kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity
moby--moby/network.go

756 lines
20 KiB
Go
Raw Normal View History

Basic networking support with hardcoded addresses. Work in progress.
2013-02-21 01:47:09 +00:00
package docker
import (
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
"encoding/binary"
Network allocator
2013-02-25 18:45:23 +00:00
"errors"
Network: Automatically figure out the gateway and netmask by inspecting the lxc bridge interface
2013-02-21 02:20:18 +00:00
"fmt"
Create a subpackage for utils
2013-05-14 22:37:35 +00:00
"github.com/dotcloud/docker/utils"
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
"log"
Basic networking support with hardcoded addresses. Work in progress.
2013-02-21 01:47:09 +00:00
"net"
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
"os/exec"
"strconv"
"strings"
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
"sync"
Basic networking support with hardcoded addresses. Work in progress.
2013-02-21 01:47:09 +00:00
)
Put the bridge interface name in the command line
2013-04-03 21:53:09 +00:00
var NetworkBridgeIface string
Basic networking support with hardcoded addresses. Work in progress.
2013-02-21 01:47:09 +00:00
const (
Changed default bridge interface do 'docker0'
2013-04-05 21:16:19 +00:00
DefaultNetworkBridge = "docker0"
Support completely disabling network configuration with docker -d -b none
2013-07-22 00:49:09 +00:00
DisableNetworkBridge = "none"
Move the default bridge name to a constant
2013-04-04 12:33:28 +00:00
portRangeStart = 49153
portRangeEnd = 65535
Basic networking support with hardcoded addresses. Work in progress.
2013-02-21 01:47:09 +00:00
)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
// Calculates the first and last IP addresses in an IPNet
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
func networkRange(network *net.IPNet) (net.IP, net.IP) {
netIP := network.IP.To4()
firstIP := netIP.Mask(network.Mask)
lastIP := net.IPv4(0, 0, 0, 0).To4()
for i := 0; i < len(lastIP); i++ {
lastIP[i] = netIP[i] | ^network.Mask[i]
}
return firstIP, lastIP
}
Add an helper function to check if two network overlaps. Also add unit tests for this function
2013-04-03 21:53:54 +00:00
// Detects overlap between one IPNet and another
func networkOverlaps(netX *net.IPNet, netY *net.IPNet) bool {
firstIP, _ := networkRange(netX)
if netY.Contains(firstIP) {
return true
}
firstIP, _ = networkRange(netY)
if netX.Contains(firstIP) {
return true
}
return false
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
// Converts a 4 bytes IP into a 32 bit integer
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
func ipToInt(ip net.IP) int32 {
return int32(binary.BigEndian.Uint32(ip.To4()))
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
// Converts 32 bit integer into a 4 bytes IP address
linted names
2013-06-04 18:00:22 +00:00
func intToIP(n int32) net.IP {
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
b := make([]byte, 4)
binary.BigEndian.PutUint32(b, uint32(n))
return net.IP(b)
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
// Given a netmask, calculates the number of available hosts
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
func networkSize(mask net.IPMask) int32 {
Integrated the network allocator into Docker. A networking environment is assigned to each container upon Start and released whenever the container exits.
2013-02-25 22:06:22 +00:00
m := net.IPv4Mask(0, 0, 0, 0)
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
for i := 0; i < net.IPv4len; i++ {
Integrated the network allocator into Docker. A networking environment is assigned to each container upon Start and released whenever the container exits.
2013-02-25 22:06:22 +00:00
m[i] = ^mask[i]
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
return int32(binary.BigEndian.Uint32(m)) + 1
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
}
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
//Wrapper around the ip command
func ip(args ...string) (string, error) {
path, err := exec.LookPath("ip")
if err != nil {
return "", fmt.Errorf("command not found: ip")
}
output, err := exec.Command(path, args...).CombinedOutput()
if err != nil {
return "", fmt.Errorf("ip failed: ip %v", strings.Join(args, " "))
}
return string(output), nil
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
// Wrapper around the iptables command
func iptables(args ...string) error {
Looking for iptables in PATH
2013-03-27 18:29:58 +00:00
path, err := exec.LookPath("iptables")
if err != nil {
Return error when iptables is not found
2013-03-28 19:30:56 +00:00
return fmt.Errorf("command not found: iptables")
Looking for iptables in PATH
2013-03-27 18:29:58 +00:00
}
if err := exec.Command(path, args...).Run(); err != nil {
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
return fmt.Errorf("iptables failed: iptables %v", strings.Join(args, " "))
}
return nil
}
Make sure the routes IP are taken into consideration + add unit test for network overlap detection
2013-08-02 01:12:39 +00:00
func checkRouteOverlaps(routes string, dockerNetwork *net.IPNet) error {
utils.Debugf("Routes:\n\n%s", routes)
for _, line := range strings.Split(routes, "\n") {
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
if strings.Trim(line, "\r\n\t ") == "" || strings.Contains(line, "default") {
continue
}
Make sure the routes IP are taken into consideration + add unit test for network overlap detection
2013-08-02 01:12:39 +00:00
_, network, err := net.ParseCIDR(strings.Split(line, " ")[0])
if err != nil {
Handle ip route showing mask-less IP addresses Sometimes `ip route` will show mask-less IPs, so net.ParseCIDR will fail. If it does we check if we can net.ParseIP, and fail only if we can't. Fixes #1214 Fixes #362
2013-08-01 00:42:22 +00:00
// is this a mask-less IP address?
if ip := net.ParseIP(strings.Split(line, " ")[0]); ip == nil {
// fail only if it's neither a network nor a mask-less IP address
return fmt.Errorf("Unexpected ip route output: %s (%s)", err, line)
Make sure the routes IP are taken into consideration + add unit test for network overlap detection
2013-08-02 01:12:39 +00:00
} else {
_, network, err = net.ParseCIDR(ip.String() + "/32")
if err != nil {
return err
}
}
}
if err == nil && network != nil {
if networkOverlaps(dockerNetwork, network) {
return fmt.Errorf("Network %s is already routed: '%s'", dockerNetwork, line)
Handle ip route showing mask-less IP addresses Sometimes `ip route` will show mask-less IPs, so net.ParseCIDR will fail. If it does we check if we can net.ParseIP, and fail only if we can't. Fixes #1214 Fixes #362
2013-08-01 00:42:22 +00:00
}
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
}
}
return nil
}
Allocate a /16 IP range by default, with fallback to /24. Try a total of 12 ranges instead of 3.
2013-07-22 19:06:24 +00:00
// CreateBridgeIface creates a network bridge interface on the host system with the name `ifaceName`,
// and attempts to configure it with an address which doesn't conflict with any other interface on the host.
// If it can't find an address which doesn't conflict, it will return an error.
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
func CreateBridgeIface(ifaceName string) error {
Allocate a /16 IP range by default, with fallback to /24. Try a total of 12 ranges instead of 3.
2013-07-22 19:06:24 +00:00
addrs := []string{
// Here we don't follow the convention of using the 1st IP of the range for the gateway.
// This is to use the same gateway IPs as the /24 ranges, which predate the /16 ranges.
// In theory this shouldn't matter - in practice there's bound to be a few scripts relying
// on the internal addressing or other stupid things like that.
// The shouldn't, but hey, let's not break them unless we really have to.
change network range to avoid conflict with EC2 DNS
2013-08-07 00:24:10 +00:00
"172.17.42.1/16", // Don't use 172.16.0.0/16, it conflicts with EC2 DNS 172.16.0.23
"10.0.42.1/16", // Don't even try using the entire /8, that's too intrusive
Allocate a /16 IP range by default, with fallback to /24. Try a total of 12 ranges instead of 3.
2013-07-22 19:06:24 +00:00
"10.1.42.1/16",
"10.42.42.1/16",
"172.16.42.1/24",
"172.16.43.1/24",
"172.16.44.1/24",
"10.0.42.1/24",
"10.0.43.1/24",
"192.168.42.1/24",
"192.168.43.1/24",
"192.168.44.1/24",
}
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
var ifaceAddr string
for _, addr := range addrs {
_, dockerNetwork, err := net.ParseCIDR(addr)
if err != nil {
return err
}
Make sure the routes IP are taken into consideration + add unit test for network overlap detection
2013-08-02 01:12:39 +00:00
routes, err := ip("route")
if err != nil {
return err
}
if err := checkRouteOverlaps(routes, dockerNetwork); err == nil {
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
ifaceAddr = addr
break
} else {
Create a subpackage for utils
2013-05-14 22:37:35 +00:00
utils.Debugf("%s: %s", addr, err)
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
}
}
if ifaceAddr == "" {
Make it more clear when Docker fails to allocate a free IP range for its bridge
2013-04-09 01:16:58 +00:00
return fmt.Errorf("Could not find a free IP address range for interface '%s'. Please configure its address manually and run 'docker -b %s'", ifaceName, ifaceName)
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
}
drop/omit
2013-06-04 13:51:12 +00:00
utils.Debugf("Creating bridge %s with network %s", ifaceName, ifaceAddr)
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
if output, err := ip("link", "add", ifaceName, "type", "bridge"); err != nil {
return fmt.Errorf("Error creating bridge: %s (output: %s)", err, output)
}
if output, err := ip("addr", "add", ifaceAddr, "dev", ifaceName); err != nil {
return fmt.Errorf("Unable to add private network: %s (%s)", err, output)
}
if output, err := ip("link", "set", ifaceName, "up"); err != nil {
return fmt.Errorf("Unable to start network bridge: %s (%s)", err, output)
}
if err := iptables("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr,
"!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil {
return fmt.Errorf("Unable to enable network bridge NAT: %s", err)
}
return nil
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
// Return the IPv4 address of a network interface
Integrated the network allocator into Docker. A networking environment is assigned to each container upon Start and released whenever the container exits.
2013-02-25 22:06:22 +00:00
func getIfaceAddr(name string) (net.Addr, error) {
Network: Automatically figure out the gateway and netmask by inspecting the lxc bridge interface
2013-02-21 02:20:18 +00:00
iface, err := net.InterfaceByName(name)
if err != nil {
return nil, err
}
addrs, err := iface.Addrs()
if err != nil {
return nil, err
}
var addrs4 []net.Addr
for _, addr := range addrs {
ip := (addr.(*net.IPNet)).IP
if ip4 := ip.To4(); len(ip4) == net.IPv4len {
addrs4 = append(addrs4, addr)
}
}
switch {
case len(addrs4) == 0:
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
return nil, fmt.Errorf("Interface %v has no IP addresses", name)
Network: Automatically figure out the gateway and netmask by inspecting the lxc bridge interface
2013-02-21 02:20:18 +00:00
case len(addrs4) > 1:
When lxcbr0 has several associated IPs, default to first one found
2013-03-21 16:19:22 +00:00
fmt.Printf("Interface %v has more than 1 IPv4 address. Defaulting to using %v\n",
name, (addrs4[0].(*net.IPNet)).IP)
Network: Automatically figure out the gateway and netmask by inspecting the lxc bridge interface
2013-02-21 02:20:18 +00:00
}
return addrs4[0], nil
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
// Port mapper takes care of mapping external ports to containers by setting
// up iptables rules.
// It keeps track of all mappings and is able to unmap at will
type PortMapper struct {
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
tcpMapping map[int]*net.TCPAddr
tcpProxies map[int]Proxy
udpMapping map[int]*net.UDPAddr
udpProxies map[int]Proxy
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
func (mapper *PortMapper) cleanup() error {
// Ignore errors - This could mean the chains were never set up
Fix NAT problem with ports looping back to containers
2013-04-03 22:32:46 +00:00
iptables("-t", "nat", "-D", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER")
Exclude loopback-to-loopback connections from DNAT rules, to allow userland proxying
2013-04-20 02:32:32 +00:00
iptables("-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8", "-j", "DOCKER")
iptables("-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER") // Created in versions <= 0.1.6
Continue cleaning up iptables rules from previous version, to avoid crashing after an upgrade
2013-04-04 22:16:42 +00:00
// Also cleanup rules created by older versions, or -X might fail.
iptables("-t", "nat", "-D", "PREROUTING", "-j", "DOCKER")
iptables("-t", "nat", "-D", "OUTPUT", "-j", "DOCKER")
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
iptables("-t", "nat", "-F", "DOCKER")
iptables("-t", "nat", "-X", "DOCKER")
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
mapper.tcpMapping = make(map[int]*net.TCPAddr)
mapper.tcpProxies = make(map[int]Proxy)
mapper.udpMapping = make(map[int]*net.UDPAddr)
mapper.udpProxies = make(map[int]Proxy)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
return nil
}
func (mapper *PortMapper) setup() error {
if err := iptables("-t", "nat", "-N", "DOCKER"); err != nil {
Handling iptables() errors more usefully during portmapper setup
2013-03-28 19:44:54 +00:00
return fmt.Errorf("Failed to create DOCKER chain: %s", err)
Network: Automatically figure out the gateway and netmask by inspecting the lxc bridge interface
2013-02-21 02:20:18 +00:00
}
Fix NAT problem with ports looping back to containers
2013-04-03 22:32:46 +00:00
if err := iptables("-t", "nat", "-A", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"); err != nil {
Handling iptables() errors more usefully during portmapper setup
2013-03-28 19:44:54 +00:00
return fmt.Errorf("Failed to inject docker in PREROUTING chain: %s", err)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Exclude loopback-to-loopback connections from DNAT rules, to allow userland proxying
2013-04-20 02:32:32 +00:00
if err := iptables("-t", "nat", "-A", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8", "-j", "DOCKER"); err != nil {
Handling iptables() errors more usefully during portmapper setup
2013-03-28 19:44:54 +00:00
return fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)
Fixing Issue #98: Adding DOCKER to output chain during iptables setup
2013-03-22 14:06:14 +00:00
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
return nil
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
func (mapper *PortMapper) iptablesForward(rule string, port int, proto string, dest_addr string, dest_port int) error {
return iptables("-t", "nat", rule, "DOCKER", "-p", proto, "--dport", strconv.Itoa(port),
Let userland proxy handle container-bound traffic
2013-08-06 17:00:45 +00:00
"!", "-i", NetworkBridgeIface,
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
"-j", "DNAT", "--to-destination", net.JoinHostPort(dest_addr, strconv.Itoa(dest_port)))
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
func (mapper *PortMapper) Map(port int, backendAddr net.Addr) error {
if _, isTCP := backendAddr.(*net.TCPAddr); isTCP {
backendPort := backendAddr.(*net.TCPAddr).Port
backendIP := backendAddr.(*net.TCPAddr).IP
if err := mapper.iptablesForward("-A", port, "tcp", backendIP.String(), backendPort); err != nil {
return err
}
mapper.tcpMapping[port] = backendAddr.(*net.TCPAddr)
Let userland proxy handle container-bound traffic
2013-08-06 17:00:45 +00:00
proxy, err := NewProxy(&net.TCPAddr{IP: net.IPv4(0, 0, 0, 0), Port: port}, backendAddr)
Emulate DNAT in userland for loopback-to-loopback connections. This makes container ports available from localhost.
2013-04-20 02:35:44 +00:00
if err != nil {
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
mapper.Unmap(port, "tcp")
Emulate DNAT in userland for loopback-to-loopback connections. This makes container ports available from localhost.
2013-04-20 02:35:44 +00:00
return err
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
mapper.tcpProxies[port] = proxy
go proxy.Run()
} else {
backendPort := backendAddr.(*net.UDPAddr).Port
backendIP := backendAddr.(*net.UDPAddr).IP
if err := mapper.iptablesForward("-A", port, "udp", backendIP.String(), backendPort); err != nil {
return err
}
mapper.udpMapping[port] = backendAddr.(*net.UDPAddr)
Let userland proxy handle container-bound traffic
2013-08-06 17:00:45 +00:00
proxy, err := NewProxy(&net.UDPAddr{IP: net.IPv4(0, 0, 0, 0), Port: port}, backendAddr)
Emulate DNAT in userland for loopback-to-loopback connections. This makes container ports available from localhost.
2013-04-20 02:35:44 +00:00
if err != nil {
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
mapper.Unmap(port, "udp")
return err
Emulate DNAT in userland for loopback-to-loopback connections. This makes container ports available from localhost.
2013-04-20 02:35:44 +00:00
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
mapper.udpProxies[port] = proxy
go proxy.Run()
Emulate DNAT in userland for loopback-to-loopback connections. This makes container ports available from localhost.
2013-04-20 02:35:44 +00:00
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
return nil
Emulate DNAT in userland for loopback-to-loopback connections. This makes container ports available from localhost.
2013-04-20 02:35:44 +00:00
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
func (mapper *PortMapper) Unmap(port int, proto string) error {
if proto == "tcp" {
backendAddr, ok := mapper.tcpMapping[port]
if !ok {
return fmt.Errorf("Port tcp/%v is not mapped", port)
}
if proxy, exists := mapper.tcpProxies[port]; exists {
proxy.Close()
delete(mapper.tcpProxies, port)
}
if err := mapper.iptablesForward("-D", port, proto, backendAddr.IP.String(), backendAddr.Port); err != nil {
return err
}
delete(mapper.tcpMapping, port)
} else {
backendAddr, ok := mapper.udpMapping[port]
if !ok {
return fmt.Errorf("Port udp/%v is not mapped", port)
}
if proxy, exists := mapper.udpProxies[port]; exists {
proxy.Close()
delete(mapper.udpProxies, port)
}
if err := mapper.iptablesForward("-D", port, proto, backendAddr.IP.String(), backendAddr.Port); err != nil {
return err
}
delete(mapper.udpMapping, port)
Network: Do not assume that we are using a class C. Instead, compute the IP addresses range and network size in order to allocate an IP address.
2013-02-22 02:33:23 +00:00
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
return nil
}
func newPortMapper() (*PortMapper, error) {
mapper := &PortMapper{}
if err := mapper.cleanup(); err != nil {
Integrated the network allocator into Docker. A networking environment is assigned to each container upon Start and released whenever the container exits.
2013-02-25 22:06:22 +00:00
return nil, err
Basic networking support with hardcoded addresses. Work in progress.
2013-02-21 01:47:09 +00:00
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
if err := mapper.setup(); err != nil {
return nil, err
}
return mapper, nil
Basic networking support with hardcoded addresses. Work in progress.
2013-02-21 01:47:09 +00:00
}
Network allocator
2013-02-25 18:45:23 +00:00
Fixed typos
2013-08-12 17:53:06 +00:00
// Port allocator: Automatically allocate and release networking ports
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
type PortAllocator struct {
Mutex style change. For structs protected by a single mutex, embed the mutex for more concise usage. Also use a sync.Mutex directly, rather than a pointer, to avoid the need for initialization (because a Mutex's zero-value is valid and ready to be used).
2013-07-02 22:46:32 +00:00
sync.Mutex
Choose which TCP frontend port to allocate with '-p :PORT'
2013-04-05 05:58:01 +00:00
inUse map[int]struct{}
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
fountain chan int
quit chan bool
Network allocator
2013-02-25 18:45:23 +00:00
}
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
func (alloc *PortAllocator) runFountain() {
for {
for port := portRangeStart; port < portRangeEnd; port++ {
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
select {
case alloc.fountain <- port:
case quit := <-alloc.quit:
if quit {
return
}
}
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
}
Network allocator
2013-02-25 18:45:23 +00:00
}
}
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
// FIXME: Release can no longer fail, change its prototype to reflect that.
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
func (alloc *PortAllocator) Release(port int) error {
Create a subpackage for utils
2013-05-14 22:37:35 +00:00
utils.Debugf("Releasing %d", port)
Mutex style change. For structs protected by a single mutex, embed the mutex for more concise usage. Also use a sync.Mutex directly, rather than a pointer, to avoid the need for initialization (because a Mutex's zero-value is valid and ready to be used).
2013-07-02 22:46:32 +00:00
alloc.Lock()
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
delete(alloc.inUse, port)
Mutex style change. For structs protected by a single mutex, embed the mutex for more concise usage. Also use a sync.Mutex directly, rather than a pointer, to avoid the need for initialization (because a Mutex's zero-value is valid and ready to be used).
2013-07-02 22:46:32 +00:00
alloc.Unlock()
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
return nil
}
func (alloc *PortAllocator) Acquire(port int) (int, error) {
Create a subpackage for utils
2013-05-14 22:37:35 +00:00
utils.Debugf("Acquiring %d", port)
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
if port == 0 {
// Allocate a port from the fountain
for port := range alloc.fountain {
if _, err := alloc.Acquire(port); err == nil {
return port, nil
}
}
return -1, fmt.Errorf("Port generator ended unexpectedly")
Network allocator
2013-02-25 18:45:23 +00:00
}
Mutex style change. For structs protected by a single mutex, embed the mutex for more concise usage. Also use a sync.Mutex directly, rather than a pointer, to avoid the need for initialization (because a Mutex's zero-value is valid and ready to be used).
2013-07-02 22:46:32 +00:00
alloc.Lock()
defer alloc.Unlock()
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
if _, inUse := alloc.inUse[port]; inUse {
return -1, fmt.Errorf("Port already in use: %d", port)
}
alloc.inUse[port] = struct{}{}
return port, nil
Network allocator
2013-02-25 18:45:23 +00:00
}
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
func (alloc *PortAllocator) Close() error {
alloc.quit <- true
close(alloc.quit)
close(alloc.fountain)
return nil
}
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
func newPortAllocator() (*PortAllocator, error) {
allocator := &PortAllocator{
Go fmt
2013-04-12 14:37:24 +00:00
inUse: make(map[int]struct{}),
Fix a race condition when running the port allocator
2013-04-05 20:03:04 +00:00
fountain: make(chan int),
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
quit: make(chan bool),
Refactored PortAllocator to allow for same-frontend constraint
2013-04-05 05:56:12 +00:00
}
go allocator.runFountain()
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
return allocator, nil
}
Fixed typos
2013-08-12 17:53:06 +00:00
// IP allocator: Automatically allocate and release networking ports
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
type IPAllocator struct {
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
network *net.IPNet
queueAlloc chan allocatedIP
queueReleased chan net.IP
inUse map[int32]struct{}
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
quit chan bool
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
}
type allocatedIP struct {
ip net.IP
err error
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
func (alloc *IPAllocator) run() {
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
firstIP, _ := networkRange(alloc.network)
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
ipNum := ipToInt(firstIP)
ownIP := ipToInt(alloc.network.IP)
size := networkSize(alloc.network.Mask)
pos := int32(1)
max := size - 2 // -1 for the broadcast address, -1 for the gateway address
for {
var (
newNum int32
inUse bool
)
// Find first unused IP, give up after one whole round
for attempt := int32(0); attempt < max; attempt++ {
newNum = ipNum + pos
pos = pos%max + 1
// The network's IP is never okay to use
if newNum == ownIP {
continue
}
if _, inUse = alloc.inUse[newNum]; !inUse {
// We found an unused IP
break
}
Network allocator
2013-02-25 18:45:23 +00:00
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
linted names
2013-06-04 18:00:22 +00:00
ip := allocatedIP{ip: intToIP(newNum)}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
if inUse {
ip.err = errors.New("No unallocated IP available")
Network allocator
2013-02-25 18:45:23 +00:00
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
select {
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
case quit := <-alloc.quit:
if quit {
return
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
case alloc.queueAlloc <- ip:
alloc.inUse[newNum] = struct{}{}
case released := <-alloc.queueReleased:
r := ipToInt(released)
delete(alloc.inUse, r)
if inUse {
// If we couldn't allocate a new IP, the released one
// will be the only free one now, so instantly use it
// next time
pos = r - ipNum
} else {
// Use same IP as last time
if pos == 1 {
pos = max
} else {
pos--
}
}
Network allocator
2013-02-25 18:45:23 +00:00
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
}
func (alloc *IPAllocator) Acquire() (net.IP, error) {
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
ip := <-alloc.queueAlloc
return ip.ip, ip.err
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
func (alloc *IPAllocator) Release(ip net.IP) {
alloc.queueReleased <- ip
Network allocator
2013-02-25 18:45:23 +00:00
}
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
func (alloc *IPAllocator) Close() error {
alloc.quit <- true
close(alloc.quit)
close(alloc.queueAlloc)
close(alloc.queueReleased)
return nil
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
func newIPAllocator(network *net.IPNet) *IPAllocator {
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
alloc := &IPAllocator{
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
network: network,
queueAlloc: make(chan allocatedIP),
queueReleased: make(chan net.IP),
inUse: make(map[int32]struct{}),
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
quit: make(chan bool),
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
go alloc.run()
return alloc
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
// Network interface represents the networking stack of a container
type NetworkInterface struct {
IPNet net.IPNet
Gateway net.IP
manager *NetworkManager
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
extPorts []*Nat
Support completely disabling network configuration with docker -d -b none
2013-07-22 00:49:09 +00:00
disabled bool
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
// Allocate an external TCP port and map it to the interface
Choose which TCP frontend port to allocate with '-p :PORT'
2013-04-05 05:58:01 +00:00
func (iface *NetworkInterface) AllocatePort(spec string) (*Nat, error) {
Support completely disabling network configuration with docker -d -b none
2013-07-22 00:49:09 +00:00
if iface.disabled {
return nil, fmt.Errorf("Trying to allocate port for interface %v, which is disabled", iface) // FIXME
}
Choose which TCP frontend port to allocate with '-p :PORT'
2013-04-05 05:58:01 +00:00
nat, err := parseNat(spec)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
if err != nil {
Choose which TCP frontend port to allocate with '-p :PORT'
2013-04-05 05:58:01 +00:00
return nil, err
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
if nat.Proto == "tcp" {
extPort, err := iface.manager.tcpPortAllocator.Acquire(nat.Frontend)
if err != nil {
return nil, err
}
backend := &net.TCPAddr{IP: iface.IPNet.IP, Port: nat.Backend}
if err := iface.manager.portMapper.Map(extPort, backend); err != nil {
iface.manager.tcpPortAllocator.Release(extPort)
return nil, err
}
nat.Frontend = extPort
} else {
extPort, err := iface.manager.udpPortAllocator.Acquire(nat.Frontend)
if err != nil {
return nil, err
}
backend := &net.UDPAddr{IP: iface.IPNet.IP, Port: nat.Backend}
if err := iface.manager.portMapper.Map(extPort, backend); err != nil {
iface.manager.udpPortAllocator.Release(extPort)
return nil, err
}
nat.Frontend = extPort
Choose which TCP frontend port to allocate with '-p :PORT'
2013-04-05 05:58:01 +00:00
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
iface.extPorts = append(iface.extPorts, nat)
Choose which TCP frontend port to allocate with '-p :PORT'
2013-04-05 05:58:01 +00:00
return nat, nil
}
type Nat struct {
Proto string
Frontend int
Backend int
}
func parseNat(spec string) (*Nat, error) {
var nat Nat
specify public port
2013-06-10 13:56:43 +00:00
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
if strings.Contains(spec, "/") {
specParts := strings.Split(spec, "/")
if len(specParts) != 2 {
return nil, fmt.Errorf("Invalid port format.")
}
proto := specParts[1]
spec = specParts[0]
if proto != "tcp" && proto != "udp" {
return nil, fmt.Errorf("Invalid port format: unknown protocol %v.", proto)
}
nat.Proto = proto
} else {
nat.Proto = "tcp"
}
specify public port
2013-06-10 13:56:43 +00:00
if strings.Contains(spec, ":") {
specParts := strings.Split(spec, ":")
if len(specParts) != 2 {
return nil, fmt.Errorf("Invalid port format.")
}
// If spec starts with ':', external and internal ports must be the same.
// This might fail if the requested external port is not available.
var sameFrontend bool
if len(specParts[0]) == 0 {
sameFrontend = true
} else {
front, err := strconv.ParseUint(specParts[0], 10, 16)
if err != nil {
return nil, err
}
nat.Frontend = int(front)
}
back, err := strconv.ParseUint(specParts[1], 10, 16)
if err != nil {
return nil, err
}
nat.Backend = int(back)
if sameFrontend {
nat.Frontend = nat.Backend
}
} else {
port, err := strconv.ParseUint(spec, 10, 16)
if err != nil {
return nil, err
}
nat.Backend = int(port)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
Choose which TCP frontend port to allocate with '-p :PORT'
2013-04-05 05:58:01 +00:00
return &nat, nil
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
// Release: Network cleanup - release all resources
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
func (iface *NetworkInterface) Release() {
Support completely disabling network configuration with docker -d -b none
2013-07-22 00:49:09 +00:00
if iface.disabled {
return
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
for _, nat := range iface.extPorts {
utils.Debugf("Unmaping %v/%v", nat.Proto, nat.Frontend)
if err := iface.manager.portMapper.Unmap(nat.Frontend, nat.Proto); err != nil {
log.Printf("Unable to unmap port %v/%v: %v", nat.Proto, nat.Frontend, err)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
if nat.Proto == "tcp" {
if err := iface.manager.tcpPortAllocator.Release(nat.Frontend); err != nil {
log.Printf("Unable to release port tcp/%v: %v", nat.Frontend, err)
}
} else if err := iface.manager.udpPortAllocator.Release(nat.Frontend); err != nil {
log.Printf("Unable to release port udp/%v: %v", nat.Frontend, err)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
}
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
iface.manager.ipAllocator.Release(iface.IPNet.IP)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
// Network Manager manages a set of network interfaces
// Only *one* manager per host machine should be used
type NetworkManager struct {
bridgeIface string
bridgeNetwork *net.IPNet
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
ipAllocator *IPAllocator
tcpPortAllocator *PortAllocator
udpPortAllocator *PortAllocator
portMapper *PortMapper
Support completely disabling network configuration with docker -d -b none
2013-07-22 00:49:09 +00:00
disabled bool
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
// Allocate a network interface
func (manager *NetworkManager) Allocate() (*NetworkInterface, error) {
Support completely disabling network configuration with docker -d -b none
2013-07-22 00:49:09 +00:00
if manager.disabled {
return &NetworkInterface{disabled: true}, nil
}
Make sure 'Ghost' container is available with allocated IP
2013-08-21 14:37:58 +00:00
var ip net.IP
var err error
ip, err = manager.ipAllocator.Acquire()
Network allocator
2013-02-25 18:45:23 +00:00
if err != nil {
Integrated the network allocator into Docker. A networking environment is assigned to each container upon Start and released whenever the container exits.
2013-02-25 22:06:22 +00:00
return nil, err
Network allocator
2013-02-25 18:45:23 +00:00
}
Just fixing gofmt issues in other people's code.
2013-08-30 00:49:11 +00:00
// avoid duplicate IP
Make sure 'Ghost' container is available with allocated IP
2013-08-21 14:37:58 +00:00
ipNum := ipToInt(ip)
firstIP := manager.ipAllocator.network.IP.To4().Mask(manager.ipAllocator.network.Mask)
firstIPNum := ipToInt(firstIP) + 1
if firstIPNum == ipNum {
ip, err = manager.ipAllocator.Acquire()
if err != nil {
return nil, err
}
}
Integrated the network allocator into Docker. A networking environment is assigned to each container upon Start and released whenever the container exits.
2013-02-25 22:06:22 +00:00
iface := &NetworkInterface{
Complete pull request #121, init TCPAddr with named field
2013-03-20 13:02:25 +00:00
IPNet: net.IPNet{IP: ip, Mask: manager.bridgeNetwork.Mask},
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
Gateway: manager.bridgeNetwork.IP,
manager: manager,
Integrated the network allocator into Docker. A networking environment is assigned to each container upon Start and released whenever the container exits.
2013-02-25 22:06:22 +00:00
}
return iface, nil
}
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
func (manager *NetworkManager) Close() error {
err1 := manager.tcpPortAllocator.Close()
err2 := manager.udpPortAllocator.Close()
err3 := manager.ipAllocator.Close()
if err1 != nil {
return err1
}
if err2 != nil {
return err2
}
return err3
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
func newNetworkManager(bridgeIface string) (*NetworkManager, error) {
Support completely disabling network configuration with docker -d -b none
2013-07-22 00:49:09 +00:00
if bridgeIface == DisableNetworkBridge {
manager := &NetworkManager{
disabled: true,
}
return manager, nil
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
addr, err := getIfaceAddr(bridgeIface)
if err != nil {
If bridge does not exists, try to create it
2013-04-03 22:57:57 +00:00
// If the iface is not found, try to create it
if err := CreateBridgeIface(bridgeIface); err != nil {
return nil, err
}
addr, err = getIfaceAddr(bridgeIface)
if err != nil {
return nil, err
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
network := addr.(*net.IPNet)
Make IP allocator lazy Instead of allocating all possible IPs in advance, generate them as needed. A loop will cycle through all possible IPs in sequential order, allocating them as needed and marking them as in use. Once the loop exhausts all IPs, it will wrap back to the beginning. IPs that are already in use will be skipped. When an IP is released, it will be cleared and be available for allocation again. Two decisions went into this design: 1) Minimize memory footprint by only allocating IPs that are actually in use 2) Minimize reuse of released IP addresses to avoid sending traffic to the wrong containers As a side effect, the functions for IP/Mask<->int conversion have been rewritten to never be able to fail in order to reduce the amount of error returns. Fixes gh-231
2013-03-30 22:32:10 +00:00
ipAllocator := newIPAllocator(network)
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
tcpPortAllocator, err := newPortAllocator()
if err != nil {
return nil, err
}
udpPortAllocator, err := newPortAllocator()
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
if err != nil {
return nil, err
}
portMapper, err := newPortMapper()
handle errors during the creation of port mapper example: 2013/03/22 21:42:55 Unable to setup port networking: Failed to create DOCKER chain (which was possibly introduced by commit 3c6b8bb88)
2013-03-23 04:43:31 +00:00
if err != nil {
return nil, err
}
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
manager := &NetworkManager{
Add support for UDP (closes #33) API Changes ----------- The port notation is extended to support "/udp" or "/tcp" at the *end* of the specifier string (and defaults to tcp if "/tcp" or "/udp" are missing) `docker ps` now shows UDP ports as "frontend->backend/udp". Nothing changes for TCP ports. `docker inspect` now displays two sub-dictionaries: "Tcp" and "Udp", under "PortMapping" in "NetworkSettings". Theses changes stand true for the values returned by the HTTP API too. This changeset will definitely break tools built upon the API (or upon `docker inspect`). A less intrusive way to add UDP ports in `docker inspect` would be to simply add "/udp" for UDP ports but it will still break existing applications which tries to convert the whole field to an integer. I believe that having two TCP/UDP sub-dictionaries is better because it makes the whole thing more clear and more easy to parse right away (i.e: you don't have to check the format of the string, split it and convert the right part to an integer) Code Changes ------------ Significant changes in network.go: - A second PortAllocator is instantiated for the UDP range; - PortMapper maintains separate mapping for TCP and UDP; - The extPorts array in NetworkInterface is now an array of Nat objects (so we can know on which protocol a given port was mapped when NetworkInterface.Release() is called); - TCP proxying on localhost has been moved away in network_proxy.go. localhost proxy code rewrite in network_proxy.go: We have to proxy the traffic between localhost:frontend-port and container:backend-port because Netfilter doesn't work properly on the loopback interface and DNAT iptable rules aren't applied there. - Goroutines in the TCP proxying code are now explicitly stopped when the proxy is stopped; - UDP connection tracking using a map (more infos in [1]); - Support for IPv6 (to be more accurate, the code is transparent to the Go net package, so you can use, tcp/tcp4/tcp6/udp/udp4/udp6); - Single Proxy interface for both UDP and TCP proxying; - Full test suite. [1] https://github.com/dotcloud/docker/issues/33#issuecomment-20010400
2013-06-11 22:46:23 +00:00
bridgeIface: bridgeIface,
bridgeNetwork: network,
ipAllocator: ipAllocator,
tcpPortAllocator: tcpPortAllocator,
udpPortAllocator: udpPortAllocator,
portMapper: portMapper,
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
}
Make sure to close the network allocators
2013-10-08 22:42:02 +00:00
Network: Port mapping support. Implemented a port allocator and a port mapper that is able to forward TCP ports from the host to the container.
2013-02-28 19:50:02 +00:00
return manager, nil
Network allocator
2013-02-25 18:45:23 +00:00
}