Commit graph

1450 commits

Author SHA1 Message Date
Jiri Popelka
bc71145164 React to firewalld's reload/restart
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.

With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].

Libvirt has been doing this for quite a long time now.

Docker changes firewall rules in basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
   Portmapper fortunately keeps a list of mapped ports,
   so we can easily recreate firewall rules on firewalld restart/reload
   New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
   When setting a bridge, basic firewall rules are created.
   This is done at once during start, it's parametrized and nowhere
   tracked so how can one know what and how to set it again when
   there's been a firewalld restart/reload?
   The only solution that came to my mind is using closures [4],
   i.e. I keep list of references to closures (anonymous functions
   together with a referencing environment) and when there's firewalld
   restart/reload I re-call them in the same order.
3) links/links.go - linking containers
   Link is added in Enable() and removed in Disable().
   In Enable() we add a callback function, which creates the link,
   that's OK so far.
   It'd be ideal if we could remove the same function from
   the list in Disable(). Unfortunately that's not possible AFAICT,
   because we don't know the reference to that function
   at that moment, so we can only add a reference to function,
   which removes the link. That means that after creating and
   removing a link there are 2 functions in the list,
   one adding and one removing the link and after
   firewalld restart/reload both are called.
   It works, but it's far from ideal.

[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:09 +02:00
Jiri Popelka
5e167a6493 Support for Firewalld
Firewalld [1] is a firewall managing daemon with D-Bus interface.

What sort of problem are we trying to solve with this?

Firewalld internally also executes iptables/ip6tables to change firewall settings.
It might happen on systems where both docker and firewalld are running
concurrently, that both of them try to call iptables at the same time.
The result is that the second one fails because the first one is holding an xtables lock.
One workaround is to use --wait/-w option in both
docker & firewalld when calling iptables.
It's already been done in both upstreams:
b315c380f4
b3b451d6f8
But it'd still be better if docker used firewalld when it's running.

Another problem the firewalld support would solve is that
iptables/firewalld service's restart flushes all firewall rules
previously added by docker.
See next patch for possible solution.

This patch utilizes firewalld's D-Bus interface.
If firewalld is running, we call direct.passthrough() [2] method instead
of executing iptables directly.
direct.passthrough() takes the same arguments as iptables tool itself
and passes them through to iptables tool.
It might be better to use other methods, like direct.addChain and
direct.addRule [3] so it'd be more integrated with firewalld, but
that'd make the patch much bigger.
If firewalld is not running, everything works as before.

[1] http://www.firewalld.org/
[2] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.passthrough
[3] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addChain
    https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addRule

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:03 +02:00
Doug Davis
b140321e2e Merge pull request #12438 from ourcolorfuldays/fixtypo
fix some typos
2015-04-18 07:17:55 -04:00
bin liu
34fbb6c622 fix some typos
Signed-off-by: bin liu <liubin0329@gmail.com>
2015-04-17 08:12:13 +00:00
Lei Jitang
c9f6e6de37 Fix weird terminal output format
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-04-17 15:28:12 +08:00
Antonio Murdaca
221acfd266 Add minor stylistic fixes
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-16 21:22:32 +02:00
Jason Smith
7b823090ed added documentation for functions
Signed-off-by: Jason Smith <jasonrichardsmith@gmail.com>
2015-04-15 19:28:01 -07:00
Alexander Morozov
6a30cca4ed Merge pull request #12369 from runcom/fix-links-graph-ref
Fix wrong graphdb refs paths purging
2015-04-15 11:34:58 -07:00
Phil Estes
1a59c1698e Merge pull request #12360 from yestin/11601-supplement-tests-part-2
Improve test accuracy for pkg/chrootarchive (part 2)
2015-04-14 21:00:12 -04:00
Antonio Murdaca
b12971703d Fix wrong graphdb refs paths purging
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-14 23:10:43 +02:00
Brian Goff
504425a9ff Merge pull request #12214 from ahmetalpbalkan/namesgenerator/localrand
names-generator: use local random instance
2015-04-14 13:10:26 -04:00
Alexander Morozov
8005f59382 Merge pull request #12374 from kostickm/12343-fix-vet-warning-archive
Fix vet warning in archive.go
2015-04-14 10:06:04 -07:00
Megan Kostick
967f4dc067 Fix vet warning in archive.go
Signed-off-by: Megan Kostick <mkostick@us.ibm.com>
2015-04-14 09:13:50 -07:00
Yestin Sun
6ae14a2625 Improve test accuracy for pkg/chrootarchive (part 2)
Check test correctness of untar by comparing destination with
source. For part 2, it checks hashes of source and destination
files or the target files of symbolic links.

This is a supplement to the #11601 fix.

Signed-off-by: Yestin Sun <sunyi0804@gmail.com>
2015-04-13 21:46:14 -07:00
Ahmet Alp Balkan
627d5ea83b names-generator: use local random instance
Instead of seeding/polluting the global random instance,
creating a local `rand.Random` instance which provides the same
level of randomness.

Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-04-14 02:35:16 +00:00
Antonio Murdaca
d7a5d5b94c Refactor utils/utils, fixes #11923
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-14 01:37:36 +02:00
Michael Crosby
b15e56b3ef Merge pull request #12044 from reteptilian/11721-remove-randomstring-3
fixes 11721 replace stringutils.GenerateRandomString with stringid.GenerateRandomID
2015-04-13 13:47:50 -07:00
Evan Hazlett
86168f3594 Merge pull request #12204 from yestin/11601-supplement-tests-part-1
Improve test accuracy for pkg/chrootarchive (part 1)
2015-04-13 16:14:18 -04:00
Michael Crosby
08ddc4edc5 Merge pull request #12342 from LK4D4/fix_vet_warn
Fix vet warning
2015-04-13 12:56:47 -07:00
Evan Hazlett
347857acba Merge pull request #12276 from estesp/10246-really-fix-arg-list
Send archive options via pipe in chrootarchive
2015-04-13 14:44:47 -04:00
Alexander Morozov
2f1072efe0 Fix vet warning
pkg/archive/archive_test.go:496: arg changes for printf verb %s of wrong type: []archive.Change

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-04-13 11:43:30 -07:00
Michael Crosby
a07cb3c4e6 Merge pull request #12297 from vdemeester/11603-pkg-archive-test-coverage
Add test on archive.go (#11603)
2015-04-13 10:54:21 -07:00
Deshi Xiao
3aad0991ea correct pkg/stdcopy NewStdWriter function comments
pkg/stdcopy NewStdWriter function has wrong doc comment,
utils is not correct, it should be stdcopy

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2015-04-13 17:21:27 +08:00
Phil Estes
70210e11f2 Send archive options via pipe in chrootarchive
After finding our initial thinking on env. space versus arg list space
was wrong, we need to solve this by using a pipe between the caller and
child to marshall the (potentially very large) options array to the
archiver.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-04-12 21:16:54 -04:00
Vincent Demeester
2fd964cc1d Add test on archive.go (#11603)
- Trying to add or complete unit test to each ``func``
- Removing dead code (``escapeName``)

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-04-11 23:21:37 +02:00
Brendan Dixon
a15746e7cf Turned off Ctrl+C processing by Windows shell
Signed-off-by: Brendan Dixon <brendand@microsoft.com>
2015-04-10 15:43:35 -07:00
Tibor Vass
34332b8151 Merge pull request #12238 from brendandixon/win-cli/fixes
Corrected int16 overflow and buffer sizes
2015-04-10 13:36:23 -04:00
Richard Burnison
a513a8b8e0 Only use fallback to short IDs when obvious.
As reported in #11294, the Docker daemon will execute containers it
shouldn't run in the event that a requested tag is present in an image's
ID. This leads to the wrong image being started up silently.

This change reduces the risk of such a collision by using the short ID
iff the actual revOrTag looks like a short ID (not that it necessarily
is).

Signed-off-by: Richard Burnison <rburnison@ebay.com>
2015-04-10 13:20:44 -04:00
WiseTrem
fb7d4d784e Remove pools_nopool.go & build tag from pools.go
Fix #11576

Signed-off-by: Gleb Shepelev <shepelyov.g@gmail.com>
2015-04-10 02:32:55 +03:00
Brendan Dixon
06eb6c91a0 Corrected int16 overflow and buffer sizes
Signed-off-by: Brendan Dixon <brendand@microsoft.com>
2015-04-09 09:03:04 -07:00
Ahmet Alp Balkan
b4cd20a3ad namesgenerator: Proposing Kilby/Noyce
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-04-09 04:11:06 -07:00
Yestin Sun
f16c4275d2 Improve test accuracy for pkg/chrootarchive (part 1)
Check test correctness of untar by comparing destination with
source. For part one, it only compares the directories.

This is a supplement to the #11601 fix.

Signed-off-by: Yestin Sun <yestin.sun@polyera.com>
2015-04-08 14:07:31 -07:00
Chris Stivers
4f5c0ee46d Proposing Seymour Cray
Signed-off-by: Chris Stivers <chris@stivers.us>
2015-04-08 13:17:22 -07:00
Jessie Frazelle
ecea125be8 Merge pull request #11909 from runcom/11908-refactor-utils-utils-daemon
Refactor utils/utils_daemon
2015-04-07 13:24:24 -07:00
53738aa452 Merge pull request #12033 from rhvgoyal/devmapper-cleanup
Devmapper Graph Driver Misc cleanup
2015-04-07 15:49:32 -04:00
Ahmet Alp Balkan
cdead8bb8f Swap width/height in GetWinsize and monitorTtySize
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-04-06 14:31:42 -07:00
Brendan Dixon
52a4467d1d Windows console fixes
Corrected integer size passed to Windows
Corrected DisableEcho / SetRawTerminal to not modify state
Cleaned up and made routines more idiomatic
Corrected raw mode state bits
Removed duplicate IsTerminal
Corrected off-by-one error
Minor idiomatic change

Signed-off-by: Brendan Dixon <brendand@microsoft.com>
2015-04-03 15:02:52 -07:00
Jessie Frazelle
165fb82759 Merge pull request #11886 from jamiehannaford/pkg-mnt-docs
Document exported functions and consts in pkg/mount
2015-04-03 21:28:11 +00:00
Antonio Murdaca
c38e2a81e4 Refactor utils/utils_daemon, fixes #11908
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-03 20:20:04 +02:00
Jamie Hannaford
bd4431719e Add documentation for exported functions and types
Signed-off-by: Jamie Hannaford <jamie.hannaford@rackspace.com>
2015-04-03 11:33:34 +02:00
Joey Gibson
11603e6535 Fix vet warnings in pkg/requestdecorator/requestdecorator_test.go #12041
Signed-off-by: Joey Gibson <joey@joeygibson.com>
2015-04-03 00:18:21 -04:00
Vivek Goyal
4401f264f9 devmapper: Use a pointer as argument to deferred function UdevWait()
UdevWait() is deferred and takes uint cookie as an argument. As arguments
to deferred functions are calculated at the time of call, it is possible
that any update to cookie later by libdm is not taken into account when
UdevWait() is called. Hence use a pointer to uint as argument to UdevWait()
function.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-02 16:47:14 -04:00
Vivek Goyal
ee419fae0c devicemapper: Remove debug messages from RemoveDevice()
devmapper graph driver retries device removal 1000 times in case of failure
and this fills up the console with 1000 messages (when daemon is running in
debug mode). So remove these debug messages.
 
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-02 16:47:14 -04:00
Peter Esbensen
88e878b013 Fixes #11721 removed GenerateRandomString
Signed-off-by: Peter Esbensen <pkesbensen@gmail.com>

gofmt

Signed-off-by: Peter Esbensen <pkesbensen@gmail.com>
2015-04-02 08:07:52 -07:00
Peter Esbensen
ae440baf74 Added unit tests for stringutils GenerateRandomAlphaOnlyString and GenerateRandomAsciiString
Signed-off-by: Peter Esbensen <pkesbensen@gmail.com>
2015-04-02 07:12:47 -07:00
7bde17186d Merge pull request #11099 from iavael/bugfix/tar-symlinks
Fixed handling hardlinks to symlinks in tar stream
2015-04-01 18:34:00 -04:00
unclejack
d9fa79b73c pkg/broadcastwriter: reset after 4 KB w/o stream
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2015-04-01 01:26:19 +03:00
Alexander Morozov
61ad4654f5 Skip heavy operations if there are no jsonlog writers
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-04-01 01:02:18 +03:00
unclejack
dd54d0419c pkg/broadcastwriter: use []byte to lower alloc
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2015-04-01 01:02:18 +03:00
unclejack
90c3318cb6 pkg/jsonlog: add JSONLogBytes for low allocations
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
2015-04-01 01:02:18 +03:00