diff --git a/vendor.conf b/vendor.conf
index 648532cdb8..862242b1b4 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -131,7 +131,7 @@ github.com/containerd/ttrpc f02858b1457c5ca3aaec3a0803eb0d59f96e41d6
 github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
 # cluster
-github.com/docker/swarmkit 415dc72789e2b733ea884f09188c286ca187d8ec
+github.com/docker/swarmkit 18e7e58ea1a5ec016625a636d0d52500eea123bc
 github.com/gogo/protobuf v1.2.0
 github.com/cloudflare/cfssl 1.3.2
 github.com/fernet/fernet-go 1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2
diff --git a/vendor/github.com/docker/swarmkit/manager/controlapi/node.go b/vendor/github.com/docker/swarmkit/manager/controlapi/node.go
index 68a759fc02..5308b7419e 100644
--- a/vendor/github.com/docker/swarmkit/manager/controlapi/node.go
+++ b/vendor/github.com/docker/swarmkit/manager/controlapi/node.go
@@ -254,25 +254,23 @@ func (s *Server) UpdateNode(ctx context.Context, request *api.UpdateNodeRequest)
 }, nil
 }
-func removeNodeAttachments(tx store.Tx, nodeID string) error {
- // orphan the node's attached containers. if we don't do this, the
- // network these attachments are connected to will never be removeable
+func orphanNodeTasks(tx store.Tx, nodeID string) error {
+ // when a node is deleted, all of its tasks are irrecoverably removed.
+ // additionally, the Dispatcher can no longer be relied on to update the
+ // task status. Therefore, when the node is removed, we must additionally
+ // move all of its assigned tasks to the Orphaned state, so that their
+ // resources can be cleaned up.
 tasks, err := store.FindTasks(tx, store.ByNodeID(nodeID))
 if err != nil {
 return err
 }
 for _, task := range tasks {
- // if the task is an attachment, then we just delete it. the allocator
- // will do the heavy lifting. basically, GetAttachment will return the
- // attachment if that's the kind of runtime, or nil if it's not.
- if task.Spec.GetAttachment() != nil {
- // don't delete the task. instead, update it to `ORPHANED` so that
- // the taskreaper will clean it up.
- task.Status.State = api.TaskStateOrphaned
- if err := store.UpdateTask(tx, task); err != nil {
- return err
- }
+ task.Status = api.TaskStatus{
+ Timestamp: gogotypes.TimestampNow(),
+ State: api.TaskStateOrphaned,
+ Message: "Task belonged to a node that has been deleted",
 }
+ store.UpdateTask(tx, task)
 }
 return nil
 }
@@ -342,7 +340,7 @@ func (s *Server) RemoveNode(ctx context.Context, request *api.RemoveNodeRequest)
 return err
 }
- if err := removeNodeAttachments(tx, request.NodeID); err != nil {
+ if err := orphanNodeTasks(tx, request.NodeID); err != nil {
 return err
 }
diff --git a/vendor/github.com/docker/swarmkit/manager/controlapi/service.go b/vendor/github.com/docker/swarmkit/manager/controlapi/service.go
index a3ee2c7a4a..8296821beb 100644
--- a/vendor/github.com/docker/swarmkit/manager/controlapi/service.go
+++ b/vendor/github.com/docker/swarmkit/manager/controlapi/service.go
@@ -392,6 +392,21 @@ func validateConfigRefsSpec(spec api.TaskSpec) error {
 return nil
 }
+ // check if we're using a config as a CredentialSpec -- if so, we need to
+ // verify
+ var (
+ credSpecConfig string
+ credSpecConfigFound bool
+ )
+ if p := container.Privileges; p != nil {
+ if cs := p.CredentialSpec; cs != nil {
+ // if there is no config in the credspec, then this will just be
+ // assigned to emptystring anyway, so we don't need to check
+ // existence.
+ credSpecConfig = cs.GetConfig()
+ }
+ }
+
 // Keep a map to track all the targets that will be exposed
 // The string returned is only used for logging. It could as well be struct{}{}
 existingTargets := make(map[string]string)
@@ -421,6 +436,20 @@ func validateConfigRefsSpec(spec api.TaskSpec) error {
 existingTargets[fileName] = configRef.ConfigName
 }
+
+ if configRef.GetRuntime() != nil {
+ if configRef.ConfigID == credSpecConfig {
+ credSpecConfigFound = true
+ }
+ }
+ }
+
+ if credSpecConfig != "" && !credSpecConfigFound {
+ return status.Errorf(
+ codes.InvalidArgument,
+ "CredentialSpec references config '%s', but that config isn't in config references with RuntimeTarget",
+ credSpecConfig,
+ )
 }
 return nil