moby--moby/libnetwork/drivers/bridge/setup_device.go

//go:build linux
// +build linux

package bridge

import (
	"fmt"
	"os"
	"path/filepath"

	"github.com/docker/docker/libnetwork/netutils"
	"github.com/sirupsen/logrus"
	"github.com/vishvananda/netlink"
)

// SetupDevice create a new bridge interface/
func setupDevice(config *networkConfiguration, i *bridgeInterface) error {
	// We only attempt to create the bridge when the requested device name is
	// the default one.
	if config.BridgeName != DefaultBridgeName && config.DefaultBridge {
		return NonDefaultBridgeExistError(config.BridgeName)
	}

	// Set the bridgeInterface netlink.Bridge.
	i.Link = &netlink.Bridge{
		LinkAttrs: netlink.LinkAttrs{
			Name: config.BridgeName,
		},
	}

	// Set the bridge's MAC address. Requires kernel version 3.3 or up.
	hwAddr := netutils.GenerateRandomMAC()
	i.Link.Attrs().HardwareAddr = hwAddr
	logrus.Debugf("Setting bridge mac address to %s", hwAddr)

	if err := i.nlh.LinkAdd(i.Link); err != nil {
		logrus.Debugf("Failed to create bridge %s via netlink. Trying ioctl", config.BridgeName)
		return ioctlCreateBridge(config.BridgeName, hwAddr.String())
	}

	return nil
}

func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) error {
	// Disable IPv6 router advertisements originating on the bridge
	sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra")
	if _, err := os.Stat(sysPath); err != nil {
		logrus.
			WithField("bridge", config.BridgeName).
			WithField("syspath", sysPath).
			Info("failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra")
		return nil
	}
	if err := os.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil {
		logrus.WithError(err).Warn("unable to disable IPv6 router advertisement")
	}
	return nil
}

// SetupDeviceUp ups the given bridge interface.
func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error {
	err := i.nlh.LinkSetUp(i.Link)
	if err != nil {
		return fmt.Errorf("Failed to set link up for %s: %v", config.BridgeName, err)
	}

	// Attempt to update the bridge interface to refresh the flags status,
	// ignoring any failure to do so.
	if lnk, err := i.nlh.LinkByName(config.BridgeName); err == nil {
		i.Link = lnk
	} else {
		logrus.Warnf("Failed to retrieve link for interface (%s): %v", config.BridgeName, err)
	}
	return nil
}
Update to Go 1.17.0, and gofmt with Go 1.17 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-08-23 15:14:53 +02:00			`//go:build linux`
Fix some windows issues in libnetwork tests Fix build constraints for linux-only network drivers Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2021-05-25 23:48:54 +00:00			`// +build linux`

WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`package bridge`

			`import (`
Prefer Netlink calls over ioctl As seen in https://github.com/docker/docker/issues/14738 there is general instability in the later kernels under race conditions when ioctl calls are used in parallel with netlink calls for various operations. (We are yet to narrow down to the exact root-cause on the kernel). For those older kernels which doesnt support some of the netlink APIs, we can fallback to using ioctl calls. Hence bringing back the original code that used netlink (https://github.com/docker/libnetwork/pull/349). Also, there was an existing bug in bridge creation using netlink which was setting bridge mac during bridge creation. That operation is not supported in the netlink library (and doesnt throw an error either). Included a fix for that condition by setting the bridge mac after creating the bridge. Signed-off-by: Madhu Venugopal <madhu@docker.com> 2015-07-30 06:02:23 -07:00			`"fmt"`
bridge: disable IPv6 router advertisements Signed-off-by: Samuel Karp <skarp@amazon.com> (cherry picked from commit 9489546c44d94d37337191c263879a7ac075a331) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-04-03 16:23:18 -07:00			`"os"`
			`"path/filepath"`
Prefer Netlink calls over ioctl As seen in https://github.com/docker/docker/issues/14738 there is general instability in the later kernels under race conditions when ioctl calls are used in parallel with netlink calls for various operations. (We are yet to narrow down to the exact root-cause on the kernel). For those older kernels which doesnt support some of the netlink APIs, we can fallback to using ioctl calls. Hence bringing back the original code that used netlink (https://github.com/docker/libnetwork/pull/349). Also, there was an existing bug in bridge creation using netlink which was setting bridge mac during bridge creation. That operation is not supported in the netlink library (and doesnt throw an error either). Included a fix for that condition by setting the bridge mac after creating the bridge. Signed-off-by: Madhu Venugopal <madhu@docker.com> 2015-07-30 06:02:23 -07:00
Fix libnetwork imports After moving libnetwork to this repo, we need to update all the import paths for libnetwork to point to docker/docker/libnetwork instead of docker/libnetwork. This change implements that. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2021-04-06 00:24:47 +00:00			`"github.com/docker/docker/libnetwork/netutils"`
Update logrus to v1.0.1 Fix case sensitivity issue Update docker and runc vendors Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2017-07-26 14:18:31 -07:00			`"github.com/sirupsen/logrus"`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`"github.com/vishvananda/netlink"`
			`)`

WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 21:11:12 -08:00			`// SetupDevice create a new bridge interface/`
Support network options in rest api - Also unexporting configuration structures in bridge - Changes in dnet/network.go to set bridge name = network name Signed-off-by: Alessandro Boch <aboch@docker.com> 2015-05-22 10:56:36 -07:00			`func setupDevice(config networkConfiguration, i bridgeInterface) error {`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`// We only attempt to create the bridge when the requested device name is`
			`// the default one.`
Fixed a few more issues observed during docker integration - DisableBridgeCreation is misleading. change it to DefaultBridge - Dont fail the init if localstore cannot be initialized - added a convenience function to get endpoint for a container Signed-off-by: Madhu Venugopal <madhu@docker.com> 2015-09-25 09:02:18 -07:00			`if config.BridgeName != DefaultBridgeName && config.DefaultBridge {`
Changed all the naked error returns in bridge driver to proper error types, except the naked error returns which were just prefixing strings to previously returned error strings. Signed-off-by: Jana Radhakrishnan <mrjana@docker.com> 2015-04-17 02:47:12 +00:00			`return NonDefaultBridgeExistError(config.BridgeName)`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`}`

Remove golint warnings Fix all golint warnings, mostly by making exported types internal. Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-03-04 13:25:43 -08:00			`// Set the bridgeInterface netlink.Bridge.`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:58:52 -08:00			`i.Link = &netlink.Bridge{`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`LinkAttrs: netlink.LinkAttrs{`
Added driver specific config support - Added api enhancement to pass driver specific config - Refactored simple bridge driver code for driver specific config - Added an undocumented option to add non-default bridges without manual pre-provisioning to help libnetwork testing - Reenabled libnetwork test to do api testing - Updated README.md Signed-off-by: Jana Radhakrishnan <mrjana@docker.com> 2015-04-15 05:25:42 +00:00			`Name: config.BridgeName,`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`},`
			`}`

drivers/bridge: skip kernel version check All distros that are supported by Docker now have at least kernel version 3.10, so this check should no longer be needed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-31 20:37:01 +02:00			`// Set the bridge's MAC address. Requires kernel version 3.3 or up.`
			`hwAddr := netutils.GenerateRandomMAC()`
			`i.Link.Attrs().HardwareAddr = hwAddr`
			`logrus.Debugf("Setting bridge mac address to %s", hwAddr)`
bridge: Fix hwaddr set race between us and udev systemd and udev in their default configuration attempt to set a persistent MAC address for network interfaces that don't have one already [systemd-def-link]. We set the address only after creating the interface, so there is a race between us and udev. There are several outcomes (that actually occur, this race is very much not a theoretical one): * We set the address before udev gets to the networking rules, so udev sees `/sys/devices/virtual/net/docker0/addr_assign_type = 3` (NET_ADDR_SET). This means there's no need to assign a different address and everything is fine. * udev reads `/sys/devices/virtual/net/docker0/addr_assign_type` before we set the address, gets `1` (NET_ADDR_RANDOM), and proceeds to generate and set a persistent address. Old versions of udev (pre-v242, i.e. without [udev-patch]) would then fail to generate an address, spit out "Could not generate persistent MAC address for docker0: No such file or directory" (see [udev-issue], and everything would be probably fine as well. Current version of udev (with [udev-patch]) will generate an address just fine and then race us setting it. As udev does more work than we, the most probable outcome is that udev will overwrite the address we set and possibly cause some trouble later on. On a clean Debian Buster (from Vagrant) VM with systemd/udev 242 from Debian Experimental, `docker network create net1` up to `net7` resulted in 3 bridges having a 02:42: address and 4 bridges having a seemingly random (actually generated from interface name) address. With systemd 241, the result would be all bridges having a 02:42:, but some "Could not generate persistent MAC address for" messages in the log. The fix is to revert the MAC address setting fix from 6901ea51dc9f99b9, as it is no longer necessary with current netlink [netlink-addr-add], and set the address atomically when creating the bridge interface, not after that. [systemd-def-link]: https://github.com/systemd/systemd/blob/a166cd3aacdbfd4df196bb4ca9f43cff19cf9fec/network/99-default.link [udev-patch]: https://github.com/systemd/systemd/commit/6d36464065601f79a352367cf099be8907d8f9aa [udev-issue]: https://github.com/systemd/systemd/issues/3374 [netlink-addr-add]: https://github.com/vishvananda/netlink/commit/7d9b424492b5319e5993c5d6e8bef48e583aabd6 ... Do note that a similar race happens when creating veth devices as well. I wasn't able to reproduce getting a wrong (non-02:42:) address, possibly because the address is set by docker later, maybe only after the interface is moved to another network namespace (but I'm just guessing here). Still, different timings result in various error messages being logged ("link_config: could not get ethtool features for vethd9c938e" and the like) depending on when the interface disappears from the primary network namespace. I'm not sure how to fix this and I don't intend to dig deeper into this. Signed-off-by: Tomas Janousek <tomi@nomi.cz> 2019-05-19 18:22:39 +02:00
drivers/bridge: skip kernel version check All distros that are supported by Docker now have at least kernel version 3.10, so this check should no longer be needed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-31 20:37:01 +02:00			`if err := i.nlh.LinkAdd(i.Link); err != nil {`
Prefer Netlink calls over ioctl As seen in https://github.com/docker/docker/issues/14738 there is general instability in the later kernels under race conditions when ioctl calls are used in parallel with netlink calls for various operations. (We are yet to narrow down to the exact root-cause on the kernel). For those older kernels which doesnt support some of the netlink APIs, we can fallback to using ioctl calls. Hence bringing back the original code that used netlink (https://github.com/docker/libnetwork/pull/349). Also, there was an existing bug in bridge creation using netlink which was setting bridge mac during bridge creation. That operation is not supported in the netlink library (and doesnt throw an error either). Included a fix for that condition by setting the bridge mac after creating the bridge. Signed-off-by: Madhu Venugopal <madhu@docker.com> 2015-07-30 06:02:23 -07:00			`logrus.Debugf("Failed to create bridge %s via netlink. Trying ioctl", config.BridgeName)`
drivers/bridge: skip kernel version check All distros that are supported by Docker now have at least kernel version 3.10, so this check should no longer be needed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-31 20:37:01 +02:00			`return ioctlCreateBridge(config.BridgeName, hwAddr.String())`
Prefer Netlink calls over ioctl As seen in https://github.com/docker/docker/issues/14738 there is general instability in the later kernels under race conditions when ioctl calls are used in parallel with netlink calls for various operations. (We are yet to narrow down to the exact root-cause on the kernel). For those older kernels which doesnt support some of the netlink APIs, we can fallback to using ioctl calls. Hence bringing back the original code that used netlink (https://github.com/docker/libnetwork/pull/349). Also, there was an existing bug in bridge creation using netlink which was setting bridge mac during bridge creation. That operation is not supported in the netlink library (and doesnt throw an error either). Included a fix for that condition by setting the bridge mac after creating the bridge. Signed-off-by: Madhu Venugopal <madhu@docker.com> 2015-07-30 06:02:23 -07:00			`}`

drivers/bridge: skip kernel version check All distros that are supported by Docker now have at least kernel version 3.10, so this check should no longer be needed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-31 20:37:01 +02:00			`return nil`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`}`

bridge: disable IPv6 router advertisements Signed-off-by: Samuel Karp <skarp@amazon.com> (cherry picked from commit 9489546c44d94d37337191c263879a7ac075a331) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-04-03 16:23:18 -07:00			`func setupDefaultSysctl(config networkConfiguration, i bridgeInterface) error {`
			`// Disable IPv6 router advertisements originating on the bridge`
			`sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra")`
			`if _, err := os.Stat(sysPath); err != nil {`
			`logrus.`
			`WithField("bridge", config.BridgeName).`
			`WithField("syspath", sysPath).`
			`Info("failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra")`
			`return nil`
			`}`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-08-24 18:10:50 +08:00			`if err := os.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil {`
log error instead if disabling IPv6 router advertisement failed Previously, failing to disable IPv6 router advertisement prevented the daemon to start. An issue was reported by a user that started docker using `systemd-nspawn "machine"`, which produced an error; failed to start daemon: Error initializing network controller: Error creating default "bridge" network: libnetwork: Unable to disable IPv6 router advertisement: open /proc/sys/net/ipv6/conf/docker0/accept_ra: read-only file system This patch changes the error to a log-message instead. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-06-05 14:01:18 +02:00			`logrus.WithError(err).Warn("unable to disable IPv6 router advertisement")`
bridge: disable IPv6 router advertisements Signed-off-by: Samuel Karp <skarp@amazon.com> (cherry picked from commit 9489546c44d94d37337191c263879a7ac075a331) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-04-03 16:23:18 -07:00			`}`
			`return nil`
			`}`

WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 21:11:12 -08:00			`// SetupDeviceUp ups the given bridge interface.`
Support network options in rest api - Also unexporting configuration structures in bridge - Changes in dnet/network.go to set bridge name = network name Signed-off-by: Alessandro Boch <aboch@docker.com> 2015-05-22 10:56:36 -07:00			`func setupDeviceUp(config networkConfiguration, i bridgeInterface) error {`
Migrate libnetwork to use netlink.Handle Signed-off-by: Alessandro Boch <aboch@docker.com> 2016-05-16 11:51:40 -07:00			`err := i.nlh.LinkSetUp(i.Link)`
Add tests Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-24 11:19:00 -08:00			`if err != nil {`
Migrate libnetwork to use netlink.Handle Signed-off-by: Alessandro Boch <aboch@docker.com> 2016-05-16 11:51:40 -07:00			`return fmt.Errorf("Failed to set link up for %s: %v", config.BridgeName, err)`
Add tests Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-24 11:19:00 -08:00			`}`

			`// Attempt to update the bridge interface to refresh the flags status,`
			`// ignoring any failure to do so.`
Migrate libnetwork to use netlink.Handle Signed-off-by: Alessandro Boch <aboch@docker.com> 2016-05-16 11:51:40 -07:00			`if lnk, err := i.nlh.LinkByName(config.BridgeName); err == nil {`
Add tests Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-24 11:19:00 -08:00			`i.Link = lnk`
Migrate libnetwork to use netlink.Handle Signed-off-by: Alessandro Boch <aboch@docker.com> 2016-05-16 11:51:40 -07:00			`} else {`
			`logrus.Warnf("Failed to retrieve link for interface (%s): %v", config.BridgeName, err)`
Add tests Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-24 11:19:00 -08:00			`}`
			`return nil`
WIP - Bridge refactoring Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-02-22 17:24:22 -08:00			`}`