Commit graph

2812 commits

Author SHA1 Message Date
Cory Snider
ef1545ed4a libnetwork: leave global logger alone in tests
Swapping out the global logger on the fly is causing tests to flake out
by logging to a test's log output after the test function has returned.
Refactor Resolver to use a dependency-injected logger and the resolver
unit tests to inject a private logger instance into the Resolver under
test.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit d4f3858a40)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-05-23 11:31:28 -04:00
Cory Snider
876f5eda51 libnetwork: make resolver tests less confusing
tstwriter mocks the server-side connection between the resolver and the
container, not the resolver and the external DNS server, so returning
the external DNS server's address as w.LocalAddr() is technically
incorrect and misleading. Only the protocols need to match as the
resolver uses the client's choice of protocol to determine which
protocol to use when forwarding the query to the external DNS server.
While this change has no material impact on the tests, it makes the
tests slightly more comprehensible for the next person.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 0cc6e445d7)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-05-23 11:31:28 -04:00
Cory Snider
0869b089e4
libnetwork: just forward the external DNS response
Our resolver is just a forwarder for external DNS so it should act like
it. Unless it's a server failure or refusal, take the response at face
value and forward it along to the client. RFC 8020 is only applicable to
caching recursive name servers and our resolver is neither caching nor
recursive.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 41356227f2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-18 23:10:21 +02:00
Cory Snider
f77a3274b4
[chore] clean up reexec.Init() calls
Now that most uses of reexec have been replaced with non-reexec
solutions, most of the reexec.Init() calls peppered throughout the test
suites are unnecessary. Furthermore, most of the reexec.Init() calls in
test code neglects to check the return value to determine whether to
exit, which would result in the reexec'ed subprocesses proceeding to run
the tests, which would reexec another subprocess which would proceed to
run the tests, recursively. (That would explain why every reexec
callback used to unconditionally call os.Exit() instead of returning...)

Remove unneeded reexec.Init() calls from test and example code which no
longer needs it, and fix the reexec.Init() calls which are not inert to
exit after a reexec callback is invoked.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 4e0319c878)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-11 16:31:41 +02:00
Sebastiaan van Stijn
8142051a3b
libnetwork/osl: unify stubs for NeighOption
Use the same signature for all platforms, but stub the neigh type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:20:58 +02:00
Sebastiaan van Stijn
0ea41eaa51
libnetwork/osl: unify stubs for IfaceOption
Use the same signature for all platforms, but stub the nwIface type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:20:58 +02:00
Sebastiaan van Stijn
021e89d702
libnetwork/osl: rename var that collided with import
Also renaming another var for consistency ':-)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:20:58 +02:00
Sebastiaan van Stijn
3a4158e4fa
libnetwork: add missing stub for getInitializers()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:18:33 +02:00
Sebastiaan van Stijn
939a4eb5c9
libnetwork: fix stubs
- sandbox, endpoint changed in c71555f030, but
  missed updating the stubs.
- add missing stub for Controller.cleanupServiceDiscovery()
- While at it also doing some minor (formatting) changes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:18:33 +02:00
Sebastiaan van Stijn
17feabcba0
libnetwork: overlayutils: remove redundant init()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:18:29 +02:00
Sebastiaan van Stijn
1e9ebfb00c
libnetwork: inline sendKey() into SetExternalKey()
This function included a defer to close the net.Conn if an error occurred,
but the calling function (SetExternalKey()) also had a defer to close it
unconditionally.

Rewrite it to use json.NewEncoder(), which accepts a writer, and inline
the code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:54 +02:00
Sebastiaan van Stijn
9d8fcb3296
libnetwork: setKey(): remove intermediate buffer
Use json.NewDecoder() instead, which accepts a reader.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:54 +02:00
Sebastiaan van Stijn
a813d7e961
libnetwork: don't register "libnetwork-setkey" re-exec on non-unix
It's a no-op on Windows and other non-Linux, non-FreeBSD platforms,
so there's no need to register the re-exec.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:54 +02:00
Sebastiaan van Stijn
881fff1a2f
libnetwork: processSetKeyReexec: don't use logrus.Fatal()
Just print the error and os.Exit() instead, which makes it more
explicit that we're exiting, and there's no need to decorate the
error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:40 +02:00
Sebastiaan van Stijn
e974599593
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.

This was part of a larger change accross multiple re-exec functions (now removed).

For history's sake; here's the description for that;

The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.

I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.

While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.

This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).

To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).

A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 12:52:38 +02:00
Sebastiaan van Stijn
56fbbde2ed
libnetwork/resolvconf: fix some minor (linting) issues
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:49:50 +02:00
Sebastiaan van Stijn
820975595c
libnetwork/resolvconf: improve tests for Build
- Verify the content to be equal, not "contains"; this output should be
  predictable.
- Also verify the content returned by the function to match.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:49:50 +02:00
Sebastiaan van Stijn
93c7b25ccd
libnetwork/resolvconf: refactor tests for readability
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:49:50 +02:00
Sebastiaan van Stijn
43378636d0
libnetwork/resolvconf: allow tests to be run on unix
Looks like the intent is to exclude windows (which wouldn't have /etc/resolv.conf
nor systemd), but most tests would run fine elsewhere. This allows running the
tests on macOS for local testing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:49:49 +02:00
Sebastiaan van Stijn
73c637ad60
libnetwork/resolvconf: use t.TempDir(), change t.Fatal to t.Error
Use t.TempDir() for convenience, and change some t.Fatal's to Errors,
so that all tests can run instead of failing early.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:49:49 +02:00
Sebastiaan van Stijn
fc1e698914
libnetwork/resolvconf: fix TestGet() testing wrong path
The test was assuming that the "source" file was always "/etc/resolv.conf",
but the `Get()` function uses `Path()` to find the location of resolv.conf,
which may be different.

While at it, also changed some `t.Fatalf()` to `t.Errorf()`, and renamed
some variables for clarity.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:49:49 +02:00
Sebastiaan van Stijn
55d18b7db9
libnetwork/resolvconf: use []byte for hash instead of string
After my last change, I noticed that the hash is used as a []byte in most
cases (other than tests). This patch updates the type to use a []byte, which
(although unlikely very important) also improves performance:

Compared to the previous version:

    benchstat new.txt new2.txt
    name         old time/op    new time/op    delta
    HashData-10     128ns ± 1%     116ns ± 1%   -9.77%  (p=0.000 n=20+20)

    name         old alloc/op   new alloc/op   delta
    HashData-10      208B ± 0%       88B ± 0%  -57.69%  (p=0.000 n=20+20)

    name         old allocs/op  new allocs/op  delta
    HashData-10      3.00 ± 0%      2.00 ± 0%  -33.33%  (p=0.000 n=20+20)

And compared to the original version:

    benchstat old.txt new2.txt
    name         old time/op    new time/op    delta
    HashData-10     201ns ± 1%     116ns ± 1%  -42.39%  (p=0.000 n=18+20)

    name         old alloc/op   new alloc/op   delta
    HashData-10      416B ± 0%       88B ± 0%  -78.85%  (p=0.000 n=20+20)

    name         old allocs/op  new allocs/op  delta
    HashData-10      6.00 ± 0%      2.00 ± 0%  -66.67%  (p=0.000 n=20+20)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:49:47 +02:00
Sebastiaan van Stijn
630fc3839e
libnetwork/resolvconf: simplify hashData() and improve performance
The code seemed overly complicated, requiring a reader to be constructed,
where in all cases, the data was already available in a variable. This patch
simplifies the utility to not require a reader, which also makes it a bit
more performant:

    go install golang.org/x/perf/cmd/benchstat@latest
    GO111MODULE=off go test -run='^$' -bench=. -count=20 > old.txt
    GO111MODULE=off go test -run='^$' -bench=. -count=20 > new.txt

    benchstat old.txt new.txt
    name         old time/op    new time/op    delta
    HashData-10     201ns ± 1%     128ns ± 1%  -36.16%  (p=0.000 n=18+20)

    name         old alloc/op   new alloc/op   delta
    HashData-10      416B ± 0%      208B ± 0%  -50.00%  (p=0.000 n=20+20)

    name         old allocs/op  new allocs/op  delta
    HashData-10      6.00 ± 0%      3.00 ± 0%  -50.00%  (p=0.000 n=20+20)

A small change was made in `Build()`, which previously returned the resolv.conf
data, even if the function failed to write it. In the new variation, `nil` is
consistently returned on failures.

Note that in various places, the hash is not even used, so we may be able to
simplify things more after this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 22:47:23 +02:00
Sebastiaan van Stijn
214e200f95
Merge pull request #45308 from corhere/libnet/overlay-bpf-ipv6
libnetwork/drivers/overlay: make VNI matcher IPv6-compatible
2023-04-26 14:37:09 +02:00
Brian Goff
0970cb054c
Merge pull request #45366 from akerouanton/fix-docker0-PreferredPool
daemon: set docker0 subpool as the IPAM pool
2023-04-25 11:07:57 -07:00
Albin Kerouanton
2d31697d82
daemon: set docker0 subpool as the IPAM pool
Since cc19eba (backported to v23.0.4), the PreferredPool for docker0 is
set only when the user provides the bip config parameter or when the
default bridge already exist. That means, if a user provides the
fixed-cidr parameter on a fresh install or reboot their computer/server
without bip set, dockerd throw the following error when it starts:

> failed to start daemon: Error initializing network controller: Error
> creating default "bridge" network: failed to parse pool request for
> address space "LocalDefault" pool "" subpool "100.64.0.0/26": Invalid
> Address SubPool

See #45356.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-25 15:32:46 +02:00
Cory Snider
c399963243 libn/d/overlay: make VNI matcher IPv6-compatible
Use Linux BPF extensions to locate the offset of the VXLAN header within
the packet so that the same BPF program works with VXLAN packets
received over either IPv4 or IPv6.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-04-24 14:20:29 -04:00
Cory Snider
7d9bb170b7 libn/d/overlay: test the VNI BPF matcher on IPv4
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-04-24 14:19:39 -04:00
Bjorn Neergaard
660c04803e
Merge pull request #45310 from corhere/libn/delete-network-more-atomically
libnetwork: clean up inDelete network atomically
2023-04-20 20:26:24 +02:00
Albin Kerouanton
1e1efe1f61
libnet/d/overlay: clean up iptables rules on network delete
This commit removes iptables rules configured for secure overlay
networks when a network is deleted. Prior to this commit, only
CreateNetwork() was taking care of removing stale iptables rules.

If one of the iptables rule can't be removed, the erorr is logged but
it doesn't prevent network deletion.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-17 17:21:21 +02:00
Cory Snider
c957ad0067 libnetwork: clean up inDelete network atomically
The (*network).ipamRelease function nils out the network's IPAM info
fields, putting the network struct into an inconsistent state. The
network-restore startup code panics if it tries to restore a network
from a struct which has fewer IPAM config entries than IPAM info
entries. Therefore (*network).delete contains a critical section: by
persisting the network to the store after ipamRelease(), the datastore
will contain an inconsistent network until the deletion operation
completes and finishes deleting the network from the datastore. If for
any reason the deletion operation is interrupted between ipamRelease()
and deleteFromStore(), the daemon will crash on startup when it tries to
restore the network.

Updating the datastore after releasing the network's IPAM pools may have
served a purpose in the past, when a global datastore was used for
intra-cluster communication and the IPAM allocator had persistent global
state, but nowadays there is no global datastore and the IPAM allocator
has no persistent state whatsoever. Remove the vestigial datastore
update as it is no longer necessary and only serves to cause problems.
If the network deletion is interrupted before the network is deleted
from the datastore, the deletion will resume during the next daemon
startup, including releasing the IPAM pools.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-04-11 19:00:59 -04:00
Sebastiaan van Stijn
0154746b9f
Merge pull request #44965 from akerouanton/libnetwork-dead-code
libnetwork/overlay: remove dead code
2023-04-11 17:09:45 +02:00
Albin Kerouanton
8ed900263e
libnetwork/overlay: remove host mode
Linux kernel prior to v3.16 was not supporting netns for vxlan
interfaces. As such, moby/libnetwork#821 introduced a "host mode" to the
overlay driver. The related kernel fix is available for rhel7 users
since v7.2.

This mode could be forced through the use of the env var
_OVERLAY_HOST_MODE. However this env var has never been documented and
is not referenced in any blog post, so there's little chance many people
rely on it. Moreover, this host mode is deemed as an implementation
details by maintainers. As such, we can consider it dead and we can
remove it without a prior deprecation warning.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:52:41 +02:00
Albin Kerouanton
1d46597c8b
libnetwork/overlay: remove KVObject implementation
Since 0fa873c, there's no function writing overlay networks to some
datastore. As such, overlay network struct doesn't need to implement
KVObject interface.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:52:29 +02:00
Albin Kerouanton
f32f09e78f
libnetwork/overlay: don't lock network when accessing subnet vni
Since a few commits, subnet's vni don't change during the lifetime of
the subnet struct, so there's no need to lock the network before
accessing it.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:52:27 +02:00
Albin Kerouanton
b67446a8fa
libnetwork: remove local store from overlay driver
Since the previous commit, data from the local store are never read,
thus proving it was only used for Classic Swarm.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:52:27 +02:00
Albin Kerouanton
8aa1060c34
libnetwork/overlay: remove live-restore support
The overlay driver in Swarm v2 mode doesn't support live-restore, ie.
the daemon won't even start if the node is part of a Swarm cluster and
live-restore is enabled. This feature was only used by Swarm Classic.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:52:27 +02:00
Albin Kerouanton
e3708a89cc
libnetwork/overlay: remove vni allocation
VNI allocations made by the overlay driver were only used by Classic
Swarm. With Swarm v2 mode, the driver ovmanager is responsible of
allocating & releasing them.

Previously, vxlanIdm was initialized when a global store was available
but since 142b522, no global store can be instantiated. As such,
releaseVxlanID actually does actually nothing and iptables rules are
never removed.

The last line of dead code detected by golangci-lint is now gone.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:52:27 +02:00
Albin Kerouanton
e251837445
libnetwork/overlay: remove Serf-based clustering
Prior to 0fa873c, the serf-based event loop was started when a global
store was available. Since there's no more global store, this event loop
and all its associated code is dead.

Most dead code detected by golangci-lint in prior commits is now gone.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:52:17 +02:00
Albin Kerouanton
644e3d4cdb
libnetwork/netlabel: remove dead code
- LocalKVProvider, LocalKVProviderURL, LocalKVProviderConfig,
  GlobalKVProvider, GlobalKVProviderURL and GlobalKVProviderConfig
  are all unused since moby/libnetwork@be2b6962 (moby/libnetwork#908).
- GlobalKVClient is unused since 0fa873c and c8d2c6e.
- MakeKVProvider, MakeKVProviderURL and MakeKVProviderConfig are unused
  since 96cfb076 (moby/moby#44683).
- MakeKVClient is unused since 142b5229 (moby/moby#44875).

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:51:56 +02:00
Albin Kerouanton
f8b5fe5724
libnetwork/netutils: remove dead code
- GetIfaceAddr is unused since moby/libnetwork@e51ead59
  (moby/libnetwork#670).
- ValidateAlias and ParseAlias are unused since moby/moby@0645eb84
  (moby/moby#42539).

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:33:04 +02:00
Albin Kerouanton
c8d2c6ea77
libnetwork: remove unused props from windows overlay driver
The overlay driver was creating a global store whenever
netlabel.GlobalKVClient was specified in its config argument. This
specific label is unused anymore since 142b522 (moby/moby#44875).

It was also creating a local store whenever netlabel.LocalKVClient was
specificed in its config argument. This store is unused since
moby/libnetwork@9e72136 (moby/libnetwork#1636).

Finally, the sync.Once properties are never used and thus can be
deleted.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:33:04 +02:00
Albin Kerouanton
0fa873c0fe
libnetwork: remove global store from overlay driver
The overlay driver was creating a global store whenever
netlabel.GlobalKVClient was specified in its config argument. This
specific label is not used anymore since 142b522 (moby/moby#44875).

golangci-lint now detects dead code. This will be fixed in subsequent
commits.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:33:04 +02:00
Albin Kerouanton
00037cd44b
libnetwork: remove ovrouter cmd
This command was useful when overlay networks based on external KV store
was developed but is unused nowadays.

As the last reference to OverlayBindInterface and OverlayNeighborIP
netlabels are in the ovrouter cmd, they're removed too.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-04-06 19:33:04 +02:00
Cory Snider
4d04068184 libn/d/overlay: only program xt_bpf rules
Drop support for platforms which only have xt_u32 but not xt_bpf. No
attempt is made to clean up old xt_u32 iptables rules left over from a
previous daemon instance.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-04-05 11:50:03 -04:00
Sebastiaan van Stijn
878ee341d6
Merge pull request from GHSA-232p-vwff-86mp
libnetwork: ensure encryption is mandatory on encrypted overlay networks
2023-04-04 20:03:51 +02:00
Sebastiaan van Stijn
ae64fd8d6f
Merge pull request #45247 from akerouanton/drop-ElectInterfaceAddress
libnetwork/netutils: drop ElectInterfaceAddresses
2023-03-31 19:27:40 +02:00
Albin Kerouanton
f6b50d52d4
libnetwork/netutils: drop ElectInterfaceAddresses
This is a follow-up of 48ad9e1. This commit removed the function
ElectInterfaceAddresses from utils_linux.go but not their FreeBSD &
Windows counterpart. As these functions are never called, they can be
safely removed.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-03-31 09:37:03 +02:00
Sebastiaan van Stijn
b8e963595e libnetwork: sbState: rename ExtDNS2 back to ExtDNS
The ExtDNS2 field was added in
aad1632c15
to migrate existing state from < 1.14 to a new type. As it's unlikely
that installations still have state from before 1.14, rename ExtDNS2
back to ExtDNS and drop the migration code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Co-authored-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-03-30 18:44:24 -04:00
Cory Snider
9e3a6ccf69 libn/i/setmatrix: make generic and constructorless
Allow SetMatrix to be used as a value type with a ready-to-use zero
value. SetMatrix values are already non-copyable by virtue of having a
mutex field so there is no harm in allowing non-pointer values to be
used as local variables or struct fields. Any attempts to pass around
by-value copies, e.g. as function arguments, will be flagged by go vet.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-03-29 13:31:12 -04:00