package remote import ( "context" "fmt" "net" "net/netip" "github.com/containerd/log" "github.com/docker/docker/libnetwork/ipamapi" "github.com/docker/docker/libnetwork/ipams/remote/api" "github.com/docker/docker/libnetwork/types" "github.com/docker/docker/pkg/plugingetter" "github.com/docker/docker/pkg/plugins" "github.com/pkg/errors" ) type allocator struct { endpoint *plugins.Client name string } // PluginResponse is the interface for the plugin request responses type PluginResponse interface { IsSuccess() bool GetError() string } func newAllocator(name string, client *plugins.Client) ipamapi.Ipam { a := &allocator{name: name, endpoint: client} return a } // Register registers a remote ipam when its plugin is activated. func Register(cb ipamapi.Registerer, pg plugingetter.PluginGetter) error { newPluginHandler := func(name string, client *plugins.Client) { a := newAllocator(name, client) if cps, err := a.(*allocator).getCapabilities(); err == nil { if err := cb.RegisterIpamDriverWithCapabilities(name, a, cps); err != nil { log.G(context.TODO()).Errorf("error registering remote ipam driver %s due to %v", name, err) } } else { log.G(context.TODO()).Infof("remote ipam driver %s does not support capabilities", name) log.G(context.TODO()).Debug(err) if err := cb.RegisterIpamDriver(name, a); err != nil { log.G(context.TODO()).Errorf("error registering remote ipam driver %s due to %v", name, err) } } } // Unit test code is unaware of a true PluginStore. So we fall back to v1 plugins. handleFunc := plugins.Handle if pg != nil { handleFunc = pg.Handle activePlugins := pg.GetAllManagedPluginsByCap(ipamapi.PluginEndpointType) for _, ap := range activePlugins { client, err := getPluginClient(ap) if err != nil { return err } newPluginHandler(ap.Name(), client) } } handleFunc(ipamapi.PluginEndpointType, newPluginHandler) return nil } func getPluginClient(p plugingetter.CompatPlugin) (*plugins.Client, error) { if v1, ok := p.(plugingetter.PluginWithV1Client); ok { return v1.Client(), nil } pa, ok := p.(plugingetter.PluginAddr) if !ok { return nil, errors.Errorf("unknown plugin type %T", p) } if pa.Protocol() != plugins.ProtocolSchemeHTTPV1 { return nil, errors.Errorf("unsupported plugin protocol %s", pa.Protocol()) } addr := pa.Addr() client, err := plugins.NewClientWithTimeout(addr.Network()+"://"+addr.String(), nil, pa.Timeout()) if err != nil { return nil, errors.Wrap(err, "error creating plugin client") } return client, nil } func (a *allocator) call(methodName string, arg interface{}, retVal PluginResponse) error { method := ipamapi.PluginEndpointType + "." + methodName err := a.endpoint.Call(method, arg, retVal) if err != nil { return err } if !retVal.IsSuccess() { return fmt.Errorf("remote: %s", retVal.GetError()) } return nil } func (a *allocator) getCapabilities() (*ipamapi.Capability, error) { var res api.GetCapabilityResponse if err := a.call("GetCapabilities", nil, &res); err != nil { return nil, err } return res.ToCapability(), nil } // GetDefaultAddressSpaces returns the local and global default address spaces func (a *allocator) GetDefaultAddressSpaces() (string, string, error) { res := &api.GetAddressSpacesResponse{} if err := a.call("GetDefaultAddressSpaces", nil, res); err != nil { return "", "", err } return res.LocalDefaultAddressSpace, res.GlobalDefaultAddressSpace, nil } // RequestPool requests an address pool in the specified address space. // // This is a bug-for-bug re-implementation of the logic originally found in // requestPoolHelper prior to v27. See https://github.com/moby/moby/blob/faf84d7f0a1f2e6badff6f720a3e1e559c356fff/libnetwork/network.go#L1518-L1570 func (a *allocator) RequestPool(req ipamapi.PoolRequest) (ipamapi.AllocatedPool, error) { var tmpPoolLeases []string defer func() { // Release all pools we held on to. for _, pID := range tmpPoolLeases { if err := a.ReleasePool(pID); err != nil { log.G(context.TODO()).Warnf("Failed to release overlapping pool") } } }() _, globalSpace, err := a.GetDefaultAddressSpaces() if err != nil { return ipamapi.AllocatedPool{}, err } remoteReq := &api.RequestPoolRequest{ AddressSpace: req.AddressSpace, Pool: req.Pool, SubPool: req.SubPool, Options: req.Options, V6: req.V6, } for { alloc, err := a.requestPool(remoteReq) if err != nil { return alloc, err } // If the network pool was explicitly chosen, the network belongs to // global address space, or it is invalid ("0.0.0.0/0"), then we don't // perform check for overlaps. // // FIXME(thaJeztah): why are we ignoring invalid pools here? // // The "invalid" conditions was added in [libnetwork#1095][1], which // moved code to reduce os-specific dependencies in the ipam package, // but also introduced a types.IsIPNetValid() function, which considers // "0.0.0.0/0" invalid, and added it to the conditions below. // // Unfortunately review does not mention this change, so there's no // context why. Possibly this was done to prevent errors further down // the line (when checking for overlaps), but returning an error here // instead would likely have avoided that as well, so we can only guess. // // [1]: https://github.com/moby/libnetwork/commit/5ca79d6b87873264516323a7b76f0af7d0298492#diff-bdcd879439d041827d334846f9aba01de6e3683ed8fdd01e63917dae6df23846 if req.Pool != "" || req.AddressSpace == globalSpace || alloc.Pool.String() == "0.0.0.0/0" { return alloc, nil } // Check for overlap and if none found, we have found the right pool. if !checkOverlaps(alloc, req.Exclude) { return alloc, nil } // Pool obtained in this iteration is overlapping. Hold onto the pool // and don't release it yet, because we don't want IPAM to give us back // the same pool over again. But make sure we still do a deferred release // when we have either obtained a non-overlapping pool or ran out of // pre-defined pools. tmpPoolLeases = append(tmpPoolLeases, alloc.PoolID) } } func (a *allocator) requestPool(req *api.RequestPoolRequest) (ipamapi.AllocatedPool, error) { res := &api.RequestPoolResponse{} if err := a.call("RequestPool", req, res); err != nil { return ipamapi.AllocatedPool{}, err } retPool, err := netip.ParsePrefix(res.Pool) return ipamapi.AllocatedPool{ PoolID: res.PoolID, Pool: retPool, Meta: res.Data, }, err } // checkOverlaps returns true if the 'pool' overlaps with some prefix in 'reserved'. func checkOverlaps(pool ipamapi.AllocatedPool, reserved []netip.Prefix) bool { for _, r := range reserved { if r.Overlaps(pool.Pool) { return true } } return false } // ReleasePool removes an address pool from the specified address space func (a *allocator) ReleasePool(poolID string) error { req := &api.ReleasePoolRequest{PoolID: poolID} res := &api.ReleasePoolResponse{} return a.call("ReleasePool", req, res) } // RequestAddress requests an address from the address pool func (a *allocator) RequestAddress(poolID string, address net.IP, options map[string]string) (*net.IPNet, map[string]string, error) { var ( prefAddress string retAddress *net.IPNet err error ) if address != nil { prefAddress = address.String() } req := &api.RequestAddressRequest{PoolID: poolID, Address: prefAddress, Options: options} res := &api.RequestAddressResponse{} if err := a.call("RequestAddress", req, res); err != nil { return nil, nil, err } if res.Address != "" { retAddress, err = types.ParseCIDR(res.Address) } else { return nil, nil, ipamapi.ErrNoIPReturned } return retAddress, res.Data, err } // ReleaseAddress releases the address from the specified address pool func (a *allocator) ReleaseAddress(poolID string, address net.IP) error { var relAddress string if address != nil { relAddress = address.String() } req := &api.ReleaseAddressRequest{PoolID: poolID, Address: relAddress} res := &api.ReleaseAddressResponse{} return a.call("ReleaseAddress", req, res) } func (a *allocator) IsBuiltIn() bool { return false }