Commit graph

2822 commits

Author SHA1 Message Date
Cory Snider
7fc29c1435 libnetwork/osl: clean up Linux InvokeFunc()
Aside from unconditionally unlocking the OS thread even if restoring the
thread's network namespace fails, func (*networkNamespace).InvokeFunc()
correctly implements invoking a function inside a network namespace.
This is far from obvious, however. func InitOSContext() does much of the
heavy lifting but in a bizarre fashion: it restores the initial network
namespace before it is changed in the first place, and the cleanup
function it returns does not restore the network namespace at all! The
InvokeFunc() implementation has to restore the network namespace
explicitly by deferring a call to ns.SetNamespace().

func InitOSContext() is a leaky abstraction taped to a footgun. On the
one hand, it defensively resets the current thread's network namespace,
which has the potential to fix up the thread state if other buggy code
had failed to maintain the invariant that an OS thread must be locked to
a goroutine unless it is interchangeable with a "clean" thread as
spawned by the Go runtime. On the other hand, it _facilitates_ writing
buggy code which fails to maintain the aforementioned invariant because
the cleanup function it returns unlocks the thread from the goroutine
unconditionally while neglecting to restore the thread's network
namespace! It is quite scary to need a function which fixes up threads'
network namespaces after the fact as an arbitrary number of goroutines
could have been scheduled onto a "dirty" thread and run non-libnetwork
code before the thread's namespace is fixed up. Any number of
(not-so-)subtle misbehaviours could result if an unfortunate goroutine
is scheduled onto a "dirty" thread. The whole repository has been
audited to ensure that the aforementioned invariant is never violated,
making after-the-fact fixing up of thread network namespaces redundant.
Make InitOSContext() a no-op on Linux and inline the thread-locking into
the function (singular) which previously relied on it to do so.

func ns.SetNamespace() is of similarly dubious utility. It intermixes
capturing the initial network namespace and restoring the thread's
network namespace, which could result in threads getting put into the
wrong network namespace if the wrong thread is the first to call it.
Delete it entirely; functions which need to manipulate a thread's
network namespace are better served by being explicit about capturing
and restoring the thread's namespace.

Rewrite InvokeFunc() to invoke the closure inside a goroutine to enable
a graceful and safe recovery if the thread's network namespace could not
be restored. Avoid any potential race conditions due to changing the
main thread's network namespace by preventing the aforementioned
goroutines from being eligible to be scheduled onto the main thread.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-25 13:35:44 -04:00
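The locking discipline the commit above describes, as an added illustration rather than libnetwork's own InvokeFunc(): the closure runs on its own locked OS thread, the thread is unlocked only when its original namespace is restored, and the main goroutine is locked to its thread so the spawned goroutines can never land there. The netns operations are injected (the `netnsOps` type, `invokeInNetns`, `errRestoreNetns` and the fake namespace fds are all constructed here) so the pattern can be exercised without CAP_SYS_ADMIN.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
)

// errRestoreNetns is wrapped into the error returned when the thread could
// not be moved back into its original network namespace.
var errRestoreNetns = errors.New("failed to restore thread network namespace")

// netnsOps abstracts the two things the real code does to the calling
// thread's network namespace: capture the current one and switch to another.
// They are injected (assumption for this example) so the thread-locking
// discipline can be exercised with fakes; the real implementation would
// use setns(2) on the thread.
type netnsOps struct {
	current func() (fd int, err error) // capture the calling thread's current netns
	set     func(fd int) error          // move the calling thread into fd's netns
}

func init() {
	// One way to keep the goroutines spawned by invokeInNetns off the main
	// thread (assumption, not the project's code): lock the main goroutine to
	// the thread it started on, so the scheduler never runs anything else there.
	runtime.LockOSThread()
}

// invokeInNetns runs fn with its OS thread switched into targetNs and waits
// for the result. The invariant: an OS thread is unlocked from its goroutine
// only if its network namespace is back to what it was. If the restore
// fails, the goroutine exits while still locked, and the Go runtime destroys
// the dirty thread rather than recycling it for an unrelated goroutine.
func invokeInNetns(ops netnsOps, targetNs int, fn func() error) error {
	done := make(chan error, 1)
	go func() {
		runtime.LockOSThread()
		origNs, err := ops.current()
		if err != nil {
			runtime.UnlockOSThread() // nothing was changed, so the thread is still clean
			done <- fmt.Errorf("capturing netns: %w", err)
			return
		}
		if err := ops.set(targetNs); err != nil {
			runtime.UnlockOSThread() // switch failed atomically: thread is still in origNs
			done <- fmt.Errorf("entering netns: %w", err)
			return
		}
		fnErr := fn()
		if err := ops.set(origNs); err != nil {
			// Deliberately NOT unlocking: the thread is dirty and must die with
			// this goroutine instead of being handed to the next goroutine.
			rerr := fmt.Errorf("%w: %v", errRestoreNetns, err)
			if fnErr != nil {
				rerr = fmt.Errorf("%v; additionally %w", fnErr, rerr)
			}
			done <- rerr
			return
		}
		runtime.UnlockOSThread() // namespace restored: the thread is clean again
		done <- fnErr
	}()
	return <-done
}

func main() {
	const hostNs, ctrNs = 3, 7 // constructed fds standing in for ns/net handles
	thread := hostNs          // constructed: the namespace the fake thread is in
	ops := netnsOps{
		current: func() (int, error) { return thread, nil },
		set:     func(fd int) error { thread = fd; return nil },
	}
	err := invokeInNetns(ops, ctrNs, func() error {
		fmt.Println("closure running inside namespace", thread)
		return nil
	})
	fmt.Println("thread back in namespace", thread, "err:", err)
}
```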
Cory Snider
d1e3705c1a libnet/d/overlay: restore thread netns
func (*network) watchMiss() correctly locks its goroutine to an OS
thread before changing the thread's network namespace, but neglects to
restore the thread's network namespace before unlocking. Fix this
oversight by unlocking iff the thread's network namespace is
successfully restored.

Prevent the watchMiss goroutine from being locked to the main thread to
avoid the issues which would arise if such a situation was to occur.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-25 13:35:44 -04:00
Cory Snider
3e2f0c7a39 libnetwork: fixup thread locking in Linux tests
The parallel tests were unconditionally unlocking the test case
goroutine from the OS thread, irrespective of whether the thread's
network namespace was successfully restored. This was not a problem in
practice as the unpaired calls to runtime.LockOSThread() peppered
through the test case would have prevented the goroutine from being
unlocked. Unlock the goroutine from the thread iff the thread's network
namespace is successfully restored.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-25 13:35:44 -04:00
Cory Snider
afa41b16ea libnetwork/testutils: restore netns on teardown
testutils.SetupTestOSContext() sets the calling thread's network
namespace but neglected to restore it on teardown. This was not a
problem in practice as it called runtime.LockOSThread() twice but
runtime.UnlockOSThread() only once, so the tampered threads would be
terminated by the runtime when the test case returned and replaced with
a clean thread. Correct the utility so it restores the thread's network
namespace during teardown and unlocks the goroutine from the thread on
success.

Remove unnecessary runtime.LockOSThread() calls peppering test cases
which leverage testutils.SetupTestOSContext().

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-24 15:37:46 -04:00
Sebastiaan van Stijn
3db11af44b
libnetwork/drivers/overlay: use filepath.WalkDir instead of filepath.Walk
WalkDir is more performant as it doesn't perform an os.Lstat on every visited
file or directory.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-09 17:25:03 +02:00
Sebastiaan van Stijn
145817a9cf
libnetwork: use strconv instead of fmt.Sprintf()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-08 17:41:39 +02:00
Sebastiaan van Stijn
1515e02c8a
Merge pull request #44215 from corhere/fix-unlockosthread-pdeathsig
Stop subprocesses from getting unexpectedly killed
2022-10-06 20:08:53 +02:00
Cory Snider
1f22b15030 Lock OS threads when exec'ing with Pdeathsig
On Linux, when (os/exec.Cmd).SysProcAttr.Pdeathsig is set, the signal
will be sent to the process when the OS thread on which cmd.Start() was
executed dies. The runtime terminates an OS thread when a goroutine
exits after being wired to the thread with runtime.LockOSThread(). If
other goroutines are allowed to be scheduled onto a thread which called
cmd.Start(), an unrelated goroutine could cause the thread to be
terminated and prematurely signal the command. See
https://github.com/golang/go/issues/27505 for more information.

Prevent started subprocesses with Pdeathsig from getting signaled
prematurely by wiring the starting goroutine to the OS thread until the
subprocess has exited. No other goroutines can be scheduled onto a
locked thread so it will remain alive until unlocked or the daemon
process exits.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-05 12:18:03 -04:00
Sebastiaan van Stijn
c523d6d25c
libnetwork: remove some outdated comments
The corresponding "nolint" comments were removed in 2f1c382a6d,
but these comments were not removed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-04 15:34:39 +02:00
Sebastiaan van Stijn
60ace31be0
libnetwork: sandbox.updateDNS(): use const for file permissions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-02 01:28:05 +02:00
Sebastiaan van Stijn
f0be4d126d
libnetwork: use object-literal for some structs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-02 01:26:15 +02:00
Sebastiaan van Stijn
50a7c67363
libnetwork: fix some whitespace formatting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-02 01:26:14 +02:00
Sebastiaan van Stijn
481185fb8a
libnetwork/osl: fix GoDoc formatting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-02 01:26:14 +02:00
Sebastiaan van Stijn
173d16b233
Merge pull request #44193 from thaJeztah/libnetwork_cleanup
libnetwork: cleanup config package, remove old integration tests
2022-09-27 22:41:32 +02:00
Sebastiaan van Stijn
762fc76cf9
Merge pull request #44089 from thaJeztah/update_golangci_lint
golangci-lint: update to v1.49.0
2022-09-27 18:24:15 +02:00
Sebastiaan van Stijn
89555e45f2
Merge pull request #44191 from corhere/drop-containerfs-iface
Remove LCOW: pkg/containerfs: drop ContainerFS abstraction
2022-09-27 10:28:35 +02:00
Sebastiaan van Stijn
e3d80cfc15
Merge pull request #44179 from thaJeztah/resolvconf_deadcode
libnetwork/resolvconf: removed unused GetIfChanged() and GetLastModified()
2022-09-26 23:51:52 +02:00
Sebastiaan van Stijn
cd381aea56
libnetwork: fix empty-lines (revive)
    libnetwork/etchosts/etchosts_test.go:167:54: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/osl/route_linux.go:185:74: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/osl/sandbox_linux_test.go:323:36: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/bitseq/sequence.go:412:48: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/datastore/datastore_test.go:67:46: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/datastore/mock_store.go:34:60: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/iptables/firewalld.go:202:44: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/iptables/firewalld_test.go:76:36: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/iptables/iptables.go:256:67: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/iptables/iptables.go:303:128: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/networkdb/cluster.go:183:72: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/ipams/null/null_test.go:44:38: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/drivers/macvlan/macvlan_store.go:45:52: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/ipam/allocator_test.go:1058:39: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/bridge/port_mapping.go:88:111: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/drivers/bridge/link.go:26:90: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/drivers/bridge/setup_ipv6_test.go:17:34: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/drivers/bridge/setup_ip_tables.go:392:4: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/bridge/bridge.go:804:50: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/overlay/ov_serf.go:183:29: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/overlay/ov_utils.go:81:64: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/drivers/overlay/peerdb.go:172:67: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/overlay/peerdb.go:209:67: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/overlay/peerdb.go:344:89: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/overlay/peerdb.go:436:63: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/overlay/overlay.go:183:36: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/drivers/overlay/encryption.go:69:28: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/drivers/overlay/ov_network.go:563:81: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/default_gateway.go:32:43: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/errors_test.go:9:40: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/service_common.go:184:64: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/endpoint.go:161:55: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/store.go:320:33: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/store_linux_test.go:11:38: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/sandbox.go:571:36: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/service_common.go:317:246: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/endpoint.go:550:17: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/sandbox_dns_unix.go:213:106: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/controller.go:676:85: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/agent.go:876:60: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/resolver.go:324:69: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/network.go:1153:92: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/network.go:1955:67: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/network.go:2235:9: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/libnetwork_internal_test.go:336:26: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/resolver_test.go:76:35: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/libnetwork_test.go:303:38: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/libnetwork_test.go:985:46: empty-lines: extra empty line at the end of a block (revive)
    libnetwork/ipam/allocator_test.go:1263:37: empty-lines: extra empty line at the start of a block (revive)
    libnetwork/errors_test.go:9:40: empty-lines: extra empty line at the end of a block (revive)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 19:21:58 +02:00
Sebastiaan van Stijn
267108e113
libnetwork/config: rename ParseConfigOptions() to New()
This function effectively is a constructor, so rename it to better describe
its functionality.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 19:20:55 +02:00
Sebastiaan van Stijn
09cc2f9d0e
libnetwork/config: inline LoadDefaultScopes()
This method was an exported method, but only used as part of ParseConfigOptions,
so inlining it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 17:40:06 +02:00
Sebastiaan van Stijn
528428919e
libnetwork/config: merge DaemonCfg into Config
It was unclear what the distinction was between these configuration
structs, so merging them to simplify.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 12:05:37 +02:00
Sebastiaan van Stijn
571baffd59
libnetwork: remove old integration tests
This was used for testing purposes when libnetwork was in a separate repo, using
the dnet utility, which was removed in 7266a956a8.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 12:05:37 +02:00
Sebastiaan van Stijn
46f4a45769
libnetwork/config: remove ParseConfig()
Libnetwork configuration files were only used as part of integration tests using
the dnet utility, which was removed in 7266a956a8.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 12:05:37 +02:00
Sebastiaan van Stijn
7d574f5ac6
libnetwork/config: inline ProcessOptions
This method was only used in a single place; inlining it makes it
easier to see what's done.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 12:05:37 +02:00
Sebastiaan van Stijn
a8a8bd1e42
libnetwork/config: remove "Experimental" and "Debug" options
These were no longer used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-26 12:05:22 +02:00
Sebastiaan van Stijn
2f1c382a6d
golangci-lint: update to v1.49.0
Remove the "deadcode", "structcheck", and "varcheck" linters, as they are
deprecated:

    WARN [runner] The linter 'deadcode' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [runner] The linter 'varcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [linters context] structcheck is disabled because of generics. You can track the evolution of the generics support by following the https://github.com/golangci/golangci-lint/issues/2649.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-23 23:31:27 +02:00
Cory Snider
e332c41e9d pkg/containerfs: alias ContainerFS to string
Drop the constructor and redundant string() type-casts.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-09-23 16:56:52 -04:00
Sebastiaan van Stijn
49de15cdcc
libnetwork/resolvconf: removed unused GetIfChanged() and GetLastModified()
These functions were used in 63a7ccdd23, which was
part of Docker v1.5.0 and v1.6.0, but removed in Docker v1.7.0 when the network
stack was replaced with libnetwork in d18919e304.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-22 13:58:34 +02:00
Sebastiaan van Stijn
55fd77f724
set ReadHeaderTimeout to address G112: Potential Slowloris Attack (gosec)
After discussing in the maintainers meeting, we concluded that Slowloris attacks
are not a real risk other than potentially having some additional goroutines
lingering around, so setting a long timeout to satisfy the linter, and to at
least have "some" timeout.

    libnetwork/diagnostic/server.go:96:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        srv := &http.Server{
            Addr:    net.JoinHostPort(ip, strconv.Itoa(port)),
            Handler: s,
        }
    api/server/server.go:60:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
                srv: &http.Server{
                    Addr: addr,
                },
    daemon/metrics_unix.go:34:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^
    cmd/dockerd/metrics.go:27:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-22 12:13:28 +02:00
Samuel Karp
7860686a8d
Merge pull request #44090 from thaJeztah/fix_linting_issues
2022-09-07 14:27:03 -07:00
Sebastiaan van Stijn
58413c15cb
update to golang 1.19
also ran gofmt with go1.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-07 15:27:16 +02:00
Sebastiaan van Stijn
561a010161
linting: suppress false positive for G404 (gosec)
The linter falsely detects this as using "math/rand":

    libnetwork/networkdb/cluster.go:721:14: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
       val, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
                   ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-04 15:36:49 +02:00
Sebastiaan van Stijn
a33d1f9a7c
libnetwork/diagnostic: EnableDiagnostic(): use net.JoinHostPort
Use net.JoinHostPort to account for IPv6 addresses.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-04 15:36:47 +02:00
Youfu Zhang
549d24b437 libnetwork/drivers/ipvlan: fix missing IpvlanFlag field in config JSON
Fixes #42542

Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
2022-08-24 16:23:32 +08:00
Brian Goff
724feb898f
Merge pull request #43857 from corhere/follow-up-42829
libnetwork: refactor networkdb test implementation
2022-08-16 10:48:02 -07:00
Tianon Gravi
8d9d5a3bb5
Merge pull request #43844 from Abirdcfly/master
fix minor code unreachability error
2022-08-12 17:12:15 -07:00
Abirdcfly
9031de6a9b fix minor code unreachability error
Signed-off-by: Abirdcfly <fp544037857@gmail.com>
2022-08-04 22:32:59 +08:00
Cory Snider
1213881712 libnetwork: refactor networkdb test implementation
Leverage higher-order functions to DRY the polling checks in
TestNetworkDBNodeJoinLeaveIteration.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-07-25 09:44:35 -04:00
David Wang
f499c6b9ec
Test: wait for network changes in TestNetworkDBNodeJoinLeaveIteration
In the network node change test, the expected behavior is focused on how many nodes
are left in networkDB. Besides timing issues, things would also get tricky for a
leave-then-join sequence: if the check (counting the nodes) happened before the
first "leave" event, then the testcase actually misses its target and reports PASS
without verifying its final result; if the check happened after the 'leave' event,
but before the 'join' event, the test would report FAIL unnecessarily.

This code change would check both the db changes and the node count; it would
report PASS only when networkdb has indeed changed and the node count is as expected.

Signed-off-by: David Wang <00107082@163.com>
2022-07-21 22:56:58 +08:00
Sebastiaan van Stijn
5de77049db
Merge pull request #43793 from AkihiroSuda/fix-43781
libnetwork: skip firewalld management for rootless
2022-07-15 13:44:11 +02:00
Akihiro Suda
9464898b47
libnetwork: skip firewalld management for rootless
Fix issue 43781

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-07-15 00:59:11 +09:00
Sebastiaan van Stijn
4f08346686
fix formatting of "nolint" tags for go1.19
The correct formatting for machine-readable comments is:

    //<some alphanumeric identifier>:<options>[,<option>...][ // comment]

Which basically means:

- MUST NOT have a space before `<identifier>` (e.g. `nolint`)
- Identifier MUST be alphanumeric
- MUST be followed by a colon
- MUST be followed by at least one `<option>`
- Optionally additional `<options>` (comma-separated)
- Optionally followed by a comment

Any other format will not be considered a machine-readable comment by `gofmt`,
and thus formatted as a regular comment. Note that this also means that a
`//nolint` (without anything after it) is considered invalid, same for `//#nosec`
(starts with a `#`).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 22:31:53 +02:00
Tianon Gravi
c8d18e27bd
Merge pull request #43760 from thaJeztah/vlan_cleanups
libnetwork: some cleaning up in ipvlan and macvlan drivers
2022-07-13 11:53:02 -07:00
Sebastiaan van Stijn
52c1a2fae8
gofmt GoDoc comments with go1.19
Older versions of Go don't format comments, so committing this as
a separate commit, so that we can already make these changes before
we upgrade to Go 1.19.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-08 19:56:23 +02:00
Sebastiaan van Stijn
968ff5ab44
fix some minor linting issues
    libnetwork/firewall_linux.go:11:21: var-declaration: should drop = nil from declaration of var ctrl; it is the zero value (revive)
        ctrl *controller = nil
                           ^
    distribution/pull_v2_test.go:213:4: S1038: should use t.Fatalf(...) instead of t.Fatal(fmt.Sprintf(...)) (gosimple)
                t.Fatal(fmt.Sprintf("expected formatPlatform to show windows platform with a version, but got '%s'", result))
                ^
    integration-cli/docker_cli_build_test.go:5951:3: S1038: should use c.Skipf(...) instead of c.Skip(fmt.Sprintf(...)) (gosimple)
            c.Skip(fmt.Sprintf("Bug fixed in 18.06 or higher.Skipping it for %s", testEnv.DaemonInfo.ServerVersion))
            ^
    integration-cli/docker_cli_daemon_test.go:240:3: S1038: should use c.Skipf(...) instead of c.Skip(fmt.Sprintf(...)) (gosimple)
            c.Skip(fmt.Sprintf("New base device size (%v) must be greater than (%s)", units.HumanSize(float64(newBasesizeBytes)), units.HumanSize(float64(oldBasesizeBytes))))
            ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-04 10:15:28 +02:00
Sebastiaan van Stijn
b1a6d5388d
libnetwork: macvlan: reduce use of const for driver name
Inlining the string makes the code more grep'able; renaming the
const to "driverName" to reflect the remaining uses of it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 13:07:39 +02:00
Sebastiaan van Stijn
aca80d1cda
libnetwork: ipvlan: reduce use of const for driver name
Inlining the string makes the code more grep'able; renaming the
const to "driverName" to reflect the remaining uses of it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:49 +02:00
Sebastiaan van Stijn
dddb4d25d2
libnetwork: macvlan: cleanup parseNetworkGenericOptions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:47 +02:00
Sebastiaan van Stijn
1992190162
libnetwork: macvlan: make configuration.fromOptions a constructor
This was effectively a constructor, but through some indirection; make it a
regular function, which is a bit more idiomatic.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:46 +02:00
Sebastiaan van Stijn
99bde59229
libnetwork: ipvlan: cleanup parseNetworkGenericOptions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:44 +02:00
Sebastiaan van Stijn
1a1a885423
libnetwork: ipvlan: make configuration.fromOptions a constructor
This was effectively a constructor, but through some indirection; make it a
regular function, which is a bit more idiomatic.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:42 +02:00
Sebastiaan van Stijn
4e39cdd9bb
libnetwork: ipvlan: move validation into parseNetworkOptions()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:41 +02:00
Sebastiaan van Stijn
9f0cb20d9f
libnetwork: macvlan: move validation into parseNetworkOptions()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:39 +02:00
Sebastiaan van Stijn
b768d69c04
libnetwork: macvlan: processIPAM(): simplify
Remove redundant checks and intermediate variables.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:37 +02:00
Sebastiaan van Stijn
5d13b38479
libnetwork: macvlan: processIPAM(): remove unused arg and error return
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:36 +02:00
Sebastiaan van Stijn
798021af9f
libnetwork: macvlan: set network ID as part of parseNetworkOptions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:33 +02:00
Sebastiaan van Stijn
35cba9b1c9
libnetwork: ipvlan: processIPAM(): simplify
Remove redundant checks and intermediate variables.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:32 +02:00
Sebastiaan van Stijn
8d067bbdb4
libnetwork: ipvlan: processIPAM(): remove unused arg and error return
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:30 +02:00
Sebastiaan van Stijn
a893540b66
libnetwork: ipvlan: set network ID as part of parseNetworkOptions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:28 +02:00
Sebastiaan van Stijn
afeb4c7a6e
libnetwork: macvlan: use single ipSubnet type
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:27 +02:00
Sebastiaan van Stijn
d3e3d43482
libnetwork: ipvlan: use single ipSubnet type
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:25 +02:00
Sebastiaan van Stijn
9fba1514d2
libnetwork: macvlan: clean up some consts
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:23 +02:00
Sebastiaan van Stijn
aec4853498
libnetwork: ipvlan: clean up some consts
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-01 11:44:17 +02:00
Youfu Zhang
f70a9788c5 drivers/ipvlan: add ipvlan_flag option, support l3s ipvlan_mode
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
2022-06-28 19:28:49 +08:00
Sebastiaan van Stijn
db977355b0
fix typo (cluser -> cluster)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-27 15:12:14 +02:00
Martin Braun
5edfd6d081 bump netlink library
bump netlink to 1.2.1
change usages of netlink handle .Delete() to Close()
remove superfluous replace in vendor.mod
make requires of github.com/Azure/go-ansiterm direct

Signed-off-by: Martin Braun <braun@neuroforge.de>
2022-06-16 22:25:33 +02:00
Sebastiaan van Stijn
9959eceb9a
Merge pull request #42626 from mfeit-internet2/small-ipv4-networks
Support small ipv4 networks
2022-06-07 22:15:19 +02:00
Sebastiaan van Stijn
6e80c027c5
Merge pull request #43409 from vincentbernat/fix/udp-conntrack
bridge: also flush conntrack entries when setting up endpoints
2022-06-03 11:29:25 +02:00
Albin Kerouanton
af7236f85a
Check ipt options before looking for ip6t
The iptables package has a function `detectIptables()` called to initialize
some local variables. Since v20.10.0, it first looks for the iptables bin,
then ip6tables, and finally it checks what iptables flags are available
(including -C). It exits early when ip6tables isn't available, and
doesn't execute the last check.

To remove port mappings (eg. when a container stops/dies), Docker
first checks if those NAT rules exist and then deletes them. However, in
the particular case where there's no ip6tables bin available, the iptables
`-C` flag is considered unavailable and thus it looks for NAT rules by
using some substring matching. This substring matching then fails
because `iptables -t nat -S POSTROUTING` dumps rules in a slightly different
format than what's expected.

For instance, here's what `iptables -t nat -S POSTROUTING` dumps:

```
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 9999 -j MASQUERADE
```

And here's what Docker looks for:

```
POSTROUTING -p tcp -s 172.18.0.2 -d 172.18.0.2 --dport 9999 -j MASQUERADE
```

Because of that, those rules are considered non-existent by Docker and
thus never deleted. To fix that, this change reorders the code in
`detectIptables()`.

Fixes #42127.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2022-06-03 09:29:02 +02:00
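The format mismatch the commit above describes (the `-S` dump spells the rule with `-A`, `/32` host masks and an extra `-m tcp`, so a plain substring search never matches), shown with an added Go example that is not Docker's code: `parseRule` reduces both spellings to the same canonical struct and `ruleExists` compares parsed rules instead of substrings. The type and function names and the sample dump are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// rule is the subset of an iptables NAT rule that port-mapping cleanup cares
// about. Flag order and match-module noise ("-m tcp") are dropped so that two
// spellings of the same rule compare equal.
type rule struct {
	chain, proto, src, dst, dport, target string
}

// canonIP makes "172.18.0.2/32" and "172.18.0.2" render identically;
// non-host prefixes keep their mask.
func canonIP(s string) string {
	if ip, ipnet, err := net.ParseCIDR(s); err == nil {
		if ones, bits := ipnet.Mask.Size(); ones == bits {
			return ip.String()
		}
		return ipnet.String()
	}
	if ip := net.ParseIP(s); ip != nil {
		return ip.String()
	}
	return s
}

// parseRule accepts both the `iptables -S` spelling ("-A CHAIN ...") and the
// bare "CHAIN ..." spelling used when probing with `-C`. Flags this model does
// not understand are reported as errors so callers can skip those rules.
func parseRule(line string) (rule, error) {
	f := strings.Fields(line)
	if len(f) > 0 && f[0] == "-A" {
		f = f[1:]
	}
	if len(f) == 0 {
		return rule{}, fmt.Errorf("empty rule")
	}
	r := rule{chain: f[0]}
	f = f[1:]
	for i := 0; i < len(f); i++ {
		flag := f[i]
		if flag == "-m" { // match module: skip its argument, it adds no semantics here
			i++
			continue
		}
		if i+1 >= len(f) {
			return rule{}, fmt.Errorf("flag %q has no value", flag)
		}
		val := f[i+1]
		i++
		switch flag {
		case "-p":
			r.proto = val
		case "-s":
			r.src = canonIP(val)
		case "-d":
			r.dst = canonIP(val)
		case "--dport":
			r.dport = val
		case "-j":
			r.target = val
		default:
			return rule{}, fmt.Errorf("unsupported flag %q", flag)
		}
	}
	return r, nil
}

// ruleExists reports whether want is present in dump, the output of
// `iptables -t nat -S <chain>`, comparing parsed rules rather than substrings.
func ruleExists(dump, want string) (bool, error) {
	w, err := parseRule(want)
	if err != nil {
		return false, err
	}
	for _, line := range strings.Split(dump, "\n") {
		line = strings.TrimSpace(line)
		// "-P" (policy) and "-N" (chain creation) lines are not rules.
		if line == "" || strings.HasPrefix(line, "-P") || strings.HasPrefix(line, "-N") {
			continue
		}
		r, err := parseRule(line)
		if err != nil {
			continue // a rule outside this model cannot be the one we look for
		}
		if r == w {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample of `iptables -t nat -S POSTROUTING` output.
	dump := "-P POSTROUTING ACCEPT\n" +
		"-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 9999 -j MASQUERADE\n"
	want := "POSTROUTING -p tcp -s 172.18.0.2 -d 172.18.0.2 --dport 9999 -j MASQUERADE"
	fmt.Println("substring match:", strings.Contains(dump, want)) // false: the bug
	ok, err := ruleExists(dump, want)
	fmt.Println("parsed match:", ok, err) // true <nil>
}
```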
Sebastiaan van Stijn
b4b2a0323b
libnetwork/portallocator: un-export consts for defaults
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 22:59:32 +02:00
Albin Kerouanton
414dd017b3
Revert "Added API to set ephemeral port allocator range."
Since commit 2c4a868f64, Docker doesn't
use the value of net.ipv4.ip_local_port_range when choosing an ephemeral
port. This change reverts back to the previous behavior.

Fixes #43054.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2022-06-02 22:56:18 +02:00
Sebastiaan van Stijn
5a8304c9c5
Merge pull request #43670 from evol262/ipvs-module-idempotency
Ensure performance tuning is always applied
2022-05-31 22:00:40 +02:00
Ryan Barry
293cfd6c76 Ensure performance tuning is always applied
Previously, with the patch from #43146, it was possible for a
network configured with a single ingress or load balancer on a
distribution which does not have the `ip_vs` kernel module loaded
by default to try to apply sysctls which did not exist yet, and
subsequently dynamically load the module as part of ipvs/netlink.go.

This module is vendored, and not a great place to try to tie back
into core libnetwork functionality, so also ensure that the sysctls
(which are idempotent) are called after ingress/lb creation once
`ipvs` has been initialized.

Signed-off-by: Ryan Barry <rbarry@mirantis.com>
2022-05-31 11:47:30 -04:00
Ameya Gawde
cba8cf34d2
Set ExternalPortReserved for dummy proxy
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2022-05-25 07:12:43 -07:00
Sebastiaan van Stijn
1aea4c2bbd
Merge pull request #43146 from evol262/fix/ingress-namespace-performance
Apply performance tuning to new sandboxes also
2022-05-18 18:28:30 +02:00
Ryan Barry
0dd3a2eade Apply performance tuning to new sandboxes also
relates to #35082, moby/libnetwork#2491

Previously, values for expire_quiescent_template, conn_reuse_mode,
and expire_nodest_conn were set only system-wide. Also apply them
for new lb_* and ingress_sbox sandboxes, so they are appropriately
propagated.

Signed-off-by: Ryan Barry <rbarry@mirantis.com>
2022-05-17 15:44:49 -04:00
Eng Zer Jun
7873c27cfb
all: replace strings.Replace with strings.ReplaceAll
strings.ReplaceAll(s, old, new) is a wrapper function for
strings.Replace(s, old, new, -1). But strings.ReplaceAll is more
readable and removes the hardcoded -1.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-05-09 19:45:40 +08:00
Samuel Karp
ccb691a427
Merge pull request #43511 from thaJeztah/no_logrus_fatal 2022-04-21 11:33:43 -07:00
Sebastiaan van Stijn
df650a1aeb
panic() instead of logrus.Fatal() in init funcs
Some packages were using `logrus.Fatal()` in init functions (which logs the error,
and (by default) calls `os.Exit(1)` after logging).

Given that logrus formatting and outputs have not yet been configured during the
initialization stage, it does not provide many benefits over a plain `panic()`.

This patch replaces some instances of `logrus.Fatal()` with `panic()`, which has
the added benefits of not introducing logrus as a dependency in some of these
packages, and also produces a stacktrace, which could help locate the problem
in the unlikely event an `init()` fails.

Before this change, an error would look like:

    $ dockerd
    FATA[0000] something bad happened

After this change, the same error looks like:

    $ dockerd
    panic: something bad happened

    goroutine 1 [running]:
      github.com/docker/docker/daemon/logger/awslogs.init.0()
        /go/src/github.com/docker/docker/daemon/logger/awslogs/cloudwatchlogs.go:128 +0x89

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-21 12:15:20 +02:00
Samuel Karp
c5f18aac9f
Merge pull request #43505 from thaJeztah/libnetwork_no_string_fields
libnetwork: don't use strings.Fields() to improve performance
2022-04-21 00:57:55 -07:00
Sebastiaan van Stijn
301b252b58
libnetwork: don't use strings.Fields() to improve performance
While looking at this code, I noticed that we were wasting quite some resources
by first constructing a string, only to split it again (with `strings.Fields()`)
into a string slice.

Some conversions were also happening multiple times (int to string, IP-address to
string, etc.)

Setting up networking is known to be costing a considerable amount of time when
starting containers, and while this may only be a small part of that, it doesn't
hurt to save some resources (and readability of the code isn't significantly
impacted).

For example, benchmarking the `redirector()` code before/after:

    BenchmarkParseOld-4   	  137646	      8398 ns/op	    4192 B/op	      75 allocs/op
    BenchmarkParseNew-4   	  629395	      1762 ns/op	    2362 B/op	      24 allocs/op

Average over 10 runs:

    benchstat old.txt new.txt

    name     old time/op    new time/op    delta
    Parse-4    8.43µs ± 2%    1.79µs ± 3%  -78.76%  (p=0.000 n=9+8)

    name     old alloc/op   new alloc/op   delta
    Parse-4    4.19kB ± 0%    2.36kB ± 0%  -43.65%  (p=0.000 n=10+10)

    name     old allocs/op  new allocs/op  delta
    Parse-4      75.0 ± 0%      24.0 ± 0%  -68.00%  (p=0.000 n=10+10)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 14:43:07 +02:00
Trapier Marshall
a46700dbdb Cleanup servicebindings only on Windows
Make the call to cleanupServiceBindings during network deletion
conditional on Windows (where it is required), thereby providing a
performance improvement to network cleanup on Linux.

Signed-off-by: Trapier Marshall <tmarshall@mirantis.com>
2022-04-19 14:22:16 +00:00
Trapier Marshall
6861aade58 Delay network deletion until after lb cleanup
Removal of PolicyLists from Windows VFP must be performed prior to
removing the HNS network. Otherwise PolicyList removal fails with
HNS error "network not found".

Signed-off-by: Trapier Marshall <tmarshall@mirantis.com>
2022-04-19 14:22:08 +00:00
Trapier Marshall
556cb3ae81 Log HNS policylist removal failures
Signed-off-by: Trapier Marshall <tmarshall@mirantis.com>
2022-04-19 14:21:29 +00:00
Vincent Bernat
e5812117a5 bridge: also flush conntrack entries when setting up endpoints
There is a race condition between the local proxy and iptables rule
setting. When we have a lot of UDP traffic, the kernel will create
conntrack entries to the local proxy and will ignore the iptables
rules set after that.

Related to PR #32505. Fix #8795.

Signed-off-by: Vincent Bernat <vincent@bernat.ch>
2022-03-23 08:34:26 +01:00
Martin Dojcak
feab0cca9f libnetwork/overlay:fix join sandbox deadlock
Operations performed on overlay network sandboxes are handled by
dispatching operations send through a channel. This allows for
asynchronous operations to be performed which, since they are
not called from within another function, are able to operate in
an idempotent manner with a known/measurable starting state from
which an identical series of iterative actions can be performed.

However, it was possible in some cases for an operation dispatched
from this channel to write a message back to the channel in the
case of joining a network when a sufficient volume of sandboxes
were operated on.

A goroutine which is simultaneously reading and writing to an
unbuffered channel can deadlock if it sends a message to a channel
then waits for it to be consumed and completed, since the only
available goroutine is more or less "talking to itself". In order
to break this deadlock, in the observed race, a goroutine is now
created to send the message to the channel.

Signed-off-by: Martin Dojcak <martin.dojcak@lablabs.io>
Signed-off-by: Ryan Barry <rbarry@mirantis.com>
2022-03-22 11:15:14 -04:00
Sebastiaan van Stijn
1b3fef5333
Windows: require Windows Server RS5 / ltsc2019 (build 17763) as minimum
Windows Server 2016 (RS1) reached end of support, and Docker Desktop requires
Windows 10 V19H2 (version 1909, build 18363) as a minimum.

This patch makes Windows Server RS5 /  ltsc2019 (build 17763) the minimum version
to run the daemon, and removes some hacks for older versions of Windows.

There is one check remaining that checks for Windows RS3 for a workaround
on older versions, but recent changes in Windows seemed to have regressed
on the same issue, so I kept that code for now to check if we may need that
workaround (again);

085c6a98d5/daemon/graphdriver/windows/windows.go (L319-L341)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 22:58:28 +01:00
Sebastiaan van Stijn
b9c8eca468
libnetwork/networkdb: remove some redundant fmt.Sprintf()'s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-15 12:56:23 +01:00
Sebastiaan van Stijn
85ed9b8746
libnetwork: fix unhandled errors in tests (ineffassign)
libnetwork/libnetwork_test.go:1014:8: ineffectual assignment to err (ineffassign)
        sbx1, err := controller.NewSandbox(containerID,
              ^
    libnetwork/libnetwork_test.go:1024:8: ineffectual assignment to err (ineffassign)
        sbx2, err := controller.NewSandbox("c2")
              ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-08 09:43:27 +01:00
Sebastiaan van Stijn
7b692a421b
libnetwork: remove more config bits related to external k/v stores
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-06 18:45:45 +01:00
Sebastiaan van Stijn
745ba3ecbc
libnetwork: remove etcd-related code and tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-06 18:45:43 +01:00
Sebastiaan van Stijn
147173b099
libnetwork: remove consul-related code and tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-06 18:45:41 +01:00
Sebastiaan van Stijn
25594c33b9
libnetwork: replace consul with boltdb in test
Based on randomLocalStore() in libnetwork/ipam/allocator_test.go

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-06 18:45:07 +01:00
Sebastiaan van Stijn
a7d0f3060a
libnetwork: remove zookeeper-related code and tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-06 18:28:30 +01:00
Anca Iordache
00f9b23c3a
libnetwork: remove external DS-based host discovery
Signed-off-by: Anca Iordache <anca.iordache@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-06 18:28:26 +01:00
Tianon Gravi
8955d8da89
Merge pull request #42981 from frobnicaty/patch-1
Fix grammar for "does not exist"
2021-12-09 13:36:53 -08:00
frobnicaty
d78b883576 Fix grammar for "does not exist"
as opposed to "does not exists"

Signed-off-by: frobnicaty <92033765+frobnicaty@users.noreply.github.com>
2021-12-03 15:50:13 +00:00
Albin Kerouanton
c721bad8cc
Fix flaky TestPortMappingV6Config
Since moby/libnetwork#2635 has been merged, allocatePortsInternal()
checks if IPv6 is enabled by calling IsV6Listenable(). This function
calls `net.Listen("tcp6", "[::1]:0")` and returns false when
net.Listen() fails.

TestPortMappingV6Config() starts by setting up a new net ns to run into
it. The loopback interface is not brought up in this net ns, thus
net.Listen() fails and IsV6Listenable() returns false. This change takes
care of bringing loopback iface up right after moving to the new net ns.

This test has been reported as flaky on s390x in #42468. For some
reason, this test seems to be consistently green on the CI (on amd64
arch) and when running `hack/test/unit` locally. However it consistently
fails when running `TESTFLAGS='-shuffle on' hack/test/unit` locally.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2021-11-16 09:37:34 +01:00
Mark Feit
3a938df4b5
Make the network allocator handle IPv4 blocks too small for network/broadcast addresses.
This was originally in docker/libnetwork#2624, which has been closed since the
code was moved here.

When creating a new network, IPAM's address allocator attempts to reserve the
network and broadcast addresses on IPv4 networks of all sizes. For RFC 3021
point-to-point networks (IPv4 /31s), this consumes both available addresses and
renders any attempt to allocate an address from the block unsuccessful.

This change prevents those reservations from taking place on IPv4 networks having
two or fewer addresses (i.e., /31s and /32s) while retaining the existing behavior
for larger IPv4 blocks and all IPv6 blocks.

In case you're wondering why anyone would allocate /31s:  I work for a network
service provider.  We use a lot of point-to-point networks.  This cuts our
address space utilization for those by 50%, which makes ARIN happy.

This patch modifies the network allocator to recognize when a network is too
small for network and broadcast addresses and skip those reservations.

There are additional unit tests to make sure the functions involved behave as expected.

Try these out:

 * `docker network create --driver bridge --subnet 10.200.1.0/31 --ip-range 10.200.1.0/31 test-31`
 * `docker network create --driver bridge --subnet 10.200.1.0/32 --ip-range 10.200.1.0/32 test-32`

My installation has been running this patch in production with /31s since March.

Signed-off-by: Mark Feit <mfeit@internet2.edu>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-27 13:03:19 +02:00
Sebastiaan van Stijn
eadf839530
fix TestInvalidRemoteDriver() to check underlying error
commit b1a3fe4934 changed how the error was
returned (which is now wrapped), causing the test to fail:

    === RUN   TestInvalidRemoteDriver
        libnetwork_test.go:1289: Did not fail with expected error. Actual error: Plugin does not implement the requested driver: plugin="invalid-network-driver", requested implementation="NetworkDriver"
    --- FAIL: TestInvalidRemoteDriver (0.01s)

Changing the test to use errors.Is()

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-25 14:57:18 +02:00
Sebastiaan van Stijn
79d6e935ad
libnetwork: some minor refactoring / cleanup
- don't pass the query's question.name separately, as we're already
  passing the query itself.
- remove a "fallthrough" in favor of combining the cases in the switch

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 15:26:15 +02:00
Sebastiaan van Stijn
d86a331fa4
libnetwork: improve consistency in log messages
- Make sure all log messages have the `[resolver]` prefix
- Use `logrus.WithError()` consistently
- Improve information included in some logs

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 12:51:02 +02:00
Sebastiaan van Stijn
9a09448540
libnetwork: ServeDNS(): don't panic on unsupported query types
This was added in b3c883bb2f, but resulted
in a panic if the embedded DNS had to handle an unsupported query-type,
such as ANY.

This patch adds a debug log for this case (to better describe how it's
handled).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-14 20:17:39 +02:00
Sebastiaan van Stijn
abd7966165
Merge pull request #42794 from thaJeztah/remove_libnetwork_api
libnetwork: remove API, as it's no longer used
2021-08-28 04:41:21 +02:00
Sebastiaan van Stijn
7bdf98276c
Merge pull request #42787 from thaJeztah/libnetwork_fix_lint
libnetwork: fix some linting issues
2021-08-28 01:18:13 +02:00
Sebastiaan van Stijn
175dc09491
Merge pull request #42795 from thaJeztah/libnetwork_cleanup
libnetwork/types: remove unused functions
2021-08-27 19:43:34 +02:00
Sebastiaan van Stijn
c23eae3114
libnetwork/ipamapi: godoc fixes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-27 16:52:46 +02:00
Sebastiaan van Stijn
92ea7df3d1
libnetwork: fix some linting issues
- fix incorrectly formatted GoDoc and comments
- rename a variable that collided with the `cap` built-in

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-27 16:52:44 +02:00
Sebastiaan van Stijn
c425188bc0
libnetwork: remove API, as it's no longer used
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-27 16:50:33 +02:00
Sebastiaan van Stijn
073f8df0fe
libnetwork/types: remove TransportPort.FromString() as it's unused
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-27 14:16:32 +02:00
Sebastiaan van Stijn
7c0d8fa5da
libnetwork/types: remove PortBinding.FromString() as it's unused
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-27 14:16:30 +02:00
Sebastiaan van Stijn
513310f776
libnetwork/types: remove GetMinimalIPNet() as it's unused
This was added in 4e48ff3aab
but never used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-27 14:16:28 +02:00
Eng Zer Jun
c55a4ac779
refactor: move from io/ioutil to io and os package
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-27 14:56:57 +08:00
Sebastiaan van Stijn
2b70006e3b
Merge pull request #42777 from thaJeztah/update_go_1.17
Update to Go 1.17.0
2021-08-26 21:24:23 +02:00
Sebastiaan van Stijn
2bb21b85c2
Merge pull request #42598 from deepy/linux-routeoverlaps-link-only
Only check if route overlaps routes with scope: LINK
2021-08-26 09:58:35 +02:00
Alex Nordlund
ee9e526764 Only check if route overlaps routes with scope: LINK
Signed-off-by: Alex Nordlund <alexander.nordlund@nasdaq.com>
2021-08-25 10:58:06 +02:00
Sebastiaan van Stijn
686be57d0a
Update to Go 1.17.0, and gofmt with Go 1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-24 23:33:27 +02:00
Sebastiaan van Stijn
d215d3477b
libnetwork/resolvconf: remove README.md
This information was already documented in the package's GoDoc, so
no need to repeat it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 00:35:43 +02:00
Sebastiaan van Stijn
572498be56
move pkg/ioutils.HashData() to libnetwork/resolvconf
It's the only location it's used, so we might as well move it there.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 00:35:39 +02:00
Sebastiaan van Stijn
c21be64e1a
libnetwork: remove resolvconf/dns package
The IsLocalhost utility was not used, which only leaves the IsIPv4Localhost
utility.

Go's "net" package provides an `IsLoopBack()` check, but it checks for both
IPv4 and IPv6 loopback interfaces. We likely should also do IPv6 here, but
that's better left for a separate change, so instead, I replicated the IPv4
bits from Go's net.IP.IsLoopback().

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 00:35:34 +02:00
Sebastiaan van Stijn
c9ba301a49
libnetwork: move resolvconf consts into the resolvconf package
This allows using the package without having to import the "types" package,
and without having to consume github.com/ishidawataru/sctp.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 00:23:43 +02:00
Sebastiaan van Stijn
b6919cb553
Merge pull request #42756 from thaJeztah/remove_unused_testutils_imports
libnetwork: remove unused "testutils" imports
2021-08-19 22:00:56 +02:00
Akihiro Suda
f95be5e2f3
Merge pull request #42510 from thaJeztah/proxy_cleanup
libnetwork/portmapper: some minor cleaning up
2021-08-19 19:02:09 +09:00
Sebastiaan van Stijn
427ad30c05
libnetwork: remove unused "testutils" imports
Perhaps the testutils package in the past had an `init()` function to set up
specific things, but it no longer has, so these imports were doing nothing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-18 14:20:37 +02:00
Roman Volosatovs
b821590461
libnetwork/networkdb: consistently wait for nodes in tests
Use `verifyNetworkExistence` like it was done in 2837fba75f

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
2021-08-01 17:47:51 +02:00
Roman Volosatovs
8fbba73f42
libnetwork: wait until t.Deadline() instead of hardcoded value
Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
2021-08-01 17:47:50 +02:00
Brian Goff
3ad9549e70
Merge pull request #42545 from steffengy/master
libnetwork: processEndpointDelete: Fix deadlock between getSvcRecords and processEndpointDelete
2021-07-29 09:29:34 -07:00
Brian Goff
9a6ff685a8
Merge pull request #42641 from thaJeztah/make_signal_selfcontained 2021-07-19 14:46:15 -07:00
Sebastiaan van Stijn
ea5c94cdb9
pkg/signal: move signal.DumpStacks() to a separate package
It is not directly related to signal-handling, so can well live
in its own package.

Also added a variant that doesn't take a directory to write files
to, for easier consumption / better match to how it's used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 18:09:43 +02:00
Roman Volosatovs
2837fba75f
libnetwork: ensure all nodes are available in tests
`github.com/hashicorp/memberlist` update caused `TestNetworkDBCRUDTableEntries`
to occasionally fail, because the test would try to check whether an entry
write is propagated to all nodes, but it would not wait for all nodes to
be available before performing the write.
It could be that the failure is caused simply by improved performance of
the dependency - it could also be that some connectivity guarantee the
test depended on is not provided by the dependency anymore.
The same fix is applied to `TestNetworkDBNodeJoinLeaveIteration` due to
same issue.

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
2021-07-12 19:25:50 +02:00
Roman Volosatovs
d7a2635537
libnetwork: make rejoin intervals configurable
This allows the rejoin intervals to be chosen according to the context
within which the component is used, and, in particular, this allows
lower intervals to be used within TestNetworkDBIslands test.

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
2021-07-12 19:25:49 +02:00
Steffen Butzer
0c1a125644 libnetwork: processEndpointCreate: Fix deadlock between getSvcRecords and processEndpointCreate
References https://github.com/moby/moby/pull/42545

Signed-off-by: Steffen Butzer <steffen.butzer@outlook.com>
2021-06-29 08:07:14 +02:00
Brian Goff
116f200737
Fix gosec complaints in libnetwork
These were purposefully ignored before but this goes ahead and "fixes"
most of them.
Note that none of the things gosec flagged are problematic, just
quieting the linter here.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-25 18:02:03 +02:00
Brian Goff
0645eb8461
Remove libnetwork/client package
This is another one of those tools to mimic the docker network cli.
It is not needed anymore, along with an old fork of the docker flag
packages which was a fork of the go flag package.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-25 18:02:00 +02:00
Brian Goff
e7cf711c02
Move proxy CLI to main cmd/
Since this command is part of the official distribution and even
required for tests, let's move this up to the main cmd's.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-25 18:01:55 +02:00
Brian Goff
7266a956a8
Remove dnet libnetwork cli
This was used for testing purposes when libnetwork was in a separate
repo.
Now that it is integrated we no longer need it since dockerd and docker
cli provide the same function.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-25 17:59:04 +02:00
Brian Goff
42bcc2df68
Remove leftovers from libnetwork move
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-25 17:59:01 +02:00
Steffen Butzer
7c97896747 libnetwork: processEndpointDelete: Fix deadlock between getSvcRecords and processEndpointDelete
We had some hosts with quite a bit of cycling containers that occasionally cause docker daemons to lock up.
Most prominently `docker run` commands do not respond and nothing happens anymore.

Looking at the stack trace the following is at least likely sometimes a cause of that:
Two goroutines g0 and g1 can race against each other:
* (g0) 1. getSvcRecords is called and calls (*network).Lock()
       --> Network is locked.
* (g1) 2. processEndpointDelete is called, and calls (*controller).Lock()
       --> Controller is locked
* (g1) 3. processEndpointDelete tries (*network).ID() which calls (*network).Lock().
* (g0) 4. getSvcRecords calls (*controller).Lock().

3./4. are deadlocked against each other since the other goroutine holds the lock they need.

References b5dc370370/network.go

Signed-off-by: Steffen Butzer <steffen.butzer@outlook.com>
2021-06-22 16:05:20 +02:00
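The lock-order inversion described in the commit message above, reproduced as an added Go example (not libnetwork's code): `controller`, `network`, `raceWindow` and `completes` are simplified stand-ins, and the fixed variant takes the controller lock before the network lock so both goroutines acquire locks in the same order.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// controller and network are simplified stand-ins for the two lock-protected
// structures named in the commit message (not libnetwork's real types).
type controller struct {
	sync.Mutex
	svcRecords map[string][]string // network name -> service records
}

type network struct {
	sync.Mutex
	name string
	ctrl *controller
}

// raceWindow is a sleep between the first and second lock acquisition. It only
// widens the race window so that the interleaving 1-2-3-4 from the commit
// message occurs reliably; the bug itself does not depend on it.
const raceWindow = 20 * time.Millisecond

// ID mirrors (*network).ID(): it takes the network lock to read the field.
func (n *network) ID() string {
	n.Lock()
	defer n.Unlock()
	return n.name
}

// processEndpointDelete mirrors steps 2 and 3: controller lock first, then the
// network lock via ID().
func processEndpointDelete(c *controller, n *network) {
	c.Lock()
	defer c.Unlock()
	time.Sleep(raceWindow)
	delete(c.svcRecords, n.ID())
}

// getSvcRecordsBuggy mirrors steps 1 and 4: network lock first, then controller
// lock, the reverse of processEndpointDelete's order.
func getSvcRecordsBuggy(n *network) []string {
	n.Lock()
	defer n.Unlock()
	time.Sleep(raceWindow)
	n.ctrl.Lock()
	defer n.ctrl.Unlock()
	return n.ctrl.svcRecords[n.name]
}

// getSvcRecordsFixed acquires the locks in the same order as
// processEndpointDelete (controller, then network): a single consistent lock
// ordering removes the cycle that makes the deadlock possible.
func getSvcRecordsFixed(n *network) []string {
	n.ctrl.Lock()
	defer n.ctrl.Unlock()
	time.Sleep(raceWindow)
	n.Lock()
	defer n.Unlock()
	return n.ctrl.svcRecords[n.name]
}

// completes runs getSvc concurrently with processEndpointDelete on a fresh
// controller/network pair (constructed sample data) and reports whether both
// finish before timeout. A false result means the pair deadlocked; the stuck
// goroutines are abandoned, which is why each call builds its own objects.
func completes(getSvc func(*network) []string, timeout time.Duration) bool {
	c := &controller{svcRecords: map[string][]string{"net1": {"10.0.0.2"}}}
	n := &network{name: "net1", ctrl: c}
	done := make(chan struct{}, 2)
	go func() { getSvc(n); done <- struct{}{} }()
	go func() { processEndpointDelete(c, n); done <- struct{}{} }()
	deadline := time.After(timeout)
	for i := 0; i < 2; i++ {
		select {
		case <-done:
		case <-deadline:
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("buggy order completes:", completes(getSvcRecordsBuggy, 500*time.Millisecond))
	fmt.Println("fixed order completes:", completes(getSvcRecordsFixed, 500*time.Millisecond))
}
```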
Lei Jitang
cda846e9a8
Merge pull request #42541 from yalpul/patch-1
Fix typo in macvlan_setup.go
2021-06-21 13:39:01 +02:00
yalpul
967ec6f2e8 Fix typo in macvlan_setup.go
Signed-off-by: yalpul <yalpul@gmail.com>
2021-06-19 11:36:16 +03:00
Sebastiaan van Stijn
ff141d366f
netutils: minor cleanups
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 10:49:48 +02:00
Sebastiaan van Stijn
888e75dfc9
netutils: remove unused ErrNoDefaultRoute
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 10:49:45 +02:00
Sebastiaan van Stijn
c21eaf9a07
portmapper: move mockProxyCommand to a _test file
No need to vendor this file in other projects, and it's only
used during tests.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 10:27:34 +02:00
Sebastiaan van Stijn
ac8c80d6f1
portmapper: change userlandProxyCommandName to a const
it's not overridden anywhere, so may as well be a const

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 10:27:33 +02:00
Sebastiaan van Stijn
f6be7f2945
portmapper: minor linting fix, and comment purpose of newProxy variable
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 10:27:31 +02:00
Sebastiaan van Stijn
4231dbca23
portmapper: don't compile linux-only code on Windows
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-17 10:27:29 +02:00
Akihiro Suda
5e62ca1a05
Merge pull request #42504 from thaJeztah/portallocator_cleanup 2021-06-13 06:10:10 +09:00
Akihiro Suda
342dfb3521
Merge pull request #42505 from thaJeztah/endpoint_deadcode 2021-06-13 03:07:03 +09:00
Sebastiaan van Stijn
76640e5d39
drivers/bridge: format comments
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 18:06:07 +02:00
Sebastiaan van Stijn
da0a006b14
drivers/bridge: don't use types.ParseCIDR() for fixed value
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 18:06:04 +02:00
Sebastiaan van Stijn
31d3468146
windows: remove redundant init()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 18:00:00 +02:00
Justin Cormack
9459423e31
Merge pull request #42503 from thaJeztah/bridge_redundant_list
libnetwork/bridge: remove unused "others" argument from isolateNetwork()
2021-06-10 10:51:19 +01:00
Sebastiaan van Stijn
c7b1e5ba38
portallocator: log instead of discard port-range failures
Both getDynamicPortRange() and sanitizePortRange() could produce
an error, and the error message was currently discarded, silently
falling back to using the default port range.

This patch:

- Moves the fallback message from getDynamicPortRange() to getDefaultPortRange(),
  which is where the actual fallback occurs.
- Logs the fallback message and the error that causes the fallback.

The message/error is currently printed at the INFO level, but could be raised
to a WARN, depending on what kind of situations can cause the error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 10:52:59 +02:00
Sebastiaan van Stijn
1f398f06aa
portallocator: minor refactor for readability
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 10:52:57 +02:00
Sebastiaan van Stijn
1f90fdd973
portallocator: use const for default port-ranges, instead of init()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 10:52:49 +02:00
Sebastiaan van Stijn
350e303c7f endpoint: remove redundant doUpdateHostsFile() function
The second (sandbox) argument was unused, and it was only
used in a single location, so we may as well inline the
check.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 22:38:34 +02:00
Sebastiaan van Stijn
508a0979d9
bridge: remove unused "others" argument from isolateNetwork()
This argument was used to detect conflicts, but was later removed in
1c73b1c99c14d7f048a2318a3caf589865c76fad.

However, it was never removed, and we were still getting a list
of all networks, without using the results.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 22:23:38 +02:00
Sebastiaan van Stijn
117bca149f
libnetwork/resolver: fix minor linting issues
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 19:37:10 +02:00
Sebastiaan van Stijn
774b970cb1
libnetwork: remove MAINTAINERS and LICENSE
There's already a copy of the Apache license at the root of the
repository.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 12:37:45 +02:00
Sebastiaan van Stijn
e90d6abfcd
libnetwork: update Dockerfile to Go 1.13.15
Also adds other build-args to match the main Dockerfile

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 12:34:01 +02:00
Sebastiaan van Stijn
a384f83e7a
libnetwork: remove CircleCI config and code
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 12:31:52 +02:00
Sebastiaan van Stijn
9f6add406e
networkdb: mark test-helpers as t.Helper()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-09 01:44:46 +02:00
Sebastiaan van Stijn
a7ecbd4b29
libnetwork: replace BurntSushi/toml with pelletier/go-toml
The BurntSushi project is no longer maintained, and the container ecosystem
is moving to use the pelletier/go-toml project instead.

This patch moves libnetwork to use the pelletier/go-toml library, to reduce
our dependency tree and use the same library in all places.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-05 00:53:49 +02:00
Brian Goff
0dd8bc6d31 Fix flakey test TestNetworkDBIslands
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-02 16:53:29 +00:00
Brian Goff
b3c883bb2f Skip libnetwork integration tests on Windows
Most of these tests are making use of the bridge network and do not work
on Windows.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-02 16:53:29 +00:00
Brian Goff
7186fd8a95 More libnetwork windows test fixes
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-02 16:53:24 +00:00
Brian Goff
4b981436fe Fixup libnetwork lint errors
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-01 23:48:32 +00:00
Brian Goff
b53b85ca40 Remove libnetwork leftover vendor stuff
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-01 23:48:32 +00:00
Brian Goff
00b2c13a1b Fix some windows issues in libnetwork tests
Fix build constraints for linux-only network drivers

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-01 23:48:23 +00:00
Brian Goff
20fd1dd7d2 Skip some windows network driver tests
These are failing in CI because something is not enabled.
It's not clear that these tests ever worked because they were not
actually running while in the libnetwork repo, which was only testing
Linux.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-01 22:15:10 +00:00
Brian Goff
72c4a7b496 Fix issues running libnetwork tests.
libnetwork does different stuff depending on if you are running the
tests in a container or not... without telling it we are in a container
a bunch of the tests actually fail.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-01 22:14:41 +00:00
Brian Goff
a0a473125b Fix libnetwork imports
After moving libnetwork to this repo, we need to update all the import
paths for libnetwork to point to docker/docker/libnetwork instead of
docker/libnetwork.
This change implements that.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-06-01 21:51:23 +00:00
Sebastiaan van Stijn
c1437c2f42 Merge pull request #2635 from AkihiroSuda/ipv6disable
fix port forwarding with ipv6.disable=1
2021-05-25 11:06:46 +02:00
Sebastiaan van Stijn
719504b810 vendor: github.com/ishidawataru/sctp f2269e66cdee387bd321445d5d300893449805be
full diff: 6e2cb13661...f2269e66cd

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-19 14:11:08 +02:00
Akihiro Suda
325668315c fix port forwarding with ipv6.disable=1
Make `docker run -p 80:80` functional again on environments with kernel boot parameter `ipv6.disable=1`.

Fix moby/moby issue 42288

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-27 15:46:07 +09:00
Francesco Degrassi
f41a6d5c95 enforce order of lock acquisitions on network/controller, fixes #2632
Signed-off-by: Francesco Degrassi <francesco.degrassi@optionfactory.net>
2021-04-21 15:51:31 +02:00
Arko Dasgupta
5d3b0102f7 Use hostIP to decide on Portmapper version
Use HostIP to decide which portmapper object to store the binding
in consistently in the allocate and release method (b506539e9c/drivers/bridge/port_mapping.go (L208))

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2021-01-23 12:00:46 -08:00
Arko Dasgupta
b506539e9c Merge pull request #2608 from arkodg/allow-ipv6-ipv4-userland-proxy
Fix regression in docker-proxy
2021-01-19 09:48:41 -08:00
Arko Dasgupta
4f9af99194 Fix regression in docker-proxy
Allow proxying IPv6 traffic to the container's IPv4 interface
if `--ipv6` is disabled and the container does not have an
IPv6 address, when the docker-proxy / `userland-proxy` is enabled
on `dockerd`.

Relates to https://github.com/moby/libnetwork/issues/2607

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2021-01-14 17:51:09 -08:00
Benjamin Böhmke
a6d7b43dfc fixed IPv6 iptables rules for enabled firewalld
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2021-01-07 17:46:32 +01:00
Arko Dasgupta
33a82a26a8 Fix IPv6 Port Forwarding for the Bridge Driver
1. Allocate either an IPv4 and/or IPv6 Port Binding (HostIP, HostPort, ContainerIP,
ContainerPort) based on the input and system parameters
2. Update the userland proxy as well as dummy proxy (inside port mapper) to
specifically listen on either the IPv4 or IPv6 network

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-12-14 18:46:22 -08:00
Arko Dasgupta
09be71b900 Merge pull request #2603 from bboehmke/ipv6_portmapper_chain
Fixed IPv6 portmapper iptables chain initialization
2020-12-11 10:39:35 -08:00
Arko Dasgupta
cf05dae77a Merge pull request #2600 from arkodg/fix-ipv6tables-panic
Make sure IPv6 is enabled for IP6tables
2020-12-11 10:20:38 -08:00
Benjamin Böhmke
06308f4d37 setup IPv4 and IPv6 iptables chain
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-12-11 11:12:41 +01:00
Benjamin Böhmke
d14b7a5191 fixed ip6tables command in error message
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-12-11 11:10:55 +01:00
Arko Dasgupta
b7c663c2ec Make sure IPv6 is enabled for IP6tables
Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-12-11 00:39:42 -08:00
Benjamin Böhmke
4886e5e5b1 Added improved IP validation for port mapper
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-11-20 23:03:35 +01:00
Sebastiaan van Stijn
5602e9b969 Merge pull request #2550 from fanjiyun/control-network-interface-order-for-containers
reduce parameters for func JoinOptionPriority
2020-10-31 19:02:54 +01:00
Sebastiaan van Stijn
fb9ecec127 Merge pull request #2585 from scottp-dpaw/lbendpoint_fix
service_linux: Fix null dereference in findLBEndpointSandbox
2020-10-31 18:31:17 +01:00
Arko Dasgupta
dc6cbb55b4 Merge pull request #2572 from bboehmke/ipv6_nat
Enable IPv6 NAT (rebase of #2023)
2020-10-29 14:13:58 -07:00
Scott Percival
959dfca7e6 service_linux: Fix null dereference in findLBEndpointSandbox
Signed-off-by: Scott Percival <scottp@lastyard.com>
2020-09-22 15:06:41 +08:00
Tibor Vass
20c88eb92f Merge pull request #2583 from thaJeztah/update_docker_alt
vendor: update docker to 7ca355652f and reduce dependency graph
2020-09-17 13:29:33 -07:00
Tibor Vass
32e231a258 Merge pull request #2560 from thaJeztah/remove_dead_code
types: remove some dead code
2020-09-17 13:22:34 -07:00
Tibor Vass
2d8f0b4f87 Merge pull request #2562 from thaJeztah/replace_pkg_homedir
client/mflag: remove use of docker/docker/pkg/homedir
2020-09-17 13:21:49 -07:00
Tibor Vass
1d903b1089 Merge pull request #2580 from thaJeztah/update_circleci
CircleCI: update to Docker 19.03.12, and enable BuildKit
2020-09-17 13:13:15 -07:00
Sebastiaan van Stijn
e9646aafa4 vendor: docker/docker 7ca355652f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:57 +02:00
Sebastiaan van Stijn
b3b8f561f7 vendor: github.com/gogo/protobuf v1.3.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:55 +02:00
Sebastiaan van Stijn
77c68a7f6e vendor: golang.org/x/crypto 75b288015ac94e66e3d6715fb68a9b41bf046ec2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:53 +02:00
Sebastiaan van Stijn
d321fc2f61 vendor: golang.org/x/sync cd5d95a43a6e21273425c7ae415d3df9ea832eeb
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:51 +02:00
Sebastiaan van Stijn
b14bf0e66e vendor: golang.org/x/sys ed371f2e16b4b305ee99df548828de367527b76b
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:48 +02:00
Sebastiaan van Stijn
3c90d159f8 vendor: golang.org/x/net ab34263943818b32f575efc978a3d24e80b04bd7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:45 +02:00
Sebastiaan van Stijn
b95a3f1f23 vendor: github.com/coreos/etcd v3.3.12
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:43 +02:00
Sebastiaan van Stijn
5ce882207d vendor: runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:41 +02:00
Sebastiaan van Stijn
64e852ee65 vendor github.com/Microsoft/hcsshim 9dcb42f100215f8d375b4a9265e5bba009217a85
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:39 +02:00
Sebastiaan van Stijn
0aad792f1d vendor: containerd/cgroups 318312a373405e5e91134d8063d04d59768a1bff
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:37 +02:00
Sebastiaan van Stijn
2fdc3e86b1 vendor: logrus v1.6.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:35 +02:00
Sebastiaan van Stijn
05701c485e vendor: go.etcd.io/bbolt v1.3.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:33 +02:00
Sebastiaan van Stijn
e11c7fe3ab vendor: vishvananda/netns db3c7e526aae966c4ccfa6c8189b693d6ac5d202
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:31 +02:00
Sebastiaan van Stijn
6cbe360e47 vendor: github.com/gorilla/mux v1.8.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:29 +02:00
Sebastiaan van Stijn
e18c7629c3 vendor: docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:25 +02:00
Sebastiaan van Stijn
3e1e9e878c vendor: gotest.tools v3.0.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 03:22:18 +02:00
Sebastiaan van Stijn
5186d9e1b1 vendor: github.com/pkg/errors v0.9.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 02:49:03 +02:00
Sebastiaan van Stijn
dc6e4d8881 replace github.com/docker/docker/locker with github.com/moby/locker
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 02:38:50 +02:00
Sebastiaan van Stijn
6796c2cc9b client/mflag: remove use of docker/docker/pkg/homedir
The homedir package was only used to print default values for
flags that contained paths inside the user's home-directory in
a slightly nicer way (replace `/users/home` with `~`).

Given that this is not critical, we can replace this with golang's
function, which does not depend on libcontainer.

There's still one use of the homedir package in docker/docker/opts,
which is used by the dnet binary (but only requires the homedir
package when running in rootless mode)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 02:38:48 +02:00
Sebastiaan van Stijn
681196c8f2 Remove dependency on github.com/docker/docker/opts
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 02:38:39 +02:00
Sebastiaan van Stijn
bf28003c99 Replace use of deprecated functions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-12 01:49:42 +02:00
Sebastiaan van Stijn
0e8b02bac4 Makefile: enable BuildKit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-11 16:39:51 +02:00
Sebastiaan van Stijn
53688d374e CircleCI: update to Docker 19.03.12
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-11 16:39:34 +02:00
Sebastiaan van Stijn
6dde6cb0b0 drivers/macvlan: skip kernel version check
All distros that are supported by Docker now have at least
kernel version 3.10, so this check should no longer be needed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-31 20:45:02 +02:00
Sebastiaan van Stijn
02d313ca15 drivers/bridge: skip kernel version check
All distros that are supported by Docker now have at least
kernel version 3.10, so this check should no longer be needed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-31 20:44:51 +02:00
Sebastiaan van Stijn
304bb14ffc vendor.conf: reformat to match spacing in docker/docker
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-31 20:00:11 +02:00
Benjamin Böhmke
34f4706174 added TODOs for open IPv6 point
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-23 16:52:40 +02:00
Benjamin Böhmke
648d891827 reworked allocatePorts
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-22 15:43:02 +02:00
Benjamin Böhmke
9f98bd79d8 reworked comment of IPTable struct
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-22 15:08:22 +02:00
Benjamin Böhmke
1e1408f421 additional EnableIPTables check in isolateNetwork
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-22 15:06:19 +02:00
Benjamin Böhmke
a4fcced708 enabled ipv6 parameter in TestSetupIPForwarding
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-22 15:05:51 +02:00
Benjamin Böhmke
4d1c92c155 resorted EnableIP6Tables in driver configure
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-21 18:50:03 +02:00
Benjamin Böhmke
9bc2f88f04 isolateNetwork for both IP versions
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-21 18:14:19 +02:00
Benjamin Böhmke
ccad03a139 split setupIPTables into setupIP4Tables and setupIP6Tables
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-21 18:14:07 +02:00
Benjamin Böhmke
9cf5335269 default DROP policy on firewall reload also for IPv6
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-21 15:24:20 +02:00
Benjamin Böhmke
ec7df93731 replace string.Contains* with net.IP.To4() check
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-21 15:23:33 +02:00
Benjamin Böhmke
3475f006b7 moved some ipv6 config to setupIPForwarding
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-19 16:17:02 +02:00
Benjamin Böhmke
dfd1925ed1 Renamed driver config variable to EnableIP6Tables
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-19 16:17:02 +02:00
Billy Ridgway
8dbb5b5a7d Implement NAT IPv6 to fix the issue https://github.com/moby/moby/issues/25407
Signed-off-by: Billy Ridgway <wrridgwa@us.ibm.com>
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2020-07-19 16:16:51 +02:00
Sebastiaan van Stijn
570c5f9e76 testing: remove use of docker/docker/errdefs in tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-17 11:08:39 +02:00
Sebastiaan van Stijn
27345e8f8f log error instead if disabling IPv6 router advertisement failed
Previously, failing to disable IPv6 router advertisement prevented the daemon
from starting.

An issue was reported by a user that started docker using `systemd-nspawn "machine"`,
which produced an error:

    failed to start daemon: Error initializing network controller:
    Error creating default "bridge" network: libnetwork:
    Unable to disable IPv6 router advertisement:
    open /proc/sys/net/ipv6/conf/docker0/accept_ra: read-only file system

This patch changes the error to a log-message instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-12 19:32:18 +02:00
Sebastiaan van Stijn
9fd12a5e31 client/mflag: remove use of docker/docker/pkg/homedir
The homedir package was only used to print default values for
flags that contained paths inside the user's home-directory in
a slightly nicer way (replace `/users/home` with `~`).

Given that this is not critical, we can replace this with golang's
function, which does not depend on libcontainer.

There's still one use of the homedir package in docker/docker/opts,
which is used by the dnet binary (but only requires the homedir
package when running in rootless mode)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-04 12:48:37 +02:00
Sebastiaan van Stijn
42b87e6a4b types: remove some dead code
These errors were not in use, so we can remove them

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-04 12:07:03 +02:00
Tibor Vass
dc89fc3449 Merge pull request #2558 from thaJeztah/master_router_advertisements
[master] bridge: disable IPv6 router advertisements
2020-06-02 11:02:38 -07:00
Samuel Karp
e65003a722 bridge: disable IPv6 router advertisements
Signed-off-by: Samuel Karp <skarp@amazon.com>
(cherry picked from commit 9489546c44d94d37337191c263879a7ac075a331)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-02 12:06:39 +02:00
Xinfeng Liu
0c8ffda2ab Fix 'failed to get network during CreateEndpoint'
Fix 'failed to get network during CreateEndpoint' during container starting.
Change the error type to `libnetwork.ErrNoSuchNetwork`, so `Start()` in `daemon/cluster/executor/container/controller.go` will recreate the network.

Signed-off-by: Xinfeng Liu <xinfeng.liu@gmail.com>
2020-06-01 17:16:07 +08:00
Arko Dasgupta
fd1765ca9b Merge pull request #2556 from thaJeztah/remove_unused_error
store.getNetworksFromStore() remove unused error return
2020-05-28 20:03:21 -07:00
Sebastiaan van Stijn
07ed00102d store.getNetworksFromStore() remove unused error return
This function always returned `nil`, so we can remove the error
return, and update other functions that were handling errors.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-26 10:39:38 +02:00
Arko Dasgupta
3f0652ac36 Merge pull request #2548 from arkodg/add-intf-firewalld-zone
Add docker interfaces to firewalld docker zone
2020-05-21 11:34:49 -07:00
Sebastiaan van Stijn
efe0ab37a1 Resolver: fix error handling if we didn't receive a response
Commit 2a480d515e updated the DNS library
and updated the error handling.

Due to changes in the library, we now had to check the response itself
to check if the response was truncated (Truncated DNS replies should
be sent to the client so that the client can retry over TCP).

However, 1e02aae252 added an incorrect
`nil` check to fix a panic, which ignored situations where
an error was returned, but no response (for example, if we failed
to connect to the DNS server).

In that situation, the error would be ignored, and further down we
would consider the connection to have been successful, but the DNS
server not returning a result.

After a "successful" lookup (but no results), we break the loop,
and don't attempt lookups in other DNS servers.

Versions before 1e02aae252 would produce:

    Name To resolve: bbc.co.uk.
    [resolver] query bbc.co.uk. (A) from 172.21.0.2:36181, forwarding to udp:192.168.5.1
    [resolver] read from DNS server failed, read udp 172.21.0.2:36181->192.168.5.1:53: i/o timeout
    [resolver] query bbc.co.uk. (A) from 172.21.0.2:38582, forwarding to udp:8.8.8.8
    [resolver] received A record "151.101.0.81" for "bbc.co.uk." from udp:8.8.8.8
    [resolver] received A record "151.101.192.81" for "bbc.co.uk." from udp:8.8.8.8
    [resolver] received A record "151.101.64.81" for "bbc.co.uk." from udp:8.8.8.8
    [resolver] received A record "151.101.128.81" for "bbc.co.uk." from udp:8.8.8.8

Versions after that commit would ignore the error, and stop further lookups:

    Name To resolve: bbc.co.uk.
    [resolver] query bbc.co.uk. (A) from 172.21.0.2:59870, forwarding to udp:192.168.5.1
    [resolver] external DNS udp:192.168.5.1 returned empty response for "bbc.co.uk."

This patch updates the logic to handle the error to log the error (and continue with the next DNS):

 - if an error is returned, and no response was received
 - if an error is returned, but it was not related to a truncated response

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tibor Vass <tibor@docker.com>
2020-05-21 17:50:39 +00:00
fanjiyun
a24e5f5fd4 reduce parameters for func JoinOptionPriority
Signed-off-by: fanjiyun <fan.jiyun@zte.com.cn>
2020-05-15 18:29:54 +08:00
Arko Dasgupta
23d1ca4426 Add docker interfaces to firewalld docker zone
If firewalld is running, create a new docker zone and
add the docker interfaces to the docker zone to allow
container networking for distros with firewalld enabled

Fixes: https://github.com/moby/libnetwork/issues/2496

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-05-07 18:37:33 -07:00
Sebastiaan van Stijn
c30d55d067 vendor: update moby/ipvs v1.0.1
full diff: https://github.com/moby/ipvs/compare/v1.0.0...v1.0.1

- Fix compatibility issue on older kernels (< 3.18) where the address
  family attribute for destination servers does not exist
- Fix the stats attribute check when parsing destination addresses
- NetlinkSocketsTimeout should be a constant

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-28 17:04:14 +02:00
Arko Dasgupta
7fd076595a Merge pull request #2471 from suwang48404/master
DOCKER-USER chain not created when IPTableEnable=false.
2020-04-09 15:01:08 -07:00
Arko Dasgupta
c7f0b0152e Fix NPE due to null value returned by ep.Iface()
This PR carries forward https://github.com/moby/libnetwork/pull/2239
and incorporates the suggestions in comments to fix the NPE and
potential NPEs due to a null value returned by ep.Iface()

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-04-02 22:34:55 -07:00