From 89ea2469df7f87309f644cb3781f256c6457ce5e Mon Sep 17 00:00:00 2001
From: Cory Snider
Date: Tue, 27 May 2025 14:09:23 -0400
Subject: [PATCH] libnetwork/d/overlay: drop initEncryption function
The (*driver).Join function does many things to set up overlay networking. One of the first things it does is call (*network).joinSandbox, which in turn calls (*driver).initSandboxPeerDB. The initSandboxPeerDB function iterates through the peer db to add entries to the VXLAN FDB, neighbor table and IPsec security association database in the kernel for all known peers on the overlay network. One of the last things the (*driver).Join function does is call (*driver).initEncryption. The initEncryption function iterates through the peer db to add entries to the IPsec security association database in the kernel for all known peers on the overlay network. But the preceding initSandboxPeerDB call already did that! The initEncryption function is redundant and can safely be removed.
Signed-off-by: Cory Snider
(cherry picked from commit df6b4057967ef7c37b6f8610dd3e6fd6e1c5b994)
Signed-off-by: Cory Snider
---
libnetwork/drivers/overlay/encryption.go | 35 ------------------------
libnetwork/drivers/overlay/joinleave.go | 4 ---
2 files changed, 39 deletions(-)
diff --git a/libnetwork/drivers/overlay/encryption.go b/libnetwork/drivers/overlay/encryption.go
index d83a1c987d..9c30ebe15d 100644
--- a/libnetwork/drivers/overlay/encryption.go
+++ b/libnetwork/drivers/overlay/encryption.go
@@ -113,41 +113,6 @@ func (e *encrMap) String() string {
 return b.String()
 }
 
-// initEncryption sets up IPsec encryption parameters for all known peers on a network.
-func (d *driver) initEncryption(nid string) error {
- log.G(context.TODO()).Debugf("initEncryption(%.7s)", nid)
-
- n := d.network(nid)
- if n == nil || !n.secure {
- return nil
- }
-
- if len(d.keys) == 0 {
- return types.ForbiddenErrorf("encryption key is not present")
- }
-
- nodes := map[netip.Addr]struct{}{}
-
- if err := d.peerDbNetworkWalk(nid, func(_ netip.Addr, _ net.HardwareAddr, pEntry *peerEntry) bool {
- if !pEntry.isLocal() {
- nodes[pEntry.vtep] = struct{}{}
- }
- return false
- }); err != nil {
- log.G(context.TODO()).Warnf("Failed to retrieve list of participating nodes in overlay network %.5s: %v", nid, err)
- }
-
- log.G(context.TODO()).Debugf("List of nodes: %s", nodes)
-
- for rIP := range nodes {
- if err := d.setupEncryption(rIP); err != nil {
- log.G(context.TODO()).Warnf("Failed to program network encryption to remote peer %s: %v", rIP, err)
- }
- }
-
- return nil
-}
-
 // setupEncryption programs the encryption parameters for secure communication
 // between the local node and a remote node.
 func (d *driver) setupEncryption(remoteIP netip.Addr) error {
diff --git a/libnetwork/drivers/overlay/joinleave.go b/libnetwork/drivers/overlay/joinleave.go
index e6cba240ba..d996b71e13 100644
--- a/libnetwork/drivers/overlay/joinleave.go
+++ b/libnetwork/drivers/overlay/joinleave.go
@@ -111,10 +111,6 @@ func (d *driver) Join(nid, eid string, sboxKey string, jinfo driverapi.JoinInfo,
 d.peerAdd(nid, eid, ep.addr, ep.mac, netip.Addr{})
- if err = d.initEncryption(nid); err != nil {
- log.G(context.TODO()).Warn(err)
- }
-
 buf, err := proto.Marshal(&PeerRecord{
 EndpointIP: ep.addr.String(),
 EndpointMAC: ep.mac.String(),