Commit graph

3273 commits

Author SHA1 Message Date
Sebastiaan van Stijn
a5b4670c79
Merge pull request #47001 from thaJeztah/portmapper_fix_release
portmapper: fix defers to prevent potentially unreleased ports
2024-01-02 10:58:24 +01:00
Sebastiaan van Stijn
4f9db655ed
portmapper: move userland-proxy lookup to daemon config
When mapping a port with the userland-proxy enabled, the daemon would
perform an "exec.LookPath" for every mapped port (which, in case of
a range of ports, would be for every port in the range).

This was both inefficient (looking up the binary for each port), inconsistent
(when running in rootless-mode, the binary was looked-up once), as well as
inconvenient, because a missing binary, or a mis-configureed userland-proxy-path
would not be detected daeemon startup, and not produce an error until starting
the container;

    docker run -d -P nginx:alpine
    4f7b6589a1680f883d98d03db12203973387f9061e7a963331776170e4414194
    docker: Error response from daemon: driver failed programming external connectivity on endpoint romantic_wiles (7cfdc361821f75cbc665564cf49856cf216a5b09046d3c22d5b9988836ee088d): fork/exec docker-proxy: no such file or directory.

However, the container would still be created (but invalid);

    docker ps -a
    CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS    PORTS     NAMES
    869f41d7e94f   nginx:alpine   "/docker-entrypoint.…"   10 seconds ago   Created             romantic_wiles

This patch changes how the userland-proxy is configured;

- The path of the userland-proxy is now looked up / configured at daemon
  startup; this is similar to how the proxy is configured in rootless-mode.
- A warning is logged when failing to lookup the binary.
- If the daemon is configured with "userland-proxy" enabled, an error is
  produced, and the daemon will refuse to start.
- The "proxyPath" argument for newProxyCommand() (in libnetwork/portmapper)
  is now required to be set. It no longer looks up the executable, and
  produces an error if no path was provided. While this change was not
  required, it makes the daemon config the canonical source of truth, instead
  of logic spread accross multiplee locations.

Some of this logic is a change of behavior, but these changes were made with
the assumption that we don't want to support;

- installing the userland proxy _after_ the daemon was started
- moving the userland proxy (or installing a proxy with a higher
  preference in PATH)

With this patch:

Validating the config produces an error if the binary is not found:

    dockerd --validate
    WARN[2023-12-29T11:36:39.748699591Z] failed to lookup default userland-proxy binary       error="exec: \"docker-proxy\": executable file not found in $PATH"
    userland-proxy is enabled, but userland-proxy-path is not set

Disabling userland-proxy prints a warning, but validates as "OK":

    dockerd --userland-proxy=false --validate
    WARN[2023-12-29T11:38:30.752523879Z] ffailed to lookup default userland-proxy binary       error="exec: \"docker-proxy\": executable file not found in $PATH"
    configuration OK

Speficying a non-absolute path produces an error:

    dockerd --userland-proxy-path=docker-proxy --validate
    invalid userland-proxy-path: must be an absolute path: docker-proxy

Befor this patch, we would not validate this path, which would allow the daemon
to start, but fail to map a port;

    docker run -d -P nginx:alpine
    4f7b6589a1680f883d98d03db12203973387f9061e7a963331776170e4414194
    docker: Error response from daemon: driver failed programming external connectivity on endpoint romantic_wiles (7cfdc361821f75cbc665564cf49856cf216a5b09046d3c22d5b9988836ee088d): fork/exec docker-proxy: no such file or directory.

Specifying an invalid userland-proxy-path produces an error as well:

    dockerd --userland-proxy-path=/usr/local/bin/no-such-binary --validate
    userland-proxy-path is invalid: stat /usr/local/bin/no-such-binary: no such file or directory

    mkdir -p /usr/local/bin/not-a-file
    dockerd --userland-proxy-path=/usr/local/bin/not-a-file --validate
    userland-proxy-path is invalid: exec: "/usr/local/bin/not-a-file": is a directory

    touch /usr/local/bin/not-an-executable
    dockerd --userland-proxy-path=/usr/local/bin/not-an-executable --validate
    userland-proxy-path is invalid: exec: "/usr/local/bin/not-an-executable": permission denied

Same when using the daemon.json config-file;

    echo '{"userland-proxy-path":"no-such-binary"}' > /etc/docker/daemon.json
    dockerd --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: merged configuration validation from file and command line flags failed: invalid userland-proxy-path: must be an absolute path: no-such-binary

    dockerd --userland-proxy-path=hello --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: userland-proxy-path: (from flag: hello, from file: /usr/local/bin/docker-proxy)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 16:23:18 +01:00
Sebastiaan van Stijn
214ab2caef
libnetwork/portmapper: PortMapper.MapRange: inline "cleanup" closure
The cleanup function never returns an error, so didn't add much value. This
patch removes the closure, and calls it inline to remove the extra
indirection, and removes the error which would never be returned.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 14:30:42 +01:00
Sebastiaan van Stijn
6ae6dcfc53
libnetwork/portmapper: PortMapper.MapRange: fix defer
The defer was set after the switch, but various code-paths inside the switch
could return with an error after the port was allocated / reserved, which
could result in those ports not being released.

This patch moves the defer into each individual branch of the switch to set
it immediately after succesfully reserving the port.

We can also remove a redundant ReleasePort from the cleanup function, as
it's only called if an error occurs, and the defers already take care of
that.

Note that the cleanup function was handling errors returned by ReleasePort,
but this function never returns an error, so it was fully redundant.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 14:26:56 +01:00
Sebastiaan van Stijn
8712c6df22
libnetwork/portmapper: PortMapper.MapRange: rename err-return
Prevent accidentally shadowing the error, which is used in a defer.
Also re-format the code to make it more clear we're not acting on
a locally-scoped "allocatedHostPort" variable.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 14:26:06 +01:00
Sebastiaan van Stijn
7bc56c5365
Merge pull request #46853 from akerouanton/libnet-ep-dns-names
libnet: Endpoint: remove isAnonymous & myAliases
2023-12-20 19:53:16 +01:00
Albin Kerouanton
13915f6521
libnet: document what Network.networkType represents
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-20 19:04:37 +01:00
Albin Kerouanton
6a2542dacf
libnet: remove Endpoint.anonymous
No more concept of "anonymous endpoints". The equivalent is now an
endpoint with no DNSNames set.

Some of the code removed by this commit was mutating user-supplied
endpoint's Aliases to add container's short ID to that list. In order to
preserve backward compatibility for the ContainerInspect endpoint, this
commit also takes care of adding that short ID (and the container
hostname) to `EndpointSettings.Aliases` before returning the response.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-20 19:04:37 +01:00
Sebastiaan van Stijn
388216fc45
Merge pull request #46850 from robmry/46829-allow_ipv6_subnet_change
Allow overlapping change in bridge's IPv6 network.
2023-12-19 18:35:13 +01:00
Cory Snider
5eaf898fcb libnetwork: write ServFail if DNS reply msg is bad
If the resolver's DNSBackend returns a name that cannot be marshaled
into a well-formed DNS message, the resolver will only discover this
when it attempts to write the reply message and it fails with an error.
No reply message is sent, leaving the client to wait out its timeout and
the user in the dark about what went wrong.

When writing the intended reply message fails, retry once with a
ServFail response to inform the client and user that the DNS query was
not resolved due to a problem with to the resolver, not the network.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-19 11:24:33 -05:00
Cory Snider
1da85f7bdc libnetwork: assert DNS replies are well-formed
The well-formedness of a DNS message is only checked when it is
serialized, through the (*dns.Msg).Pack() method. Add a call to Pack()
to our tstwriter mock to mirror the behaviour of the real
dns.ResponseWriter implementation. And fix tests which generated
ill-formed DNS query messages.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-19 11:13:35 -05:00
Albin Kerouanton
7a9b680a9c
libnet: remove Endpoint.myAliases
This property is now unused, let's get rid of it.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-19 10:20:38 +01:00
Albin Kerouanton
8b7af1d0fc
libnet: update dnsNames on ContainerRename
The `(*Endpoint).rename()` method is changed to only mutate `ep.name`
and let a new method `(*Endpoint).UpdateDNSNames()` handle DNS updates.

As a consequence, the rollback code that was part of
`(*Endpoint).rename()` is now removed, and DNS updates are now
rolled back by `ContainerRename`.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-19 10:20:38 +01:00
Albin Kerouanton
3bb13c7eb4
libnet: Use Endpoint.dnsNames to create DNS records
Instead of special-casing anonymous endpoints, use the list of DNS names
associated to the endpoint.

`(*Endpoint).isAnonymous()` has no more uses, so let's delete it.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-19 10:20:37 +01:00
Albin Kerouanton
f5cc497eac
libnet: populate Endpoint.dnsNames on UnmarshalJSON
This new property will be empty if the daemon was upgraded with
live-restore enabled. To not break DNS resolutions for restored
containers, we need to populate dnsNames based on endpoint's myAliases &
anonymous properties.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-19 10:16:05 +01:00
Albin Kerouanton
ab8968437b
daemon: build the list of endpoint's DNS names
Instead of special-casing anonymous endpoints in libnetwork, let the
daemon specify what (non fully qualified) DNS names should be associated
to container's endpoints.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-19 10:16:04 +01:00
Albin Kerouanton
dc1e73cbbf
libnet: add a new dnsNames property to Endpoint
This new property is meant to replace myAliases and anonymous
properties.

The end goal is to get rid of both properties by letting the daemon
determine what (non fully qualified) DNS names should be associated to
them.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-18 18:38:25 +01:00
Rob Murray
27f3abd893 Allow overlapping change in bridge's IPv6 network.
Calculate the IPv6 addreesses needed on a bridge, then reconcile them
with the addresses on an existing bridge by deleting then adding as
required.

(Previously, required addresses were added one-by-one, then unwanted
addresses were removed. This meant the daemon failed to start if, for
example, an existing bridge had address '2000:db8::/64' and the config
was changed to '2000:db8::/80'.)

IPv6 addresses are now calculated and applied in one go, so there's no
need for setupVerifyAndReconcile() to check the set of IPv6 addresses on
the bridge. And, it was guarded by !config.InhibitIPv4, which can't have
been right. So, removed its IPv6 parts, and added IPv4 to its name.

Link local addresses, the example given in the original ticket, are now
released when containers are stopped. Not releasing them meant that
when using an LL subnet on the default bridge, no container could be
started after a container was stopped (because the calculated address
could not be re-allocated). In non-default bridge networks using an
LL subnet, addresses leaked.

Linux always uses the standard 'fe80::/64' LL network. So, if a bridge
is configured with an LL subnet prefix that overlaps with it, a config
error is reported. Non-overlapping LL subnet prefixes are allowed.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2023-12-18 16:10:41 +00:00
Albin Kerouanton
d6a656cf7f
libnet: Remove unused cmd/readme_test
This command was originally added by ea7f555446
to test the code snippet put into libnet's README.md. Nothing compiles
this file and it doesn't add any value to the project. So better remove
it than maintaining it.

This commit also removes the code snippet from libnet's README.md for
the same reasons.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-16 13:06:15 +01:00
Sebastiaan van Stijn
2cf230951f
add //go:build directives to prevent downgrading to go1.16 language
This repository is not yet a module (i.e., does not have a `go.mod`). This
is not problematic when building the code in GOPATH or "vendor" mode, but
when using the code as a module-dependency (in module-mode), different semantics
are applied since Go1.21, which switches Go _language versions_ on a per-module,
per-package, or even per-file base.

A condensed summary of that logic [is as follows][1]:

- For modules that have a go.mod containing a go version directive; that
  version is considered a minimum _required_ version (starting with the
  go1.19.13 and go1.20.8 patch releases: before those, it was only a
  recommendation).
- For dependencies that don't have a go.mod (not a module), go language
  version go1.16 is assumed.
- Likewise, for modules that have a go.mod, but the file does not have a
  go version directive, go language version go1.16 is assumed.
- If a go.work file is present, but does not have a go version directive,
  language version go1.17 is assumed.

When switching language versions, Go _downgrades_ the language version,
which means that language features (such as generics, and `any`) are not
available, and compilation fails. For example:

    # github.com/docker/cli/cli/context/store
    /go/pkg/mod/github.com/docker/cli@v25.0.0-beta.2+incompatible/cli/context/store/storeconfig.go:6:24: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
    /go/pkg/mod/github.com/docker/cli@v25.0.0-beta.2+incompatible/cli/context/store/store.go:74:12: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)

Note that these fallbacks are per-module, per-package, and can even be
per-file, so _(indirect) dependencies_ can still use modern language
features, as long as their respective go.mod has a version specified.

Unfortunately, these failures do not occur when building locally (using
vendor / GOPATH mode), but will affect consumers of the module.

Obviously, this situation is not ideal, and the ultimate solution is to
move to go modules (add a go.mod), but this comes with a non-insignificant
risk in other areas (due to our complex dependency tree).

We can revert to using go1.16 language features only, but this may be
limiting, and may still be problematic when (e.g.) matching signatures
of dependencies.

There is an escape hatch: adding a `//go:build` directive to files that
make use of go language features. From the [go toolchain docs][2]:

> The go line for each module sets the language version the compiler enforces
> when compiling packages in that module. The language version can be changed
> on a per-file basis by using a build constraint.
>
> For example, a module containing code that uses the Go 1.21 language version
> should have a `go.mod` file with a go line such as `go 1.21` or `go 1.21.3`.
> If a specific source file should be compiled only when using a newer Go
> toolchain, adding `//go:build go1.22` to that source file both ensures that
> only Go 1.22 and newer toolchains will compile the file and also changes
> the language version in that file to Go 1.22.

This patch adds `//go:build` directives to those files using recent additions
to the language. It's currently using go1.19 as version to match the version
in our "vendor.mod", but we can consider being more permissive ("any" requires
go1.18 or up), or more "optimistic" (force go1.21, which is the version we
currently use to build).

For completeness sake, note that any file _without_ a `//go:build` directive
will continue to use go1.16 language version when used as a module.

[1]: 58c28ba286/src/cmd/go/internal/gover/version.go (L9-L56)
[2]: https://go.dev/doc/toolchain

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 15:24:15 +01:00
Rob Murray
0f9f9a132e Move 'netip' utils from 'ipam' to 'internal'.
Signed-off-by: Rob Murray <rob.murray@docker.com>
2023-12-06 17:13:40 +00:00
Cory Snider
1931a1bdc7 libnetwork/diagnostic: lock mutex in help handler
Acquire the mutex in the help handler to synchronize access to the
handlers map. While a trivial issue---a panic in the request handler if
the node joins a swarm at just the right time, which would only result
in an HTTP 500 response---it is also a trivial race condition to fix.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-06 11:20:47 -05:00
Cory Snider
424ae36046 libnetwork/diagnostic: use standard http.Handler
We don't need C-style callback functions which accept a void* context
parameter: Go has closures. Drop the unnecessary httpHandlerCustom type
and refactor the diagnostic server handler functions into closures which
capture whatever context they need implicitly.

If the node leaves and rejoins a swarm, the cluster agent and its
associated NetworkDB are discarded and replaced with new instances. Upon
rejoin, the agent registers its NetworkDB instance with the diagnostic
server. These handlers would all conflict with the handlers registered
by the previous NetworkDB instance. Attempting to register a second
handler on a http.ServeMux with the same pattern will panic, which the
diagnostic server would historically deal with by ignoring the duplicate
handler registration. Consequently, the first NetworkDB instance to be
registered would "stick" to the diagnostic server for the lifetime of
the process, even after it is replaced with another instance. Improve
duplicate-handler registration such that the most recently-registered
handler for a pattern is used for all subsequent requests.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-06 11:19:59 -05:00
Cory Snider
757a004a90 libnetwork/diagnostic: drop Init method
Fold it into the constructor, because that's what the constructor is
supposed to do.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-04 15:13:17 -05:00
Cory Snider
f270057e0c libnetwork/diagnostic: un-embed sync.Mutex field
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-04 15:13:17 -05:00
Rob Murray
964ab7158c Explicitly set MTU on bridge devices.
This is purely cosmetic - if a non-default MTU is configured, the bridge
will have the default MTU=1500 until a container's 'veth' is connected
and an MTU is set on the veth. That's a disconcerting, it looks like the
config has been ignored - so, set the bridge's MTU explicitly.

Fixes #37937

Signed-off-by: Rob Murray <rob.murray@docker.com>
2023-11-27 11:18:54 +00:00
Sebastiaan van Stijn
2f65748927
Merge pull request #46790 from corhere/libn/overlay-ipv6-vtep
libnetwork/drivers/overlay: support IPv6 transport
2023-11-23 18:23:27 +01:00
Paweł Gronowski
d154421092
Merge pull request #46444 from cpuguy83/docker_info_slow
Plumb context through info endpoint
2023-11-20 12:10:30 +01:00
Sebastiaan van Stijn
f13d8c2026
Merge pull request #46724 from rhansen/host_ipv6
New `host_ipv6` bridge option to SNAT IPv6 connections
2023-11-13 21:50:17 +01:00
Brian Goff
677d41aa3b Plumb context through info endpoint
I was trying to find out why `docker info` was sometimes slow so
plumbing a context through to propagate trace data through.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-11-10 20:09:25 +00:00
Brian Goff
f0b89e63b9 Fix missing import for "scope" package
I believe this happened due to conflicting PR's that got merged without
CI re-running between them.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-11-09 22:48:01 +00:00
Brian Goff
524eef5d75
Merge pull request #46681 from corhere/libn/datastore-misc-cleanups 2023-11-09 11:31:30 -08:00
Cory Snider
33564a0c03 libnetwork/d/overlay: support IPv6 transport
The forwarding database (fdb) of Linux VXLAN links are restricted to
entries with destination VXLAN tunnel endpoint (VTEP) address of a
single address family. Which address family is permitted is set when the
link is created and cannot be modified. The overlay network driver
creates VXLAN links such that the kernel only allows fdb entries to be
created with IPv4 destination VTEP addresses. If the Swarm is configured
with IPv6 advertise addresses, creating fdb entries for remote peers
fails with EAFNOSUPPORT (address family not supported by protocol).

Make overlay networks functional over IPv6 transport by configuring the
VXLAN links for IPv6 VTEPs if the local node's advertise address is an
IPv6 address. Make encrypted overlay networks secure over IPv6 transport
by applying the iptables rules to the ip6tables when appropriate.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-11-09 12:04:47 -05:00
Cory Snider
e1d85da306 libnetwork/d/overlay: parse discovery data eagerly
Parse the address strings once and use the binary representation
internally.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-11-09 12:04:47 -05:00
Albin Kerouanton
d47b3ef4c9
libnet: early return from updateSvcRecord if no addr available
Early return if the iface or its address is nil to make the whole
function slightly easier to read.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-11-08 20:45:15 +01:00
Sebastiaan van Stijn
5b19725de2
Merge pull request #46668 from corhere/libn/svc-record-update-without-store
libnetwork: svc record update without store
2023-11-03 13:47:12 +01:00
Cory Snider
7257c77e19 libnetwork/ipam: refactor prefix-overlap checks
I am finally convinced that, given two netip.Prefix values a and b, the
expression

    a.Contains(b.Addr()) || b.Contains(a.Addr())

is functionally equivalent to

    a.Overlaps(b)

The (netip.Prefix).Contains method works by masking the address with the
prefix's mask and testing whether the remaining most-significant bits
are equal to the same bits in the prefix. The (netip.Prefix).Overlaps
method works by masking the longer prefix to the length of the shorter
prefix and testing whether the remaining most-significant bits are
equal. This is equivalent to
shorterPrefix.Contains(longerPrefix.Addr()), therefore applying Contains
symmetrically to two prefixes will always yield the same result as
applying Overlaps to the two prefixes in either order.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-11-01 11:44:24 -04:00
Richard Hansen
808120e5b8 New host_ipv6 bridge option to SNAT IPv6 connections
Add a new `com.docker.network.host_ipv6` bridge option to compliment
the existing `com.docker.network.host_ipv4` option. When set to an
IPv6 address, this causes the bridge to insert `SNAT` rules instead of
`MASQUERADE` rules (assuming `ip6tables` is enabled).  `SNAT` makes it
possible for users to control the source IP address used for outgoing
connections.

Signed-off-by: Richard Hansen <rhansen@rhansen.org>
2023-10-25 20:11:49 -04:00
Richard Hansen
0cf113e250 Add unit tests for outgoing NAT rules
Signed-off-by: Richard Hansen <rhansen@rhansen.org>
2023-10-21 13:53:58 -04:00
Cory Snider
4af420f978 libnetwork/internal/kvstore: prune unused method
The datastore never calls Get() due to how the cache is implemented.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-19 12:57:42 -04:00
Cory Snider
4039b9c9c4 libnetwork/datastore: drop (KVObject).DataScope()
It wasn't being used for anything meaningful.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-19 12:38:39 -04:00
Cory Snider
4f4a897dda libnetwork/datastore: drop (*Store).Scope() method
It unconditionally returned scope.Local.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-19 12:38:37 -04:00
Cory Snider
4b40d82233 libnetwork/datastore: un-embed mutex from cache
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-19 12:37:12 -04:00
Cory Snider
9536fabaa8 libnetwork/datastore: minor code cleanup
While there is nothing inherently wrong with goto statements, their use
here is not helping with readability.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-19 12:37:12 -04:00
Cory Snider
43dccc6c1a libnetwork/datastore: unconditionally use ds.cache
ds.cache is never nil so the uncached code paths are unreachable in
practice. And given how many KVObject deep-copy implementations shallow
copy pointers and other reference-typed values, there is the distinct
possibility that disabling the datastore cache could break things.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-19 12:37:10 -04:00
Cory Snider
5b3086db1f libnetwork/datastore: prevent accidental recursion
The datastore cache only uses the reference to its datastore to get a
reference to the backing store. Modify the cache to take the backing
store reference directly so that methods on the datastore can't get
called, as that might result in infinite recursion between datastore and
cache methods.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-19 11:56:08 -04:00
Cory Snider
bcca214e36 libnetwork: open-code updating svc records
Inline the tortured logic for deciding when to skip updating the svc
records to give us a fighting chance at deciphering the logic behind the
logic and spotting logic bugs.

Update the service records synchronously. The only potential for issues
is if this change introduces deadlocks, which should be fixed by
restrucuting the mutexes rather than papering over the issue with
sketchy hacks like deferring the operation to a goroutine.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-17 19:51:21 -04:00
Cory Snider
33cf73f699 libnetwork: drop (*Controller).nmap
Its only remaining purpose is to elide removing the endpoint from the
service records if it was not previously added. Deleting the service
records is an idempotent operation so it is harmless to delete service
records which do not exist.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-17 19:46:18 -04:00
Cory Snider
804ef16822 libnetwork: only delete svc db entry on network rm
The service db entry for each network is deleted by
(*Controller).cleanupServiceDiscovery() when the network is deleted.
There is no need to also eagerly delete it whenever the network's
endpoint count drops to zero.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-17 19:46:18 -04:00
Cory Snider
c85398b020 libnetwork: drop vestigial endpoint-rename logic
The logic to rename an endpoint includes code which would synchronize
the renamed service records to peers through the distributed datastore.
It would trigger the remote peers to pick up the rename by touching a
datastore object which remote peers would have subscribed to events on.
The code also asserts that the local peer is subscribed to updates on
the network associated with the endpoint, presumably as a proxy for
asserting that the remote peers would also be subscribed.
https://github.com/moby/libnetwork/pull/712

Libnetwork no longer has support for distributed datastores or
subscribing to datastore object updates, so this logic can be deleted.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-17 19:46:18 -04:00