New Commit: fcf1c3b5e57833aaaa756ae3c4140ea54da00319
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
| ... | ... |
@@ -10,7 +10,7 @@ RUNC_COMMIT=b2567b37d7b75eb4cf325b77297b140ea686ce8f |
| 10 | 10 |
# fixes or new APIs. |
| 11 | 11 |
CONTAINERD_COMMIT=89623f28b87a6004d4b785663257362d1658a729 # v1.0.0 |
| 12 | 12 |
TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574 |
| 13 |
-LIBNETWORK_COMMIT=7b2b1feb1de4817d522cc372af149ff48d25028e |
|
| 13 |
+LIBNETWORK_COMMIT=fcf1c3b5e57833aaaa756ae3c4140ea54da00319 |
|
| 14 | 14 |
VNDR_COMMIT=a6e196d8b4b0cbbdc29aebdb20c59ac6926bb384 |
| 15 | 15 |
|
| 16 | 16 |
# Linting |
| ... | ... |
@@ -31,7 +31,7 @@ github.com/moby/buildkit aaff9d591ef128560018433fe61beb802e149de8 |
| 31 | 31 |
github.com/tonistiigi/fsutil dea3a0da73aee887fc02142d995be764106ac5e2 |
| 32 | 32 |
|
| 33 | 33 |
#get libnetwork packages |
| 34 |
-github.com/docker/libnetwork 315a076a4e9ded2abc950318c71d5f1637547977 |
|
| 34 |
+github.com/docker/libnetwork fcf1c3b5e57833aaaa756ae3c4140ea54da00319 |
|
| 35 | 35 |
github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 |
| 36 | 36 |
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 |
| 37 | 37 |
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec |
| ... | ... |
@@ -711,7 +711,7 @@ func (n *network) initSandbox(restore bool) error {
|
| 711 | 711 |
n.setNetlinkSocket(nlSock) |
| 712 | 712 |
|
| 713 | 713 |
if err == nil {
|
| 714 |
- go n.watchMiss(nlSock) |
|
| 714 |
+ go n.watchMiss(nlSock, key) |
|
| 715 | 715 |
} else {
|
| 716 | 716 |
logrus.Errorf("failed to subscribe to neighbor group netlink messages for overlay network %s in sbox %s: %v",
|
| 717 | 717 |
n.id, sbox.Key(), err) |
| ... | ... |
@@ -720,7 +720,23 @@ func (n *network) initSandbox(restore bool) error {
|
| 720 | 720 |
return nil |
| 721 | 721 |
} |
| 722 | 722 |
|
| 723 |
-func (n *network) watchMiss(nlSock *nl.NetlinkSocket) {
|
|
| 723 |
+func (n *network) watchMiss(nlSock *nl.NetlinkSocket, nsPath string) {
|
|
| 724 |
+ // With the new version of the netlink library the deserialize function makes |
|
| 725 |
+ // requests about the interface of the netlink message. This can succeed only |
|
| 726 |
+ // if this go routine is in the target namespace. For this reason following we |
|
| 727 |
+ // lock the thread on that namespace |
|
| 728 |
+ runtime.LockOSThread() |
|
| 729 |
+ defer runtime.UnlockOSThread() |
|
| 730 |
+ newNs, err := netns.GetFromPath(nsPath) |
|
| 731 |
+ if err != nil {
|
|
| 732 |
+ logrus.WithError(err).Errorf("failed to get the namespace %s", nsPath)
|
|
| 733 |
+ return |
|
| 734 |
+ } |
|
| 735 |
+ defer newNs.Close() |
|
| 736 |
+ if err = netns.Set(newNs); err != nil {
|
|
| 737 |
+ logrus.WithError(err).Errorf("failed to enter the namespace %s", nsPath)
|
|
| 738 |
+ return |
|
| 739 |
+ } |
|
| 724 | 740 |
for {
|
| 725 | 741 |
msgs, err := nlSock.Receive() |
| 726 | 742 |
if err != nil {
|
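Review bot: After `netns.Set(newNs)` the thread's network namespace is never restored, so the deferred `runtime.UnlockOSThread()` hands a thread that is still inside the sandbox namespace back to the scheduler, where unrelated goroutines can later run in the wrong namespace. Capture the starting namespace with `netns.Get()` before switching and restore it with a deferred `netns.Set(origNs)` (closing both handles), or drop the `UnlockOSThread` so the runtime discards the locked thread when the goroutine exits (Go 1.10+ behaviour). The early-return paths before the switch are unaffected since they unlock without ever having changed namespace. watchMiss's receive loop continues outside the hunk, so I can't see whether the loop itself ever returns normally.
```go
func (n *network) watchMiss(nlSock *nl.NetlinkSocket, nsPath string) {
	// … unchanged: comment explaining why the thread is locked …
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()
	// Remember the namespace this thread started in so it can be put back
	// before the thread is returned to the scheduler.
	origNs, err := netns.Get()
	if err != nil {
		logrus.WithError(err).Error("failed to get the current namespace")
		return
	}
	defer origNs.Close()
	defer func() {
		if err := netns.Set(origNs); err != nil {
			logrus.WithError(err).Error("failed to restore the original namespace")
		}
	}()
	newNs, err := netns.GetFromPath(nsPath)
	// … unchanged: GetFromPath error handling, newNs.Close, netns.Set(newNs), receive loop …
```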
| ... | ... |
@@ -7,6 +7,17 @@ import ( |
| 7 | 7 |
|
| 8 | 8 |
const userChain = "DOCKER-USER" |
| 9 | 9 |
|
| 10 |
+func (c *controller) arrangeUserFilterRule() {
|
|
| 11 |
+ c.Lock() |
|
| 12 |
+ arrangeUserFilterRule() |
|
| 13 |
+ c.Unlock() |
|
| 14 |
+ iptables.OnReloaded(func() {
|
|
| 15 |
+ c.Lock() |
|
| 16 |
+ arrangeUserFilterRule() |
|
| 17 |
+ c.Unlock() |
|
| 18 |
+ }) |
|
| 19 |
+} |
|
| 20 |
+ |
|
| 10 | 21 |
// This chain allow users to configure firewall policies in a way that persists |
| 11 | 22 |
// docker operations/restarts. Docker will not delete or modify any pre-existing |
| 12 | 23 |
// rules from the DOCKER-USER filter chain. |
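Review bot: The new method on controller has no doc comment and shares its name with the package-level `arrangeUserFilterRule` it calls, so the unqualified call inside the method reads like recursion at first glance; a comment such as `// arrangeUserFilterRule runs the package-level arrangeUserFilterRule under the controller lock and registers it to run again, also under the lock, whenever iptables is reloaded.` would make the two-name situation explicit. The controller lock is held while the iptables helper runs; if `iptables.OnReloaded` can invoke its callback from a path that already holds that lock, the callback would deadlock, which I cannot tell from the hunk and is worth confirming against OnReloaded's call sites.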