Commit Graph

1562 Commits

Author SHA1 Message Date
Rob Murray
4c97ff777d Clean up networks in 'integration/network' tests
Makes TestDaemonDefaultNetworkPools re-runnable, and stops the
accumulation of bridges from the others.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-07-23 10:38:57 +01:00
Rob Murray
f649fd0c97 Fix API version in TestSetInterfaceSysctl
The test checks that it's possible to set a per-interface sysctl
using '--sysctl' - but, after API v1.46, it's not (and driver option
'com.docker.network.endpoint.sysctls' must be used instead).

Test added in commit fde80fe2
Per-interface sysctls added, with API changes, in commit 00718322

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-07-11 14:02:46 +01:00
Sebastiaan van Stijn
d0aa3eaccf Migrate to github.com/containerd/platforms module
Switch to use github.com/containerd/platforms module, because containerd's
platforms package has moved to a separate module. This allows updating the
platforms parsing independent of the containerd module itself.

The package in containerd is deprecated, but kept as an alias to provide
compatibility between codebases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 21:20:29 +02:00
Sebastiaan van Stijn
1abc8f6158 api/types: move container-inspect types to api/types/container
This moves the `ContainerJSONBase`, `ContainerJSON` and `ContainerNode`
types to the api/types/container package and deprecates the old location.

- `ContainerJSONBase` was renamed to `InspectBase`
- `ContainerJSON` was renamed to `InspectResponse`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 12:50:24 +02:00
Sebastiaan van Stijn
05b0e653dd api/types: move Container to api/types/container
This moves the `Container` type to the container package, renames
it to `Summary`, and deprecates the old location.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 12:46:48 +02:00
Sebastiaan van Stijn
c130ce1f5d api/types: move container Health types to api/types/container
This moves the `Health` and `HealthcheckResult` types to the container package,
as well as the related `NoHealthcheck`, `Starting`, `Healthy`, and `Unhealthy`
consts.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 12:46:47 +02:00
Sebastiaan van Stijn
e4d792a06d api/types/system: remove Info.ExecutionDriver
The execution-driver was replaced with containerd since docker 1.11 (API
v1.23) in 9c4570a958, after which the value
was no longer set. The field was left in the type definition.
Commit 1fb1136fec removed its use from the
CLI and [docker/engine-api@39c7d7e] removed it from the API type, followed
by an update to the API docs in 3c6ef4c29d.

Changes to the API types were not pulled into the engine until v1.13, and
probably because of that gated it on API version < 1.25 instead of < 1.24
(see 6d98e344c7); setting a "not supported"
value for older versions.

Based on the above, this field was deprecated in API v1.23, and empty
since then. Given that the minimum API version supported by the engine
is not v1.24, we can safely remove it.

[docker/engine-api@39c7d7e]: 39c7d7ec19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 01:29:36 +02:00
Sebastiaan van Stijn
c0dd5c18f6 Merge pull request #48081 from thaJeztah/gofumpt
do another run of gofumpt
2024-07-01 16:17:54 +02:00
Sebastiaan van Stijn
c94586d8ee Merge pull request #48088 from robmry/48067_fix_specific_ipv6_portmap_proxy_to_ipv4
Fix incorrect validation of port mapping
2024-06-28 21:05:26 +02:00
Rob Murray
dfbcddb9f5 Fix incorrect validation of port mapping
Regression introduced in 01eecb6.

A port mapping from a specific IPv6 host address can be used
by a container on an IPv4-only network, docker-proxy makes the
connection.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-28 17:32:15 +01:00
Sebastiaan van Stijn
8e50a96a78 integration: gofumpt
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-27 23:18:48 +02:00
Sebastiaan van Stijn
6ada1cff02 fix some gofmt issues reported by goreportcard
https://goreportcard.com/report/github.com/docker/docker

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-27 23:02:00 +02:00
Sebastiaan van Stijn
555dac5e14 daemon/graphdriver: remove support for external graphdriver plugins
This is a follow-up to 6da604aa6a, which
deprecated external graphdriver plugins.

This patch removes the functionality; some warnings / errors are kept in
place, but can be removed in a follow-up release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-27 14:25:14 +02:00
Sebastiaan van Stijn
6da604aa6a deprecate experimental Graphdriver plugins, and disable by default
[Graphdriver plugins] are an experimental feature that allow extending the
Docker Engine with custom storage drivers for storing images and containers.
This feature was not maintained since its inception, and will no longer be
supported in upcoming releases.

Users of this feature are recommended to instead configure the Docker Engine
to use the [containerd image store], and a custom [snapshotter].

This patch:

- Disables loading graphdriver plugins by default, producing an error instead.
- Introduces a temporary `DOCKERD_DEPRECATED_GRAPHDRIVER_PLUGINS` environment
  variable to re-enable the deprecated features; this allows users to still
  use the feature on a v27.0 daemon, but disabling it by default will give a
  strong message that it will no longer be supported.

[Graphdriver plugins]: https://github.com/docker/cli/blob/v26.1.4/docs/extend/plugins_graphdriver.md
[containerd image store]: https://docs.docker.com/storage/containerd/
[snapshotter]: https://github.com/containerd/containerd/tree/v1.7.18/docs/snapshotters

Before this patch (ignore the "Unable to load plugin" errors, as there's no plugin):

    dockerd --experimental -s my-driver
    ...
    INFO[2024-06-21T10:42:49.574901255Z] containerd successfully booted in 0.011384s
    INFO[2024-06-21T10:42:50.575891922Z] [graphdriver] trying configured driver: my-driver
    WARN[2024-06-21T10:42:50.576121547Z] Unable to locate plugin: my-driver, retrying in 1s
    WARN[2024-06-21T10:42:51.577131506Z] Unable to locate plugin: my-driver, retrying in 2s
    WARN[2024-06-21T10:42:53.582637715Z] Unable to locate plugin: my-driver, retrying in 4s

With this patch:

    dockerd --experimental -s my-driver
    ...
    INFO[2024-06-21T10:32:35.123078845Z] [graphdriver] trying configured driver: my-driver
    ERRO[2024-06-21T10:32:35.123127012Z] Failed to GetDriver graph                     driver=my-driver error="DEPRECATED: Experimental graphdriver plugins are deprecated, and disabled by default. This feature will be removed in the next release. See https://docs.docker.com/go/deprecated/" home-dir=/var/lib/docker
    INFO[2024-06-21T10:32:35.124735595Z] stopping healthcheck following graceful shutdown  module=libcontainerd
    INFO[2024-06-21T10:32:35.124743137Z] stopping event stream following graceful shutdown  error="context canceled" module=libcontainerd namespace=plugins.moby
    failed to start daemon: error initializing graphdriver: driver not supported: my-driver

With the `DOCKERD_DEPRECATED_GRAPHDRIVER_PLUGINS` env-var set:

    DOCKERD_DEPRECATED_GRAPHDRIVER_PLUGINS=1 dockerd --experimental -s my-driver
    ...
    INFO[2024-06-21T10:35:04.149901970Z] containerd successfully booted in 0.013614s
    INFO[2024-06-21T10:35:05.148195845Z] [graphdriver] trying configured driver: my-driver
    WARN[2024-06-21T10:35:05.150647679Z] Unable to locate plugin: my-driver, retrying in 1s
    WARN[2024-06-21T10:35:06.152531221Z] Unable to locate plugin: my-driver, retrying in 2s
    WARN[2024-06-21T10:35:08.158452389Z] Unable to locate plugin: my-driver, retrying in 4s
    WARN[2024-06-21T10:35:12.163699293Z] Unable to locate plugin: my-driver, retrying in 8s

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-21 13:08:31 +02:00
Sebastiaan van Stijn
0a4277abf4 api/types: move stats-types to api/types/container
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-20 10:21:42 +02:00
Albin Kerouanton
3e85c9d517 Merge pull request #48025 from robmry/fix_port_mapped_hairpin
Fix hairpin between networks with mapped port
2024-06-18 19:46:16 +02:00
Albin Kerouanton
fb8d8a9fe5 Merge pull request #47318 from andrewbaxter/47317-allow-macvlan-dup-parent
Allow multiple macvlan networks to share a parent
2024-06-18 19:32:24 +02:00
Rob Murray
2df4391473 Fix hairpin between networks with mapped port
Following changes to the port mapping code, the DNAT iptables rule was
inserted into the nat table rather than appended.

This meant DNAT was applied before the rule that should have skipped
it when a packet was from a bridge network.

So, packets sent from a container on one network to a mapped port on
the host's address were DNAT'd before docker-proxy could pick them up,
then they were dropped by a rule intended to isolate the networks.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-18 16:14:16 +01:00
Sebastiaan van Stijn
ad716b223b integration/container: use consistent alias for import
The canonical alias is "containertypes" for this import.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-18 13:11:37 +02:00
Rob Murray
74d77d8811 Revert "Internal resolver for default bridge network"
This reverts commit 18f4f775ed.

Because buildkit doesn't run an internal resolver, and it bases its
/etc/resolv.conf on the host's ... when buildkit is run in a container
that has 'nameserver 127.0.0.11', its build containers will use Google's
DNS servers as a fallback (unless the build container uses host
networking).

Before, when the 127.0.0.11 resolver was not used for the default network,
the buildkit container would have inherited a site-local nameserver. So,
the build containers it created would also have inherited that DNS
server - and they'd be able to resolve site-local hostnames.

By replacing the site-local nameserver with Google's, we broke access
to local DNS and its hostnames.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-17 20:19:20 +01:00
Paweł Gronowski
caf502a0bc Merge pull request #47239 from cpuguy83/containerd_image_info
Set containerd container image ref
2024-06-17 17:02:24 +02:00
Paweł Gronowski
9f4cd92e07 Merge pull request #47929 from vvoland/image-create
daemon: Emit Image Create event when image is built
2024-06-17 16:30:35 +02:00
Brian Goff
2851ddc44c Add containerd image ref to created containers
This populates the "Image" field on containerd containers, but only when
using the containerd image store.
This allows containerd clients to look up the image information.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-17 14:45:17 +02:00
Paweł Gronowski
7b8f4922a5 daemon: Emit Image Create event when image is built
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-06-17 14:05:12 +02:00
Sebastiaan van Stijn
b2441c7419 Merge pull request #45052 from cpuguy83/attach_fd_leak
Fix attach goroutine/fd leak when no I/O is ready
2024-06-17 13:16:08 +02:00
Sebastiaan van Stijn
805ccd2365 pkg/dmesg: deprecate, and use internal utility instead
This package was originally added in 46833ee1c3
for use in the devicemapper graphdriver. The devicemapper graphdriver was
deprecated and has been removed. The only remaining consumer is an integration
test.

Deprecate the package and mark it for removal in the next release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-16 12:41:39 +02:00
andrew
528ffa9cae Allow multiple macvlan networks to share a parent
The only case where macvlan interfaces are unable to share a parent is
when the macvlan mode is passthru. This change tightens the check to
that situation.

It also makes the error message more specific to avoid suggesting that
sharing parents is never correct.

Signed-off-by: Andrew Baxter <423qpsxzhh8k3h@s.rendaw.me>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-15 19:42:11 +02:00
Albin Kerouanton
955b923352 daemon: releaseNetwork: clear SandboxID, SandboxKey
When the container stops or during `restore`, `daemon.releaseNetwork` is
used to clear all net-related state carried by a container. However, the
fields `SandboxID` and `SandboxKey` are never cleared. On the next start,
these fields will be replaced with new values. There's no point in
preserving these data since they became invalid as soon as the container
stopped.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-06-14 18:35:31 +02:00
Albin Kerouanton
e3c5665d21 daemon: restore: clear net state for stopped containers
When the daemon crashes, the host unexpectedly reboots, or the daemon
restarts with live-restore enabled, running containers might stop and the
on-disk state for containers might diverge from reality. All these
situations are currently handled by the daemon's `restore` method.

That method calls `daemon.Cleanup()` for all the dead containers. In
turn, `Cleanup` calls `daemon.releaseNetwork()`. However, this last
method won't do anything because it expects the `netController` to be
initialized when it's called. That's not the case in the `restore` code
path -- the `netController` is initialized _after_ cleaning up dead
containers.

There's a chicken-egg problem here, and fixing that would require some
important architectural changes (eg. change the way libnet's controller
is initialized).

Since `releaseNetwork()` early exits, dead containers won't ever have
their networking state cleaned. This led to bugs in Docker Desktop,
among other things.

Fix that by calling `releaseNetwork` after initializing the
`netController`.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-06-14 18:35:31 +02:00
Rob Murray
52333f3a34 Merge pull request #47871 from robmry/portmapper_fixes_and_nonat
Portmapper improvements, and options to disable NAT
2024-06-13 09:12:53 +01:00
Rob Murray
b7f1036cd9 Remove the option to ignore failure to disable ipv6
26.1.1 added env var DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE to make it
possible to create an IPv4-only network, even with a read-only
"/proc/sys/net" that meant IPv6 could not be disabled on an
interface.

In 27.0 it's easier to enable IPv6, just '--ipv6' when creating the
network - in particular, there's no need to allocate a subnet, because
a unique-local prefix will be assigned by default.

So, this change removes the env-var workaround. Now, the workarounds
are to enable IPv6, mount "/proc/sys/net" read-write, disable IPv6
by default in OS configuration, or remove support for IPv6 from the
kernel.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-12 16:28:29 +01:00
Rob Murray
20c99e4156 Option to disable NAT for IPv4/IPv6 for a bridge network.
Add bridge driver options...
  com.docker.network.bridge.gateway_mode_ipv4=<nat|routed>
  com.docker.network.bridge.gateway_mode_ipv6=<nat|routed>

If set to "routed", no NAT or masquerade rules are set up for port
mappings.

When NAT is disabled, the mapping is shown in 'inspect' output with
no host port number. For example, for "-p 80" with NAT disabled for
IPv6 but not IPv4:

    "80/tcp": [
        {
            "HostIp": "0.0.0.0",
            "HostPort": "32768"
        },
        {
            "HostIp": "::",
            "HostPort": ""
        }

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-11 22:33:58 +01:00
Akihiro Suda
896de6d426 seccomp: allow specifying a custom profile with --privileged
`--privileged --security-opt seccomp=<CUSTOM.json>` was ignoring
`<CUSTOM.json>`.

Fix issue 47499

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-06-11 03:37:54 +09:00
Sebastiaan van Stijn
eb675cce71 api/types: move ImageImportSource to api/types/image
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-10 10:21:25 +02:00
Sebastiaan van Stijn
b5f15bc0aa api/types: move EventsOptions to api/types/events
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-10 10:21:24 +02:00
Sebastiaan van Stijn
fd1d8f323b api/types: move CopyToContainerOptions to api/types/container
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-10 10:20:47 +02:00
Sebastiaan van Stijn
d91638e295 api/types: move ExecStartCheck to api/types/container
This moves the type to api/types/container and creates an alias for
exec attach; ContainerExecAttach currently uses the same type as
ContainerExecStart, but does not accept all the same options (and some
options cannot be used).

We need to split the actual types, but let's start with aliasing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-10 10:19:46 +02:00
Sebastiaan van Stijn
cd76e3e7f8 api/types: move ExecConfig to api/types/container
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-10 10:19:46 +02:00
Sebastiaan van Stijn
311c949871 Merge pull request #47731 from racequite/master
chore: fix function names in comment
2024-06-09 22:33:09 +02:00
Sebastiaan van Stijn
59996a493c Merge pull request #47866 from cncal/return_container_annotations
api/server: ContainerList returns container annotations
2024-06-07 14:14:12 +02:00
Sebastiaan van Stijn
ad6edc139f api/types: move NetworkCreate, NetworkCreateRequest to api/types/network
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-07 11:11:15 +02:00
cncal
ca0529f984 api/server: ContainerList returns container annotations
Allow clients (e.g. cri-dockerd) to fetch container annotations in
ContainerList api.

Signed-off-by: cncal <flycalvin@qq.com>
2024-06-07 09:50:11 +08:00
Sebastiaan van Stijn
00f18ef7a4 Merge pull request #47867 from akerouanton/api-EnableIPv6-override
api: Make EnableIPv6 optional (impl #1 - pointer-based)
2024-06-06 20:20:29 +02:00
Albin Kerouanton
f3f20c3a86 Merge pull request #47602 from robmry/internal_resolver_for_default_bridge
Add resolver for default bridge, remove default nameservers
2024-06-06 10:39:24 +02:00
Rob Murray
18f4f775ed Internal resolver for default bridge network
Until now, containers on the default bridge network have been configured
to talk directly to external DNS servers - their resolv.conf files have
either been populated with nameservers from the host's resolv.conf, or
with servers from '--dns' (or with Google's nameservers as a fallback).

This change makes the internal bridge more like other networks by using
the internal resolver.  But, the internal resolver is not populated with
container names or aliases - it's only for external DNS lookups.

Containers on the default network, on a host that has a loopback
resolver (like systemd's on 127.0.0.53) will now use that resolver
via the internal resolver. So, the logic used to find systemd's current
set of resolvers is no longer needed by the daemon.

Legacy links work just as they did before, using '/etc/hosts' and magic.

(Buildkit does not use libnetwork, so it can't use the internal resolver.
But it does use libnetwork/resolvconf's logic to configure resolv.conf.
So, code to set up resolv.conf for a legacy networking without an internal
resolver can't be removed yet.)

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-05 20:27:24 +01:00
Albin Kerouanton
c6aaabc9fc Merge pull request #47887 from thaJeztah/move_more_network_api_types_2
api/types: migrate NetworkResource to api/types/network
2024-06-05 15:48:24 +02:00
Sebastiaan van Stijn
86f7762d48 vendor: github.com/containerd/containerd v1.7.18
Update to containerd 1.7.18, which has now migrated to the errdefs module. The
existing errdefs package is now an alias for the module, and should no longer
be used directly.

This patch:

- updates the containerd dependency: https://github.com/containerd/containerd/compare/v1.7.17...v1.7.18
- replaces uses of the old package in favor of the new module
- adds a linter check to prevent accidental re-introduction of the old package
- adds a linter check to prevent using the "log" package, which was also
  migrated to a separate module.

There are still some uses of the old package in (indirect) dependencies,
which should go away over time.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-05 09:21:00 +02:00
Albin Kerouanton
163c6ca9ad api: Make EnableIPv6 optional
Currently, starting dockerd with
`--default-network-opt=bridge=com.docker.network.enable_ipv6=true` has
no effect as `NetworkCreateRequest.EnableIPv6` is a basic bool.

This change makes it a `*bool` to make it optional. If clients don't
specify it, the default-network-opt will be applied.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-06-04 21:36:18 +02:00
Sebastiaan van Stijn
69b2a05d27 api/types: migrate NetworkResource to api/types/network
This moves the type to the api/types/network package, but also introduces
a "Summary" alias; the intent here is to allow diverging the types used
for "list" and "inspect" operations, as list operations may only be
producing a subset of the fields available.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-04 17:44:46 +02:00
Sebastiaan van Stijn
70bac42113 integration/network: remove use of deprecated NetworkInspectOptions
The types.NetworkInspectOptions type was moved to the networks package
in 5bea0c38bc and deprecated, but use of it
was re-introduced in cd3804655a, which was
merged out-of-order.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-04 11:53:00 +02:00