Don't enforce new validation rules for existing networks

Signed-off-by: shechenglong <shechenglong@xfusion.com>
2025-04-17 16:23:18 +08:00 · 2025-04-17 16:23:18 +08:00 · 764fae967d
commit 764fae967d
parent b9af4a08ac
2 changed files with 69 additions and 1 deletions
--- a/1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
+++ b/1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
@ -0,0 +1,64 @@
 From 1ae019fca2a6c7874afe2b54b7261dbf9a7d8efc Mon Sep 17 00:00:00 2001
 From: Rob Murray <rob.murray@docker.com>
 Date: Thu, 8 Feb 2024 17:40:54 +0000
 Subject: [PATCH 004/172] Don't enforce new validation rules for existing
 networks
 Non-swarm networks created before network-creation-time validation
 was added in 25.0.0 continued working, because the checks are not
 re-run.
 But, swarm creates networks when needed (with 'agent=true'), to
 ensure they exist on each agent - ignoring the NetworkNameError
 that says the network already existed.
 By ignoring validation errors on creation of a network with
 agent=true, pre-existing swarm networks with IPAM config that would
 fail the new checks will continue to work too.
 New swarm (overlay) networks are still validated, because they are
 initially created with 'agent=false'.
 Signed-off-by: Rob Murray <rob.murray@docker.com>
 (cherry picked from commit 571af915d59d2fa68eb10cf0ec3cf9cd85b1eef2)
 Signed-off-by: Albin Kerouanton <albinker@gmail.com>
 ---
 daemon/network.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
 diff --git a/daemon/network.go b/daemon/network.go
 index d2d9dd27fc..9fcf6b1fd6 100644
 --- a/daemon/network.go
 +++ b/daemon/network.go
@@ -332,7 +332,27 @@ func (daemon *Daemon) createNetwork(cfg *config.Config, create types.NetworkCrea
 	}
 	if err := network.ValidateIPAM(create.IPAM, create.EnableIPv6); err != nil {
 -		return nil, errdefs.InvalidParameter(err)
 +		if agent {
 +			// This function is called with agent=false for all networks. For swarm-scoped
 +			// networks, the configuration is validated but ManagerRedirectError is returned
 +			// and the network is not created. Then, each time a swarm-scoped network is
 +			// needed, this function is called again with agent=true.
 +			//
 +			// Non-swarm networks created before ValidateIPAM was introduced continue to work
 +			// as they did before-upgrade, even if they would fail the new checks on creation
 +			// (for example, by having host-bits set in their subnet). Those networks are not
 +			// seen again here.
 +			//
 +			// By dropping errors for agent networks, existing swarm-scoped networks also
 +			// continue to behave as they did before upgrade - but new networks are still
 +			// validated.
 +			log.G(context.TODO()).WithFields(log.Fields{
 +				"error":   err,
 +				"network": create.Name,
 +			}).Warn("Continuing with validation errors in agent IPAM")
 +		} else {
 +			return nil, errdefs.InvalidParameter(err)
 +		}
 	}
 	if create.IPAM != nil {
 -- 
 2.27.0
--- a/moby.spec
+++ b/moby.spec
@ -7,7 +7,7 @@
 Name: 	  moby
 Version:  25.0.3
-Release:  24
+Release:  25
 Summary:  The open-source application container engine
 License:  Apache-2.0
 URL:	  https://www.docker.com
@ -36,6 +36,7 @@ Patch1009:  1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch
 Patch1010:  1010-fix-CVE-2024-36621.patch
 Patch1011:  1011-fix-CVE-2024-36620.patch
 Patch1012:  1012-fix-CVE-2024-36623.patch
 Patch1013:  1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
 # Patch 2001-2999 for tini
 Patch2001:  2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
@ -227,6 +228,9 @@ fi
 %systemd_postun_with_restart docker.service
 %changelog
 * Thu Apr 17 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-25
 - Don't enforce new validation rules for existing networks
 * Thu Apr 17 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-24
 - fix build error on loongarch64