Commit graph

272 commits

Author SHA1 Message Date
Sebastiaan van Stijn
605c8fb75d
Merge pull request #46546 from thaJeztah/libnetwork_return_errs
libnetwork: Controller.cleanupLocalEndpoints, sandboxCleanup: return errors
2023-09-27 10:31:56 +02:00
Sebastiaan van Stijn
324cb3d08f
Merge pull request #46545 from thaJeztah/libnetwork_NetworkByID_simplify
libnetwork: Controller.NetworkByID: remove redundant error-handling
2023-09-27 10:30:47 +02:00
Sebastiaan van Stijn
7cda3fb7b5
libnetwork: inline populateSpecial NetworkWalker
It was only used in a single place, and it was defined far away from
where it was used.

Move the code inline, so that it's clear at a glance what it's doing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-26 19:41:50 +02:00
Sebastiaan van Stijn
a8ea752a93
libnetwork: Controller.cleanupLocalEndpoints: return errors
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-26 19:28:18 +02:00
Sebastiaan van Stijn
2e60051c92
libnetwork: Controller.sandboxCleanup: return errors
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-26 19:28:18 +02:00
Sebastiaan van Stijn
642cf261a8
libnetwork: Controller.NetworkByID: remove redundant error-handling
Controller.getNetworkFromStore() already returns an ErrNoSuchNetwork if
no network was found, so we don't need to convert the existing error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-26 19:22:52 +02:00
Albin Kerouanton
78479b1915
libnet: Make sure network names are unique
Fixes #18864, #20648, #33561, #40901.

[This GH comment][1] makes clear network name uniqueness has never been
enforced due to the eventually consistent nature of Classic Swarm
datastores:

> there is no guaranteed way to check for duplicates across a cluster of
> docker hosts.

And this is further confirmed by other comments made by @mrjana in that
same issue, eg. [this one][2]:

> we want to adopt a schema which can pave the way in the future for a
> completely decentralized cluster of docker hosts (if scalability is
> needed).

This decentralized model is what Classic Swarm was trying to be. It's
been superseded since then by Docker Swarm, which has a centralized
control plane.

To circumvent this drawback, the `NetworkCreate` endpoint accepts a
`CheckDuplicate` flag. However it's not perfectly reliable as it won't
catch concurrent requests.

Due to this design decision, API clients like Compose have to implement
workarounds to make sure names are really unique (eg.
docker/compose#9585). And the daemon itself has seen a string of issues
due to that decision, including some that aren't fixed to this day (for
instance moby/moby#40901):

> The problem is, that if you specify a network for a container using
> the ID, it will add that network to the container but it will then
> change it to reference the network by using the name.

To summarize, this "feature" is broken, has no practical use and is a
source of pain for Docker users and API consumers. So let's just remove
it for _all_ API versions.

[1]: https://github.com/moby/moby/issues/18864#issuecomment-167201414
[2]: https://github.com/moby/moby/issues/18864#issuecomment-167202589

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-09-12 10:40:13 +02:00
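The commit above describes why a separate "check for a duplicate, then create" step (the old `CheckDuplicate` flag) cannot guarantee unique names under concurrent requests. The following is an added example, not code from libnetwork or from the commit: a constructed in-memory network table where the racy check-then-insert is driven deterministically through a `between` hook, beside the lock-held variant that closes the window.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var ErrNameInUse = errors.New("network name already in use")

// store is a constructed stand-in for the network table (not libnetwork
// code); like the real datastore it will happily hold two networks with one name.
type store struct {
	mu    sync.Mutex
	names []string
}

// hasName must be called with s.mu held.
func (s *store) hasName(name string) bool {
	for _, n := range s.names {
		if n == name {
			return true
		}
	}
	return false
}

// createRacy is the CheckDuplicate pattern: the check and the insert are two
// separate critical sections. between() stands in for the window in which a
// concurrent NetworkCreate request can run; in production that window is just time.
func (s *store) createRacy(name string, between func()) error {
	s.mu.Lock()
	dup := s.hasName(name)
	s.mu.Unlock()
	if dup {
		return ErrNameInUse
	}
	between()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.names = append(s.names, name)
	return nil
}

// createAtomic holds the lock across check and insert, so the check cannot
// go stale before the insert lands.
func (s *store) createAtomic(name string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.hasName(name) {
		return ErrNameInUse
	}
	s.names = append(s.names, name)
	return nil
}

// demoRace runs request B entirely inside request A's check-to-insert window:
// both pass the check, and the table ends up with two networks named "mynet".
func demoRace() int {
	s := &store{}
	_ = s.createRacy("mynet", func() { _ = s.createRacy("mynet", func() {}) })
	return len(s.names)
}

func main() {
	fmt.Println("racy:", demoRace(), "networks named mynet")
	s := &store{}
	_ = s.createAtomic("mynet")
	fmt.Println("atomic second create:", s.createAtomic("mynet"))
}
```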
Cory Snider
a0a8d9d057
libnetwork: notify another driver registerer
There is no meaningful distinction between driverapi.Registerer and
drvregistry.DriverNotifyFunc. They are both used to register a network
driver with an interested party. They have the same function signature.
The only difference is that the latter could be satisfied by an
anonymous closure. However, in practice the only implementation of
drvregistry.DriverNotifyFunc is the
(*libnetwork.Controller).RegisterDriver method. This same method also
makes the libnetwork.Controller type satisfy the Registerer interface,
therefore the DriverNotifyFunc type is redundant. Change
drvregistry.Networks to notify a Registerer and drop the
DriverNotifyFunc type.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-08-29 10:32:18 -04:00
Sebastiaan van Stijn
b92cf68add
libnetwork/osl: remove Sandbox and Info interfaces
It only has a single implementation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 23:29:09 +02:00
Sebastiaan van Stijn
95abde479a
libnetwork: implement Controller.setupOSLSandbox
osl.NewSandbox() always returns a nil interface on Windows (and other non-Linux
platforms). This means that these fields are always nil, and any code using
these fields must be considered Linux-only:

- libnetwork/Controller.defOsSbox
- libnetwork/Sandbox.osSbox

Ideally, these fields would live in Linux-only files, but they're referenced
in various platform-neutral parts of the code, so let's start with moving
the initialization code to Linux-only files.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 20:13:15 +02:00
Sebastiaan van Stijn
2eccf0e8d1
libnetwork: Controller.NewSandbox: don't generate ID if not used
Windows uses the container-ID as ID for sandboxes, so it's not needed to
generate an ID when running on Windows.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 14:26:53 +02:00
Sebastiaan van Stijn
bb5813a93d
Merge pull request #46240 from thaJeztah/libnetwork_named_returns
libnetwork: Controller.NewNetwork, Controller.NewSandbox: use named error-return
2023-08-23 14:19:27 +02:00
Sebastiaan van Stijn
331854a126
Merge pull request #46239 from thaJeztah/vars_collide
libnetwork: rename vars that collided
2023-08-22 10:50:35 +02:00
Sebastiaan van Stijn
dff53a02ef
libnetwork: remove Controller.Sandboxes as it's no longer used
The Controller.Sandboxes method was used by some SandboxWalkers. Now
that those have been removed, there are no longer any consumers of this
method, so let's remove it for now.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-21 19:08:43 +02:00
Sebastiaan van Stijn
f44fbab3ec
libnetwork: remove Controller.WalkSandboxes and related code
This functionality has been replaced with Controller.GetSandbox, and is
no longer used anywhere.

This patch removes:

- the Controller.WalkSandboxes method
- the SandboxContainerWalker SandboxWalker
- the SandboxWalker type

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-21 15:06:28 +02:00
Sebastiaan van Stijn
6dba98cf38
libnetwork: implement Controller.GetSandbox(containerID)
Various parts of the code were using "walkers" to iterate over the
controller's sandboxes, and the only condition for all of them was
to find the sandbox for a given container-ID. Iterating over all
sandboxes was also sub-optimal, because on Windows, the ContainerID
is used as Sandbox-ID, which can be used to lookup the sandbox from
the "sandboxes" map on the controller.

This patch implements a GetSandbox method on the controller that
looks up the sandbox for a given container-ID, using the most optimal
approach (depending on the platform).

The new method can return errors for invalid (empty) container-IDs, and
a "not found" error to allow consumers to detect non-existing sandboxes,
or potentially invalid IDs.

This new method replaces the (non-exported) Daemon.getNetworkSandbox(),
which was only used internally, in favor of directly accessing the
controller's method.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-21 15:06:26 +02:00
Sebastiaan van Stijn
e690cdb6a3
libnetwork: remove redundant sandboxTable type
It was not exported so let's remove the abstraction to not make it look
like something more than it is.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-21 15:03:14 +02:00
Sebastiaan van Stijn
3c10db669e
libnetwork: remove unused SandboxKeyWalker
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-21 15:03:08 +02:00
Albin Kerouanton
42d34e40f9
libnet: Replace BadRequest with InvalidParameter
InvalidParameter is now compatible with errdefs.InvalidParameter. Thus,
these errors will now return a 400 status code instead of a 500.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-08-17 16:45:04 +02:00
Sebastiaan van Stijn
56b62640a2
libnetwork: Controller.NewSandbox: use named error-return
It's used in various defers, but was using `err` as name, which can be
confusing, and increases the risk of accidentally shadowing the error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-16 13:25:10 +02:00
Sebastiaan van Stijn
cbe692ffd1
libnetwork: Controller.NewNetwork: use named error-return
It's used in various defers, but was using `err` as name, which can be
confusing, and increases the risk of accidentally shadowing the error.

This patch:

- introduces a `retErr` output variable, to be used in defer statements.
- explicitly changes some `err` uses to locally-scoped variables.
- moves some variable definitions closer to where they're used (where possible).

While working on this change, there was one point in the code where
error handling was ambiguous. I added a note for that, in case this
was not a bug:

> This code was previously assigning the error to the global "err"
> variable (before it was renamed to "retErr"), but in case of a
> "MaskableError" did not *return* the error:
> b325dcbff6/libnetwork/controller.go (L566-L573)
>
> Depending on code paths further down, that meant that this error
> was either overwritten by other errors (and thus not handled in
> defer statements) or handled (if no other code was overwriting it).
>
> I suspect this was a bug (but possibly without effect), but it could
> have been intentional. This logic is confusing at least, and even
> more so combined with the handling in defer statements that check for
> both the "err" return AND "skipCfgEpCount":
> b325dcbff6/libnetwork/controller.go (L586-L602)
>
> To save future visitors some time to dig up history:
>
> - config-only networks were added in 25082206df
> - the special error-handling and "skipCfgEpCount" was added in ddd22a8198
> - and updated in 87b082f365 to not use string-matching

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-16 13:25:10 +02:00
Sebastiaan van Stijn
e2f9d6c4c3
libnetwork: rename vars that collided with builtins
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-16 12:34:25 +02:00
Sebastiaan van Stijn
e8f0f5a4ce
libnetwork: rename agent type to reduce collisions
There were quite some places where the type collided with variables
named `agent`. Let's rename the type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-16 12:12:39 +02:00
Sebastiaan van Stijn
a908460adb
Merge pull request #46043 from thaJeztah/cleanup_iptables_the_firewall_strikes_back
libnetwork/iptables: cleaning up: "there's more where that came from"
2023-07-29 22:12:48 +02:00
Sebastiaan van Stijn
6ec03d6745
libnetwork: move datastore Scope consts to libnetwork/scope
The "Capability" type defines DataScope and ConnectivityScope fields,
but their value was set from consts in the datastore package, which
required importing that package and its dependencies for the consts
only.

This patch:

- Moves the consts to a separate "scope" package
- Adds aliases for the consts in the datastore package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 21:56:48 +02:00
Sebastiaan van Stijn
fca38bcd0a
libnetwork/driverapi: make discoverAPI an optional part of the interface
Most drivers do not implement this, so detect if a driver implements
the discoverAPI, and remove the implementation from drivers that do
not support it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 17:16:00 +02:00
Sebastiaan van Stijn
7e4ffa3fa9
Merge pull request #46050 from thaJeztah/libnetwork_remove_interface
libnetwork: remove Network interface
2023-07-25 16:02:19 +02:00
Sebastiaan van Stijn
704a19b25d
libnetwork/datastore: remove DataStore interface
It only had a single implementation, so let's remove the interface.

While changing, also renaming:

- datastore.DataStore -> datastore.Store
- datastore.NewDataStore -> datastore.New
- datastore.NewDataStoreFromConfig -> datastore.FromConfig

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-24 15:54:05 +02:00
Sebastiaan van Stijn
64c6f72988
libnetwork: remove Network interface
There's only one implementation; drop the interface and use the
concrete type instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-22 11:56:41 +02:00
Sebastiaan van Stijn
e57b807a42
libnetwork: Controller.NewNetwork: inline arrangeUserFilterRule()
arrangeUserFilterRule uses the package-level [`ctrl` variable][1], which
holds a reference to a controller instance. This variable is set by
[`setupArrangeUserFilterRule()`][2], which is called when initializing
a controller ([`libnetwork.New`][3]).

In normal circumstances, there would only be one controller, created during
daemon startup, and the instance of the controller would be the same as
the controller that `NewNetwork` is called from, but there's no protection
for the `ctrl` variable, and various integration tests create their own
controller instance.

The global `ctrl` var was introduced in [54e7900fb89b1aeeb188d935f29cf05514fd419b][4],
with the assumption that [only one controller could ever exist][5].

This patch tries to reduce uses of the `ctrl` variable, and as we're calling
this code from inside a method on a specific controller, we inline the code
and use that specific controller instead.

[1]: 37b908aa62/libnetwork/firewall_linux.go (L12)
[2]: 37b908aa62/libnetwork/firewall_linux.go (L14-L17)
[3]: 37b908aa62/libnetwork/controller.go (L163)
[4]: 54e7900fb8
[5]: https://github.com/moby/libnetwork/pull/2471#discussion_r343457183

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-21 21:08:03 +02:00
Sebastiaan van Stijn
a5f45b47a3
libnetwork: Controller: combine iptablesEnabled and ip6tablesEnabled
These functions were mostly identical, except for iptables being enabled
by default (unless explicitly disabled by config).

Rewrite the function to an enabledIptablesVersions, which returns the list
of iptables-versions that are enabled for the controller. This prevents
having to acquire a lock twice, and simplifies arrangeUserFilterRule, which
can now just iterate over the enabled versions.

Also moving this function to a linux-only file, as other platforms don't have
the iptables types defined.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-21 20:08:53 +02:00
Sebastiaan van Stijn
738b16d873
libnetwork/config: add Config.DriverConfig() and un-export DriverCfg
The driver-configurations are only set when creating a new controller,
using the `config.OptionDriverConfig()` option that can be passed to
`New()`, and used as "read-only" after that.

Taking away any other paths that set these options, the only type used
for per-driver options is a `map[string]interface{}`, so we can change
the type from `map[string]interface{}` to a `map[string]map[string]interface{}`,
(or its "modern" variant: `map[string]map[string]any`), so that it's
no longer needed to cast the type before use.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 09:57:14 +02:00
Sebastiaan van Stijn
e21ff6c0c9
libnetwork/config: remove IsValidName utility
This utility was not used for "Config", but for Networks and Endpoints.
Having this utility made it look like more than it was, and the related
test was effectively testing stdlib.

Abstracting the validation also was hiding that, while validation does
not allow "empty" names, it happily allows leading/trailing whitespace,
and does not remove that before creating networks or endpoints:

    docker network create "bridge "
    docker network create "bridge  "
    docker network create "bridge   "
    docker network create " bridge  "
    docker network create "  bridge "
    docker network create "   bridge"

    docker network ls --filter driver=bridge
    NETWORK ID     NAME        DRIVER    SCOPE
    d4d53210f185      bridge   bridge    local
    e9afba0d99de     bridge    bridge    local
    69fb7a7ba67c    bridge     bridge    local
    a452bf065403   bridge      bridge    local
    49d96c59061d   bridge      bridge    local
    8eae1c4be12c   bridge      bridge    local
    86dd65b881b9   bridge      bridge    local

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-16 19:42:44 +02:00
Cory Snider
1980deffae
libn: refactor platform driver registration
Hide knowledge of the network driver initializer functions from
controller.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-06 12:56:09 -04:00
Sebastiaan van Stijn
dd5ea7e996
libnetwork: format code with gofumpt
Formatting the code with https://github.com/mvdan/gofumpt

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-29 00:31:49 +02:00
Brian Goff
74da6a6363
Switch all logging to use containerd log pkg
This unifies our logging and allows us to propagate logging and trace
contexts together.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-24 00:23:44 +00:00
Cory Snider
9e3a6ccf69
libn/i/setmatrix: make generic and constructorless
Allow SetMatrix to be used as a value type with a ready-to-use zero
value. SetMatrix values are already non-copyable by virtue of having a
mutex field so there is no harm in allowing non-pointer values to be
used as local variables or struct fields. Any attempts to pass around
by-value copies, e.g. as function arguments, will be flagged by go vet.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-03-29 13:31:12 -04:00
Cory Snider
28edc8e2d6
libnet: convert to new-style driver registration
Per the Interface Segregation Principle, network drivers should not have
to depend on GetPluginGetter methods they do not use. The remote network
driver is the only one which needs a PluginGetter, and it is already
special-cased in Controller so there is no sense warping the interfaces
to achieve a foolish consistency. Replace all other network drivers' Init
functions with Register functions which take a driverapi.Registerer
argument instead of a driverapi.DriverCallback. Add back in Init wrapper
functions for only the drivers which Swarmkit references so that
Swarmkit can continue to build.

Refactor the libnetwork Controller to use the new drvregistry.Networks
and drvregistry.IPAMs driver registries in place of the legacy ones.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-27 11:47:42 -05:00
Cory Snider
d478e13639
libnet: un-plumb datastores from IPAM inits
The datastore arguments to the IPAM driver Init() functions are always
nil, even in Swarmkit. The only IPAM driver which consumed the
datastores was builtin; all others (null, remote, windowsipam) simply
ignored it. As the signatures of the IPAM driver init functions cannot
be changed without breaking the Swarmkit build, they have to be left
with the same signatures for the time being. Assert that nil datastores
are always passed into the builtin IPAM driver's init function so that
there is no ambiguity that the datastores are no longer respected.

Add new Register functions for the IPAM drivers which are free from the
legacy baggage of the Init functions. (The legacy Init functions can be
removed once Swarmkit is migrated to using the Register functions.) As
the remote IPAM driver is the only one which depends on a PluginGetter,
pass it in explicitly as an argument to Register. The other IPAM drivers
should not be forced to depend on a GetPluginGetter() method they do not
use (Interface Segregation Principle).

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-27 11:47:42 -05:00
Cory Snider
27cca19c9a
libnetwork/drvregistry: drop unused args
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-26 17:56:40 -05:00
Cory Snider
befff0e13f
libnetwork: remove more datastore scope plumbing
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-26 17:56:40 -05:00
Cory Snider
142b522946
libnetwork/config: remove vestiges of global scope
Without (*Controller).ReloadConfiguration, the only way to configure
datastore scopes would be by passing config.Options to libnetwork.New.
The only options defined which relate to datastore scopes are limited to
configuring the local-scope datastore. Furthermore, the default
datastore config only defines configuration for the local-scope
datastore. The local-scope datastore is therefore the only datastore
scope possible in libnetwork. Start removing code which is only
needed to support multiple datastore scopes.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-26 17:56:29 -05:00
Cory Snider
52d9883812
libnetwork: drop (*Controller).ReloadConfiguration
...as it is unused.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-26 16:48:35 -05:00
Albin Kerouanton
ffd75c2e0c
libnetwork: Support IPv6 in arrangeUserFilterRule() (redux)
This reapplies commit 2d397beb00.

Fixes #44451.

Co-authored-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2023-01-14 19:11:44 -07:00
Bjorn Neergaard
17723691e5
Revert "libnetwork: Support IPv6 in arrangeUserFilterRule()"
This reverts commit 2d397beb00.

moby#44706 and moby#44805 were both merged, and both refactored the same
file. The combination broke the build, and was not detected in CI as
only the combination of the two, applied to the same parent commit,
caused the failure.

moby#44706 should be carried forward, based on the current master, in
order to resolve this conflict.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2023-01-14 15:31:56 -07:00
Bjorn Neergaard
803c21f4b2
Merge pull request #44706 from akerouanton/fix-44451
libnetwork: Support IPv6 in arrangeUserFilterRule()
2023-01-14 15:18:01 -07:00
Cory Snider
c71555f030
libnetwork: return concrete-typed *Endpoint
libnetwork.Endpoint is an interface with a single implementation.

https://github.com/golang/go/wiki/CodeReviewComments#interfaces

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-13 14:19:06 -05:00
Cory Snider
0e91d2e0e9
libnetwork: return concrete-typed *Sandbox
Basically every exported method which takes a libnetwork.Sandbox
argument asserts that the value's concrete type is *sandbox. Passing any
other implementation of the interface is a runtime error! This interface
is a footgun, and clearly not necessary. Export and use the concrete
type instead.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-13 14:19:06 -05:00
Cory Snider
f96b9bf761
libnetwork: return concrete-typed *Controller
libnetwork.NetworkController is an interface with a single
implementation.

https://github.com/golang/go/wiki/CodeReviewComments#interfaces

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-13 14:09:37 -05:00
Cory Snider
ae09fe3da7
libnetwork: don't embed mutex in controller
Embedded structs are part of the exported surface of a struct type.
Boxing a struct value into an interface value does not erase that;
any code could gain access to the embedded struct value with a simple
type assertion. The mutex is supposed to be a private implementation
detail, but *controller implements sync.Locker because the mutex is
embedded.

    c, _ := libnetwork.New()
    c.(sync.Locker).Lock()

Change the mutex to an unexported field so *controller no longer
spuriously implements the sync.Locker interface.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-13 14:09:37 -05:00
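The commit above explains how an embedded `sync.Mutex` leaks through an interface value. The following is an added example, not libnetwork code: `leakyController` and `safeController` are constructed stand-ins for the before and after shapes, and the two helper functions show that only the embedded form can be coerced into `sync.Locker` and locked by code that merely holds the interface value.

```go
package main

import (
	"fmt"
	"sync"
)

// leakyController is a constructed stand-in (not libnetwork code) for the
// pre-fix shape: embedding sync.Mutex promotes Lock/Unlock into the exported
// method set, so *leakyController satisfies sync.Locker for anyone who asks.
type leakyController struct {
	sync.Mutex
	sandboxes map[string]string
}

// safeController mirrors the fix: the mutex is an unexported field, so no
// method is promoted and the lock stays an implementation detail.
type safeController struct {
	mu        sync.Mutex
	sandboxes map[string]string
}

// Put is the only way to touch safeController's state; the lock is private.
func (c *safeController) Put(id, name string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.sandboxes == nil {
		c.sandboxes = map[string]string{}
	}
	c.sandboxes[id] = name
}

// exposesLocker reports whether a value handed out as an opaque interface
// can be coerced into its lock with a plain type assertion.
func exposesLocker(v interface{}) bool {
	_, ok := v.(sync.Locker)
	return ok
}

// outsiderCanWedge shows the consequence: code holding only the interface
// value locks the controller, and the controller's own code can no longer
// acquire its mutex (TryLock fails) until the outsider lets go.
func outsiderCanWedge(v interface{}) bool {
	l, ok := v.(sync.Locker)
	if !ok {
		return false // safeController never gets here
	}
	c, ok := v.(*leakyController)
	if !ok {
		return false
	}
	l.Lock()
	defer l.Unlock()
	return !c.TryLock()
}

func main() {
	fmt.Println("leaky exposes Locker:", exposesLocker(&leakyController{}))
	fmt.Println("safe exposes Locker: ", exposesLocker(&safeController{}))
	fmt.Println("outsider wedges leaky:", outsiderCanWedge(&leakyController{}))
	fmt.Println("outsider wedges safe: ", outsiderCanWedge(&safeController{}))
}
```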