also updates libnetwork to d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23
full diff:
https://github.com/docker/libnetwork/compare/3eb39382bfa6a3c42f83674ab080ae13b0e34e5d...d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23
- docker/libnetwork#2482 [19.03 backport] Shorten controller ID in exec-root to not hit UNIX_PATH_MAX
- docker/libnetwork#2483 [19.03 backport] Fix panic in drivers/overlay/encryption.go
Signed-off-by: Grant Millar <rid@cylo.io>
(cherry picked from commit df7b8f458aec29400c76b8dc87b3ce087d3fa76c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
| ... | ... |
@@ -10,6 +10,7 @@ import ( |
| 10 | 10 |
|
| 11 | 11 |
"github.com/docker/docker/daemon/config" |
| 12 | 12 |
"github.com/docker/docker/pkg/idtools" |
| 13 |
+ "github.com/docker/docker/pkg/stringid" |
|
| 13 | 14 |
"github.com/docker/libnetwork" |
| 14 | 15 |
"github.com/moby/buildkit/executor" |
| 15 | 16 |
"github.com/moby/buildkit/executor/oci" |
| ... | ... |
@@ -100,11 +101,12 @@ func (iface *lnInterface) Set(s *specs.Spec) {
|
| 100 | 100 |
logrus.WithError(iface.err).Error("failed to set networking spec")
|
| 101 | 101 |
return |
| 102 | 102 |
} |
| 103 |
+ shortNetCtlrID := stringid.TruncateID(iface.provider.NetworkController.ID()) |
|
| 103 | 104 |
// attach netns to bridge within the container namespace, using reexec in a prestart hook |
| 104 | 105 |
s.Hooks = &specs.Hooks{
|
| 105 | 106 |
Prestart: []specs.Hook{{
|
| 106 | 107 |
Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
|
| 107 |
- Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},
|
|
| 108 |
+ Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), shortNetCtlrID},
|
|
| 108 | 109 |
}}, |
| 109 | 110 |
} |
| 110 | 111 |
} |
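Review bot: The socket name passed to libnetwork-setkey is now re-derived in the daemon as `stringid.TruncateID(<controller ID>)`, here and again in WithLibnetwork, and it must stay byte-for-byte in step with how startExternalKeyListener names its socket; any drift between the two repositories fails at container prestart with a dial error rather than at build time. A one-line why-comment at the new `shortNetCtlrID` line would make that coupling visible to the next maintainer: `// libnetwork listens on <exec-root>/libnetwork/<truncated controller ID>.sock; the truncation must match startExternalKeyListener`. Longer term it seems preferable for libnetwork to expose the truncated ID (or the socket path) through one helper so the daemon does not compute it independently in two places. The Set method starts above this hunk.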
| ... | ... |
@@ -20,6 +20,7 @@ import ( |
| 20 | 20 |
"github.com/docker/docker/oci/caps" |
| 21 | 21 |
"github.com/docker/docker/pkg/idtools" |
| 22 | 22 |
"github.com/docker/docker/pkg/mount" |
| 23 |
+ "github.com/docker/docker/pkg/stringid" |
|
| 23 | 24 |
"github.com/docker/docker/rootless/specconv" |
| 24 | 25 |
volumemounts "github.com/docker/docker/volume/mounts" |
| 25 | 26 |
"github.com/opencontainers/runc/libcontainer/apparmor" |
| ... | ... |
@@ -66,13 +67,14 @@ func WithLibnetwork(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
| 66 | 66 |
for _, ns := range s.Linux.Namespaces {
|
| 67 | 67 |
if ns.Type == "network" && ns.Path == "" && !c.Config.NetworkDisabled {
|
| 68 | 68 |
target := filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe")
|
| 69 |
+ shortNetCtlrID := stringid.TruncateID(daemon.netController.ID()) |
|
| 69 | 70 |
s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
|
| 70 | 71 |
Path: target, |
| 71 | 72 |
Args: []string{
|
| 72 | 73 |
"libnetwork-setkey", |
| 73 | 74 |
"-exec-root=" + daemon.configStore.GetExecRoot(), |
| 74 | 75 |
c.ID, |
| 75 |
- daemon.netController.ID(), |
|
| 76 |
+ shortNetCtlrID, |
|
| 76 | 77 |
}, |
| 77 | 78 |
}) |
| 78 | 79 |
} |
| ... | ... |
@@ -3,7 +3,7 @@ |
| 3 | 3 |
# LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When |
| 4 | 4 |
# updating the binary version, consider updating github.com/docker/libnetwork |
| 5 | 5 |
# in vendor.conf accordingly |
| 6 |
-LIBNETWORK_COMMIT=3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch |
|
| 6 |
+LIBNETWORK_COMMIT=d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23 # bump_19.03 branch |
|
| 7 | 7 |
|
| 8 | 8 |
install_proxy() {
|
| 9 | 9 |
case "$1" in |
| ... | ... |
@@ -38,7 +38,7 @@ github.com/gofrs/flock 7f43ea2e6a643ad441fc12d0ecc0 |
| 38 | 38 |
# libnetwork |
| 39 | 39 |
|
| 40 | 40 |
# When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly |
| 41 |
-github.com/docker/libnetwork 3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch |
|
| 41 |
+github.com/docker/libnetwork d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23 # bump_19.03 branch |
|
| 42 | 42 |
github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 |
| 43 | 43 |
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 |
| 44 | 44 |
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec |
| ... | ... |
@@ -184,6 +184,16 @@ func (c *controller) handleKeyChange(keys []*types.EncryptionKey) error {
|
| 184 | 184 |
err := driver.DiscoverNew(discoverapi.EncryptionKeysUpdate, drvEnc) |
| 185 | 185 |
if err != nil {
|
| 186 | 186 |
logrus.Warnf("Failed to update datapath keys in driver %s: %v", name, err)
|
| 187 |
+ // Attempt to reconfigure keys in case of a update failure |
|
| 188 |
+ // which can arise due to a mismatch of keys |
|
| 189 |
+ // if worker nodes get temporarily disconnected |
|
| 190 |
+ logrus.Warnf("Reconfiguring datapath keys for %s", name)
|
|
| 191 |
+ drvCfgEnc := discoverapi.DriverEncryptionConfig{}
|
|
| 192 |
+ drvCfgEnc.Keys, drvCfgEnc.Tags = c.getKeys(subsysIPSec) |
|
| 193 |
+ err = driver.DiscoverNew(discoverapi.EncryptionKeysConfig, drvCfgEnc) |
|
| 194 |
+ if err != nil {
|
|
| 195 |
+ logrus.Warnf("Failed to reset datapath keys in driver %s: %v", name, err)
|
|
| 196 |
+ } |
|
| 187 | 197 |
} |
| 188 | 198 |
return false |
| 189 | 199 |
}) |
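Review bot: The new retry runs on every DiscoverNew error, not only on the key-mismatch case the comment describes, and when the EncryptionKeysConfig reset also fails the outcome goes only to the log: the closure still returns false and the walk continues with that driver's datapath keys in an unknown state. If the caller of handleKeyChange cannot learn about this, that should be stated explicitly, e.g. `// Best effort: a failed reset is only logged; the driver may keep stale keys until the next key rotation`, or the failure should be collected into an error the enclosing function returns. The comment wording would also read better as `// Attempt to reconfigure keys in case of an update failure`. The enclosing function and the driver-walk closure begin and end outside this hunk, so I cannot see what handleKeyChange finally returns.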
| ... | ... |
@@ -12,6 +12,7 @@ import ( |
| 12 | 12 |
"os" |
| 13 | 13 |
"path/filepath" |
| 14 | 14 |
|
| 15 |
+ "github.com/docker/docker/pkg/stringid" |
|
| 15 | 16 |
"github.com/docker/libnetwork/types" |
| 16 | 17 |
"github.com/opencontainers/runtime-spec/specs-go" |
| 17 | 18 |
"github.com/sirupsen/logrus" |
| ... | ... |
@@ -24,7 +25,7 @@ const ( |
| 24 | 24 |
) |
| 25 | 25 |
|
| 26 | 26 |
// processSetKeyReexec is a private function that must be called only on an reexec path |
| 27 |
-// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <controller-id> }
|
|
| 27 |
+// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <short-controller-id> }
|
|
| 28 | 28 |
// It also expects specs.State as a json string in <stdin> |
| 29 | 29 |
// Refer to https://github.com/opencontainers/runc/pull/160/ for more information |
| 30 | 30 |
// The docker exec-root can be specified as "-exec-root" flag. The default value is "/run/docker". |
| ... | ... |
@@ -41,14 +42,14 @@ func processSetKeyReexec() {
|
| 41 | 41 |
execRoot := flag.String("exec-root", defaultExecRoot, "docker exec root")
|
| 42 | 42 |
flag.Parse() |
| 43 | 43 |
|
| 44 |
- // expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<controller-id> }
|
|
| 44 |
+ // expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<short-controller-id> }
|
|
| 45 | 45 |
// (i.e. expecting 2 flag.Args()) |
| 46 | 46 |
args := flag.Args() |
| 47 | 47 |
if len(args) < 2 {
|
| 48 | 48 |
err = fmt.Errorf("Re-exec expects 2 args (after parsing flags), received : %d", len(args))
|
| 49 | 49 |
return |
| 50 | 50 |
} |
| 51 |
- containerID, controllerID := args[0], args[1] |
|
| 51 |
+ containerID, shortCtlrID := args[0], args[1] |
|
| 52 | 52 |
|
| 53 | 53 |
// We expect specs.State as a json string in <stdin> |
| 54 | 54 |
stateBuf, err := ioutil.ReadAll(os.Stdin) |
| ... | ... |
@@ -60,16 +61,16 @@ func processSetKeyReexec() {
|
| 60 | 60 |
return |
| 61 | 61 |
} |
| 62 | 62 |
|
| 63 |
- err = SetExternalKey(controllerID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
|
|
| 63 |
+ err = SetExternalKey(shortCtlrID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
|
|
| 64 | 64 |
} |
| 65 | 65 |
|
| 66 | 66 |
// SetExternalKey provides a convenient way to set an External key to a sandbox |
| 67 |
-func SetExternalKey(controllerID string, containerID string, key string, execRoot string) error {
|
|
| 67 |
+func SetExternalKey(shortCtlrID string, containerID string, key string, execRoot string) error {
|
|
| 68 | 68 |
keyData := setKeyData{
|
| 69 | 69 |
ContainerID: containerID, |
| 70 | 70 |
Key: key} |
| 71 | 71 |
|
| 72 |
- uds := filepath.Join(execRoot, execSubdir, controllerID+".sock") |
|
| 72 |
+ uds := filepath.Join(execRoot, execSubdir, shortCtlrID+".sock") |
|
| 73 | 73 |
c, err := net.Dial("unix", uds)
|
| 74 | 74 |
if err != nil {
|
| 75 | 75 |
return err |
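Review bot: SetExternalKey is exported and now expects an already-truncated controller ID, but neither its doc comment nor the code enforces that; a caller that passes the full ID gets an ENOENT from net.Dial that does not hint at the real cause. Since the `stringid` import appears to have been added to this file in the hunk above, the cheapest fix is to truncate locally so the function accepts either form, `uds := filepath.Join(execRoot, execSubdir, stringid.TruncateID(shortCtlrID)+".sock")`; otherwise the doc comment should say `// shortCtlrID must be the controller ID as returned by stringid.TruncateID, matching the socket created by startExternalKeyListener`. SetExternalKey continues beyond the end of this hunk.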
| ... | ... |
@@ -120,7 +121,8 @@ func (c *controller) startExternalKeyListener() error {
|
| 120 | 120 |
if err := os.MkdirAll(udsBase, 0600); err != nil {
|
| 121 | 121 |
return err |
| 122 | 122 |
} |
| 123 |
- uds := filepath.Join(udsBase, c.id+".sock") |
|
| 123 |
+ shortCtlrID := stringid.TruncateID(c.id) |
|
| 124 |
+ uds := filepath.Join(udsBase, shortCtlrID+".sock") |
|
| 124 | 125 |
l, err := net.Listen("unix", uds)
|
| 125 | 126 |
if err != nil {
|
| 126 | 127 |
return err |
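Review bot: The reason for truncating the controller ID is only in the commit message, so the new `shortCtlrID` line should carry it in code: `// Truncate so the socket path stays below UNIX_PATH_MAX (sun_path is 108 bytes on Linux); the daemon side must derive the same short ID`. The truncation also trades uniqueness for length, which is fine while one controller owns udsBase but worth a sentence so nobody later shares an exec-root across controllers. startExternalKeyListener continues past this hunk.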