diff --git a/libnetwork/agent.go b/libnetwork/agent.go
index d33d00fa5d..7b68fd7c06 100644
--- a/libnetwork/agent.go
+++ b/libnetwork/agent.go
@@ -164,82 +164,6 @@ func (c *controller) handleKeyChange(keys []*types.EncryptionKey) error {
 	return nil
 }
-func (c *controller) handleKeyChangeV1(keys []*types.EncryptionKey) error {
-	drvEnc := discoverapi.DriverEncryptionUpdate{}
-
-	// Find the new key and add it to the key ring
-	a := c.agent
-	for _, key := range keys {
-		same := false
-		for _, cKey := range c.keys {
-			if same = cKey.LamportTime == key.LamportTime; same {
-				break
-			}
-		}
-		if !same {
-			c.keys = append(c.keys, key)
-			if key.Subsystem == subsysGossip {
-				a.networkDB.SetKey(key.Key)
-			}
-			if key.Subsystem == subsysGossip /*subsysIPSec*/ {
-				drvEnc.Key = key.Key
-				drvEnc.Tag = key.LamportTime
-			}
-			break
-		}
-	}
-	// Find the deleted key. If the deleted key was the primary key,
-	// a new primary key should be set before removing if from keyring.
-	deleted := []byte{}
-	for i, cKey := range c.keys {
-		same := false
-		for _, key := range keys {
-			if same = key.LamportTime == cKey.LamportTime; same {
-				break
-			}
-		}
-		if !same {
-			if cKey.Subsystem == subsysGossip {
-				deleted = cKey.Key
-			}
-			if cKey.Subsystem == subsysGossip /*subsysIPSec*/ {
-				drvEnc.Prune = cKey.Key
-				drvEnc.PruneTag = cKey.LamportTime
-			}
-			c.keys = append(c.keys[:i], c.keys[i+1:]...)
-			break
-		}
-	}
-
-	sort.Sort(ByTime(c.keys))
-	for _, key := range c.keys {
-		if key.Subsystem == subsysGossip {
-			a.networkDB.SetPrimaryKey(key.Key)
-			break
-		}
-	}
-	for _, key := range c.keys {
-		if key.Subsystem == subsysGossip /*subsysIPSec*/ {
-			drvEnc.Primary = key.Key
-			drvEnc.PrimaryTag = key.LamportTime
-			break
-		}
-	}
-	if len(deleted) > 0 {
-		a.networkDB.RemoveKey(deleted)
-	}
-
-	c.drvRegistry.WalkDrivers(func(name string, driver driverapi.Driver, capability driverapi.Capability) bool {
-		err := driver.DiscoverNew(discoverapi.EncryptionKeysUpdate, drvEnc)
-		if err != nil {
-			logrus.Warnf("Failed to update datapath keys in driver %s: %v", name, err)
-		}
-		return false
-	})
-
-	return nil
-}
-
 func (c *controller) agentSetup() error {
 	clusterProvider := c.cfg.Daemon.ClusterProvider
@@ -287,9 +211,6 @@ func (c *controller) getKeys(subsys string) ([][]byte, []uint64) {
 		}
 	}
-	if len(keys) < keyringSize {
-		return keys, tags
-	}
 	keys[0], keys[1] = keys[1], keys[0]
 	tags[0], tags[1] = tags[1], tags[0]
 	return keys, tags
@@ -305,9 +226,6 @@ func (c *controller) getPrimaryKeyTag(subsys string) ([]byte, uint64, error) {
 			keys = append(keys, key)
 		}
 	}
-	if len(keys) < 2 {
-		return nil, 0, fmt.Errorf("primary key for subsystem %s not found", subsys)
-	}
 	return keys[1].Key, keys[1].LamportTime, nil
 }
diff --git a/libnetwork/controller.go b/libnetwork/controller.go
index 912f7da941..382e64cdfb 100644
--- a/libnetwork/controller.go
+++ b/libnetwork/controller.go
@@ -250,6 +250,21 @@ func (c *controller) SetKeys(keys []*types.EncryptionKey) error {
 	clusterConfigAvailable := c.clusterConfigAvailable
 	agent := c.agent
 	c.Unlock()
+
+	subsysKeys := make(map[string]int)
+	for _, key := range keys {
+		if key.Subsystem != subsysGossip &&
+			key.Subsystem != subsysIPSec {
+			return fmt.Errorf("key received for unrecognized subsystem")
+		}
+		subsysKeys[key.Subsystem]++
+	}
+	for s, count := range subsysKeys {
+		if count != keyringSize {
+			return fmt.Errorf("incorrect number of keys for susbsystem %v", s)
+		}
+	}
+
 	if len(existingKeys) == 0 {
 		c.Lock()
 		c.keys = keys
@@ -269,9 +284,6 @@ func (c *controller) SetKeys(keys []*types.EncryptionKey) error {
 		c.Unlock()
 		return nil
 	}
-	if len(keys) < keyringSize {
-		return c.handleKeyChangeV1(keys)
-	}
 	return c.handleKeyChange(keys)
 }
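Review bot: The validation added to SetKeys counts keys only for the subsystems that actually appear in `keys`, so an empty slice, or one carrying gossip keys but no IPSec keys (or the reverse), still passes, while the same commit drops the `len(keys) < keyringSize` and `len(keys) < 2` guards from getKeys and getPrimaryKeyTag in agent.go, which would then index `keys[0]`/`keys[1]` out of range if either getter is called for the absent subsystem. If every caller is expected to deliver both keyrings, a presence check after the counting loop closes the gap, `if len(subsysKeys) != 2 { return fmt.Errorf("keys for both %s and %s subsystems are required", subsysGossip, subsysIPSec) }`; if a single-subsystem update is legitimate, the removed guards in getKeys and getPrimaryKeyTag should stay. Two smaller points on the same lines: the second error message misspells "susbsystem", and the first would be more useful naming the offending value, `fmt.Errorf("key received for unrecognized subsystem %q", key.Subsystem)`. SetKeys begins before the hunk and the rest of its body sits in the following hunk.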