Add integration tests for Windows container functionality focusing on network drivers and container isolation modes.
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
Call resolvconf.UserModified() in sandbox.setupDNS() to check if
resolv.conf was manually modified before regenerating it during
container restart for non-host network modes.
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
If the DNS name still resolves to an IP address, and that address is
assigned to a running container, the ping command will run indefinitely
and the test suite will time out for 10 mins.
This is confusing, as it looks like a daemon hang, or a test suite hang,
whereas it's just a test failure. Add '-c1' to ping to make it return
immediately.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
Previous commit reverted a faulty change that broke DNS resolution for
non swarm-scoped networks once a node has joined a Swarm cluster.
This commit adds an integration test to verify that we don't break DNS
resolution again.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
Add WithAPIVersion and WithAPIVersionFromEnv to be more clear on
the intent, and to align with other related options and fields.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make invalid states unrepresentable by moving away from stringly-typed
MAC address values in API structs. As go.dev/issue/29678 has not yet
been implemented, provide our own HardwareAddr byte-slice type which
implements TextMarshaler and TextUnmarshaler to retain compatibility
with the API wire format.
When stdlib's net.HardwareAddr type implements TextMarshaler and
TextUnmarshaler and GODEBUG=netmarshal becomes the default, we should be
able to make the type a straight alias for stdlib net.HardwareAddr as a
non-breaking change.
Signed-off-by: Cory Snider <csnider@mirantis.com>
- relates to 96b29f5a1f
- similar to 08e4e88482
The daemon currently provides support for API versions all the way back
to v1.24, which is the version of the API that shipped with docker 1.12.0
(released in 2016).
Such old versions of the client are rare, and supporting older API versions
has accumulated significant amounts of code to remain backward-compatible
(which is largely untested, and a "best-effort" at most).
This patch updates the minimum API version to v1.44, matching the minimum
version of the client, and matching the API version of docker v25.0, which
is the oldest supported version (through Mirantis MCR).
The intent is to start deprecating older API versions when daemons implementing
them reach EOL. This patch does not yet remove backward-compatibility code
for older API versions, and the DOCKER_MIN_API_VERSION environment variable
allows overriding the minimum version (to allow restoring the behavior from
before this patch), however, API versions below v1.44 should be considered
"best effort", and we may remove compatibility code to provide "degraded"
support.
With this patch the daemon defaults to API v1.44 as minimum:
docker version
Client:
Version: 28.5.0
API version: 1.51
Go version: go1.24.7
Git commit: 887030f
Built: Thu Oct 2 14:54:39 2025
OS/Arch: linux/arm64
Context: default
Server:
Engine:
Version: dev
API version: 1.52 (minimum version 1.44)
....
Trying to use an older version of the API produces an error:
DOCKER_API_VERSION=1.43 docker version
Client:
Version: 28.5.0
API version: 1.43 (downgraded from 1.51)
Go version: go1.24.7
Git commit: 887030f
Built: Thu Oct 2 14:54:39 2025
OS/Arch: linux/arm64
Context: default
Error response from daemon: client version 1.43 is too old. Minimum supported API version is 1.44, please upgrade your client to a newer version
To restore the previous minimum, users can start the daemon with the
DOCKER_MIN_API_VERSION environment variable set:
DOCKER_MIN_API_VERSION=1.24 dockerd
API 1.24 is the oldest supported API version;
docker version
Client:
Version: 28.5.0
API version: 1.24 (downgraded from 1.51)
Go version: go1.24.7
Git commit: 887030f
Built: Thu Oct 2 14:54:39 2025
OS/Arch: linux/arm64
Context: default
Server:
Engine:
Version: dev
API version: 1.52 (minimum version 1.24)
....
When using the `DOCKER_MIN_API_VERSION` with a version of the API that
is not supported, an error is produced when starting the daemon;
DOCKER_MIN_API_VERSION=1.23 dockerd --validate
invalid DOCKER_MIN_API_VERSION: minimum supported API version is 1.24: 1.23
DOCKER_MIN_API_VERSION=1.99 dockerd --validate
invalid DOCKER_MIN_API_VERSION: maximum supported API version is 1.52: 1.99
Specifying a malformed API version also produces the same error;
DOCKER_MIN_API_VERSION=hello dockerd --validate
invalid DOCKER_MIN_API_VERSION: minimum supported API version is 1.24: hello
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When running:
docker network create --ipv6 b46
docker run --rm -ti \
--network name=b46,driver-opt=com.docker.network.endpoint.sysctls=net.ipv6.conf.IFNAME.disable_ipv6=1 \
busybox
IPv6 is enabled in the container and the network, so an IPv6 address
will be allocated for the endpoint.
But, when the sysctl is applied, the IPv6 address will be removed
from the interface ... so, no unsolicited neighbour advertisement
should be (or can be) sent and, the endpoint should not be treated
as dual-stack when selecting a gateway endpoint and, if it is
selected as the gateway endpoint, setting up an IPv6 route via the
network will fail.
So, if the IPv6 address disappears after sysctls have been applied,
release the address and remove it from the endpoint's config.
Signed-off-by: Rob Murray <rob.murray@docker.com>
This package was originally internal, but was moved out when BuildKit
used it for its integration tests. That's no longer the case, so we
can make it internal again.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Move the option-types to the client and in some cases create a
copy for the backend. These types are used to construct query-
args, and not marshaled to JSON, and can be replaced with functional
options in the client.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This struct is only used to report the networking state for the default
bridge network when the container is connected to it.
It was deprecated in v1.09 (API v1.21), and scheduled for removal in
v1.11. Unfortunately, the deprecation warning was wrongly formatted in
the Go code. However, deprecation warnings are already present in
swagger.yaml, so don't touch it.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
The daemon started by the test-integration script needs to run without
firewalld integration to make sure that daemons started by networking
tests will handle firewalld reload without any interference (i.e.
without another daemon racing against them to recreate the iptables
chains).
Most tests are already running their own daemons, but the few that don't
and need firewalld integration are updated to start their own.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
The environment variables set by legacy links are not particularly
useful because you need to know the name of the linked container to use
them, or you need to scan all enviornment variables to find them.
Legacy links are deprecated / marked "legacy" since a long time, and we
want to replace them with non-legacy links. This will help make the
default bridge work like custom networks.
For now, stop setting these environment variables inside of linking
containers by default, but provide an escape hatch to allow users who
still rely on these to re-enable them.
The integration-cli tests `TestExecEnvLinksHost` and `TestLinksEnvs` are
removed as they need to run against a daemon with legacy links env vars
enabled, and a new integration test`TestLegacyLinksEnvVars` is added to
fill the gap. Similarly, the docker-py test `test_create_with_links` is
skipped.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
For nftables only, never enable IP forwarding on the host. Instead,
return an error on network creation if forwarding is not enabled,
required by a bridge network, and --ip-forward=true.
If IPv4 forwarding is not enabled when the daemon is started with
nftables enabled and other config at defaults, the daemon will
exit when it tries to create the default bridge.
Otherwise, network creation will fail with an error if IPv4/IPv6
forwarding is not enabled when a network is created with IPv4/IPv6.
It's the user's responsibility to configure and secure their host
when they run Docker with nftables.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Follow-up to 494677f93f, which added
the aliases, but did not yet replace our own use of the nat types.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make sure iptables rules are restored properly once firewalld
has deleted them.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
Packets with the given firewall mark are accepted by the bridge
driver's filter-FORWARD rules.
The value can either be an integer mark, or it can include a
mask in the format "<mark>/<mask>".
Signed-off-by: Rob Murray <rob.murray@docker.com>
