From 764fae967dc7b6b75c10c2dfb0fecf7fcc20ad19 Mon Sep 17 00:00:00 2001
From: shechenglong
Date: Thu, 17 Apr 2025 16:23:18 +0800
Subject: [PATCH] Don't enforce new validation rules for existing networks

Signed-off-by: shechenglong
---
 ...w-validation-rules-for-existing-netw.patch | 64 +++++++++++++++++++
 moby.spec | 6 +-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch

diff --git a/1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch b/1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
new file mode 100644
index 0000000..532b232
--- /dev/null
+++ b/1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
@@ -0,0 +1,64 @@
+From 1ae019fca2a6c7874afe2b54b7261dbf9a7d8efc Mon Sep 17 00:00:00 2001
+From: Rob Murray
+Date: Thu, 8 Feb 2024 17:40:54 +0000
+Subject: [PATCH 004/172] Don't enforce new validation rules for existing
+ networks
+
+Non-swarm networks created before network-creation-time validation
+was added in 25.0.0 continued working, because the checks are not
+re-run.
+
+But, swarm creates networks when needed (with 'agent=true'), to
+ensure they exist on each agent - ignoring the NetworkNameError
+that says the network already existed.
+
+By ignoring validation errors on creation of a network with
+agent=true, pre-existing swarm networks with IPAM config that would
+fail the new checks will continue to work too.
+
+New swarm (overlay) networks are still validated, because they are
+initially created with 'agent=false'.
+
+Signed-off-by: Rob Murray
+(cherry picked from commit 571af915d59d2fa68eb10cf0ec3cf9cd85b1eef2)
+Signed-off-by: Albin Kerouanton
+---
+ daemon/network.go | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/network.go b/daemon/network.go
+index d2d9dd27fc..9fcf6b1fd6 100644
+--- a/daemon/network.go
++++ b/daemon/network.go
+@@ -332,7 +332,27 @@ func (daemon *Daemon) createNetwork(cfg *config.Config, create types.NetworkCrea
+ }
+ 
+ if err := network.ValidateIPAM(create.IPAM, create.EnableIPv6); err != nil {
+- return nil, errdefs.InvalidParameter(err)
++ if agent {
++ // This function is called with agent=false for all networks. For swarm-scoped
++ // networks, the configuration is validated but ManagerRedirectError is returned
++ // and the network is not created. Then, each time a swarm-scoped network is
++ // needed, this function is called again with agent=true.
++ //
++ // Non-swarm networks created before ValidateIPAM was introduced continue to work
++ // as they did before-upgrade, even if they would fail the new checks on creation
++ // (for example, by having host-bits set in their subnet). Those networks are not
++ // seen again here.
++ //
++ // By dropping errors for agent networks, existing swarm-scoped networks also
++ // continue to behave as they did before upgrade - but new networks are still
++ // validated.
++ log.G(context.TODO()).WithFields(log.Fields{
++ "error": err,
++ "network": create.Name,
++ }).Warn("Continuing with validation errors in agent IPAM")
++ } else {
++ return nil, errdefs.InvalidParameter(err)
++ }
+ }
+ 
+ if create.IPAM != nil {
+-- 
+2.27.0
+
diff --git a/moby.spec b/moby.spec
index 51ccede..46b21af 100644
--- a/moby.spec
+++ b/moby.spec
@@ -7,7 +7,7 @@ Name: moby
 Version: 25.0.3
-Release: 24
+Release: 25
 Summary: The open-source application container engine
 License: Apache-2.0
 URL: https://www.docker.com
@@ -36,6 +36,7 @@ Patch1009: 1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch
 Patch1010: 1010-fix-CVE-2024-36621.patch
 Patch1011: 1011-fix-CVE-2024-36620.patch
 Patch1012: 1012-fix-CVE-2024-36623.patch
+Patch1013: 1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
 # Patch 2001-2999 for tini
 Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
@@ -227,6 +228,9 @@ fi
 %systemd_postun_with_restart docker.service
 %changelog
+* Thu Apr 17 2025 shechenglong - 25.0.3-25
+- Don't enforce new validation rules for existing networks
+
 * Thu Apr 17 2025 shechenglong - 25.0.3-24
 - fix build error on loongarch64
-- Gitee
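Review bot: The new `if agent` branch keeps going after `network.ValidateIPAM` rejects the request, so the code following `if create.IPAM != nil {` now runs on IPAM settings the daemon refused before this patch, and the Warn log carrying the `error` and `network` fields is the only record that such a network is in use. That is what the carried upstream commit intends for pre-existing swarm networks, but the moby.spec %changelog entry in this commit (the last hunk of that file) does not say so; I would extend it to `- Don't enforce new validation rules for existing networks (backport of upstream 571af915d59d2fa68eb10cf0ec3cf9cd85b1eef2; IPAM validation errors are only logged, not rejected, when agent=true)` so whoever reads the package history knows the check was relaxed and which daemon-log warning to watch for. The patch file itself appears to be an unmodified cherry-pick and is best left verbatim rather than restyled locally. `createNetwork` begins and ends outside the hunk, and whether `agent` is a parameter of that function cannot be confirmed from the truncated signature on the `@@` line.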