Vendoring libnetwork @9ab6e13
Signed-off-by: Santhosh Manohar <santhosh@docker.com>
This commit is contained in:
parent
877c860428
commit
8479a765dd
|
@ -70,7 +70,7 @@ clone git github.com/RackSec/srslog 365bf33cd9acc21ae1c355209865f17228ca534e
|
||||||
clone git github.com/imdario/mergo 0.2.1
|
clone git github.com/imdario/mergo 0.2.1
|
||||||
|
|
||||||
#get libnetwork packages
|
#get libnetwork packages
|
||||||
clone git github.com/docker/libnetwork f4338b6f1085ccfe5972e655cca8a1d15d73439d
|
clone git github.com/docker/libnetwork 9ab6e136fa628b5bb4af4a75f76609ef2c21c024
|
||||||
clone git github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894
|
clone git github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894
|
||||||
clone git github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
|
clone git github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
|
||||||
clone git github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
|
clone git github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
|
||||||
|
|
|
@ -328,22 +328,26 @@ func (c *controller) agentDriverNotify(d driverapi.Driver) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) agentClose() {
|
func (c *controller) agentClose() {
|
||||||
if c.agent == nil {
|
// Acquire current agent instance and reset its pointer
|
||||||
|
// then run closing functions
|
||||||
|
c.Lock()
|
||||||
|
agent := c.agent
|
||||||
|
c.agent = nil
|
||||||
|
c.Unlock()
|
||||||
|
|
||||||
|
if agent == nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, cancelFuncs := range c.agent.driverCancelFuncs {
|
for _, cancelFuncs := range agent.driverCancelFuncs {
|
||||||
for _, cancel := range cancelFuncs {
|
for _, cancel := range cancelFuncs {
|
||||||
cancel()
|
cancel()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
c.agent.epTblCancel()
|
|
||||||
|
|
||||||
c.agent.networkDB.Close()
|
agent.epTblCancel()
|
||||||
|
|
||||||
c.Lock()
|
agent.networkDB.Close()
|
||||||
c.agent = nil
|
|
||||||
c.Unlock()
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *network) isClusterEligible() bool {
|
func (n *network) isClusterEligible() bool {
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
package config
|
package config
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/BurntSushi/toml"
|
"github.com/BurntSushi/toml"
|
||||||
|
@ -15,6 +17,12 @@ import (
|
||||||
"github.com/docker/libnetwork/osl"
|
"github.com/docker/libnetwork/osl"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// RestrictedNameChars collects the characters allowed to represent a network or endpoint name.
|
||||||
|
const restrictedNameChars = `[a-zA-Z0-9][a-zA-Z0-9_.-]`
|
||||||
|
|
||||||
|
// RestrictedNamePattern is a regular expression to validate names against the collection of restricted characters.
|
||||||
|
var restrictedNamePattern = regexp.MustCompile(`^/?` + restrictedNameChars + `+$`)
|
||||||
|
|
||||||
// Config encapsulates configurations of various Libnetwork components
|
// Config encapsulates configurations of various Libnetwork components
|
||||||
type Config struct {
|
type Config struct {
|
||||||
Daemon DaemonCfg
|
Daemon DaemonCfg
|
||||||
|
@ -223,12 +231,12 @@ func (c *Config) ProcessOptions(options ...Option) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsValidName validates configuration objects supported by libnetwork
|
// ValidateName validates configuration objects supported by libnetwork
|
||||||
func IsValidName(name string) bool {
|
func ValidateName(name string) error {
|
||||||
if strings.TrimSpace(name) == "" {
|
if !restrictedNamePattern.MatchString(name) {
|
||||||
return false
|
return fmt.Errorf("%s includes invalid characters, only %q are allowed", name, restrictedNameChars)
|
||||||
}
|
}
|
||||||
return true
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// OptionLocalKVProvider function returns an option setter for kvstore provider
|
// OptionLocalKVProvider function returns an option setter for kvstore provider
|
||||||
|
|
|
@ -626,8 +626,8 @@ func (c *controller) NewNetwork(networkType, name string, id string, options ...
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if !config.IsValidName(name) {
|
if err := config.ValidateName(name); err != nil {
|
||||||
return nil, ErrInvalidName(name)
|
return nil, ErrInvalidName(err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
if id == "" {
|
if id == "" {
|
||||||
|
|
|
@ -145,7 +145,7 @@ func makeDefaultScopes() map[string]*ScopeCfg {
|
||||||
var defaultRootChain = []string{"docker", "network", "v1.0"}
|
var defaultRootChain = []string{"docker", "network", "v1.0"}
|
||||||
var rootChain = defaultRootChain
|
var rootChain = defaultRootChain
|
||||||
|
|
||||||
// DefaultScopes returns a map of default scopes and it's config for clients to use.
|
// DefaultScopes returns a map of default scopes and its config for clients to use.
|
||||||
func DefaultScopes(dataDir string) map[string]*ScopeCfg {
|
func DefaultScopes(dataDir string) map[string]*ScopeCfg {
|
||||||
if dataDir != "" {
|
if dataDir != "" {
|
||||||
defaultScopes[LocalScope].Client.Address = dataDir + "/network/files/local-kv.db"
|
defaultScopes[LocalScope].Client.Address = dataDir + "/network/files/local-kv.db"
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
package discoverapi
|
package discoverapi
|
||||||
|
|
||||||
// Discover is an interface to be implemented by the componenet interested in receiving discover events
|
// Discover is an interface to be implemented by the component interested in receiving discover events
|
||||||
// like new node joining the cluster or datastore updates
|
// like new node joining the cluster or datastore updates
|
||||||
type Discover interface {
|
type Discover interface {
|
||||||
// DiscoverNew is a notification for a new discovery event, Example:a new node joining a cluster
|
// DiscoverNew is a notification for a new discovery event, Example:a new node joining a cluster
|
||||||
|
|
|
@ -79,11 +79,11 @@ func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInt
|
||||||
Mask: i.bridgeIPv4.Mask,
|
Mask: i.bridgeIPv4.Mask,
|
||||||
}
|
}
|
||||||
if config.Internal {
|
if config.Internal {
|
||||||
if err = setupInternalNetworkRules(config.BridgeName, maskedAddrv4, true); err != nil {
|
if err = setupInternalNetworkRules(config.BridgeName, maskedAddrv4, config.EnableICC, true); err != nil {
|
||||||
return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
|
return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
|
||||||
}
|
}
|
||||||
n.registerIptCleanFunc(func() error {
|
n.registerIptCleanFunc(func() error {
|
||||||
return setupInternalNetworkRules(config.BridgeName, maskedAddrv4, false)
|
return setupInternalNetworkRules(config.BridgeName, maskedAddrv4, config.EnableICC, false)
|
||||||
})
|
})
|
||||||
} else {
|
} else {
|
||||||
if err = setupIPTablesInternal(config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
|
if err = setupIPTablesInternal(config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
|
||||||
|
@ -333,7 +333,7 @@ func removeIPChains() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func setupInternalNetworkRules(bridgeIface string, addr net.Addr, insert bool) error {
|
func setupInternalNetworkRules(bridgeIface string, addr net.Addr, icc, insert bool) error {
|
||||||
var (
|
var (
|
||||||
inDropRule = iptRule{table: iptables.Filter, chain: IsolationChain, args: []string{"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
|
inDropRule = iptRule{table: iptables.Filter, chain: IsolationChain, args: []string{"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
|
||||||
outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain, args: []string{"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
|
outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain, args: []string{"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
|
||||||
|
@ -344,5 +344,9 @@ func setupInternalNetworkRules(bridgeIface string, addr net.Addr, insert bool) e
|
||||||
if err := programChainRule(outDropRule, "DROP OUTGOING", insert); err != nil {
|
if err := programChainRule(outDropRule, "DROP OUTGOING", insert); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// Set Inter Container Communication.
|
||||||
|
if err := setIcc(bridgeIface, icc, insert); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -66,7 +66,7 @@ func (d *driver) CreateEndpoint(nid, eid string, ifInfo driverapi.InterfaceInfo,
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteEndpoint remove the endpoint and associated netlink interface
|
// DeleteEndpoint removes the endpoint and associated netlink interface
|
||||||
func (d *driver) DeleteEndpoint(nid, eid string) error {
|
func (d *driver) DeleteEndpoint(nid, eid string) error {
|
||||||
defer osl.InitOSContext()()
|
defer osl.InitOSContext()()
|
||||||
if err := validateID(nid, eid); err != nil {
|
if err := validateID(nid, eid); err != nil {
|
||||||
|
|
|
@ -124,7 +124,7 @@ func (d *driver) createNetwork(config *configuration) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteNetwork the network for the specified driver type
|
// DeleteNetwork deletes the network for the specified driver type
|
||||||
func (d *driver) DeleteNetwork(nid string) error {
|
func (d *driver) DeleteNetwork(nid string) error {
|
||||||
defer osl.InitOSContext()()
|
defer osl.InitOSContext()()
|
||||||
n := d.network(nid)
|
n := d.network(nid)
|
||||||
|
@ -171,7 +171,7 @@ func (d *driver) DeleteNetwork(nid string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// parseNetworkOptions parse docker network options
|
// parseNetworkOptions parses docker network options
|
||||||
func parseNetworkOptions(id string, option options.Generic) (*configuration, error) {
|
func parseNetworkOptions(id string, option options.Generic) (*configuration, error) {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
|
@ -193,7 +193,7 @@ func parseNetworkOptions(id string, option options.Generic) (*configuration, err
|
||||||
return config, nil
|
return config, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// parseNetworkGenericOptions parse generic driver docker network options
|
// parseNetworkGenericOptions parses generic driver docker network options
|
||||||
func parseNetworkGenericOptions(data interface{}) (*configuration, error) {
|
func parseNetworkGenericOptions(data interface{}) (*configuration, error) {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
|
|
|
@ -64,7 +64,7 @@ func setMacVlanMode(mode string) (netlink.MacvlanMode, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// parentExists check if the specified interface exists in the default namespace
|
// parentExists checks if the specified interface exists in the default namespace
|
||||||
func parentExists(ifaceStr string) bool {
|
func parentExists(ifaceStr string) bool {
|
||||||
_, err := ns.NlHandle().LinkByName(ifaceStr)
|
_, err := ns.NlHandle().LinkByName(ifaceStr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -469,12 +469,14 @@ func (ep *endpoint) sbJoin(sb *sandbox, options ...EndpointOption) error {
|
||||||
n.getController().watchSvcRecord(ep)
|
n.getController().watchSvcRecord(ep)
|
||||||
}
|
}
|
||||||
|
|
||||||
address := ""
|
if doUpdateHostsFile(n, sb) {
|
||||||
if ip := ep.getFirstInterfaceAddress(); ip != nil {
|
address := ""
|
||||||
address = ip.String()
|
if ip := ep.getFirstInterfaceAddress(); ip != nil {
|
||||||
}
|
address = ip.String()
|
||||||
if err = sb.updateHostsFile(address); err != nil {
|
}
|
||||||
return err
|
if err = sb.updateHostsFile(address); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if err = sb.updateDNS(n.enableIPv6); err != nil {
|
if err = sb.updateDNS(n.enableIPv6); err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -556,6 +558,10 @@ func (ep *endpoint) sbJoin(sb *sandbox, options ...EndpointOption) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func doUpdateHostsFile(n *network, sb *sandbox) bool {
|
||||||
|
return !n.ingress && n.Name() != libnGWNetwork
|
||||||
|
}
|
||||||
|
|
||||||
func (ep *endpoint) rename(name string) error {
|
func (ep *endpoint) rename(name string) error {
|
||||||
var err error
|
var err error
|
||||||
n := ep.getNetwork()
|
n := ep.getNetwork()
|
||||||
|
@ -783,7 +789,7 @@ func (ep *endpoint) Delete(force bool) error {
|
||||||
ep.releaseAddress()
|
ep.releaseAddress()
|
||||||
|
|
||||||
if err := n.getEpCnt().DecEndpointCnt(); err != nil {
|
if err := n.getEpCnt().DecEndpointCnt(); err != nil {
|
||||||
log.Warnf("failed to decrement endpoint coint for ep %s: %v", ep.ID(), err)
|
log.Warnf("failed to decrement endpoint count for ep %s: %v", ep.ID(), err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
@ -1125,3 +1131,20 @@ func (c *controller) cleanupLocalEndpoints() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (ep *endpoint) setAliasIP(sb *sandbox, ip net.IP, add bool) error {
|
||||||
|
sb.Lock()
|
||||||
|
sbox := sb.osSbox
|
||||||
|
sb.Unlock()
|
||||||
|
|
||||||
|
for _, i := range sbox.Info().Interfaces() {
|
||||||
|
if ep.hasInterface(i.SrcName()) {
|
||||||
|
ipNet := &net.IPNet{IP: ip, Mask: []byte{255, 255, 255, 255}}
|
||||||
|
if err := i.SetAliasIP(ipNet, add); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
@ -69,7 +69,7 @@ func (ii ErrInvalidID) Error() string {
|
||||||
func (ii ErrInvalidID) BadRequest() {}
|
func (ii ErrInvalidID) BadRequest() {}
|
||||||
|
|
||||||
// ErrInvalidName is returned when a query-by-name or resource create method is
|
// ErrInvalidName is returned when a query-by-name or resource create method is
|
||||||
// invoked with an empty name parameter
|
// invoked with an invalid name parameter
|
||||||
type ErrInvalidName string
|
type ErrInvalidName string
|
||||||
|
|
||||||
func (in ErrInvalidName) Error() string {
|
func (in ErrInvalidName) Error() string {
|
||||||
|
@ -107,7 +107,7 @@ func (nnr NetworkNameError) Error() string {
|
||||||
// Forbidden denotes the type of this error
|
// Forbidden denotes the type of this error
|
||||||
func (nnr NetworkNameError) Forbidden() {}
|
func (nnr NetworkNameError) Forbidden() {}
|
||||||
|
|
||||||
// UnknownNetworkError is returned when libnetwork could not find in it's database
|
// UnknownNetworkError is returned when libnetwork could not find in its database
|
||||||
// a network with the same name and id.
|
// a network with the same name and id.
|
||||||
type UnknownNetworkError struct {
|
type UnknownNetworkError struct {
|
||||||
name string
|
name string
|
||||||
|
@ -135,7 +135,7 @@ func (aee *ActiveEndpointsError) Error() string {
|
||||||
// Forbidden denotes the type of this error
|
// Forbidden denotes the type of this error
|
||||||
func (aee *ActiveEndpointsError) Forbidden() {}
|
func (aee *ActiveEndpointsError) Forbidden() {}
|
||||||
|
|
||||||
// UnknownEndpointError is returned when libnetwork could not find in it's database
|
// UnknownEndpointError is returned when libnetwork could not find in its database
|
||||||
// an endpoint with the same name and id.
|
// an endpoint with the same name and id.
|
||||||
type UnknownEndpointError struct {
|
type UnknownEndpointError struct {
|
||||||
name string
|
name string
|
||||||
|
|
|
@ -326,6 +326,21 @@ func (c *ChainInfo) Remove() error {
|
||||||
|
|
||||||
// Exists checks if a rule exists
|
// Exists checks if a rule exists
|
||||||
func Exists(table Table, chain string, rule ...string) bool {
|
func Exists(table Table, chain string, rule ...string) bool {
|
||||||
|
return exists(false, table, chain, rule...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ExistsNative behaves as Exists with the difference it
|
||||||
|
// will always invoke `iptables` binary.
|
||||||
|
func ExistsNative(table Table, chain string, rule ...string) bool {
|
||||||
|
return exists(true, table, chain, rule...)
|
||||||
|
}
|
||||||
|
|
||||||
|
func exists(native bool, table Table, chain string, rule ...string) bool {
|
||||||
|
f := Raw
|
||||||
|
if native {
|
||||||
|
f = raw
|
||||||
|
}
|
||||||
|
|
||||||
if string(table) == "" {
|
if string(table) == "" {
|
||||||
table = Filter
|
table = Filter
|
||||||
}
|
}
|
||||||
|
@ -334,7 +349,7 @@ func Exists(table Table, chain string, rule ...string) bool {
|
||||||
|
|
||||||
if supportsCOpt {
|
if supportsCOpt {
|
||||||
// if exit status is 0 then return true, the rule exists
|
// if exit status is 0 then return true, the rule exists
|
||||||
_, err := Raw(append([]string{"-t", string(table), "-C", chain}, rule...)...)
|
_, err := f(append([]string{"-t", string(table), "-C", chain}, rule...)...)
|
||||||
return err == nil
|
return err == nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -17,6 +17,7 @@ import (
|
||||||
"github.com/docker/libnetwork/ipamapi"
|
"github.com/docker/libnetwork/ipamapi"
|
||||||
"github.com/docker/libnetwork/netlabel"
|
"github.com/docker/libnetwork/netlabel"
|
||||||
"github.com/docker/libnetwork/netutils"
|
"github.com/docker/libnetwork/netutils"
|
||||||
|
"github.com/docker/libnetwork/networkdb"
|
||||||
"github.com/docker/libnetwork/options"
|
"github.com/docker/libnetwork/options"
|
||||||
"github.com/docker/libnetwork/types"
|
"github.com/docker/libnetwork/types"
|
||||||
)
|
)
|
||||||
|
@ -34,7 +35,7 @@ type Network interface {
|
||||||
Type() string
|
Type() string
|
||||||
|
|
||||||
// Create a new endpoint to this network symbolically identified by the
|
// Create a new endpoint to this network symbolically identified by the
|
||||||
// specified unique name. The options parameter carry driver specific options.
|
// specified unique name. The options parameter carries driver specific options.
|
||||||
CreateEndpoint(name string, options ...EndpointOption) (Endpoint, error)
|
CreateEndpoint(name string, options ...EndpointOption) (Endpoint, error)
|
||||||
|
|
||||||
// Delete the network.
|
// Delete the network.
|
||||||
|
@ -67,6 +68,11 @@ type NetworkInfo interface {
|
||||||
Labels() map[string]string
|
Labels() map[string]string
|
||||||
Dynamic() bool
|
Dynamic() bool
|
||||||
Created() time.Time
|
Created() time.Time
|
||||||
|
// Peers returns a slice of PeerInfo structures which has the information about the peer
|
||||||
|
// nodes participating in the same overlay network. This is currently the per-network
|
||||||
|
// gossip cluster. For non-dynamic overlay networks and bridge networks it returns an
|
||||||
|
// empty slice
|
||||||
|
Peers() []networkdb.PeerInfo
|
||||||
}
|
}
|
||||||
|
|
||||||
// EndpointWalker is a client provided function which will be used to walk the Endpoints.
|
// EndpointWalker is a client provided function which will be used to walk the Endpoints.
|
||||||
|
@ -848,8 +854,9 @@ func (n *network) addEndpoint(ep *endpoint) error {
|
||||||
|
|
||||||
func (n *network) CreateEndpoint(name string, options ...EndpointOption) (Endpoint, error) {
|
func (n *network) CreateEndpoint(name string, options ...EndpointOption) (Endpoint, error) {
|
||||||
var err error
|
var err error
|
||||||
if !config.IsValidName(name) {
|
|
||||||
return nil, ErrInvalidName(name)
|
if err = config.ValidateName(name); err != nil {
|
||||||
|
return nil, ErrInvalidName(err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, err = n.EndpointByName(name); err == nil {
|
if _, err = n.EndpointByName(name); err == nil {
|
||||||
|
@ -1459,6 +1466,24 @@ func (n *network) Info() NetworkInfo {
|
||||||
return n
|
return n
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (n *network) Peers() []networkdb.PeerInfo {
|
||||||
|
if !n.Dynamic() {
|
||||||
|
return []networkdb.PeerInfo{}
|
||||||
|
}
|
||||||
|
|
||||||
|
var nDB *networkdb.NetworkDB
|
||||||
|
n.ctrlr.Lock()
|
||||||
|
if n.ctrlr.agentInitDone == nil && n.ctrlr.agent != nil {
|
||||||
|
nDB = n.ctrlr.agent.networkDB
|
||||||
|
}
|
||||||
|
n.ctrlr.Unlock()
|
||||||
|
|
||||||
|
if nDB != nil {
|
||||||
|
return n.ctrlr.agent.networkDB.Peers(n.id)
|
||||||
|
}
|
||||||
|
return []networkdb.PeerInfo{}
|
||||||
|
}
|
||||||
|
|
||||||
func (n *network) DriverOptions() map[string]string {
|
func (n *network) DriverOptions() map[string]string {
|
||||||
n.Lock()
|
n.Lock()
|
||||||
defer n.Unlock()
|
defer n.Unlock()
|
||||||
|
|
|
@ -30,6 +30,10 @@ func (n *network) startResolver() {
|
||||||
options := n.Info().DriverOptions()
|
options := n.Info().DriverOptions()
|
||||||
hnsid := options[windows.HNSID]
|
hnsid := options[windows.HNSID]
|
||||||
|
|
||||||
|
if hnsid == "" {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
hnsresponse, err := hcsshim.HNSNetworkRequest("GET", hnsid, "")
|
hnsresponse, err := hcsshim.HNSNetworkRequest("GET", hnsid, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Resolver Setup/Start failed for container %s, %q", n.Name(), err)
|
log.Errorf("Resolver Setup/Start failed for container %s, %q", n.Name(), err)
|
||||||
|
|
|
@ -91,6 +91,12 @@ type NetworkDB struct {
|
||||||
keyring *memberlist.Keyring
|
keyring *memberlist.Keyring
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PeerInfo represents the peer (gossip cluster) nodes of a network
|
||||||
|
type PeerInfo struct {
|
||||||
|
Name string
|
||||||
|
IP string
|
||||||
|
}
|
||||||
|
|
||||||
type node struct {
|
type node struct {
|
||||||
memberlist.Node
|
memberlist.Node
|
||||||
ltime serf.LamportTime
|
ltime serf.LamportTime
|
||||||
|
@ -200,6 +206,20 @@ func (nDB *NetworkDB) Close() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Peers returns the gossip peers for a given network.
|
||||||
|
func (nDB *NetworkDB) Peers(nid string) []PeerInfo {
|
||||||
|
nDB.RLock()
|
||||||
|
defer nDB.RUnlock()
|
||||||
|
peers := make([]PeerInfo, 0, len(nDB.networkNodes[nid]))
|
||||||
|
for _, nodeName := range nDB.networkNodes[nid] {
|
||||||
|
peers = append(peers, PeerInfo{
|
||||||
|
Name: nDB.nodes[nodeName].Name,
|
||||||
|
IP: nDB.nodes[nodeName].Addr.String(),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
return peers
|
||||||
|
}
|
||||||
|
|
||||||
// GetEntry retrieves the value of a table entry in a given (network,
|
// GetEntry retrieves the value of a table entry in a given (network,
|
||||||
// table, key) tuple
|
// table, key) tuple
|
||||||
func (nDB *NetworkDB) GetEntry(tname, nid, key string) ([]byte, error) {
|
func (nDB *NetworkDB) GetEntry(tname, nid, key string) ([]byte, error) {
|
||||||
|
|
|
@ -26,7 +26,6 @@ type nwIface struct {
|
||||||
mac net.HardwareAddr
|
mac net.HardwareAddr
|
||||||
address *net.IPNet
|
address *net.IPNet
|
||||||
addressIPv6 *net.IPNet
|
addressIPv6 *net.IPNet
|
||||||
ipAliases []*net.IPNet
|
|
||||||
llAddrs []*net.IPNet
|
llAddrs []*net.IPNet
|
||||||
routes []*net.IPNet
|
routes []*net.IPNet
|
||||||
bridge bool
|
bridge bool
|
||||||
|
@ -97,13 +96,6 @@ func (i *nwIface) LinkLocalAddresses() []*net.IPNet {
|
||||||
return i.llAddrs
|
return i.llAddrs
|
||||||
}
|
}
|
||||||
|
|
||||||
func (i *nwIface) IPAliases() []*net.IPNet {
|
|
||||||
i.Lock()
|
|
||||||
defer i.Unlock()
|
|
||||||
|
|
||||||
return i.ipAliases
|
|
||||||
}
|
|
||||||
|
|
||||||
func (i *nwIface) Routes() []*net.IPNet {
|
func (i *nwIface) Routes() []*net.IPNet {
|
||||||
i.Lock()
|
i.Lock()
|
||||||
defer i.Unlock()
|
defer i.Unlock()
|
||||||
|
@ -130,6 +122,28 @@ func (n *networkNamespace) Interfaces() []Interface {
|
||||||
return ifaces
|
return ifaces
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (i *nwIface) SetAliasIP(ip *net.IPNet, add bool) error {
|
||||||
|
i.Lock()
|
||||||
|
n := i.ns
|
||||||
|
i.Unlock()
|
||||||
|
|
||||||
|
n.Lock()
|
||||||
|
nlh := n.nlHandle
|
||||||
|
n.Unlock()
|
||||||
|
|
||||||
|
// Find the network interface identified by the DstName attribute.
|
||||||
|
iface, err := nlh.LinkByName(i.DstName())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
ipAddr := &netlink.Addr{IPNet: ip, Label: ""}
|
||||||
|
if add {
|
||||||
|
return nlh.AddrAdd(iface, ipAddr)
|
||||||
|
}
|
||||||
|
return nlh.AddrDel(iface, ipAddr)
|
||||||
|
}
|
||||||
|
|
||||||
func (i *nwIface) Remove() error {
|
func (i *nwIface) Remove() error {
|
||||||
i.Lock()
|
i.Lock()
|
||||||
n := i.ns
|
n := i.ns
|
||||||
|
@ -333,7 +347,6 @@ func configureInterface(nlh *netlink.Handle, iface netlink.Link, i *nwIface) err
|
||||||
{setInterfaceIPv6, fmt.Sprintf("error setting interface %q IPv6 to %v", ifaceName, i.AddressIPv6())},
|
{setInterfaceIPv6, fmt.Sprintf("error setting interface %q IPv6 to %v", ifaceName, i.AddressIPv6())},
|
||||||
{setInterfaceMaster, fmt.Sprintf("error setting interface %q master to %q", ifaceName, i.DstMaster())},
|
{setInterfaceMaster, fmt.Sprintf("error setting interface %q master to %q", ifaceName, i.DstMaster())},
|
||||||
{setInterfaceLinkLocalIPs, fmt.Sprintf("error setting interface %q link local IPs to %v", ifaceName, i.LinkLocalAddresses())},
|
{setInterfaceLinkLocalIPs, fmt.Sprintf("error setting interface %q link local IPs to %v", ifaceName, i.LinkLocalAddresses())},
|
||||||
{setInterfaceIPAliases, fmt.Sprintf("error setting interface %q IP Aliases to %v", ifaceName, i.IPAliases())},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, config := range ifaceConfigurators {
|
for _, config := range ifaceConfigurators {
|
||||||
|
@ -387,16 +400,6 @@ func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *nwIfac
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func setInterfaceIPAliases(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
|
|
||||||
for _, si := range i.IPAliases() {
|
|
||||||
ipAddr := &netlink.Addr{IPNet: si}
|
|
||||||
if err := nlh.AddrAdd(iface, ipAddr); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func setInterfaceName(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
|
func setInterfaceName(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
|
||||||
return nlh.LinkSetName(iface, i.DstName())
|
return nlh.LinkSetName(iface, i.DstName())
|
||||||
}
|
}
|
||||||
|
|
|
@ -66,12 +66,6 @@ func (n *networkNamespace) LinkLocalAddresses(list []*net.IPNet) IfaceOption {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *networkNamespace) IPAliases(list []*net.IPNet) IfaceOption {
|
|
||||||
return func(i *nwIface) {
|
|
||||||
i.ipAliases = list
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (n *networkNamespace) Routes(routes []*net.IPNet) IfaceOption {
|
func (n *networkNamespace) Routes(routes []*net.IPNet) IfaceOption {
|
||||||
return func(i *nwIface) {
|
return func(i *nwIface) {
|
||||||
i.routes = routes
|
i.routes = routes
|
||||||
|
|
|
@ -91,9 +91,6 @@ type IfaceOptionSetter interface {
|
||||||
// LinkLocalAddresses returns an option setter to set the link-local IP addresses.
|
// LinkLocalAddresses returns an option setter to set the link-local IP addresses.
|
||||||
LinkLocalAddresses([]*net.IPNet) IfaceOption
|
LinkLocalAddresses([]*net.IPNet) IfaceOption
|
||||||
|
|
||||||
// IPAliases returns an option setter to set IP address Aliases
|
|
||||||
IPAliases([]*net.IPNet) IfaceOption
|
|
||||||
|
|
||||||
// Master returns an option setter to set the master interface if any for this
|
// Master returns an option setter to set the master interface if any for this
|
||||||
// interface. The master interface name should refer to the srcname of a
|
// interface. The master interface name should refer to the srcname of a
|
||||||
// previously added interface of type bridge.
|
// previously added interface of type bridge.
|
||||||
|
@ -150,9 +147,6 @@ type Interface interface {
|
||||||
// LinkLocalAddresses returns the link-local IP addresses assigned to the interface.
|
// LinkLocalAddresses returns the link-local IP addresses assigned to the interface.
|
||||||
LinkLocalAddresses() []*net.IPNet
|
LinkLocalAddresses() []*net.IPNet
|
||||||
|
|
||||||
// IPAliases returns the IP address aliases assigned to the interface.
|
|
||||||
IPAliases() []*net.IPNet
|
|
||||||
|
|
||||||
// IP routes for the interface.
|
// IP routes for the interface.
|
||||||
Routes() []*net.IPNet
|
Routes() []*net.IPNet
|
||||||
|
|
||||||
|
@ -166,6 +160,10 @@ type Interface interface {
|
||||||
// and moving it out of the sandbox.
|
// and moving it out of the sandbox.
|
||||||
Remove() error
|
Remove() error
|
||||||
|
|
||||||
|
// SetAliasIP adds or deletes the passed IP as an alias on the interface.
|
||||||
|
// ex: set the vip of services in the same network as secondary IP.
|
||||||
|
SetAliasIP(ip *net.IPNet, add bool) error
|
||||||
|
|
||||||
// Statistics returns the statistics for this interface
|
// Statistics returns the statistics for this interface
|
||||||
Statistics() (*types.InterfaceStatistics, error)
|
Statistics() (*types.InterfaceStatistics, error)
|
||||||
}
|
}
|
||||||
|
|
|
@ -123,10 +123,10 @@ func FilterResolvDNS(resolvConf []byte, ipv6Enabled bool) (*File, error) {
|
||||||
// if the resulting resolvConf has no more nameservers defined, add appropriate
|
// if the resulting resolvConf has no more nameservers defined, add appropriate
|
||||||
// default DNS servers for IPv4 and (optionally) IPv6
|
// default DNS servers for IPv4 and (optionally) IPv6
|
||||||
if len(GetNameservers(cleanedResolvConf, types.IP)) == 0 {
|
if len(GetNameservers(cleanedResolvConf, types.IP)) == 0 {
|
||||||
logrus.Infof("No non-localhost DNS nameservers are left in resolv.conf. Using default external servers : %v", defaultIPv4Dns)
|
logrus.Infof("No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: %v", defaultIPv4Dns)
|
||||||
dns := defaultIPv4Dns
|
dns := defaultIPv4Dns
|
||||||
if ipv6Enabled {
|
if ipv6Enabled {
|
||||||
logrus.Infof("IPv6 enabled; Adding default IPv6 external servers : %v", defaultIPv6Dns)
|
logrus.Infof("IPv6 enabled; Adding default IPv6 external servers: %v", defaultIPv6Dns)
|
||||||
dns = append(dns, defaultIPv6Dns...)
|
dns = append(dns, defaultIPv6Dns...)
|
||||||
}
|
}
|
||||||
cleanedResolvConf = append(cleanedResolvConf, []byte("\n"+strings.Join(dns, "\n"))...)
|
cleanedResolvConf = append(cleanedResolvConf, []byte("\n"+strings.Join(dns, "\n"))...)
|
||||||
|
|
|
@ -725,10 +725,6 @@ func (sb *sandbox) restoreOslSandbox() error {
|
||||||
if len(i.llAddrs) != 0 {
|
if len(i.llAddrs) != 0 {
|
||||||
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().LinkLocalAddresses(i.llAddrs))
|
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().LinkLocalAddresses(i.llAddrs))
|
||||||
}
|
}
|
||||||
if len(ep.virtualIP) != 0 {
|
|
||||||
vipAlias := &net.IPNet{IP: ep.virtualIP, Mask: net.CIDRMask(32, 32)}
|
|
||||||
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().IPAliases([]*net.IPNet{vipAlias}))
|
|
||||||
}
|
|
||||||
Ifaces[fmt.Sprintf("%s+%s", i.srcName, i.dstPrefix)] = ifaceOptions
|
Ifaces[fmt.Sprintf("%s+%s", i.srcName, i.dstPrefix)] = ifaceOptions
|
||||||
if joinInfo != nil {
|
if joinInfo != nil {
|
||||||
for _, r := range joinInfo.StaticRoutes {
|
for _, r := range joinInfo.StaticRoutes {
|
||||||
|
@ -782,10 +778,6 @@ func (sb *sandbox) populateNetworkResources(ep *endpoint) error {
|
||||||
if len(i.llAddrs) != 0 {
|
if len(i.llAddrs) != 0 {
|
||||||
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().LinkLocalAddresses(i.llAddrs))
|
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().LinkLocalAddresses(i.llAddrs))
|
||||||
}
|
}
|
||||||
if len(ep.virtualIP) != 0 {
|
|
||||||
vipAlias := &net.IPNet{IP: ep.virtualIP, Mask: net.CIDRMask(32, 32)}
|
|
||||||
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().IPAliases([]*net.IPNet{vipAlias}))
|
|
||||||
}
|
|
||||||
if i.mac != nil {
|
if i.mac != nil {
|
||||||
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().MacAddress(i.mac))
|
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().MacAddress(i.mac))
|
||||||
}
|
}
|
||||||
|
|
|
@ -317,6 +317,14 @@ func (sb *sandbox) populateLoadbalancers(ep *endpoint) {
|
||||||
for _, ip := range lb.backEnds {
|
for _, ip := range lb.backEnds {
|
||||||
sb.addLBBackend(ip, lb.vip, lb.fwMark, lb.service.ingressPorts,
|
sb.addLBBackend(ip, lb.vip, lb.fwMark, lb.service.ingressPorts,
|
||||||
eIP, gwIP, addService, n.ingress)
|
eIP, gwIP, addService, n.ingress)
|
||||||
|
// For a new service program the vip as an alias on the task's sandbox interface
|
||||||
|
// connected to this network.
|
||||||
|
if !addService {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if err := ep.setAliasIP(sb, lb.vip, true); err != nil {
|
||||||
|
logrus.Errorf("Adding Service VIP %v to ep %v(%v) failed: %v", lb.vip, ep.ID(), ep.Name(), err)
|
||||||
|
}
|
||||||
addService = false
|
addService = false
|
||||||
}
|
}
|
||||||
lb.service.Unlock()
|
lb.service.Unlock()
|
||||||
|
@ -340,8 +348,16 @@ func (n *network) addLBBackend(ip, vip net.IP, fwMark uint32, ingressPorts []*Po
|
||||||
}
|
}
|
||||||
|
|
||||||
sb.addLBBackend(ip, vip, fwMark, ingressPorts, ep.Iface().Address(), gwIP, addService, n.ingress)
|
sb.addLBBackend(ip, vip, fwMark, ingressPorts, ep.Iface().Address(), gwIP, addService, n.ingress)
|
||||||
}
|
|
||||||
|
|
||||||
|
// For a new service program the vip as an alias on the task's sandbox interface
|
||||||
|
// connected to this network.
|
||||||
|
if !addService {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if err := ep.setAliasIP(sb, vip, true); err != nil {
|
||||||
|
logrus.Errorf("Adding Service VIP %v to ep %v(%v) failed: %v", vip, ep.ID(), ep.Name(), err)
|
||||||
|
}
|
||||||
|
}
|
||||||
return false
|
return false
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -363,8 +379,16 @@ func (n *network) rmLBBackend(ip, vip net.IP, fwMark uint32, ingressPorts []*Por
|
||||||
}
|
}
|
||||||
|
|
||||||
sb.rmLBBackend(ip, vip, fwMark, ingressPorts, ep.Iface().Address(), gwIP, rmService, n.ingress)
|
sb.rmLBBackend(ip, vip, fwMark, ingressPorts, ep.Iface().Address(), gwIP, rmService, n.ingress)
|
||||||
}
|
|
||||||
|
|
||||||
|
// If the service is being remove its vip alias on on the task's sandbox interface
|
||||||
|
// has to be removed as well.
|
||||||
|
if !rmService {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if err := ep.setAliasIP(sb, vip, false); err != nil {
|
||||||
|
logrus.Errorf("Removing Service VIP %v from ep %v(%v) failed: %v", vip, ep.ID(), ep.Name(), err)
|
||||||
|
}
|
||||||
|
}
|
||||||
return false
|
return false
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -935,6 +959,14 @@ func redirecter() {
|
||||||
rule := strings.Fields(fmt.Sprintf("-t nat -A PREROUTING -d %s -p %s --dport %d -j REDIRECT --to-port %d",
|
rule := strings.Fields(fmt.Sprintf("-t nat -A PREROUTING -d %s -p %s --dport %d -j REDIRECT --to-port %d",
|
||||||
eIP.String(), strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort, iPort.TargetPort))
|
eIP.String(), strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort, iPort.TargetPort))
|
||||||
rules = append(rules, rule)
|
rules = append(rules, rule)
|
||||||
|
// Allow only incoming connections to exposed ports
|
||||||
|
iRule := strings.Fields(fmt.Sprintf("-I INPUT -d %s -p %s --dport %d -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
|
||||||
|
eIP.String(), strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.TargetPort))
|
||||||
|
rules = append(rules, iRule)
|
||||||
|
// Allow only outgoing connections from exposed ports
|
||||||
|
oRule := strings.Fields(fmt.Sprintf("-I OUTPUT -s %s -p %s --sport %d -m conntrack --ctstate ESTABLISHED -j ACCEPT",
|
||||||
|
eIP.String(), strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.TargetPort))
|
||||||
|
rules = append(rules, oRule)
|
||||||
}
|
}
|
||||||
|
|
||||||
ns, err := netns.GetFromPath(os.Args[1])
|
ns, err := netns.GetFromPath(os.Args[1])
|
||||||
|
@ -952,7 +984,31 @@ func redirecter() {
|
||||||
for _, rule := range rules {
|
for _, rule := range rules {
|
||||||
if err := iptables.RawCombinedOutputNative(rule...); err != nil {
|
if err := iptables.RawCombinedOutputNative(rule...); err != nil {
|
||||||
logrus.Errorf("setting up rule failed, %v: %v", rule, err)
|
logrus.Errorf("setting up rule failed, %v: %v", rule, err)
|
||||||
os.Exit(5)
|
os.Exit(6)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(ingressPorts) == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Ensure blocking rules for anything else in/to ingress network
|
||||||
|
for _, rule := range [][]string{
|
||||||
|
{"-d", eIP.String(), "-p", "udp", "-j", "DROP"},
|
||||||
|
{"-d", eIP.String(), "-p", "tcp", "-j", "DROP"},
|
||||||
|
} {
|
||||||
|
if !iptables.ExistsNative(iptables.Filter, "INPUT", rule...) {
|
||||||
|
if err := iptables.RawCombinedOutputNative(append([]string{"-A", "INPUT"}, rule...)...); err != nil {
|
||||||
|
logrus.Errorf("setting up rule failed, %v: %v", rule, err)
|
||||||
|
os.Exit(7)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
rule[0] = "-s"
|
||||||
|
if !iptables.ExistsNative(iptables.Filter, "OUTPUT", rule...) {
|
||||||
|
if err := iptables.RawCombinedOutputNative(append([]string{"-A", "OUTPUT"}, rule...)...); err != nil {
|
||||||
|
logrus.Errorf("setting up rule failed, %v: %v", rule, err)
|
||||||
|
os.Exit(8)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue