diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go index 4aee34cf30..d684b9f6e2 100644 --- a/builder/builder-next/executor_unix.go +++ b/builder/builder-next/executor_unix.go @@ -10,6 +10,7 @@ import ( "github.com/docker/docker/daemon/config" "github.com/docker/docker/pkg/idtools" + "github.com/docker/docker/pkg/stringid" "github.com/docker/libnetwork" "github.com/moby/buildkit/executor" "github.com/moby/buildkit/executor/oci" @@ -100,11 +101,12 @@ func (iface *lnInterface) Set(s *specs.Spec) { logrus.WithError(iface.err).Error("failed to set networking spec") return } + shortNetCtlrID := stringid.TruncateID(iface.provider.NetworkController.ID()) // attach netns to bridge within the container namespace, using reexec in a prestart hook s.Hooks = &specs.Hooks{ Prestart: []specs.Hook{{ Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"), - Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()}, + Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), shortNetCtlrID}, }}, } } diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go index ddb4192060..2577dca99a 100644 --- a/daemon/oci_linux.go +++ b/daemon/oci_linux.go @@ -20,6 +20,7 @@ import ( "github.com/docker/docker/oci/caps" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/mount" + "github.com/docker/docker/pkg/stringid" "github.com/docker/docker/rootless/specconv" volumemounts "github.com/docker/docker/volume/mounts" "github.com/opencontainers/runc/libcontainer/apparmor" @@ -66,13 +67,14 @@ func WithLibnetwork(daemon *Daemon, c *container.Container) coci.SpecOpts { for _, ns := range s.Linux.Namespaces { if ns.Type == "network" && ns.Path == "" && !c.Config.NetworkDisabled { target := filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe") + shortNetCtlrID := stringid.TruncateID(daemon.netController.ID()) s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ Path: target, Args: []string{ "libnetwork-setkey", "-exec-root=" + daemon.configStore.GetExecRoot(), c.ID, - daemon.netController.ID(), + shortNetCtlrID, }, }) } diff --git a/hack/dockerfile/install/proxy.installer b/hack/dockerfile/install/proxy.installer index 26bf89a674..920bed4bdd 100755 --- a/hack/dockerfile/install/proxy.installer +++ b/hack/dockerfile/install/proxy.installer @@ -3,7 +3,7 @@ # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When # updating the binary version, consider updating github.com/docker/libnetwork # in vendor.conf accordingly -LIBNETWORK_COMMIT=3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch +LIBNETWORK_COMMIT=d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23 # bump_19.03 branch install_proxy() { case "$1" in diff --git a/vendor.conf b/vendor.conf index 3bb2cc43d1..1b4e23694b 100644 --- a/vendor.conf +++ b/vendor.conf @@ -38,7 +38,7 @@ github.com/gofrs/flock 7f43ea2e6a643ad441fc12d0ecc0 # libnetwork # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly -github.com/docker/libnetwork 3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch +github.com/docker/libnetwork d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23 # bump_19.03 branch github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec diff --git a/vendor/github.com/docker/libnetwork/agent.go b/vendor/github.com/docker/libnetwork/agent.go index f7d57e23a2..fa6ec525b6 100644 --- a/vendor/github.com/docker/libnetwork/agent.go +++ b/vendor/github.com/docker/libnetwork/agent.go @@ -184,6 +184,16 @@ func (c *controller) handleKeyChange(keys []*types.EncryptionKey) error { err := driver.DiscoverNew(discoverapi.EncryptionKeysUpdate, drvEnc) if err != nil { logrus.Warnf("Failed to update datapath keys in driver %s: %v", name, err) + // Attempt to reconfigure keys in case of a update failure + // which can arise due to a mismatch of keys + // if worker nodes get temporarily disconnected + logrus.Warnf("Reconfiguring datapath keys for %s", name) + drvCfgEnc := discoverapi.DriverEncryptionConfig{} + drvCfgEnc.Keys, drvCfgEnc.Tags = c.getKeys(subsysIPSec) + err = driver.DiscoverNew(discoverapi.EncryptionKeysConfig, drvCfgEnc) + if err != nil { + logrus.Warnf("Failed to reset datapath keys in driver %s: %v", name, err) + } } return false }) diff --git a/vendor/github.com/docker/libnetwork/drivers/overlay/overlay.go b/vendor/github.com/docker/libnetwork/drivers/overlay/overlay.go index 1ec1e0070b..6f83e6de06 100644 --- a/vendor/github.com/docker/libnetwork/drivers/overlay/overlay.go +++ b/vendor/github.com/docker/libnetwork/drivers/overlay/overlay.go @@ -378,7 +378,7 @@ func (d *driver) DiscoverNew(dType discoverapi.DiscoveryType, data interface{}) } } if err := d.updateKeys(newKey, priKey, delKey); err != nil { - logrus.Warn(err) + return err } default: } diff --git a/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go b/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go index 5006583c5b..d0f60deda7 100644 --- a/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go +++ b/vendor/github.com/docker/libnetwork/sandbox_externalkey_unix.go @@ -12,6 +12,7 @@ import ( "os" "path/filepath" + "github.com/docker/docker/pkg/stringid" "github.com/docker/libnetwork/types" "github.com/opencontainers/runtime-spec/specs-go" "github.com/sirupsen/logrus" @@ -24,7 +25,7 @@ const ( ) // processSetKeyReexec is a private function that must be called only on an reexec path -// It expects 3 args { [0] = "libnetwork-setkey", [1] = , [2] = } +// It expects 3 args { [0] = "libnetwork-setkey", [1] = , [2] = } // It also expects specs.State as a json string in // Refer to https://github.com/opencontainers/runc/pull/160/ for more information // The docker exec-root can be specified as "-exec-root" flag. The default value is "/run/docker". @@ -41,14 +42,14 @@ func processSetKeyReexec() { execRoot := flag.String("exec-root", defaultExecRoot, "docker exec root") flag.Parse() - // expecting 3 os.Args {[0]="libnetwork-setkey", [1]=, [2]= } + // expecting 3 os.Args {[0]="libnetwork-setkey", [1]=, [2]= } // (i.e. expecting 2 flag.Args()) args := flag.Args() if len(args) < 2 { err = fmt.Errorf("Re-exec expects 2 args (after parsing flags), received : %d", len(args)) return } - containerID, controllerID := args[0], args[1] + containerID, shortCtlrID := args[0], args[1] // We expect specs.State as a json string in stateBuf, err := ioutil.ReadAll(os.Stdin) @@ -60,16 +61,16 @@ func processSetKeyReexec() { return } - err = SetExternalKey(controllerID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot) + err = SetExternalKey(shortCtlrID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot) } // SetExternalKey provides a convenient way to set an External key to a sandbox -func SetExternalKey(controllerID string, containerID string, key string, execRoot string) error { +func SetExternalKey(shortCtlrID string, containerID string, key string, execRoot string) error { keyData := setKeyData{ ContainerID: containerID, Key: key} - uds := filepath.Join(execRoot, execSubdir, controllerID+".sock") + uds := filepath.Join(execRoot, execSubdir, shortCtlrID+".sock") c, err := net.Dial("unix", uds) if err != nil { return err @@ -120,7 +121,8 @@ func (c *controller) startExternalKeyListener() error { if err := os.MkdirAll(udsBase, 0600); err != nil { return err } - uds := filepath.Join(udsBase, c.id+".sock") + shortCtlrID := stringid.TruncateID(c.id) + uds := filepath.Join(udsBase, shortCtlrID+".sock") l, err := net.Listen("unix", uds) if err != nil { return err