github.com/docker/libnetwork d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23 # bump_19.03 branch
|
||||
github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
|
||||
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
|
||||
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
|
||||
|
|
10
vendor/github.com/docker/libnetwork/agent.go
generated
vendored
10
vendor/github.com/docker/libnetwork/agent.go
generated
vendored
|
@ -184,6 +184,16 @@ func (c *controller) handleKeyChange(keys []*types.EncryptionKey) error {
|
|||
err := driver.DiscoverNew(discoverapi.EncryptionKeysUpdate, drvEnc)
|
||||
if err != nil {
|
||||
logrus.Warnf("Failed to update datapath keys in driver %s: %v", name, err)
|
||||
// Attempt to reconfigure keys in case of a update failure
|
||||
// which can arise due to a mismatch of keys
|
||||
// if worker nodes get temporarily disconnected
|
||||
logrus.Warnf("Reconfiguring datapath keys for %s", name)
|
||||
drvCfgEnc := discoverapi.DriverEncryptionConfig{}
|
||||
drvCfgEnc.Keys, drvCfgEnc.Tags = c.getKeys(subsysIPSec)
|
||||
err = driver.DiscoverNew(discoverapi.EncryptionKeysConfig, drvCfgEnc)
|
||||
if err != nil {
|
||||
logrus.Warnf("Failed to reset datapath keys in driver %s: %v", name, err)
|
||||
}
|
||||
}
|
||||
return false
|
||||
})
|
||||
|
|
2
vendor/github.com/docker/libnetwork/drivers/overlay/overlay.go
generated
vendored
2
vendor/github.com/docker/libnetwork/drivers/overlay/overlay.go
generated
vendored
|
@ -378,7 +378,7 @@ func (d *driver) DiscoverNew(dType discoverapi.DiscoveryType, data interface{})
|
|||
}
|
||||
}
|
||||
if err := d.updateKeys(newKey, priKey, delKey); err != nil {
|
||||
logrus.Warn(err)
|
||||
return err
|
||||
}
|
||||
default:
|
||||
}
|
||||
|
|
16
vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go
generated
vendored
16
vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go
generated
vendored
|
@ -12,6 +12,7 @@ import (
|
|||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
"github.com/docker/libnetwork/types"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
@ -24,7 +25,7 @@ const (
|
|||
)
|
||||
|
||||
// processSetKeyReexec is a private function that must be called only on an reexec path
|
||||
// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <controller-id> }
|
||||
// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <short-controller-id> }
|
||||
// It also expects specs.State as a json string in <stdin>
|
||||
// Refer to https://github.com/opencontainers/runc/pull/160/ for more information
|
||||
// The docker exec-root can be specified as "-exec-root" flag. The default value is "/run/docker".
|
||||
|
@ -41,14 +42,14 @@ func processSetKeyReexec() {
|
|||
execRoot := flag.String("exec-root", defaultExecRoot, "docker exec root")
|
||||
flag.Parse()
|
||||
|
||||
// expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<controller-id> }
|
||||
// expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<short-controller-id> }
|
||||
// (i.e. expecting 2 flag.Args())
|
||||
args := flag.Args()
|
||||
if len(args) < 2 {
|
||||
err = fmt.Errorf("Re-exec expects 2 args (after parsing flags), received : %d", len(args))
|
||||
return
|
||||
}
|
||||
containerID, controllerID := args[0], args[1]
|
||||
containerID, shortCtlrID := args[0], args[1]
|
||||
|
||||
// We expect specs.State as a json string in <stdin>
|
||||
stateBuf, err := ioutil.ReadAll(os.Stdin)
|
||||
|
@ -60,16 +61,16 @@ func processSetKeyReexec() {
|
|||
return
|
||||
}
|
||||
|
||||
err = SetExternalKey(controllerID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
|
||||
err = SetExternalKey(shortCtlrID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
|
||||
}
|
||||
|
||||
// SetExternalKey provides a convenient way to set an External key to a sandbox
|
||||
func SetExternalKey(controllerID string, containerID string, key string, execRoot string) error {
|
||||
func SetExternalKey(shortCtlrID string, containerID string, key string, execRoot string) error {
|
||||
keyData := setKeyData{
|
||||
ContainerID: containerID,
|
||||
Key: key}
|
||||
|
||||
uds := filepath.Join(execRoot, execSubdir, controllerID+".sock")
|
||||
uds := filepath.Join(execRoot, execSubdir, shortCtlrID+".sock")
|
||||
c, err := net.Dial("unix", uds)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -120,7 +121,8 @@ func (c *controller) startExternalKeyListener() error {
|
|||
if err := os.MkdirAll(udsBase, 0600); err != nil {
|
||||
return err
|
||||
}
|
||||
uds := filepath.Join(udsBase, c.id+".sock")
|
||||
shortCtlrID := stringid.TruncateID(c.id)
|
||||
uds := filepath.Join(udsBase, shortCtlrID+".sock")
|
||||
l, err := net.Listen("unix", uds)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
Loading…
Reference in a new issue