package daemon // import "github.com/docker/docker/daemon" import ( "context" "errors" "fmt" "net" "sort" "strconv" "strings" "sync" "github.com/containerd/log" "github.com/docker/docker/api/types/backend" containertypes "github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/events" "github.com/docker/docker/api/types/filters" networktypes "github.com/docker/docker/api/types/network" "github.com/docker/docker/container" clustertypes "github.com/docker/docker/daemon/cluster/provider" "github.com/docker/docker/daemon/config" "github.com/docker/docker/daemon/network" "github.com/docker/docker/errdefs" "github.com/docker/docker/internal/otelutil" "github.com/docker/docker/libnetwork" lncluster "github.com/docker/docker/libnetwork/cluster" "github.com/docker/docker/libnetwork/driverapi" "github.com/docker/docker/libnetwork/ipamapi" "github.com/docker/docker/libnetwork/netlabel" "github.com/docker/docker/libnetwork/networkdb" "github.com/docker/docker/libnetwork/options" lntypes "github.com/docker/docker/libnetwork/types" "github.com/docker/docker/opts" "github.com/docker/docker/pkg/plugingetter" "github.com/docker/go-connections/nat" "go.opentelemetry.io/otel/baggage" ) // PredefinedNetworkError is returned when user tries to create predefined network that already exists. type PredefinedNetworkError string func (pnr PredefinedNetworkError) Error() string { return fmt.Sprintf("operation is not permitted on predefined %s network ", string(pnr)) } // Forbidden denotes the type of this error func (pnr PredefinedNetworkError) Forbidden() {} // NetworkController returns the network controller created by the daemon. func (daemon *Daemon) NetworkController() *libnetwork.Controller { return daemon.netController } // FindNetwork returns a network based on: // 1. Full ID // 2. Full Name // 3. Partial ID // as long as there is no ambiguity func (daemon *Daemon) FindNetwork(term string) (*libnetwork.Network, error) { var listByFullName, listByPartialID []*libnetwork.Network for _, nw := range daemon.getAllNetworks() { nwID := nw.ID() if nwID == term { return nw, nil } if strings.HasPrefix(nw.ID(), term) { listByPartialID = append(listByPartialID, nw) } if nw.Name() == term { listByFullName = append(listByFullName, nw) } } switch { case len(listByFullName) == 1: return listByFullName[0], nil case len(listByFullName) > 1: return nil, errdefs.InvalidParameter(fmt.Errorf("network %s is ambiguous (%d matches found on name)", term, len(listByFullName))) case len(listByPartialID) == 1: return listByPartialID[0], nil case len(listByPartialID) > 1: return nil, errdefs.InvalidParameter(fmt.Errorf("network %s is ambiguous (%d matches found based on ID prefix)", term, len(listByPartialID))) } // Be very careful to change the error type here, the // libnetwork.ErrNoSuchNetwork error is used by the controller // to retry the creation of the network as managed through the swarm manager return nil, errdefs.NotFound(libnetwork.ErrNoSuchNetwork(term)) } // GetNetworkByID function returns a network whose ID matches the given ID. // It fails with an error if no matching network is found. func (daemon *Daemon) GetNetworkByID(id string) (*libnetwork.Network, error) { c := daemon.netController if c == nil { return nil, fmt.Errorf("netcontroller is nil: %w", libnetwork.ErrNoSuchNetwork(id)) } return c.NetworkByID(id) } // GetNetworkByName function returns a network for a given network name. // If no network name is given, the default network is returned. func (daemon *Daemon) GetNetworkByName(name string) (*libnetwork.Network, error) { c := daemon.netController if c == nil { return nil, libnetwork.ErrNoSuchNetwork(name) } if name == "" { name = c.Config().DefaultNetwork } return c.NetworkByName(name) } // GetNetworksByIDPrefix returns a list of networks whose ID partially matches zero or more networks func (daemon *Daemon) GetNetworksByIDPrefix(partialID string) []*libnetwork.Network { c := daemon.netController if c == nil { return nil } list := []*libnetwork.Network{} l := func(nw *libnetwork.Network) bool { if strings.HasPrefix(nw.ID(), partialID) { list = append(list, nw) } return false } c.WalkNetworks(l) return list } // getAllNetworks returns a list containing all networks func (daemon *Daemon) getAllNetworks() []*libnetwork.Network { c := daemon.netController if c == nil { return nil } ctx := context.TODO() return c.Networks(ctx) } type ingressJob struct { create *clustertypes.NetworkCreateRequest ip net.IP jobDone chan struct{} } var ( ingressWorkerOnce sync.Once ingressJobsChannel chan *ingressJob ingressID string ) func (daemon *Daemon) startIngressWorker() { ingressJobsChannel = make(chan *ingressJob, 100) go func() { for r := range ingressJobsChannel { if r.create != nil { daemon.setupIngress(&daemon.config().Config, r.create, r.ip, ingressID) ingressID = r.create.ID } else { daemon.releaseIngress(ingressID) ingressID = "" } close(r.jobDone) } }() } // enqueueIngressJob adds a ingress add/rm request to the worker queue. // It guarantees the worker is started. func (daemon *Daemon) enqueueIngressJob(job *ingressJob) { ingressWorkerOnce.Do(daemon.startIngressWorker) ingressJobsChannel <- job } // SetupIngress setups ingress networking. // The function returns a channel which will signal the caller when the programming is completed. func (daemon *Daemon) SetupIngress(create clustertypes.NetworkCreateRequest, nodeIP string) (<-chan struct{}, error) { ip, _, err := net.ParseCIDR(nodeIP) if err != nil { return nil, err } done := make(chan struct{}) daemon.enqueueIngressJob(&ingressJob{&create, ip, done}) return done, nil } // ReleaseIngress releases the ingress networking. // The function returns a channel which will signal the caller when the programming is completed. func (daemon *Daemon) ReleaseIngress() (<-chan struct{}, error) { done := make(chan struct{}) daemon.enqueueIngressJob(&ingressJob{nil, nil, done}) return done, nil } func (daemon *Daemon) setupIngress(cfg *config.Config, create *clustertypes.NetworkCreateRequest, ip net.IP, staleID string) { controller := daemon.netController controller.AgentInitWait() if staleID != "" && staleID != create.ID { daemon.releaseIngress(staleID) } ctx := baggage.ContextWithBaggage(context.TODO(), otelutil.MustNewBaggage( otelutil.MustNewMemberRaw(otelutil.TriggerKey, "daemon.setupIngress"), )) if _, err := daemon.createNetwork(ctx, cfg, create.CreateRequest, create.ID, true); err != nil { // If it is any other error other than already // exists error log error and return. if _, ok := err.(libnetwork.NetworkNameError); !ok { log.G(ctx).Errorf("Failed creating ingress network: %v", err) return } // Otherwise continue down the call to create or recreate sandbox. } _, err := daemon.GetNetworkByID(create.ID) if err != nil { log.G(context.TODO()).Errorf("Failed getting ingress network by id after creating: %v", err) } } func (daemon *Daemon) releaseIngress(id string) { controller := daemon.netController if id == "" { return } n, err := controller.NetworkByID(id) if err != nil { log.G(context.TODO()).Errorf("failed to retrieve ingress network %s: %v", id, err) return } if err := n.Delete(libnetwork.NetworkDeleteOptionRemoveLB); err != nil { log.G(context.TODO()).Errorf("Failed to delete ingress network %s: %v", n.ID(), err) return } } // SetNetworkBootstrapKeys sets the bootstrap keys. func (daemon *Daemon) SetNetworkBootstrapKeys(keys []*lntypes.EncryptionKey) error { if err := daemon.netController.SetKeys(keys); err != nil { return err } // Upon successful key setting dispatch the keys available event daemon.cluster.SendClusterEvent(lncluster.EventNetworkKeysAvailable) return nil } // UpdateAttachment notifies the attacher about the attachment config. func (daemon *Daemon) UpdateAttachment(networkName, networkID, containerID string, config *networktypes.NetworkingConfig) error { if daemon.clusterProvider == nil { return fmt.Errorf("cluster provider is not initialized") } if err := daemon.clusterProvider.UpdateAttachment(networkName, containerID, config); err != nil { return daemon.clusterProvider.UpdateAttachment(networkID, containerID, config) } return nil } // WaitForDetachment makes the cluster manager wait for detachment of // the container from the network. func (daemon *Daemon) WaitForDetachment(ctx context.Context, networkName, networkID, taskID, containerID string) error { if daemon.clusterProvider == nil { return fmt.Errorf("cluster provider is not initialized") } return daemon.clusterProvider.WaitForDetachment(ctx, networkName, networkID, taskID, containerID) } // CreateManagedNetwork creates an agent network. func (daemon *Daemon) CreateManagedNetwork(create clustertypes.NetworkCreateRequest) error { _, err := daemon.createNetwork(context.TODO(), &daemon.config().Config, create.CreateRequest, create.ID, true) return err } // CreateNetwork creates a network with the given name, driver and other optional parameters func (daemon *Daemon) CreateNetwork(ctx context.Context, create networktypes.CreateRequest) (*networktypes.CreateResponse, error) { return daemon.createNetwork(ctx, &daemon.config().Config, create, "", false) } func (daemon *Daemon) createNetwork(ctx context.Context, cfg *config.Config, create networktypes.CreateRequest, id string, agent bool) (*networktypes.CreateResponse, error) { if network.IsPredefined(create.Name) { return nil, PredefinedNetworkError(create.Name) } c := daemon.netController driver := create.Driver if driver == "" { driver = c.Config().DefaultDriver } if driver == "overlay" && !daemon.cluster.IsManager() && !agent { return nil, errdefs.Forbidden(errors.New(`This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again.`)) } networkOptions := make(map[string]string) for k, v := range create.Options { networkOptions[k] = v } if defaultOpts, ok := cfg.DefaultNetworkOpts[driver]; create.ConfigFrom == nil && ok { for k, v := range defaultOpts { if _, ok := networkOptions[k]; !ok { log.G(ctx).WithFields(log.Fields{"driver": driver, "network": id, k: v}).Debug("Applying network default option") networkOptions[k] = v } } } enableIPv4 := true if create.EnableIPv4 != nil { enableIPv4 = *create.EnableIPv4 // Make sure there's no conflicting DefaultNetworkOpts value (it'd be ignored but // would look wrong in inspect output). delete(networkOptions, netlabel.EnableIPv4) } else if v, ok := networkOptions[netlabel.EnableIPv4]; ok { var err error if enableIPv4, err = strconv.ParseBool(v); err != nil { return nil, errdefs.InvalidParameter(fmt.Errorf("driver-opt %q is not a valid bool", netlabel.EnableIPv4)) } } var enableIPv6 bool if create.EnableIPv6 != nil { enableIPv6 = *create.EnableIPv6 // Make sure there's no conflicting DefaultNetworkOpts value (it'd be ignored but // would look wrong in inspect output). delete(networkOptions, netlabel.EnableIPv6) } else if v, ok := networkOptions[netlabel.EnableIPv6]; ok { var err error if enableIPv6, err = strconv.ParseBool(v); err != nil { return nil, errdefs.InvalidParameter(fmt.Errorf("driver-opt %q is not a valid bool", netlabel.EnableIPv6)) } } nwOptions := []libnetwork.NetworkOption{ libnetwork.NetworkOptionEnableIPv4(enableIPv4), libnetwork.NetworkOptionEnableIPv6(enableIPv6), libnetwork.NetworkOptionDriverOpts(networkOptions), libnetwork.NetworkOptionLabels(create.Labels), libnetwork.NetworkOptionAttachable(create.Attachable), libnetwork.NetworkOptionIngress(create.Ingress), libnetwork.NetworkOptionScope(create.Scope), } if create.ConfigOnly { nwOptions = append(nwOptions, libnetwork.NetworkOptionConfigOnly()) } if err := networktypes.ValidateIPAM(create.IPAM, enableIPv6); err != nil { if agent { // This function is called with agent=false for all networks. For swarm-scoped // networks, the configuration is validated but ManagerRedirectError is returned // and the network is not created. Then, each time a swarm-scoped network is // needed, this function is called again with agent=true. // // Non-swarm networks created before ValidateIPAM was introduced continue to work // as they did before-upgrade, even if they would fail the new checks on creation // (for example, by having host-bits set in their subnet). Those networks are not // seen again here. // // By dropping errors for agent networks, existing swarm-scoped networks also // continue to behave as they did before upgrade - but new networks are still // validated. log.G(ctx).WithFields(log.Fields{ "error": err, "network": create.Name, }).Warn("Continuing with validation errors in agent IPAM") } else { return nil, errdefs.InvalidParameter(err) } } if create.IPAM != nil { ipam := create.IPAM v4Conf, v6Conf, err := getIpamConfig(ipam.Config) if err != nil { return nil, err } nwOptions = append(nwOptions, libnetwork.NetworkOptionIpam(ipam.Driver, "", v4Conf, v6Conf, ipam.Options)) } if create.Internal { nwOptions = append(nwOptions, libnetwork.NetworkOptionInternalNetwork()) } if agent { nwOptions = append(nwOptions, libnetwork.NetworkOptionDynamic()) nwOptions = append(nwOptions, libnetwork.NetworkOptionPersist(false)) } if create.ConfigFrom != nil { nwOptions = append(nwOptions, libnetwork.NetworkOptionConfigFrom(create.ConfigFrom.Network)) } if agent && driver == "overlay" { nodeIP, exists := daemon.GetAttachmentStore().GetIPForNetwork(id) if !exists { return nil, fmt.Errorf("failed to find a load balancer IP to use for network: %v", id) } nwOptions = append(nwOptions, libnetwork.NetworkOptionLBEndpoint(nodeIP)) } n, err := c.NewNetwork(ctx, driver, create.Name, id, nwOptions...) if err != nil { return nil, err } daemon.pluginRefCount(driver, driverapi.NetworkPluginEndpointType, plugingetter.Acquire) if create.IPAM != nil { daemon.pluginRefCount(create.IPAM.Driver, ipamapi.PluginEndpointType, plugingetter.Acquire) } daemon.LogNetworkEvent(n, events.ActionCreate) return &networktypes.CreateResponse{ID: n.ID()}, nil } func (daemon *Daemon) pluginRefCount(driver, capability string, mode int) { var builtinDrivers []string switch capability { case driverapi.NetworkPluginEndpointType: builtinDrivers = daemon.netController.BuiltinDrivers() case ipamapi.PluginEndpointType: builtinDrivers = daemon.netController.BuiltinIPAMDrivers() default: // other capabilities can be ignored for now } for _, d := range builtinDrivers { if d == driver { return } } if daemon.PluginStore != nil { _, err := daemon.PluginStore.Get(driver, capability, mode) if err != nil { log.G(context.TODO()).WithError(err).WithFields(log.Fields{"mode": mode, "driver": driver}).Error("Error handling plugin refcount operation") } } } func getIpamConfig(data []networktypes.IPAMConfig) ([]*libnetwork.IpamConf, []*libnetwork.IpamConf, error) { ipamV4Cfg := []*libnetwork.IpamConf{} ipamV6Cfg := []*libnetwork.IpamConf{} for _, d := range data { iCfg := libnetwork.IpamConf{} iCfg.PreferredPool = d.Subnet iCfg.SubPool = d.IPRange iCfg.Gateway = d.Gateway iCfg.AuxAddresses = d.AuxAddress ip, _, err := net.ParseCIDR(d.Subnet) if err != nil { return nil, nil, fmt.Errorf("Invalid subnet %s : %v", d.Subnet, err) } if ip.To4() != nil { ipamV4Cfg = append(ipamV4Cfg, &iCfg) } else { ipamV6Cfg = append(ipamV6Cfg, &iCfg) } } return ipamV4Cfg, ipamV6Cfg, nil } // UpdateContainerServiceConfig updates a service configuration. func (daemon *Daemon) UpdateContainerServiceConfig(containerName string, serviceConfig *clustertypes.ServiceConfig) error { ctr, err := daemon.GetContainer(containerName) if err != nil { return err } ctr.NetworkSettings.Service = serviceConfig return nil } // ConnectContainerToNetwork connects the given container to the given // network. If either cannot be found, an err is returned. If the // network cannot be set up, an err is returned. func (daemon *Daemon) ConnectContainerToNetwork(ctx context.Context, containerName, networkName string, endpointConfig *networktypes.EndpointSettings) error { ctr, err := daemon.GetContainer(containerName) if err != nil { return err } return daemon.ConnectToNetwork(ctx, ctr, networkName, endpointConfig) } // DisconnectContainerFromNetwork disconnects the given container from // the given network. If either cannot be found, an err is returned. func (daemon *Daemon) DisconnectContainerFromNetwork(containerName string, networkName string, force bool) error { ctr, err := daemon.GetContainer(containerName) if err != nil { if force { return daemon.ForceEndpointDelete(containerName, networkName) } return err } return daemon.DisconnectFromNetwork(context.TODO(), ctr, networkName, force) } // GetNetworkDriverList returns the list of plugins drivers // registered for network. func (daemon *Daemon) GetNetworkDriverList(ctx context.Context) []string { if daemon.netController == nil { return nil } pluginList := daemon.netController.BuiltinDrivers() managedPlugins := daemon.PluginStore.GetAllManagedPluginsByCap(driverapi.NetworkPluginEndpointType) for _, plugin := range managedPlugins { pluginList = append(pluginList, plugin.Name()) } pluginMap := make(map[string]bool) for _, plugin := range pluginList { pluginMap[plugin] = true } networks := daemon.netController.Networks(ctx) for _, nw := range networks { if !pluginMap[nw.Type()] { pluginList = append(pluginList, nw.Type()) pluginMap[nw.Type()] = true } } sort.Strings(pluginList) return pluginList } // DeleteManagedNetwork deletes an agent network. // The requirement of networkID is enforced. func (daemon *Daemon) DeleteManagedNetwork(networkID string) error { n, err := daemon.GetNetworkByID(networkID) if err != nil { return err } return daemon.deleteNetwork(n, true) } // DeleteNetwork destroys a network unless it's one of docker's predefined networks. func (daemon *Daemon) DeleteNetwork(networkID string) error { n, err := daemon.GetNetworkByID(networkID) if err != nil { return fmt.Errorf("could not find network by ID: %w", err) } return daemon.deleteNetwork(n, false) } func (daemon *Daemon) deleteNetwork(nw *libnetwork.Network, dynamic bool) error { if network.IsPredefined(nw.Name()) && !dynamic { err := fmt.Errorf("%s is a pre-defined network and cannot be removed", nw.Name()) return errdefs.Forbidden(err) } if dynamic && !nw.Dynamic() { if network.IsPredefined(nw.Name()) { // Predefined networks now support swarm services. Make this // a no-op when cluster requests to remove the predefined network. return nil } err := fmt.Errorf("%s is not a dynamic network", nw.Name()) return errdefs.Forbidden(err) } if err := nw.Delete(); err != nil { return fmt.Errorf("error while removing network: %w", err) } // If this is not a configuration only network, we need to // update the corresponding remote drivers' reference counts if !nw.ConfigOnly() { daemon.pluginRefCount(nw.Type(), driverapi.NetworkPluginEndpointType, plugingetter.Release) ipamType, _, _, _ := nw.IpamConfig() daemon.pluginRefCount(ipamType, ipamapi.PluginEndpointType, plugingetter.Release) daemon.LogNetworkEvent(nw, events.ActionDestroy) } return nil } // GetNetworks returns a list of all networks func (daemon *Daemon) GetNetworks(filter filters.Args, config backend.NetworkListConfig) ([]networktypes.Inspect, error) { var idx map[string]*libnetwork.Network if config.Detailed { idx = make(map[string]*libnetwork.Network) } allNetworks := daemon.getAllNetworks() networks := make([]networktypes.Inspect, 0, len(allNetworks)) for _, n := range allNetworks { nr := buildNetworkResource(n) networks = append(networks, nr) if config.Detailed { idx[nr.ID] = n } } var err error networks, err = network.FilterNetworks(networks, filter) if err != nil { return nil, err } if config.Detailed { for i, nw := range networks { networks[i].Containers = buildContainerAttachments(idx[nw.ID]) if config.Verbose { networks[i].Services = buildServiceAttachments(idx[nw.ID]) } } } return networks, nil } // buildNetworkResource builds a [types.NetworkResource] from the given // [libnetwork.Network], to be returned by the API. func buildNetworkResource(nw *libnetwork.Network) networktypes.Inspect { if nw == nil { return networktypes.Inspect{} } return networktypes.Inspect{ Name: nw.Name(), ID: nw.ID(), Created: nw.Created(), Scope: nw.Scope(), Driver: nw.Type(), EnableIPv4: nw.IPv4Enabled(), EnableIPv6: nw.IPv6Enabled(), IPAM: buildIPAMResources(nw), Internal: nw.Internal(), Attachable: nw.Attachable(), Ingress: nw.Ingress(), ConfigFrom: networktypes.ConfigReference{Network: nw.ConfigFrom()}, ConfigOnly: nw.ConfigOnly(), Containers: map[string]networktypes.EndpointResource{}, Options: nw.DriverOptions(), Labels: nw.Labels(), Peers: buildPeerInfoResources(nw.Peers()), } } // buildContainerAttachments creates a [types.EndpointResource] map of all // containers attached to the network. It is used when listing networks in // detailed mode. func buildContainerAttachments(nw *libnetwork.Network) map[string]networktypes.EndpointResource { containers := make(map[string]networktypes.EndpointResource) for _, e := range nw.Endpoints() { ei := e.Info() if ei == nil { continue } if sb := ei.Sandbox(); sb != nil { containers[sb.ContainerID()] = buildEndpointResource(e, ei) } else { containers["ep-"+e.ID()] = buildEndpointResource(e, ei) } } return containers } // buildServiceAttachments creates a [network.ServiceInfo] map of all services // attached to the network. It is used when listing networks in "verbose" mode. func buildServiceAttachments(nw *libnetwork.Network) map[string]networktypes.ServiceInfo { services := make(map[string]networktypes.ServiceInfo) for name, service := range nw.Services() { tasks := make([]networktypes.Task, 0, len(service.Tasks)) for _, t := range service.Tasks { tasks = append(tasks, networktypes.Task{ Name: t.Name, EndpointID: t.EndpointID, EndpointIP: t.EndpointIP, Info: t.Info, }) } services[name] = networktypes.ServiceInfo{ VIP: service.VIP, Ports: service.Ports, Tasks: tasks, LocalLBIndex: service.LocalLBIndex, } } return services } // buildPeerInfoResources converts a list of [networkdb.PeerInfo] to a // [network.PeerInfo] for inclusion in API responses. It returns nil if // the list of peers is empty. func buildPeerInfoResources(peers []networkdb.PeerInfo) []networktypes.PeerInfo { if len(peers) == 0 { return nil } peerInfo := make([]networktypes.PeerInfo, 0, len(peers)) for _, peer := range peers { peerInfo = append(peerInfo, networktypes.PeerInfo(peer)) } return peerInfo } // buildIPAMResources constructs a [network.IPAM] from the network's // IPAM information for inclusion in API responses. func buildIPAMResources(nw *libnetwork.Network) networktypes.IPAM { var ipamConfig []networktypes.IPAMConfig ipamDriver, ipamOptions, ipv4Conf, ipv6Conf := nw.IpamConfig() hasIPv4Config := false for _, cfg := range ipv4Conf { if cfg.PreferredPool == "" { continue } hasIPv4Config = true ipamConfig = append(ipamConfig, networktypes.IPAMConfig{ Subnet: cfg.PreferredPool, IPRange: cfg.SubPool, Gateway: cfg.Gateway, AuxAddress: cfg.AuxAddresses, }) } hasIPv6Config := false for _, cfg := range ipv6Conf { if cfg.PreferredPool == "" { continue } hasIPv6Config = true ipamConfig = append(ipamConfig, networktypes.IPAMConfig{ Subnet: cfg.PreferredPool, IPRange: cfg.SubPool, Gateway: cfg.Gateway, AuxAddress: cfg.AuxAddresses, }) } if !hasIPv4Config || !hasIPv6Config { ipv4Info, ipv6Info := nw.IpamInfo() if !hasIPv4Config { for _, info := range ipv4Info { var gw string if info.IPAMData.Gateway != nil { gw = info.IPAMData.Gateway.IP.String() } ipamConfig = append(ipamConfig, networktypes.IPAMConfig{ Subnet: info.IPAMData.Pool.String(), Gateway: gw, }) } } if !hasIPv6Config { for _, info := range ipv6Info { if info.IPAMData.Pool == nil { continue } var gw string if info.IPAMData.Gateway != nil { gw = info.IPAMData.Gateway.IP.String() } ipamConfig = append(ipamConfig, networktypes.IPAMConfig{ Subnet: info.IPAMData.Pool.String(), Gateway: gw, }) } } } return networktypes.IPAM{ Driver: ipamDriver, Options: ipamOptions, Config: ipamConfig, } } // buildEndpointResource combines information from the endpoint and additional // endpoint-info into a [types.EndpointResource]. func buildEndpointResource(ep *libnetwork.Endpoint, info libnetwork.EndpointInfo) networktypes.EndpointResource { er := networktypes.EndpointResource{ EndpointID: ep.ID(), Name: ep.Name(), } if iface := info.Iface(); iface != nil { if mac := iface.MacAddress(); mac != nil { er.MacAddress = mac.String() } if ip := iface.Address(); ip != nil && len(ip.IP) > 0 { er.IPv4Address = ip.String() } if ip := iface.AddressIPv6(); ip != nil && len(ip.IP) > 0 { er.IPv6Address = ip.String() } } return er } // clearAttachableNetworks removes the attachable networks // after disconnecting any connected container func (daemon *Daemon) clearAttachableNetworks() { for _, n := range daemon.getAllNetworks() { if !n.Attachable() { continue } for _, ep := range n.Endpoints() { epInfo := ep.Info() if epInfo == nil { continue } sb := epInfo.Sandbox() if sb == nil { continue } containerID := sb.ContainerID() if err := daemon.DisconnectContainerFromNetwork(containerID, n.ID(), true); err != nil { log.G(context.TODO()).Warnf("Failed to disconnect container %s from swarm network %s on cluster leave: %v", containerID, n.Name(), err) } } if err := daemon.DeleteManagedNetwork(n.ID()); err != nil { log.G(context.TODO()).Warnf("Failed to remove swarm network %s on cluster leave: %v", n.Name(), err) } } } // buildCreateEndpointOptions builds endpoint options from a given network. func buildCreateEndpointOptions(c *container.Container, n *libnetwork.Network, epConfig *network.EndpointSettings, sb *libnetwork.Sandbox, daemonDNS []string) ([]libnetwork.EndpointOption, error) { var createOptions []libnetwork.EndpointOption genericOptions := make(options.Generic) nwName := n.Name() if epConfig != nil { if ipam := epConfig.IPAMConfig; ipam != nil { var ipList []net.IP for _, ips := range ipam.LinkLocalIPs { linkIP := net.ParseIP(ips) if linkIP == nil && ips != "" { return nil, fmt.Errorf("invalid link-local IP address: %s", ipam.LinkLocalIPs) } ipList = append(ipList, linkIP) } ip := net.ParseIP(ipam.IPv4Address) if ip == nil && ipam.IPv4Address != "" { return nil, fmt.Errorf("invalid IPv4 address: %s", ipam.IPv4Address) } ip6 := net.ParseIP(ipam.IPv6Address) if ip6 == nil && ipam.IPv6Address != "" { return nil, fmt.Errorf("invalid IPv6 address: %s", ipam.IPv6Address) } createOptions = append(createOptions, libnetwork.CreateOptionIpam(ip, ip6, ipList, nil)) } createOptions = append(createOptions, libnetwork.CreateOptionDNSNames(epConfig.DNSNames)) for k, v := range epConfig.DriverOpts { createOptions = append(createOptions, libnetwork.EndpointOptionGeneric(options.Generic{k: v})) } if epConfig.DesiredMacAddress != "" { mac, err := net.ParseMAC(epConfig.DesiredMacAddress) if err != nil { return nil, err } genericOptions[netlabel.MacAddress] = mac } } if svcCfg := c.NetworkSettings.Service; svcCfg != nil { nwID := n.ID() var vip net.IP if virtualAddress := svcCfg.VirtualAddresses[nwID]; virtualAddress != nil { vip = net.ParseIP(virtualAddress.IPv4) } var portConfigs []*libnetwork.PortConfig for _, portConfig := range svcCfg.ExposedPorts { portConfigs = append(portConfigs, &libnetwork.PortConfig{ Name: portConfig.Name, Protocol: libnetwork.PortConfig_Protocol(portConfig.Protocol), TargetPort: portConfig.TargetPort, PublishedPort: portConfig.PublishedPort, }) } createOptions = append(createOptions, libnetwork.CreateOptionService(svcCfg.Name, svcCfg.ID, vip, portConfigs, svcCfg.Aliases[nwID])) } if !containertypes.NetworkMode(nwName).IsUserDefined() { createOptions = append(createOptions, libnetwork.CreateOptionDisableResolution()) } epOpts, err := buildPortsRelatedCreateEndpointOptions(c, n, sb) if err != nil { return nil, err } createOptions = append(createOptions, epOpts...) // On Windows, DNS config is a per-adapter config option whereas on Linux, it's a sandbox-wide parameter; hence why // we're dealing with DNS config both here and in buildSandboxOptions. Following DNS options are only honored by // Windows netdrivers, whereas DNS options in buildSandboxOptions are only honored by Linux netdrivers. if !n.Internal() { if len(c.HostConfig.DNS) > 0 { createOptions = append(createOptions, libnetwork.CreateOptionDNS(c.HostConfig.DNS)) } else if len(daemonDNS) > 0 { createOptions = append(createOptions, libnetwork.CreateOptionDNS(daemonDNS)) } } createOptions = append(createOptions, libnetwork.EndpointOptionGeneric(genericOptions)) // IPv6 may be enabled on the network, but disabled in the container. if n.IPv6Enabled() { if sbIPv6, ok := sb.IPv6Enabled(); ok && !sbIPv6 { createOptions = append(createOptions, libnetwork.CreateOptionDisableIPv6()) } } if path, ok := sb.NetnsPath(); ok { createOptions = append(createOptions, libnetwork.WithNetnsPath(path)) } return createOptions, nil } // buildPortsRelatedCreateEndpointOptions returns the appropriate endpoint options to apply config related to port // mapping and exposed ports. func buildPortsRelatedCreateEndpointOptions(c *container.Container, n *libnetwork.Network, sb *libnetwork.Sandbox) ([]libnetwork.EndpointOption, error) { // Port-mapping rules belong to the container & applicable only to non-internal networks. // // TODO(thaJeztah): Look if we can provide a more minimal function for getPortMapInfo, as it does a lot, and we only need the "length". if n.Internal() || len(getPortMapInfo(sb)) > 0 { return nil, nil } bindings := make(nat.PortMap) if c.HostConfig.PortBindings != nil { for p, b := range c.HostConfig.PortBindings { bindings[p] = []nat.PortBinding{} for _, bb := range b { bindings[p] = append(bindings[p], nat.PortBinding{ HostIP: bb.HostIP, HostPort: bb.HostPort, }) } } } // TODO(thaJeztah): Move this code to a method on nat.PortSet. ports := make([]nat.Port, 0, len(c.Config.ExposedPorts)) for p := range c.Config.ExposedPorts { ports = append(ports, p) } nat.SortPortMap(ports, bindings) var ( exposedPorts []lntypes.TransportPort publishedPorts []lntypes.PortBinding ) for _, port := range ports { portProto := lntypes.ParseProtocol(port.Proto()) portNum := uint16(port.Int()) exposedPorts = append(exposedPorts, lntypes.TransportPort{ Proto: portProto, Port: portNum, }) for _, binding := range bindings[port] { newP, err := nat.NewPort(nat.SplitProtoPort(binding.HostPort)) var portStart, portEnd int if err == nil { portStart, portEnd, err = newP.Range() } if err != nil { return nil, fmt.Errorf("error parsing HostPort value (%s): %w", binding.HostPort, err) } publishedPorts = append(publishedPorts, lntypes.PortBinding{ Proto: portProto, Port: portNum, HostIP: net.ParseIP(binding.HostIP), HostPort: uint16(portStart), HostPortEnd: uint16(portEnd), }) } if c.HostConfig.PublishAllPorts && len(bindings[port]) == 0 { publishedPorts = append(publishedPorts, lntypes.PortBinding{ Proto: portProto, Port: portNum, }) } } return []libnetwork.EndpointOption{ libnetwork.CreateOptionPortMapping(publishedPorts), libnetwork.CreateOptionExposedPorts(exposedPorts), }, nil } // getPortMapInfo retrieves the current port-mapping programmed for the given sandbox func getPortMapInfo(sb *libnetwork.Sandbox) nat.PortMap { pm := nat.PortMap{} if sb == nil { return pm } for _, ep := range sb.Endpoints() { getEndpointPortMapInfo(pm, ep) } return pm } func getEndpointPortMapInfo(pm nat.PortMap, ep *libnetwork.Endpoint) { driverInfo, _ := ep.DriverInfo() if driverInfo == nil { // It is not an error for epInfo to be nil return } if expData, ok := driverInfo[netlabel.ExposedPorts]; ok { if exposedPorts, ok := expData.([]lntypes.TransportPort); ok { for _, tp := range exposedPorts { natPort, err := nat.NewPort(tp.Proto.String(), strconv.Itoa(int(tp.Port))) if err != nil { log.G(context.TODO()).Errorf("invalid exposed port %s: %v", tp.String(), err) continue } if _, ok := pm[natPort]; !ok { pm[natPort] = nil } } } } mapData, ok := driverInfo[netlabel.PortMap] if !ok { return } if portMapping, ok := mapData.([]lntypes.PortBinding); ok { for _, pp := range portMapping { // Use an empty string for the host port if there's no port assigned. natPort, err := nat.NewPort(pp.Proto.String(), strconv.Itoa(int(pp.Port))) if err != nil { log.G(context.TODO()).Errorf("invalid port binding %s: %v", pp, err) continue } var hp string if pp.HostPort > 0 { hp = strconv.Itoa(int(pp.HostPort)) } natBndg := nat.PortBinding{HostIP: pp.HostIP.String(), HostPort: hp} pm[natPort] = append(pm[natPort], natBndg) } } } // buildEndpointInfo sets endpoint-related fields on container.NetworkSettings based on the provided network and endpoint. func buildEndpointInfo(networkSettings *network.Settings, n *libnetwork.Network, ep *libnetwork.Endpoint) error { if ep == nil { return errors.New("endpoint cannot be nil") } if networkSettings == nil { return errors.New("network cannot be nil") } epInfo := ep.Info() if epInfo == nil { // It is not an error to get an empty endpoint info return nil } nwName := n.Name() if _, ok := networkSettings.Networks[nwName]; !ok { networkSettings.Networks[nwName] = &network.EndpointSettings{ EndpointSettings: &networktypes.EndpointSettings{}, } } networkSettings.Networks[nwName].NetworkID = n.ID() networkSettings.Networks[nwName].EndpointID = ep.ID() iface := epInfo.Iface() if iface == nil { return nil } if iface.MacAddress() != nil { networkSettings.Networks[nwName].MacAddress = iface.MacAddress().String() } if iface.Address() != nil { ones, _ := iface.Address().Mask.Size() networkSettings.Networks[nwName].IPAddress = iface.Address().IP.String() networkSettings.Networks[nwName].IPPrefixLen = ones } if iface.AddressIPv6() != nil && iface.AddressIPv6().IP.To16() != nil { onesv6, _ := iface.AddressIPv6().Mask.Size() networkSettings.Networks[nwName].GlobalIPv6Address = iface.AddressIPv6().IP.String() networkSettings.Networks[nwName].GlobalIPv6PrefixLen = onesv6 } return nil } // buildJoinOptions builds endpoint Join options from a given network. func buildJoinOptions(settings *network.Settings, n interface{ Name() string }) ([]libnetwork.EndpointOption, error) { epConfig, ok := settings.Networks[n.Name()] if !ok { return []libnetwork.EndpointOption{}, nil } joinOptions := []libnetwork.EndpointOption{ libnetwork.JoinOptionPriority(epConfig.GwPriority), } for _, str := range epConfig.Links { name, alias, err := opts.ParseLink(str) if err != nil { return nil, err } joinOptions = append(joinOptions, libnetwork.CreateOptionAlias(name, alias)) } for k, v := range epConfig.DriverOpts { joinOptions = append(joinOptions, libnetwork.EndpointOptionGeneric(options.Generic{k: v})) } return joinOptions, nil }