Don't enforce new validation rules for existing networks

Signed-off-by: shechenglong <shechenglong@xfusion.com>

1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch

@@ -0,0 +1,64 @@
+From 1ae019fca2a6c7874afe2b54b7261dbf9a7d8efc Mon Sep 17 00:00:00 2001
+From: Rob Murray <rob.murray@docker.com>
+Date: Thu, 8 Feb 2024 17:40:54 +0000
+Subject: [PATCH 004/172] Don't enforce new validation rules for existing
+ networks
+
+Non-swarm networks created before network-creation-time validation
+was added in 25.0.0 continued working, because the checks are not
+re-run.
+
+But, swarm creates networks when needed (with 'agent=true'), to
+ensure they exist on each agent - ignoring the NetworkNameError
+that says the network already existed.
+
+By ignoring validation errors on creation of a network with
+agent=true, pre-existing swarm networks with IPAM config that would
+fail the new checks will continue to work too.
+
+New swarm (overlay) networks are still validated, because they are
+initially created with 'agent=false'.
+
+Signed-off-by: Rob Murray <rob.murray@docker.com>
+(cherry picked from commit 571af915d59d2fa68eb10cf0ec3cf9cd85b1eef2)
+Signed-off-by: Albin Kerouanton <albinker@gmail.com>
+---
+ daemon/network.go | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/network.go b/daemon/network.go
+index d2d9dd27fc..9fcf6b1fd6 100644
+--- a/daemon/network.go
++++ b/daemon/network.go
+@@ -332,7 +332,27 @@ func (daemon *Daemon) createNetwork(cfg *config.Config, create types.NetworkCrea
+ 	}
+ 
+ 	if err := network.ValidateIPAM(create.IPAM, create.EnableIPv6); err != nil {
+-		return nil, errdefs.InvalidParameter(err)
++		if agent {
++			// This function is called with agent=false for all networks. For swarm-scoped
++			// networks, the configuration is validated but ManagerRedirectError is returned
++			// and the network is not created. Then, each time a swarm-scoped network is
++			// needed, this function is called again with agent=true.
++			//
++			// Non-swarm networks created before ValidateIPAM was introduced continue to work
++			// as they did before-upgrade, even if they would fail the new checks on creation
++			// (for example, by having host-bits set in their subnet). Those networks are not
++			// seen again here.
++			//
++			// By dropping errors for agent networks, existing swarm-scoped networks also
++			// continue to behave as they did before upgrade - but new networks are still
++			// validated.
++			log.G(context.TODO()).WithFields(log.Fields{
++				"error":   err,
++				"network": create.Name,
++			}).Warn("Continuing with validation errors in agent IPAM")
++		} else {
++			return nil, errdefs.InvalidParameter(err)
++		}
+ 	}
+ 
+ 	if create.IPAM != nil {
+-- 
+2.27.0
+

moby.spec

@@ -7,7 +7,7 @@
 
 Name: 	  moby
 Version:  25.0.3
-Release:  24
+Release:  25
 Summary:  The open-source application container engine
 License:  Apache-2.0
 URL:	  https://www.docker.com
@@ -36,6 +36,7 @@ Patch1009:  1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch
 Patch1010:  1010-fix-CVE-2024-36621.patch
 Patch1011:  1011-fix-CVE-2024-36620.patch
 Patch1012:  1012-fix-CVE-2024-36623.patch
+Patch1013:  1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
 # Patch 2001-2999 for tini
 Patch2001:  2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
@@ -227,6 +228,9 @@ fi
 %systemd_postun_with_restart docker.service
 
 %changelog
+* Thu Apr 17 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-25
+- Don't enforce new validation rules for existing networks
+
 * Thu Apr 17 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-24
 - fix build error on loongarch64