From 045072826763e4f66dae721675761e00101867fa Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 20 Jan 2021 17:48:05 +0100 Subject: [PATCH] vendor: docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46 full diff: https://github.com/docker/libnetwork/compare/fa125a3512ee0f6187721c88582bf8c4378bd4d7...b3507428be5b458cb0e2b4086b13531fb0706e46 - fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609) - fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes" - Fix regression in docker-proxy - introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604) - fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607) - fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858) - Use hostIP to decide on Portmapper version - fixes docker-proxy not being stopped correctly Port mapping of containers now contains separate mappings for IPv4 and IPv6 addresses, when listening on "any" IP address. Various tests had to be updated to take multiple mappings into account. Signed-off-by: Sebastiaan van Stijn --- hack/dockerfile/install/proxy.installer | 2 +- integration-cli/docker_cli_port_test.go | 26 ++++++++++++++----- vendor.conf | 2 +- .../libnetwork/drivers/bridge/port_mapping.go | 25 +++++++++++------- .../docker/libnetwork/iptables/iptables.go | 8 +++++- 5 files changed, 45 insertions(+), 18 deletions(-) diff --git a/hack/dockerfile/install/proxy.installer b/hack/dockerfile/install/proxy.installer index a9562dfa8c..b7ce672fad 100755 --- a/hack/dockerfile/install/proxy.installer +++ b/hack/dockerfile/install/proxy.installer 
@@ -3,7 +3,7 @@ # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When # updating the binary version, consider updating github.com/docker/libnetwork # in vendor.conf accordingly -: "${LIBNETWORK_COMMIT:=fa125a3512ee0f6187721c88582bf8c4378bd4d7}" +: "${LIBNETWORK_COMMIT:=b3507428be5b458cb0e2b4086b13531fb0706e46}" install_proxy() { case "$1" in diff --git a/integration-cli/docker_cli_port_test.go b/integration-cli/docker_cli_port_test.go index 46722ae471..dd41d9891f 100644 --- a/integration-cli/docker_cli_port_test.go +++ b/integration-cli/docker_cli_port_test.go @@ -20,13 +20,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) { out, _ = dockerCmd(c, "port", firstID, "80") - err := assertPortList(c, out, []string{"0.0.0.0:9876"}) + err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"}) // Port list is not correct assert.NilError(c, err) out, _ = dockerCmd(c, "port", firstID) - err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876"}) + err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876", "80/tcp -> [::]:9876"}) // Port list is not correct assert.NilError(c, err) @@ -42,7 +42,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) { out, _ = dockerCmd(c, "port", ID, "80") - err = assertPortList(c, out, []string{"0.0.0.0:9876"}) + err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"}) // Port list is not correct assert.NilError(c, err) @@ -50,8 +50,11 @@ func (s *DockerSuite) TestPortList(c *testing.T) { err = assertPortList(c, out, []string{ "80/tcp -> 0.0.0.0:9876", + "80/tcp -> [::]:9876", "81/tcp -> 0.0.0.0:9877", + "81/tcp -> [::]:9877", "82/tcp -> 0.0.0.0:9878", + "82/tcp -> [::]:9878", }) // Port list is not correct assert.NilError(c, err) 
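Review bot: The new expected lists `[]string{"0.0.0.0:9876", "[::]:9876"}` and `"80/tcp -> [::]:9876"` in TestPortList hard-code that a wildcard publish now produces both an IPv4 and an IPv6 host mapping, and nothing in the hunk gates this on the host or daemon actually supporting IPv6 binding, so on such a host the test would presumably fail rather than skip; it should either be guarded by an IPv6 test requirement or at least carry a comment stating the assumption, e.g. `// A wildcard publish yields separate 0.0.0.0 and [::] mappings; the [::] entry is expected even for a container without an IPv6 address, since the userland proxy forwards host IPv6 traffic to the container's IPv4 address.` The same unguarded `[::]` expectations recur in this file's hunks at -42, -50, -69, -78, -94, -127 and -305 (TestPortHostBinding), so one guard or comment at the top of each test would cover them. The expectations also fix the relative order of the IPv4 and IPv6 entries; whether assertPortList is order-sensitive cannot be seen from this diff and is worth confirming before relying on that ordering. From a deployment standpoint the new expectations document that a published port is reachable over IPv6 by default, which operators who previously assumed IPv4-only exposure should be made aware of in the test's comment rather than only in the vendored driver.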
@@ -69,7 +72,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) { out, _ = dockerCmd(c, "port", ID, "80") - err = assertPortList(c, out, []string{"0.0.0.0:9876", "0.0.0.0:9999"}) + err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876", "0.0.0.0:9999", "[::]:9999"}) // Port list is not correct assert.NilError(c, err) @@ -78,8 +81,12 @@ func (s *DockerSuite) TestPortList(c *testing.T) { err = assertPortList(c, out, []string{ "80/tcp -> 0.0.0.0:9876", "80/tcp -> 0.0.0.0:9999", + "80/tcp -> [::]:9876", + "80/tcp -> [::]:9999", "81/tcp -> 0.0.0.0:9877", + "81/tcp -> [::]:9877", "82/tcp -> 0.0.0.0:9878", + "82/tcp -> [::]:9878", }) // Port list is not correct assert.NilError(c, err) @@ -94,7 +101,10 @@ func (s *DockerSuite) TestPortList(c *testing.T) { out, _ = dockerCmd(c, "port", IDs[i]) - err = assertPortList(c, out, []string{fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i)}) + err = assertPortList(c, out, []string{ + fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i), + fmt.Sprintf("80/tcp -> [::]:%d", 9090+i), + }) // Port list is not correct assert.NilError(c, err) } @@ -127,9 +137,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) { err = assertPortList(c, out, []string{ "80/tcp -> 0.0.0.0:9800", + "80/tcp -> [::]:9800", "81/tcp -> 0.0.0.0:9801", + "81/tcp -> [::]:9801", "82/tcp -> 0.0.0.0:9802", + "82/tcp -> [::]:9802", "83/tcp -> 0.0.0.0:9803", + "83/tcp -> [::]:9803", }) // Port list is not correct assert.NilError(c, err) @@ -305,7 +319,7 @@ func (s *DockerSuite) TestPortHostBinding(c *testing.T) { out, _ = dockerCmd(c, "port", firstID, "80") - err := assertPortList(c, out, []string{"0.0.0.0:9876"}) + err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"}) // Port list is not correct assert.NilError(c, err) diff --git a/vendor.conf b/vendor.conf index 4381943aed..abedda4ee8 100644 --- a/vendor.conf +++ b/vendor.conf 
@@ -47,7 +47,7 @@ github.com/grpc-ecosystem/go-grpc-middleware 3c51f7f332123e8be5a157c0802a # libnetwork # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly -github.com/docker/libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7 +github.com/docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46 github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec diff --git a/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go b/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go index 56a9271ea7..946130ecdd 100644 --- a/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go +++ b/vendor/github.com/docker/libnetwork/drivers/bridge/port_mapping.go @@ -49,8 +49,16 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont } bs = append(bs, bIPv4) } + // Allocate IPv6 Port mappings - if ok := n.validatePortBindingIPv6(&bIPv6, containerIPv6, defHostIP); ok { + // If the container has no IPv6 address, allow proxying host IPv6 traffic to it + // by setting up the binding with the IPv4 interface if the userland proxy is enabled + // This change was added to keep backward compatibility + containerIP := containerIPv6 + if ulPxyEnabled && (containerIPv6 == nil) { + containerIP = containerIPv4 + } + if ok := n.validatePortBindingIPv6(&bIPv6, containerIP, defHostIP); ok { if err := n.allocatePort(&bIPv6, ulPxyEnabled); err != nil { // On allocation failure, release previously allocated ports. On cleanup error, just log a warning message if cuErr := n.releasePortsInternal(bs); cuErr != nil { 
@@ -67,7 +75,7 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont // validatePortBindingIPv4 validates the port binding, populates the missing Host IP field and returns true // if this is a valid IPv4 binding, else returns false func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containerIPv4, defHostIP net.IP) bool { - //Return early if there is a valid Host IP, but its not a IPv6 address + //Return early if there is a valid Host IP, but its not a IPv4 address if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil { return false } @@ -85,10 +93,10 @@ func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containe } // validatePortBindingIPv6 validates the port binding, populates the missing Host IP field and returns true -// if this is a valid IP6v binding, else returns false -func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIPv6, defHostIP net.IP) bool { - // Return early if there is no IPv6 container endpoint - if containerIPv6 == nil { +// if this is a valid IPv6 binding, else returns false +func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIP, defHostIP net.IP) bool { + // Return early if there is no container endpoint + if containerIP == nil { return false } // Return early if there is a valid Host IP, which is a IPv4 address @@ -108,9 +116,8 @@ func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containe return false } } - bnd.IP = containerIPv6 + bnd.IP = containerIP return true - } func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool) error { @@ -132,7 +139,7 @@ func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool) portmapper := n.portMapper - if bnd.IP.To4() == nil { + if bnd.HostIP.To4() == nil { portmapper = n.portMapperV6 } 
diff --git a/vendor/github.com/docker/libnetwork/iptables/iptables.go b/vendor/github.com/docker/libnetwork/iptables/iptables.go index 20c35d46de..9bd100f1e8 100644 --- a/vendor/github.com/docker/libnetwork/iptables/iptables.go +++ b/vendor/github.com/docker/libnetwork/iptables/iptables.go @@ -512,8 +512,14 @@ func filterOutput(start time.Time, output []byte, args ...string) []byte { // Raw calls 'iptables' system command, passing supplied arguments. func (iptable IPTable) Raw(args ...string) ([]byte, error) { if firewalldRunning { + // select correct IP version for firewalld + ipv := Iptables + if iptable.Version == IPv6 { + ipv = IP6Tables + } + startTime := time.Now() - output, err := Passthrough(Iptables, args...) + output, err := Passthrough(ipv, args...) if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") { return filterOutput(startTime, output, args...), err }