diff --git a/vendor.conf b/vendor.conf
index e06832e875..b3484fbd42 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -23,7 +23,7 @@ github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5
 github.com/imdario/mergo 0.2.1
 #get libnetwork packages
-github.com/docker/libnetwork 1a019214c9cb80bd56219e5d6994a22caf302895
+github.com/docker/libnetwork 4610dd67c7b9828bb4719d8aa2ac53a7f1f739d2
 github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894
 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
diff --git a/vendor/github.com/docker/libnetwork/agent.go b/vendor/github.com/docker/libnetwork/agent.go
index b0c65cba98..feda2c2846 100644
--- a/vendor/github.com/docker/libnetwork/agent.go
+++ b/vendor/github.com/docker/libnetwork/agent.go
@@ -44,6 +44,8 @@ type agent struct {
 sync.Mutex
 }
+const libnetworkEPTable = "endpoint_table"
+
 func getBindAddr(ifaceName string) (string, error) {
 iface, err := net.InterfaceByName(ifaceName)
 if err != nil {
@@ -285,7 +287,7 @@ func (c *controller) agentInit(listenAddr, bindAddrOrInterface, advertiseAddr st
 return err
 }
- ch, cancel := nDB.Watch("endpoint_table", "", "")
+ ch, cancel := nDB.Watch(libnetworkEPTable, "", "")
 nodeCh, cancel := nDB.Watch(networkdb.NodeTable, "", "")
 c.Lock()
@@ -385,6 +387,111 @@ func (c *controller) agentClose() {
 agent.networkDB.Close()
 }
+// Task has the backend container details
+type Task struct {
+ Name string
+ EndpointID string
+ EndpointIP string
+ Info map[string]string
+}
+
+// ServiceInfo has service specific details along with the list of backend tasks
+type ServiceInfo struct {
+ VIP string
+ LocalLBIndex int
+ Tasks []Task
+ Ports []string
+}
+
+type epRecord struct {
+ ep EndpointRecord
+ info map[string]string
+ lbIndex int
+}
+
+func (n *network) Services() map[string]ServiceInfo {
+ eps := make(map[string]epRecord)
+
+ if !n.isClusterEligible() {
+ return nil
+ }
+ agent := n.getController().getAgent()
+ if agent == nil {
+ return nil
+ }
+
+ // Walk through libnetworkEPTable and fetch the driver agnostic endpoint info
+ entries := agent.networkDB.GetTableByNetwork(libnetworkEPTable, n.id)
+ for eid, value := range entries {
+ var epRec EndpointRecord
+ nid := n.ID()
+ if err := proto.Unmarshal(value.([]byte), &epRec); err != nil {
+ logrus.Errorf("Unmarshal of libnetworkEPTable failed for endpoint %s in network %s, %v", eid, nid, err)
+ continue
+ }
+ i := n.getController().getLBIndex(epRec.ServiceID, nid, epRec.IngressPorts)
+ eps[eid] = epRecord{
+ ep: epRec,
+ lbIndex: i,
+ }
+ }
+
+ // Walk through the driver's tables, have the driver decode the entries
+ // and return the tuple {ep ID, value}. value is a string that coveys
+ // relevant info about the endpoint.
+ d, err := n.driver(true)
+ if err != nil {
+ logrus.Errorf("Could not resolve driver for network %s/%s while fetching services: %v", n.networkType, n.ID(), err)
+ return nil
+ }
+ for _, table := range n.driverTables {
+ if table.objType != driverapi.EndpointObject {
+ continue
+ }
+ entries := agent.networkDB.GetTableByNetwork(table.name, n.id)
+ for key, value := range entries {
+ epID, info := d.DecodeTableEntry(table.name, key, value.([]byte))
+ if ep, ok := eps[epID]; !ok {
+ logrus.Errorf("Inconsistent driver and libnetwork state for endpoint %s", epID)
+ } else {
+ ep.info = info
+ eps[epID] = ep
+ }
+ }
+ }
+
+ // group the endpoints into a map keyed by the service name
+ sinfo := make(map[string]ServiceInfo)
+ for ep, epr := range eps {
+ var (
+ s ServiceInfo
+ ok bool
+ )
+ if s, ok = sinfo[epr.ep.ServiceName]; !ok {
+ s = ServiceInfo{
+ VIP: epr.ep.VirtualIP,
+ LocalLBIndex: epr.lbIndex,
+ }
+ }
+ ports := []string{}
+ if s.Ports == nil {
+ for _, port := range epr.ep.IngressPorts {
+ p := fmt.Sprintf("Target: %d, Publish: %d", port.TargetPort, port.PublishedPort)
+ ports = append(ports, p)
+ }
+ s.Ports = ports
+ }
+ s.Tasks = append(s.Tasks, Task{
+ Name: epr.ep.Name,
+ EndpointID: ep,
+ EndpointIP: epr.ep.EndpointIP,
+ Info: epr.info,
+ })
+ sinfo[epr.ep.ServiceName] = s
+ }
+ return sinfo
+}
+
 func (n *network) isClusterEligible() bool {
 if n.driverScope() != datastore.GlobalScope {
 return false
@@ -508,7 +615,7 @@ func (ep *endpoint) addServiceInfoToCluster() error {
 }
 if agent != nil {
- if err := agent.networkDB.CreateEntry("endpoint_table", n.ID(), ep.ID(), buf); err != nil {
+ if err := agent.networkDB.CreateEntry(libnetworkEPTable, n.ID(), ep.ID(), buf); err != nil {
 return err
 }
 }
@@ -541,7 +648,7 @@ func (ep *endpoint) deleteServiceInfoFromCluster() error {
 }
 if agent != nil {
- if err := agent.networkDB.DeleteEntry("endpoint_table", n.ID(), ep.ID()); err != nil {
+ if err := agent.networkDB.DeleteEntry(libnetworkEPTable, n.ID(), ep.ID()); err != nil {
 return err
 }
 }
@@ -559,8 +666,8 @@ func (n *network) addDriverWatches() {
 if agent == nil {
 return
 }
- for _, tableName := range n.driverTables {
- ch, cancel := agent.networkDB.Watch(tableName, n.ID(), "")
+ for _, table := range n.driverTables {
+ ch, cancel := agent.networkDB.Watch(table.name, n.ID(), "")
 agent.Lock()
 agent.driverCancelFuncs[n.ID()] = append(agent.driverCancelFuncs[n.ID()], cancel)
 agent.Unlock()
@@ -571,9 +678,9 @@ func (n *network) addDriverWatches() {
 return
 }
- agent.networkDB.WalkTable(tableName, func(nid, key string, value []byte) bool {
+ agent.networkDB.WalkTable(table.name, func(nid, key string, value []byte) bool {
 if nid == n.ID() {
- d.EventNotify(driverapi.Create, nid, tableName, key, value)
+ d.EventNotify(driverapi.Create, nid, table.name, key, value)
 }
 return false
diff --git a/vendor/github.com/docker/libnetwork/driverapi/driverapi.go b/vendor/github.com/docker/libnetwork/driverapi/driverapi.go
index 7fe6f611a4..074438ef88 100644
--- a/vendor/github.com/docker/libnetwork/driverapi/driverapi.go
+++ b/vendor/github.com/docker/libnetwork/driverapi/driverapi.go
@@ -72,6 +72,16 @@ type Driver interface {
 // only invoked for the global scope driver.
 EventNotify(event EventType, nid string, tableName string, key string, value []byte)
+ // DecodeTableEntry passes the driver a key, value pair from table it registered
+ // with libnetwork. Driver should return {object ID, map[string]string} tuple.
+ // If DecodeTableEntry is called for a table associated with NetworkObject or
+ // EndpointObject the return object ID should be the network id or endppoint id
+ // associated with that entry. map should have information about the object that
+ // can be presented to the user.
+ // For exampe: overlay driver returns the VTEP IP of the host that has the endpoint
+ // which is shown in 'network inspect --verbose'
+ DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string)
+
 // Type returns the type of this driver, the network type this driver manages
 Type() string
@@ -84,7 +94,7 @@ type Driver interface {
 type NetworkInfo interface {
 // TableEventRegister registers driver interest in a given
 // table name.
- TableEventRegister(tableName string) error
+ TableEventRegister(tableName string, objType ObjectType) error
 }
 // InterfaceInfo provides a go interface for drivers to retrive
@@ -175,3 +185,28 @@ const (
 // Delete event is generated when a table entry is deleted.
 Delete
 )
+
+// ObjectType represents the type of object driver wants to store in libnetwork's networkDB
+type ObjectType int
+
+const (
+ // EndpointObject should be set for libnetwork endpoint object related data
+ EndpointObject ObjectType = 1 + iota
+ // NetworkObject should be set for libnetwork network object related data
+ NetworkObject
+ // OpaqueObject is for driver specific data with no corresponding libnetwork object
+ OpaqueObject
+)
+
+// IsValidType validates the passed in type against the valid object types
+func IsValidType(objType ObjectType) bool {
+ switch objType {
+ case EndpointObject:
+ fallthrough
+ case NetworkObject:
+ fallthrough
+ case OpaqueObject:
+ return true
+ }
+ return false
+}
diff --git a/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go b/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go
index fa051bde5a..13446f82ea 100644
--- a/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go
+++ b/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go
@@ -575,6 +575,10 @@ func (d *driver) NetworkFree(id string) error {
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 // Create a new network using bridge plugin
 func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo driverapi.NetworkInfo, ipV4Data, ipV6Data []driverapi.IPAMData) error {
 if len(ipV4Data) == 0 || ipV4Data[0].Pool.String() == "0.0.0.0/0" {
diff --git a/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go b/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go
index 1ac7fbc808..b2720c54f7 100644
--- a/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/vendor/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -140,7 +140,6 @@ func setupIPTablesInternal(bridgeIface string, addr net.Addr, icc, ipmasq, hairp
 hpNatRule = iptRule{table: iptables.Nat, chain: "POSTROUTING", preArgs: []string{"-t", "nat"}, args: []string{"-m", "addrtype", "--src-type", "LOCAL", "-o", bridgeIface, "-j", "MASQUERADE"}}
 skipDNAT = iptRule{table: iptables.Nat, chain: DockerChain, preArgs: []string{"-t", "nat"}, args: []string{"-i", bridgeIface, "-j", "RETURN"}}
 outRule = iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", bridgeIface, "!", "-o", bridgeIface, "-j", "ACCEPT"}}
- inRule = iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-o", bridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}
 )
 // Set NAT.
@@ -173,11 +172,6 @@ func setupIPTablesInternal(bridgeIface string, addr net.Addr, icc, ipmasq, hairp
 return err
 }
- // Set Accept on incoming packets for existing connections.
- if err := programChainRule(inRule, "ACCEPT INCOMING", enable); err != nil {
- return err
- }
-
 return nil
 }
diff --git a/vendor/github.com/docker/libnetwork/drivers/host/host.go b/vendor/github.com/docker/libnetwork/drivers/host/host.go
index 3bc9099761..7b4a986e6c 100644
--- a/vendor/github.com/docker/libnetwork/drivers/host/host.go
+++ b/vendor/github.com/docker/libnetwork/drivers/host/host.go
@@ -35,6 +35,10 @@ func (d *driver) NetworkFree(id string) error {
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo driverapi.NetworkInfo, ipV4Data, ipV6Data []driverapi.IPAMData) error {
 d.Lock()
 defer d.Unlock()
diff --git a/vendor/github.com/docker/libnetwork/drivers/ipvlan/ipvlan.go b/vendor/github.com/docker/libnetwork/drivers/ipvlan/ipvlan.go
index cd0c830f79..296804dc1a 100644
--- a/vendor/github.com/docker/libnetwork/drivers/ipvlan/ipvlan.go
+++ b/vendor/github.com/docker/libnetwork/drivers/ipvlan/ipvlan.go
@@ -108,3 +108,7 @@ func (d *driver) DiscoverDelete(dType discoverapi.DiscoveryType, data interface{
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
diff --git a/vendor/github.com/docker/libnetwork/drivers/macvlan/macvlan.go b/vendor/github.com/docker/libnetwork/drivers/macvlan/macvlan.go
index 23fa850edc..49b9fbae00 100644
--- a/vendor/github.com/docker/libnetwork/drivers/macvlan/macvlan.go
+++ b/vendor/github.com/docker/libnetwork/drivers/macvlan/macvlan.go
@@ -110,3 +110,7 @@ func (d *driver) DiscoverDelete(dType discoverapi.DiscoveryType, data interface{
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
diff --git a/vendor/github.com/docker/libnetwork/drivers/null/null.go b/vendor/github.com/docker/libnetwork/drivers/null/null.go
index 03f9777040..7f2a5e32f7 100644
--- a/vendor/github.com/docker/libnetwork/drivers/null/null.go
+++ b/vendor/github.com/docker/libnetwork/drivers/null/null.go
@@ -35,6 +35,10 @@ func (d *driver) NetworkFree(id string) error {
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo driverapi.NetworkInfo, ipV4Data, ipV6Data []driverapi.IPAMData) error {
 d.Lock()
 defer d.Unlock()
diff --git a/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go b/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
index b4c3aade49..1d59f238b0 100644
--- a/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+++ b/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
@@ -20,7 +20,7 @@ import (
 )
 const (
- mark = uint32(0xD0C4E3)
+ r = 0xD0C4E3
 timeout = 30
 pktExpansion = 26 // SPI(4) + SeqN(4) + IV(8) + PadLength(1) + NextHeader(1) + ICV(8)
 )
@@ -31,6 +31,8 @@ const (
 bidir
 )
+var spMark = netlink.XfrmMark{Value: uint32(r), Mask: 0xffffffff}
+
 type key struct {
 value []byte
 tag uint32
@@ -201,7 +203,7 @@ func programMangle(vni uint32, add bool) (err error) {
 var (
 p = strconv.FormatUint(uint64(vxlanPort), 10)
 c = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
- m = strconv.FormatUint(uint64(mark), 10)
+ m = strconv.FormatUint(uint64(r), 10)
 chain = "OUTPUT"
 rule = []string{"-p", "udp", "--dport", p, "-m", "u32", "--u32", c, "-j", "MARK", "--set-mark", m}
 a = "-A"
@@ -271,6 +273,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
 Proto: netlink.XFRM_PROTO_ESP,
 Spi: spi.reverse,
 Mode: netlink.XFRM_MODE_TRANSPORT,
+ Reqid: r,
 }
 if add {
 rSA.Aead = buildAeadAlgo(k, spi.reverse)
@@ -296,6 +299,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
 Proto: netlink.XFRM_PROTO_ESP,
 Spi: spi.forward,
 Mode: netlink.XFRM_MODE_TRANSPORT,
+ Reqid: r,
 }
 if add {
 fSA.Aead = buildAeadAlgo(k, spi.forward)
@@ -325,17 +329,18 @@ func programSP(fSA *netlink.XfrmState, rSA *netlink.XfrmState, add bool) error {
 xfrmProgram = ns.NlHandle().XfrmPolicyAdd
 }
- fullMask := net.CIDRMask(8*len(fSA.Src), 8*len(fSA.Src))
+ // Create a congruent cidr
+ s := types.GetMinimalIP(fSA.Src)
+ d := types.GetMinimalIP(fSA.Dst)
+ fullMask := net.CIDRMask(8*len(s), 8*len(s))
 fPol := &netlink.XfrmPolicy{
- Src: &net.IPNet{IP: fSA.Src, Mask: fullMask},
- Dst: &net.IPNet{IP: fSA.Dst, Mask: fullMask},
+ Src: &net.IPNet{IP: s, Mask: fullMask},
+ Dst: &net.IPNet{IP: d, Mask: fullMask},
 Dir: netlink.XFRM_DIR_OUT,
 Proto: 17,
 DstPort: 4789,
- Mark: &netlink.XfrmMark{
- Value: mark,
- },
+ Mark: &spMark,
 Tmpls: []netlink.XfrmPolicyTmpl{
 {
 Src: fSA.Src,
@@ -343,6 +348,7 @@ func programSP(fSA *netlink.XfrmState, rSA *netlink.XfrmState, add bool) error {
 Proto: netlink.XFRM_PROTO_ESP,
 Mode: netlink.XFRM_MODE_TRANSPORT,
 Spi: fSA.Spi,
+ Reqid: r,
 },
 },
 }
@@ -426,6 +432,8 @@ func (d *driver) secMapWalk(f func(string, []*spi) ([]*spi, bool)) error {
 }
 func (d *driver) setKeys(keys []*key) error {
+ // Remove any stale policy, state
+ clearEncryptionStates()
 // Accept the encryption keys and clear any stale encryption map
 d.Lock()
 d.keys = keys
@@ -526,7 +534,7 @@ func updateNodeKey(lIP, aIP, rIP net.IP, idxs []*spi, curKeys []*key, newIdx, pr
 }
 if newIdx > -1 {
- // +RSA2
+ // +rSA2
 programSA(lIP, rIP, spis[newIdx], curKeys[newIdx], reverse, true)
 }
@@ -535,16 +543,17 @@ func updateNodeKey(lIP, aIP, rIP net.IP, idxs []*spi, curKeys []*key, newIdx, pr
 fSA2, _, _ := programSA(lIP, rIP, spis[priIdx], curKeys[priIdx], forward, true)
 // +fSP2, -fSP1
- fullMask := net.CIDRMask(8*len(fSA2.Src), 8*len(fSA2.Src))
+ s := types.GetMinimalIP(fSA2.Src)
+ d := types.GetMinimalIP(fSA2.Dst)
+ fullMask := net.CIDRMask(8*len(s), 8*len(s))
+
 fSP1 := &netlink.XfrmPolicy{
- Src: &net.IPNet{IP: fSA2.Src, Mask: fullMask},
- Dst: &net.IPNet{IP: fSA2.Dst, Mask: fullMask},
+ Src: &net.IPNet{IP: s, Mask: fullMask},
+ Dst: &net.IPNet{IP: d, Mask: fullMask},
 Dir: netlink.XFRM_DIR_OUT,
 Proto: 17,
 DstPort: 4789,
- Mark: &netlink.XfrmMark{
- Value: mark,
- },
+ Mark: &spMark,
 Tmpls: []netlink.XfrmPolicyTmpl{
 {
 Src: fSA2.Src,
@@ -552,6 +561,7 @@ func updateNodeKey(lIP, aIP, rIP net.IP, idxs []*spi, curKeys []*key, newIdx, pr
 Proto: netlink.XFRM_PROTO_ESP,
 Mode: netlink.XFRM_MODE_TRANSPORT,
 Spi: fSA2.Spi,
+ Reqid: r,
 },
 },
 }
@@ -597,3 +607,33 @@ func (n *network) maxMTU() int {
 }
 return mtu
 }
+
+func clearEncryptionStates() {
+ nlh := ns.NlHandle()
+ spList, err := nlh.XfrmPolicyList(netlink.FAMILY_ALL)
+ if err != nil {
+ logrus.Warnf("Failed to retrieve SP list for cleanup: %v", err)
+ }
+ saList, err := nlh.XfrmStateList(netlink.FAMILY_ALL)
+ if err != nil {
+ logrus.Warnf("Failed to retrieve SA list for cleanup: %v", err)
+ }
+ for _, sp := range spList {
+ if sp.Mark != nil && sp.Mark.Value == spMark.Value {
+ if err := nlh.XfrmPolicyDel(&sp); err != nil {
+ logrus.Warnf("Failed to delete stale SP %s: %v", sp, err)
+ continue
+ }
+ logrus.Debugf("Removed stale SP: %s", sp)
+ }
+ }
+ for _, sa := range saList {
+ if sa.Reqid == r {
+ if err := nlh.XfrmStateDel(&sa); err != nil {
+ logrus.Warnf("Failed to delete stale SA %s: %v", sa, err)
+ continue
+ }
+ logrus.Debugf("Removed stale SA: %s", sa)
+ }
+ }
+}
diff --git a/vendor/github.com/docker/libnetwork/drivers/overlay/joinleave.go b/vendor/github.com/docker/libnetwork/drivers/overlay/joinleave.go
index 26743a12fa..0af09b71ba 100644
--- a/vendor/github.com/docker/libnetwork/drivers/overlay/joinleave.go
+++ b/vendor/github.com/docker/libnetwork/drivers/overlay/joinleave.go
@@ -145,6 +145,23 @@ func (d *driver) Join(nid, eid string, sboxKey string, jinfo driverapi.JoinInfo,
 return nil
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ if tablename != ovPeerTable {
+ logrus.Errorf("DecodeTableEntry: unexpected table name %s", tablename)
+ return "", nil
+ }
+
+ var peer PeerRecord
+ if err := proto.Unmarshal(value, &peer); err != nil {
+ logrus.Errorf("DecodeTableEntry: failed to unmarshal peer record for key %s: %v", key, err)
+ return "", nil
+ }
+
+ return key, map[string]string{
+ "Host IP": peer.TunnelEndpointIP,
+ }
+}
+
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 if tableName != ovPeerTable {
 logrus.Errorf("Unexpected table notification for table %s received", tableName)
diff --git a/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go b/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go
index 173cd606d1..d2c6f6784f 100644
--- a/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go
+++ b/vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go
@@ -159,7 +159,7 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 }
 if nInfo != nil {
- if err := nInfo.TableEventRegister(ovPeerTable); err != nil {
+ if err := nInfo.TableEventRegister(ovPeerTable, driverapi.EndpointObject); err != nil {
 return err
 }
 }
diff --git a/vendor/github.com/docker/libnetwork/drivers/overlay/ovmanager/ovmanager.go b/vendor/github.com/docker/libnetwork/drivers/overlay/ovmanager/ovmanager.go
index 2c4c771e58..dce8f98b8e 100644
--- a/vendor/github.com/docker/libnetwork/drivers/overlay/ovmanager/ovmanager.go
+++ b/vendor/github.com/docker/libnetwork/drivers/overlay/ovmanager/ovmanager.go
@@ -199,6 +199,10 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 func (d *driver) DeleteNetwork(nid string) error {
 return types.NotImplementedErrorf("not implemented")
 }
diff --git a/vendor/github.com/docker/libnetwork/drivers/remote/driver.go b/vendor/github.com/docker/libnetwork/drivers/remote/driver.go
index 12dbc121ce..49a7fb4951 100644
--- a/vendor/github.com/docker/libnetwork/drivers/remote/driver.go
+++ b/vendor/github.com/docker/libnetwork/drivers/remote/driver.go
@@ -116,6 +116,10 @@ func (d *driver) NetworkFree(id string) error {
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 func (d *driver) CreateNetwork(id string, options map[string]interface{}, nInfo driverapi.NetworkInfo, ipV4Data, ipV6Data []driverapi.IPAMData) error {
 create := &api.CreateNetworkRequest{
 NetworkID: id,
diff --git a/vendor/github.com/docker/libnetwork/drivers/solaris/bridge/bridge.go b/vendor/github.com/docker/libnetwork/drivers/solaris/bridge/bridge.go
index 53092efeeb..13dd5f14bc 100644
--- a/vendor/github.com/docker/libnetwork/drivers/solaris/bridge/bridge.go
+++ b/vendor/github.com/docker/libnetwork/drivers/solaris/bridge/bridge.go
@@ -175,6 +175,10 @@ func (d *driver) NetworkFree(id string) error {
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo driverapi.NetworkInfo, ipV4Data, ipV6Data []driverapi.IPAMData) error {
 if len(ipV4Data) == 0 || ipV4Data[0].Pool.String() == "0.0.0.0/0" {
 return types.BadRequestErrorf("ipv4 pool is empty")
diff --git a/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/joinleave.go b/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/joinleave.go
index f213b1fe7c..fd411988d1 100644
--- a/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/joinleave.go
+++ b/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/joinleave.go
@@ -149,6 +149,10 @@ func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key stri
 d.peerAdd(nid, eid, addr.IP, addr.Mask, mac, vtep, true)
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 // Leave method is invoked when a Sandbox detaches from an endpoint.
 func (d *driver) Leave(nid, eid string) error {
 if err := validateID(nid, eid); err != nil {
diff --git a/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/ov_network.go b/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/ov_network.go
index e9b27ba5bd..5e3dd5abe1 100644
--- a/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/ov_network.go
+++ b/vendor/github.com/docker/libnetwork/drivers/solaris/overlay/ov_network.go
@@ -153,7 +153,7 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 }
 if nInfo != nil {
- if err := nInfo.TableEventRegister(ovPeerTable); err != nil {
+ if err := nInfo.TableEventRegister(ovPeerTable, driverapi.EndpointObject); err != nil {
 return err
 }
 }
diff --git a/vendor/github.com/docker/libnetwork/drivers/windows/overlay/joinleave_windows.go b/vendor/github.com/docker/libnetwork/drivers/windows/overlay/joinleave_windows.go
index 310b8381af..91dcf28b32 100644
--- a/vendor/github.com/docker/libnetwork/drivers/windows/overlay/joinleave_windows.go
+++ b/vendor/github.com/docker/libnetwork/drivers/windows/overlay/joinleave_windows.go
@@ -93,6 +93,10 @@ func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key stri
 d.peerAdd(nid, eid, addr.IP, addr.Mask, mac, vtep, true)
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 // Leave method is invoked when a Sandbox detaches from an endpoint.
 func (d *driver) Leave(nid, eid string) error {
 if err := validateID(nid, eid); err != nil {
diff --git a/vendor/github.com/docker/libnetwork/drivers/windows/overlay/ov_network_windows.go b/vendor/github.com/docker/libnetwork/drivers/windows/overlay/ov_network_windows.go
index 64a9e8af9b..65b7e38d3b 100644
--- a/vendor/github.com/docker/libnetwork/drivers/windows/overlay/ov_network_windows.go
+++ b/vendor/github.com/docker/libnetwork/drivers/windows/overlay/ov_network_windows.go
@@ -169,7 +169,7 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 n.interfaceName = interfaceName
 if nInfo != nil {
- if err := nInfo.TableEventRegister(ovPeerTable); err != nil {
+ if err := nInfo.TableEventRegister(ovPeerTable, driverapi.EndpointObject); err != nil {
 return err
 }
 }
diff --git a/vendor/github.com/docker/libnetwork/drivers/windows/windows.go b/vendor/github.com/docker/libnetwork/drivers/windows/windows.go
index 39d862aeb4..b6591a1d6d 100644
--- a/vendor/github.com/docker/libnetwork/drivers/windows/windows.go
+++ b/vendor/github.com/docker/libnetwork/drivers/windows/windows.go
@@ -183,6 +183,10 @@ func (c *networkConfiguration) processIPAM(id string, ipamV4Data, ipamV6Data []d
 func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key string, value []byte) {
 }
+func (d *driver) DecodeTableEntry(tablename string, key string, value []byte) (string, map[string]string) {
+ return "", nil
+}
+
 // Create a new network
 func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo driverapi.NetworkInfo, ipV4Data, ipV6Data []driverapi.IPAMData) error {
 if _, err := d.getNetwork(id); err == nil {
diff --git a/vendor/github.com/docker/libnetwork/iptables/iptables.go b/vendor/github.com/docker/libnetwork/iptables/iptables.go
index d4f4aa23dd..34f7dee09d 100644
--- a/vendor/github.com/docker/libnetwork/iptables/iptables.go
+++ b/vendor/github.com/docker/libnetwork/iptables/iptables.go
@@ -50,8 +50,7 @@ var (
 bestEffortLock sync.Mutex
 // ErrIptablesNotFound is returned when the rule is not found.
 ErrIptablesNotFound = errors.New("Iptables not found")
- probeOnce sync.Once
- firewalldOnce sync.Once
+ initOnce sync.Once
 )
 // ChainInfo defines the iptables chain.
@@ -86,22 +85,32 @@ func initFirewalld() {
 }
 }
+func detectIptables() {
+ path, err := exec.LookPath("iptables")
+ if err != nil {
+ return
+ }
+ iptablesPath = path
+ supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil
+ mj, mn, mc, err := GetVersion()
+ if err != nil {
+ logrus.Warnf("Failed to read iptables version: %v", err)
+ return
+ }
+ supportsCOpt = supportsCOption(mj, mn, mc)
+}
+
+func initIptables() {
+ probe()
+ initFirewalld()
+ detectIptables()
+}
+
 func initCheck() error {
+ initOnce.Do(initIptables)
+
 if iptablesPath == "" {
- probeOnce.Do(probe)
- firewalldOnce.Do(initFirewalld)
- path, err := exec.LookPath("iptables")
- if err != nil {
- return ErrIptablesNotFound
- }
- iptablesPath = path
- supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil
- mj, mn, mc, err := GetVersion()
- if err != nil {
- logrus.Warnf("Failed to read iptables version: %v", err)
- return nil
- }
- supportsCOpt = supportsCOption(mj, mn, mc)
+ return ErrIptablesNotFound
 }
 return nil
 }
@@ -189,6 +198,26 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) err
 }
 }
+ establish := []string{
+ "-o", bridgeName,
+ "-m", "conntrack",
+ "--ctstate", "RELATED,ESTABLISHED",
+ "-j", "ACCEPT"}
+ if !Exists(Filter, "FORWARD", establish...) && enable {
+ insert := append([]string{string(Insert), "FORWARD"}, establish...)
+ if output, err := Raw(insert...); err != nil {
+ return err
+ } else if len(output) != 0 {
+ return fmt.Errorf("Could not create establish rule to %s: %s", c.Table, output)
+ }
+ } else if Exists(Filter, "FORWARD", establish...) && !enable {
+ del := append([]string{string(Delete), "FORWARD"}, establish...)
+ if output, err := Raw(del...); err != nil {
+ return err
+ } else if len(output) != 0 {
+ return fmt.Errorf("Could not delete establish rule from %s: %s", c.Table, output)
+ }
+ }
 }
 return nil
 }
@@ -353,7 +382,11 @@ func exists(native bool, table Table, chain string, rule ...string) bool {
 table = Filter
 }
- initCheck()
+ if err := initCheck(); err != nil {
+ // The exists() signature does not allow us to return an error, but at least
+ // we can skip the (likely invalid) exec invocation.
+ return false
+ }
 if supportsCOpt {
 // if exit status is 0 then return true, the rule exists
@@ -436,9 +469,9 @@ func ExistChain(chain string, table Table) bool {
 return false
 }
-// GetVersion reads the iptables version numbers
+// GetVersion reads the iptables version numbers during initialization
 func GetVersion() (major, minor, micro int, err error) {
- out, err := Raw("--version")
+ out, err := exec.Command(iptablesPath, "--version").CombinedOutput()
 if err == nil {
 major, minor, micro = parseVersionNumbers(string(out))
 }
diff --git a/vendor/github.com/docker/libnetwork/network.go b/vendor/github.com/docker/libnetwork/network.go
index e5c2eab173..2b9f422538 100644
--- a/vendor/github.com/docker/libnetwork/network.go
+++ b/vendor/github.com/docker/libnetwork/network.go
@@ -74,6 +74,9 @@ type NetworkInfo interface {
 // gossip cluster. For non-dynamic overlay networks and bridge networks it returns an
 // empty slice
 Peers() []networkdb.PeerInfo
+ //Services returns a map of services keyed by the service name with the details
+ //of all the tasks that belong to the service. Applicable only in swarm mode.
+ Services() map[string]ServiceInfo
 }
 // EndpointWalker is a client provided function which will be used to walk the Endpoints.
@@ -108,6 +111,11 @@ type servicePorts struct {
 target []serviceTarget
 }
+type networkDBTable struct {
+ name string
+ objType driverapi.ObjectType
+}
+
 // IpamConf contains all the ipam related configurations for a network
 type IpamConf struct {
 // The master address pool for containers and network interfaces
@@ -208,7 +216,7 @@ type network struct {
 attachable bool
 inDelete bool
 ingress bool
- driverTables []string
+ driverTables []networkDBTable
 dynamic bool
 sync.Mutex
 }
@@ -1607,11 +1615,18 @@ func (n *network) Labels() map[string]string {
 return lbls
 }
-func (n *network) TableEventRegister(tableName string) error {
+func (n *network) TableEventRegister(tableName string, objType driverapi.ObjectType) error {
+ if !driverapi.IsValidType(objType) {
+ return fmt.Errorf("invalid object type %v in registering table, %s", objType, tableName)
+ }
+
+ t := networkDBTable{
+ name: tableName,
+ objType: objType,
+ }
 n.Lock()
 defer n.Unlock()
-
- n.driverTables = append(n.driverTables, tableName)
+ n.driverTables = append(n.driverTables, t)
 return nil
 }
diff --git a/vendor/github.com/docker/libnetwork/networkdb/networkdb.go b/vendor/github.com/docker/libnetwork/networkdb/networkdb.go
index c3aab99335..9e5e61caef 100644
--- a/vendor/github.com/docker/libnetwork/networkdb/networkdb.go
+++ b/vendor/github.com/docker/libnetwork/networkdb/networkdb.go
@@ -307,6 +307,22 @@ func (nDB *NetworkDB) UpdateEntry(tname, nid, key string, value []byte) error {
 return nil
 }
+// GetTableByNetwork walks the networkdb by the give table and network id and
+// returns a map of keys and values
+func (nDB *NetworkDB) GetTableByNetwork(tname, nid string) map[string]interface{} {
+ entries := make(map[string]interface{})
+ nDB.indexes[byTable].WalkPrefix(fmt.Sprintf("/%s/%s", tname, nid), func(k string, v interface{}) bool {
+ entry := v.(*entry)
+ if entry.deleting {
+ return false
+ }
+ key := k[strings.LastIndex(k, "/")+1:]
+ entries[key] = entry.value
+ return false
+ })
+ return entries
+}
+
 // DeleteEntry deletes a table entry in NetworkDB for given (network,
 // table, key) tuple and if the NetworkDB is part of the cluster
 // propagates this event to the cluster.
diff --git a/vendor/github.com/docker/libnetwork/service_common.go b/vendor/github.com/docker/libnetwork/service_common.go
index 04f807aea8..049d308423 100644
--- a/vendor/github.com/docker/libnetwork/service_common.go
+++ b/vendor/github.com/docker/libnetwork/service_common.go
@@ -18,6 +18,26 @@ func newService(name string, id string, ingressPorts []*PortConfig, aliases []st
 }
 }
+func (c *controller) getLBIndex(sid, nid string, ingressPorts []*PortConfig) int {
+ skey := serviceKey{
+ id: sid,
+ ports: portConfigs(ingressPorts).String(),
+ }
+ c.Lock()
+ s, ok := c.serviceBindings[skey]
+ c.Unlock()
+
+ if !ok {
+ return 0
+ }
+
+ s.Lock()
+ lb := s.loadBalancers[nid]
+ s.Unlock()
+
+ return int(lb.fwMark)
+}
+
 func (c *controller) cleanupServiceBindings(cleanupNID string) {
 var cleanupFuncs []func()