Validation of registry mirrors was performed during daemon startup,
but after the config-file was validated. As a result, the `--validate`
option would incorrectly print that the configuration was valid, but
the daemon would fail to start;
echo '{"registry-mirrors":["example.com"]}' > my-config.json
dockerd --config-file ./my-config.json --validate
configuration OK
dockerd --config-file ./my-config.json
# ...
failed to start daemon: invalid mirror: no scheme specified for "example.com": must use either 'https://' or 'http://'
With this patch applied, validation is also performed as part of the
daemon config validation;
echo '{"registry-mirrors":["example.com"]}' > my-config.json
dockerd --config-file ./my-config.json --validate
unable to configure the Docker daemon with file ./my-config.json: merged configuration validation from file and command line flags failed: invalid mirror: no scheme specified for "example.com": must use either 'https://' or 'http://'
# fix the invalid config
echo '{"registry-mirrors":["https://example.com"]}' > my-config.json
dockerd --config-file ./my-config.json --validate
configuration OK
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this patch, a missing scheme would sometimes produce a confusing
error message. If no scheme was specified at all, an empty "" would be
included in the message;
echo '{"registry-mirrors":["example.com"]}' > my-config.json
dockerd --config-file ./my-config.json
# ...
failed to start daemon: invalid mirror: unsupported scheme "" in "example.com"
If a scheme was missing, but a port was included, the hostname would be
printed as the scheme;
echo '{"registry-mirrors":["example.com:8080"]}' > my-config.json
dockerd --config-file ./my-config.json
# ...
failed to start daemon: invalid mirror: unsupported scheme "example.com" in "example.com:8080"
With this patch applied, the error messages are slightly more user-friendly;
echo '{"registry-mirrors":["example.com"]}' > my-config.json
dockerd --config-file ./my-config.json
# ...
failed to start daemon: invalid mirror: no scheme specified for "example.com": must use either 'https://' or 'http://'
echo '{"registry-mirrors":["example.com:8080"]}' > my-config.json
dockerd --config-file ./my-config.json
# ...
failed to start daemon: invalid mirror: no scheme specified for "example.com:8080": must use either 'https://' or 'http://'
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When libnetwork receives a watch event for a driver table entry from
NetworkDB it passes the event along to the interested driver. This code
contains a subtle bug: update events from NetworkDB are passed along to
the driver as Delete events! This bug was lying dormant as driver-table
entries can only be added by the driver, not updated. Now that NetworkDB
broadcasts an UpdateEvent to watchers if the entry is already known to
the local NetworkDB, irrespective of whether the event received from the
remote peer was a CREATE or UPDATE event, the bug is causing problems.
Whenever a remote node replaces an entry in the overlay_peer_table but
the intermediate delete state was not received by the local node, the
new CREATE event would be translated to an UpdateEvent by NetworkDB and
subsequently handled by the overlay driver as if the entry was deleted!
Bubble table UPDATE events up to the network driver as Update events.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Commit 8e6cd44ce4 added synchronisation to
wait for the container's status to be updated in memory. However, since
952902efbc, a defer was used to produce
the container's "stop" event.
As a result of the sychronisation that was added, the "die" event would
now be produced before the "stop" event.
This patch moves the locking inside the defer to restore the previous
behavior.
Unfortunately the order of events is still not guaranteed, because events
are emited from multiple goroutines that don't have synchronisation between
them; this is something to look at for follow ups. This patch keeps the status
quo and should preserve the old behavior, which was "more" correct in most
cases.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This field was added in 5130fe5d38, which
added it for use as intermediate struct when parsing CLI flags (through
`runconfig.ParseExec`) in c786a8ee5e.
Commit 9d9dff3d0d rewrote the CLI to use
Cobra, and as part of this introduced a separate `execOptions` type in
`api/client/container`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use the tagged version instead of the v2.0.0-20250613170222-a45be3cac15c
pseudo-version. The referenced commit has not changed.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Add a mention to stdcopy.StdCopy to the documentation, as the stream returned in the HijackedResponse is multiplexed when tty is disabled.
Signed-off-by: Medhy DOHOU <52136144+PowerPixel@users.noreply.github.com>
The IdentityMapping and Identity types are still used internally, but
should be considered transitional.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Inter-Network Communication rules in the iptables chains
DOCKER-ISOLATION-STAGE-1 / DOCKER-ISOLATION-STAGE-2 (which are
called from filter-FORWARD) currently:
- Block access from containers in one bridge network, to ports
published to host addresses by containers in other bridge
networks, when the userland-proxy is disabled.
- But, that access is allowed when the proxy is enabled.
- Block access to all ports on container addresses in gateway
mode "nat-unprotected" networks.
- But, those ports can be accessed from anywhere else, including
other hosts. Just not other bridge networks.
- Allow access from containers in "nat" bridge networks to published
ports on container addresses in "routed" networks. But, to do that,
extra INC rules are added for the routed network.
The INC rules are no longer needed to block access from containers
in one network to unpublished ports on container addresses in
other networks. Direct routing to containers in NAT networks is
blocked by the "raw-PREROUTING" rules that block access from
untrusted interfaces (all interfaces apart from the network's
own bridge).
Drop these INC rules to resolve the inconsistencies listed above,
with this change:
- Published ports on host addresses can be accessed from containers
in other networks (even without the userland-proxy).
- The rules for direct routing between bridge networks are the same
as the rules for direct routing from outside the Docker host
(allowed for gw modes "routed" and "nat-unprotected", disallowed
for "nat").
Fewer rules, so it's simpler, and perhaps slightly faster.
Internal networks (with no access to networks outside the host)
are also implemented using rules in the DOCKER-ISOLATION chains.
This change moves those rules to a new chain, DOCKER-INTERNAL,
and drops the DOCKER-ISOLATION chains.
Signed-off-by: Rob Murray <rob.murray@docker.com>
A network node is responsible for both broadcasting table events for
entries it owns and for rebroadcasting table events from other nodes it
has received. Table events to be broadcast are added to a single queue
per network, including events for rebroadcasting. As the memberlist
TransmitLimitedQueue is (to a first approximation) LIFO, a flood of
events from other nodes could delay the broadcasting of
locally-generated events indefinitely. Prioritize broadcasting local
events by splitting up the queues and only pulling from the rebroadcast
queue if there is free space in the gossip packet after draining the
local-broadcast queue.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Log more details when assertions fail to provide a more complete picture
of what went wrong when TestCRUDTableEntries fails. Log the state of
each NetworkDB instance at various points in TestCRUDTableEntries to
provide an even more complete picture.
Increase the global logger verbosity in tests so warnings and debug logs
are printed to the test log.
Signed-off-by: Cory Snider <csnider@mirantis.com>
NetworkDB uses a muli-dimensional map of struct network to keep track of
network attachments for both remote nodes and the local node. Only a
subset of the struct fields are used for remote nodes' network
attachments. The tableBroadcasts pointer field in particular is
always initialized for network values representing local attachments
(read: nDB.networks[nDB.config.NodeID]) and always nil for remote
attachments. Consequently, unnecessary defensive nil-pointer checks are
peppered throughout the code despite the aforementioned invariant.
Enshrine the invariant that tableBroadcasts is initialized iff the
network attachment is for the local node in the type system. Pare down
struct network to only the fields needed for remote network attachments
and move the local-only fields into a new struct thisNodeNetwork. Elide
the unnecessary nil-checks.
Signed-off-by: Cory Snider <csnider@mirantis.com>
When joining a network that was previously joined but not yet reaped,
NetworkDB replaces the network struct value with a zeroed-out one with
the entries count copied over. This is also the case when joining a
network that is currently joined! Consequently, joining a network has
the side effect of clearing the broadcast queue. If the queue is cleared
while messages are still pending broadcast, convergence may be delayed
until the next bulk sync cycle.
Make it an error to join a network twice without leaving. Retain the
existing broadcast queue when rejoining a network that has not yet been
reaped.
Signed-off-by: Cory Snider <csnider@mirantis.com>
The map key for nDB.networks is the network ID. The struct field is not
actually used anywhere in practice.
Signed-off-by: Cory Snider <csnider@mirantis.com>
