diff --git a/daemon/libnetwork/agent.go b/daemon/libnetwork/agent.go
index 3021044eda..78f0b30109 100644
--- a/daemon/libnetwork/agent.go
+++ b/daemon/libnetwork/agent.go
@@ -109,7 +109,7 @@ func resolveAddr(addrOrInterface string) (net.IP, error) {
 return addr.IP, nil
 }
 
-func (c *Controller) handleKeyChange(keys []*types.EncryptionKey) error {
+func (c *Controller) handleKeyChange(encryptionKeys []*types.EncryptionKey) error {
 drvEnc := discoverapi.DriverEncryptionUpdate{}
 
 agent := c.getAgent()
@@ -126,7 +126,7 @@ func (c *Controller) handleKeyChange(keys []*types.EncryptionKey) error {
 j := len(c.keys)
 for i := 0; i < j; {
 same := false
- for _, key := range keys {
+ for _, key := range encryptionKeys {
 if same = key.LamportTime == c.keys[i].LamportTime; same {
 break
 }
@@ -150,7 +150,7 @@ func (c *Controller) handleKeyChange(keys []*types.EncryptionKey) error {
 c.keys = c.keys[:j]
 
 // Find the new key and add it to the key ring
- for _, key := range keys {
+ for _, key := range encryptionKeys {
 same := false
 for _, cKey := range c.keys {
 if same = cKey.LamportTime == key.LamportTime; same {
@@ -198,16 +198,23 @@ func (c *Controller) handleKeyChange(keys []*types.EncryptionKey) error {
 return false
 }
 if err := dr.DiscoverNew(discoverapi.EncryptionKeysUpdate, drvEnc); err != nil {
- log.G(context.TODO()).Warnf("Failed to update datapath keys in driver %s: %v", name, err)
+ log.G(context.TODO()).WithFields(log.Fields{
+ "error": err,
+ "driver": name,
+ }).Warn("Failed to update datapath keys; resetting datapath keys")
 // Attempt to reconfigure keys in case of a update failure
 // which can arise due to a mismatch of keys
 // if worker nodes get temporarily disconnected
- log.G(context.TODO()).Warnf("Reconfiguring datapath keys for %s", name)
- drvCfgEnc := discoverapi.DriverEncryptionConfig{}
- drvCfgEnc.Keys, drvCfgEnc.Tags = c.getKeys(subsysIPSec)
- err = dr.DiscoverNew(discoverapi.EncryptionKeysConfig, drvCfgEnc)
+ keys, tags := c.getKeys(subsysIPSec)
+ err = dr.DiscoverNew(discoverapi.EncryptionKeysConfig, discoverapi.DriverEncryptionConfig{
+ Keys: keys,
+ Tags: tags,
+ })
 if err != nil {
- log.G(context.TODO()).Warnf("Failed to reset datapath keys in driver %s: %v", name, err)
+ log.G(context.TODO()).WithFields(log.Fields{
+ "error": err,
+ "driver": name,
+ }).Warn("Failed to reset datapath keys")
 }
 }
 return false
diff --git a/daemon/libnetwork/drivers/overlay/encryption.go b/daemon/libnetwork/drivers/overlay/encryption.go
index 27f2642431..8a436b4d79 100644
--- a/daemon/libnetwork/drivers/overlay/encryption.go
+++ b/daemon/libnetwork/drivers/overlay/encryption.go
@@ -16,6 +16,7 @@ import (
 "syscall"
 
 "github.com/containerd/log"
+ "github.com/moby/moby/v2/daemon/libnetwork/discoverapi"
 "github.com/moby/moby/v2/daemon/libnetwork/drivers/overlay/overlayutils"
 "github.com/moby/moby/v2/daemon/libnetwork/iptables"
 "github.com/moby/moby/v2/daemon/libnetwork/ns"
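Review bot: The two new structured warnings carry only `error` and `driver`, so an operator who sees a datapath-key update fail cannot tell which key generation was being added, promoted or pruned; the tags on `drvEnc` are non-secret identifiers and are the natural correlation field, whereas key bytes must stay out of the log. In the first `WithFields` I would add `"tag": drvEnc.Tag,`, `"primaryTag": drvEnc.PrimaryTag,` and `"pruneTag": drvEnc.PruneTag,`, and repeat them on the "Failed to reset datapath keys" warning so the two events can be joined in a log pipeline. The reset is attempted for every error from `DiscoverNew`, not only the key-mismatch case the context comment describes; that is pre-existing, but a short comment saying the reconfiguration is deliberately unconditional would stop the next reader from narrowing it. handleKeyChange starts before this hunk and the enclosing driver-walk callback continues past it.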
@@ -449,7 +450,14 @@ func buildAeadAlgo(k *key, s int) *netlink.XfrmStateAlgo {
 }
 }
 
-func (d *driver) setKeys(keys []*key) error {
+func (d *driver) setKeys(ctx context.Context, encrData discoverapi.DriverEncryptionConfig) error {
+ keys := make([]*key, 0, len(encrData.Keys))
+ for i := 0; i < len(encrData.Keys); i++ {
+ keys = append(keys, &key{
+ value: encrData.Keys[i],
+ tag: uint32(encrData.Tags[i]),
+ })
+ }
 d.encrMu.Lock()
 defer d.encrMu.Unlock()
 
@@ -458,19 +466,47 @@ func (d *driver) setKeys(keys []*key) error {
 // Accept the encryption keys and clear any stale encryption map
 d.secMap = encrMap{}
 d.keys = keys
- log.G(context.TODO()).Debugf("Initial encryption keys: %v", keys)
+
+ log.G(ctx).WithFields(log.Fields{
+ "driver": "overlay",
+ "keys": d.keys,
+ }).Debug("Set initial encryption keys")
 return nil
 }
 
 // updateKeys allows to add a new key and/or change the primary key and/or prune an existing key
 // The primary key is the key used in transmission and will go in first position in the list.
-func (d *driver) updateKeys(newKey, primary, pruneKey *key) error {
+func (d *driver) updateKeys(ctx context.Context, encrData discoverapi.DriverEncryptionUpdate) error {
+ var newKey, primaryKey, pruneKey *key
+ if encrData.Key != nil {
+ newKey = &key{
+ value: encrData.Key,
+ tag: uint32(encrData.Tag),
+ }
+ }
+ if encrData.Primary != nil {
+ primaryKey = &key{
+ value: encrData.Primary,
+ tag: uint32(encrData.PrimaryTag),
+ }
+ }
+ if encrData.Prune != nil {
+ pruneKey = &key{
+ value: encrData.Prune,
+ tag: uint32(encrData.PruneTag),
+ }
+ }
+
 d.encrMu.Lock()
 defer d.encrMu.Unlock()
 
- log.G(context.TODO()).Debugf("Updating Keys. New: %v, Primary: %v, Pruned: %v", newKey, primary, pruneKey)
-
- log.G(context.TODO()).Debugf("Current: %v", d.keys)
+ log.G(ctx).WithFields(log.Fields{
+ "driver": "overlay",
+ "current": d.keys,
+ "new": newKey,
+ "primary": primaryKey,
+ "prune": pruneKey,
+ }).Debug("Updating encryption keys")
 
 var (
 newIdx = -1
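Review bot: `setKeys` reads `encrData.Tags[i]` for every `i` below `len(encrData.Keys)` without checking that the two slices have the same length, so a `DriverEncryptionConfig` with fewer tags than keys panics inside the driver instead of being rejected. The loop was moved here from `DiscoverNew` unchanged, but now that it sits at the driver's boundary it is the right place for a guard before the loop: `if len(encrData.Tags) != len(encrData.Keys) { return types.InvalidParameterErrorf("encryption key/tag count mismatch: %d keys, %d tags", len(encrData.Keys), len(encrData.Tags)) }`. The only producer visible on this page is `c.getKeys(subsysIPSec)` in agent.go, whose pairing guarantee is not shown here, so the check is cheap insurance rather than a known failure. The function body continues in the next hunk.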
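Review bot: The new `keys`, `current`, `new`, `primary` and `prune` log fields hand `*key` values, whose `value` member is the raw IPsec key material, to the structured logger, and what ends up in the log then depends on the configured formatter rather than on this code: a text formatter goes through `fmt`, which uses a `String` method if `key` has one (not visible here) and otherwise prints the struct including the bytes, while a JSON formatter reflects the struct and, with only unexported fields, emits an uninformative `{}`. Logging only the tags removes the formatter dependency and keeps key material out of log files; the `-524,8` hunk's `"keys": d.keys` field in the "Updated encryption keys" message has the same issue. I would add a nil-safe helper that projects a key list to its tags and use it in all three log calls, as below. The body of updateKeys continues past this hunk.
```go
// keyTags returns the non-secret tags of ks for logging; key bytes never
// reach the log and the output does not depend on the log formatter.
func keyTags(ks []*key) []uint32 {
	tags := make([]uint32, 0, len(ks))
	for _, k := range ks {
		if k != nil {
			tags = append(tags, k.tag)
		}
	}
	return tags
}

// … unchanged: setKeys up to d.keys = keys …
	log.G(ctx).WithFields(log.Fields{
		"driver": "overlay",
		"tags":   keyTags(d.keys),
	}).Debug("Set initial encryption keys")

// … unchanged: updateKeys up to the lock …
	log.G(ctx).WithFields(log.Fields{
		"driver":  "overlay",
		"current": keyTags(d.keys),
		"new":     keyTags([]*key{newKey}),
		"primary": keyTags([]*key{primaryKey}),
		"prune":   keyTags([]*key{pruneKey}),
	}).Debug("Updating encryption keys")
```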
@@ -486,7 +522,7 @@ func (d *driver) updateKeys(newKey, primary, pruneKey *key) error {
 newIdx += len(d.keys)
 }
 for i, k := range d.keys {
- if primary != nil && k.tag == primary.tag {
+ if primaryKey != nil && k.tag == primaryKey.tag {
 priIdx = i
 }
 if pruneKey != nil && k.tag == pruneKey.tag {
@@ -495,7 +531,7 @@ func (d *driver) updateKeys(newKey, primary, pruneKey *key) error {
 }
 
 if (newKey != nil && newIdx == -1) ||
- (primary != nil && priIdx == -1) ||
+ (primaryKey != nil && priIdx == -1) ||
 (pruneKey != nil && delIdx == -1) {
 return types.InvalidParameterErrorf("cannot find proper key indices while processing key update:"+
 "(newIdx,priIdx,delIdx):(%d, %d, %d)", newIdx, priIdx, delIdx)
@@ -524,8 +560,10 @@ func (d *driver) updateKeys(newKey, primary, pruneKey *key) error {
 d.keys = append(d.keys[:delIdx], d.keys[delIdx+1:]...)
 }
 
- log.G(context.TODO()).Debugf("Updated: %v", d.keys)
-
+ log.G(ctx).WithFields(log.Fields{
+ "driver": "overlay",
+ "keys": d.keys,
+ }).Debug("Updated encryption keys")
 return nil
 }
 
diff --git a/daemon/libnetwork/drivers/overlay/overlay.go b/daemon/libnetwork/drivers/overlay/overlay.go
index f1f876cb47..e09bce6764 100644
--- a/daemon/libnetwork/drivers/overlay/overlay.go
+++ b/daemon/libnetwork/drivers/overlay/overlay.go
@@ -11,7 +11,6 @@ import (
 "net/netip"
 "sync"
 
- "github.com/containerd/log"
 "github.com/moby/moby/v2/daemon/libnetwork/discoverapi"
 "github.com/moby/moby/v2/daemon/libnetwork/driverapi"
 "github.com/moby/moby/v2/daemon/libnetwork/scope"
@@ -121,49 +120,18 @@ func (d *driver) DiscoverNew(dType discoverapi.DiscoveryType, data any) error {
 case discoverapi.EncryptionKeysConfig:
 encrData, ok := data.(discoverapi.DriverEncryptionConfig)
 if !ok {
- return errors.New("invalid encryption key notification data")
- }
- keys := make([]*key, 0, len(encrData.Keys))
- for i := 0; i < len(encrData.Keys); i++ {
- k := &key{
- value: encrData.Keys[i],
- tag: uint32(encrData.Tags[i]),
- }
- keys = append(keys, k)
- }
- if err := d.setKeys(keys); err != nil {
- log.G(context.TODO()).Warn(err)
+ return fmt.Errorf("invalid encryption key notification data type: %T", data)
 }
+ return d.setKeys(context.TODO(), encrData)
 case discoverapi.EncryptionKeysUpdate:
- var newKey, delKey, priKey *key
 encrData, ok := data.(discoverapi.DriverEncryptionUpdate)
 if !ok {
- return errors.New("invalid encryption key notification data")
- }
- if encrData.Key != nil {
- newKey = &key{
- value: encrData.Key,
- tag: uint32(encrData.Tag),
- }
- }
- if encrData.Primary != nil {
- priKey = &key{
- value: encrData.Primary,
- tag: uint32(encrData.PrimaryTag),
- }
- }
- if encrData.Prune != nil {
- delKey = &key{
- value: encrData.Prune,
- tag: uint32(encrData.PruneTag),
- }
- }
- if err := d.updateKeys(newKey, priKey, delKey); err != nil {
- return err
+ return fmt.Errorf("invalid encryption key notification data type: %T", data)
 }
+ return d.updateKeys(context.TODO(), encrData)
 default:
+ return nil
 }
- return nil
 }
 
 // DiscoverDelete is a notification for a discovery delete event, such as a node leaving a cluster
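Review bot: Both new `return d.setKeys(context.TODO(), encrData)` and `return d.updateKeys(context.TODO(), encrData)` lines pass `context.TODO()` because `DiscoverNew(dType discoverapi.DiscoveryType, data any) error` has no context parameter; that is the right placeholder, but it deserves a one-line comment so the next reader does not try to plumb a stored context through the driver: `// DiscoverNew carries no context; TODO() is passed so the key-handling log calls have one.`. The `EncryptionKeysConfig` case also changes behaviour: a `setKeys` error used to be logged with `log.G(context.TODO()).Warn(err)` and swallowed, and is now returned to the caller, which is the better contract but is worth a note on the case since on this page the only caller that handles it is the reset path in agent.go and other `DiscoverNew` callers are outside my view. The `%T` in the new error messages is a good addition, as it distinguishes a pointer-versus-value mismatch from a wrong type outright.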