Don't pass sandbox options to ProgramExternalConnectivity

The same sandbox options are passed to Join.

Signed-off-by: Rob Murray <rob.murray@docker.com>

Author: robmry

libnetwork/driverapi/driverapi.go

@@ -81,22 +81,19 @@ type Driver interface {
 
 // ExtConner is an optional interface for a network driver.
 type ExtConner interface {
-	// ProgramExternalConnectivity tells the driver a container's options (including
-	// port mapping options), so that it can configure the endpoint eid in network
-	// nid.
-	//
-	// Ids of the endpoints currently acting as the container's default gateway for
-	// IPv4 and IPv6 are passed as gw4Id/gw6Id. (Those endpoints may be managed by
-	// different network drivers. If there is no gateway, the id will be the
-	// empty string.)
+	// ProgramExternalConnectivity tells the driver the ids of the endpoints
+	// currently acting as the container's default gateway for IPv4 and IPv6,
+	// passed as gw4Id/gw6Id. (Those endpoints may be managed by different network
+	// drivers. If there is no gateway, the id will be the empty string.)
 	//
 	// This method is called after Driver.Join, before Driver.Leave, and when eid
-	// is or was equal to gw4Id or gw6Id, and there's a change.
+	// is or was equal to gw4Id or gw6Id, and there's a change. It may also be
+	// called when the gateways have not changed.
 	//
 	// When an endpoint acting as a gateway is deleted, this function is called
 	// with that endpoint's id in eid, and empty gateway ids (even if another
 	// is present and will shortly be selected as the gateway).
-	ProgramExternalConnectivity(ctx context.Context, nid, eid string, options map[string]interface{}, gw4Id, gw6Id string) error
+	ProgramExternalConnectivity(ctx context.Context, nid, eid string, gw4Id, gw6Id string) error
 }
 
 // GwAllocChecker is an optional interface for a network driver.

libnetwork/drivers/bridge/bridge_linux.go

@@ -1447,6 +1447,10 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf
 	if err != nil {
 		return err
 	}
+	endpoint.extConnConfig, err = parseConnectivityOptions(sbOpts)
+	if err != nil {
+		return err
+	}
 
 	iNames := jinfo.InterfaceName()
 	containerVethPrefix := defaultContainerVethPrefix
@@ -1499,7 +1503,7 @@ type portBindingMode struct {
 	ipv6 bool
 }
 
-func (d *driver) ProgramExternalConnectivity(ctx context.Context, nid, eid string, options map[string]interface{}, gw4Id, gw6Id string) (retErr error) {
+func (d *driver) ProgramExternalConnectivity(ctx context.Context, nid, eid string, gw4Id, gw6Id string) (retErr error) {
 	ctx, span := otel.Tracer("").Start(ctx, spanPrefix+".ProgramExternalConnectivity", trace.WithAttributes(
 		attribute.String("nid", nid),
 		attribute.String("eid", eid),
@@ -1526,15 +1530,6 @@ func (d *driver) ProgramExternalConnectivity(ctx context.Context, nid, eid strin
 		return endpointNotFoundError(eid)
 	}
 
-	// Only parse options if given (options may be nil when revoking gateway-ness, but that
-	// doesn't mean the endpoint's config has changed).
-	if options != nil {
-		endpoint.extConnConfig, err = parseConnectivityOptions(options)
-		if err != nil {
-			return err
-		}
-	}
-
 	var pbmReq portBindingMode
 	// Act as the IPv4 gateway if explicitly selected.
 	if gw4Id == eid {

libnetwork/drivers/bridge/bridge_linux_test.go

@@ -843,7 +843,7 @@ func testQueryEndpointInfo(t *testing.T, ulPxyEnabled bool) {
 		t.Fatalf("Failed to join the endpoint: %v", err)
 	}
 
-	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", sbOptions, "ep1", "")
+	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", "ep1", "")
 	if err != nil {
 		t.Fatalf("Failed to program external connectivity: %v", err)
 	}
@@ -874,7 +874,7 @@ func testQueryEndpointInfo(t *testing.T, ulPxyEnabled bool) {
 		}
 	}
 
-	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", nil, "", "")
+	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -947,7 +947,7 @@ func TestLinkContainers(t *testing.T) {
 		t.Fatalf("Failed to join the endpoint: %v", err)
 	}
 
-	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", sbOptions, "ep1", "")
+	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", "ep1", "")
 	if err != nil {
 		t.Fatalf("Failed to program external connectivity: %v", err)
 	}
@@ -978,7 +978,7 @@ func TestLinkContainers(t *testing.T) {
 		t.Fatal("Failed to link ep1 and ep2")
 	}
 
-	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", sbOptions, "ep2", "ep2")
+	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", "ep2", "ep2")
 	if err != nil {
 		t.Fatalf("Failed to program external connectivity: %v", err)
 	}
@@ -997,7 +997,7 @@ func TestLinkContainers(t *testing.T) {
 	}
 	checkLink(true)
 
-	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", nil, "", "")
+	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", "", "")
 	if err != nil {
 		t.Fatalf("Failed to revoke external connectivity: %v", err)
 	}
@@ -1017,7 +1017,7 @@ func TestLinkContainers(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", sbOptions, "ep2", "ep2")
+	err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", "ep2", "ep2")
 	assert.Check(t, err != nil, "Expected Join to fail given link conditions are not satisfied")
 	checkLink(false)
 }

libnetwork/drivers/bridge/port_mapping_linux_test.go

@@ -73,7 +73,7 @@ func TestPortMappingConfig(t *testing.T) {
 		t.Fatalf("Failed to join the endpoint: %v", err)
 	}
 
-	if err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", sbOptions, "ep1", ""); err != nil {
+	if err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", "ep1", ""); err != nil {
 		t.Fatalf("Failed to program external connectivity: %v", err)
 	}
 
@@ -102,7 +102,7 @@ func TestPortMappingConfig(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", nil, "", "")
+	err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -159,7 +159,7 @@ func TestPortMappingV6Config(t *testing.T) {
 		t.Fatalf("Failed to join the endpoint: %v", err)
 	}
 
-	if err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", sbOptions, "ep1", "ep1"); err != nil {
+	if err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", "ep1", "ep1"); err != nil {
 		t.Fatalf("Failed to program external connectivity: %v", err)
 	}
 
@@ -178,7 +178,7 @@ func TestPortMappingV6Config(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", nil, "", "")
+	err = d.ProgramExternalConnectivity(context.Background(), "dummy", "ep1", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}

libnetwork/drivers/remote/driver.go

@@ -1,8 +1,12 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.23
+
 package remote
 
 import (
 	"context"
 	"fmt"
+	"maps"
 	"net"
 	"sync"
 
@@ -30,8 +34,10 @@ type driver struct {
 	nwEndpointsMu  sync.Mutex
 }
 
+// State info for an endpoint.
 type nwEndpoint struct {
-	isGateway4 bool
+	sbOptions  map[string]any // Sandbox (container) options, from Join.
+	isGateway4 bool           // Whether ProgramExternalConnectivity reported that this ep is a gateway.
 	isGateway6 bool
 }
 
@@ -352,7 +358,7 @@ func (d *driver) Join(_ context.Context, nid, eid string, sboxKey string, jinfo
 
 	d.nwEndpointsMu.Lock()
 	defer d.nwEndpointsMu.Unlock()
-	d.nwEndpoints[eid] = &nwEndpoint{}
+	d.nwEndpoints[eid] = &nwEndpoint{sbOptions: options}
 	return nil
 }
 
@@ -372,7 +378,7 @@ func (d *driver) Leave(nid, eid string) error {
 }
 
 // ProgramExternalConnectivity is invoked to program the rules to allow external connectivity for the endpoint.
-func (d *driver) ProgramExternalConnectivity(_ context.Context, nid, eid string, options map[string]interface{}, gw4Id, gw6Id string) error {
+func (d *driver) ProgramExternalConnectivity(_ context.Context, nid, eid string, gw4Id, gw6Id string) error {
 	d.nwEndpointsMu.Lock()
 	ep, ok := d.nwEndpoints[eid]
 	d.nwEndpointsMu.Unlock()
@@ -387,6 +393,7 @@ func (d *driver) ProgramExternalConnectivity(_ context.Context, nid, eid string,
 		return d.revokeExternalConnectivity(nid, eid)
 	}
 	ep.isGateway4, ep.isGateway6 = isGw4, isGw6
+	options := ep.sbOptions
 	if !isGw6 && gw6Id != "" {
 		// If there is an IPv6 gateway, but it's not eid, set NoProxy6To4. This label was
 		// used to tell the bridge driver not to try to use the userland proxy for dual
@@ -395,6 +402,7 @@ func (d *driver) ProgramExternalConnectivity(_ context.Context, nid, eid string,
 		// remote driver, marked as being for internal use and subject to later removal.
 		// But, preserve it here for now as there's no other way for a remote driver to
 		// know it shouldn't try to deal with IPv6 in this case.
+		options = maps.Clone(ep.sbOptions)
 		options[netlabel.NoProxy6To4] = true
 	}
 	data := &api.ProgramExternalConnectivityRequest{

libnetwork/endpoint.go

@@ -638,12 +638,12 @@ func (ep *Endpoint) sbJoin(ctx context.Context, sb *Sandbox, options ...Endpoint
 	// If ep has taken over as a gateway and there were gateways before, update them.
 	if ep == gwepAfter4 || ep == gwepAfter6 {
 		if gwepBefore4 != nil {
-			if err := gwepBefore4.programExternalConnectivity(ctx, sb.Labels(), gwepAfter4, gwepAfter6); err != nil {
+			if err := gwepBefore4.programExternalConnectivity(ctx, gwepAfter4, gwepAfter6); err != nil {
 				return fmt.Errorf("updating external connectivity for IPv4 endpoint %s: %v", epShortId(gwepBefore4), err)
 			}
 			defer func() {
 				if retErr != nil {
-					if err := gwepBefore4.programExternalConnectivity(ctx, sb.Labels(), gwepBefore4, gwepBefore6); err != nil {
+					if err := gwepBefore4.programExternalConnectivity(ctx, gwepBefore4, gwepBefore6); err != nil {
 						log.G(ctx).WithFields(log.Fields{
 							"error":     err,
 							"restoreEp": epShortId(gwepBefore4),
@@ -653,12 +653,12 @@ func (ep *Endpoint) sbJoin(ctx context.Context, sb *Sandbox, options ...Endpoint
 			}()
 		}
 		if gwepBefore6 != nil {
-			if err := gwepBefore6.programExternalConnectivity(ctx, sb.Labels(), gwepAfter4, gwepAfter6); err != nil {
+			if err := gwepBefore6.programExternalConnectivity(ctx, gwepAfter4, gwepAfter6); err != nil {
 				return fmt.Errorf("updating external connectivity for IPv6 endpoint %s: %v", epShortId(gwepBefore6), err)
 			}
 			defer func() {
 				if retErr != nil {
-					if err := gwepBefore6.programExternalConnectivity(ctx, sb.Labels(), gwepBefore4, gwepBefore6); err != nil {
+					if err := gwepBefore6.programExternalConnectivity(ctx, gwepBefore4, gwepBefore6); err != nil {
 						log.G(ctx).WithFields(log.Fields{
 							"error":     err,
 							"restoreEp": epShortId(gwepBefore6),
@@ -669,8 +669,8 @@ func (ep *Endpoint) sbJoin(ctx context.Context, sb *Sandbox, options ...Endpoint
 		}
 	}
 
-	// Tell the new endpoint its port mappings, and whether it's a gateway.
-	if err := ep.programExternalConnectivity(ctx, sb.Labels(), gwepAfter4, gwepAfter6); err != nil {
+	// Tell the new endpoint whether it's a gateway.
+	if err := ep.programExternalConnectivity(ctx, gwepAfter4, gwepAfter6); err != nil {
 		return err
 	}
 
@@ -687,7 +687,7 @@ func (ep *Endpoint) sbJoin(ctx context.Context, sb *Sandbox, options ...Endpoint
 	return nil
 }
 
-func (ep *Endpoint) programExternalConnectivity(ctx context.Context, sbLabels map[string]any, gwep4, gwep6 *Endpoint) error {
+func (ep *Endpoint) programExternalConnectivity(ctx context.Context, gwep4, gwep6 *Endpoint) error {
 	n, err := ep.getNetworkFromStore()
 	if err != nil {
 		return types.InternalErrorf("failed to get network from store for programming external connectivity: %v", err)
@@ -703,7 +703,7 @@ func (ep *Endpoint) programExternalConnectivity(ctx context.Context, sbLabels ma
 			"gw4":  epShortId(gwep4),
 			"gw6":  epShortId(gwep6),
 		}).Debug("Programming external connectivity on endpoint")
-		if err := ecd.ProgramExternalConnectivity(context.WithoutCancel(ctx), n.ID(), ep.ID(), sbLabels, epId(gwep4), epId(gwep6)); err != nil {
+		if err := ecd.ProgramExternalConnectivity(context.WithoutCancel(ctx), n.ID(), ep.ID(), epId(gwep4), epId(gwep6)); err != nil {
 			return types.InternalErrorf("driver failed programming external connectivity on endpoint %s (%s): %v",
 				ep.Name(), ep.ID(), err)
 		}
@@ -820,7 +820,7 @@ func (ep *Endpoint) sbLeave(ctx context.Context, sb *Sandbox, force bool) error
 
 	if d != nil {
 		if ecd, ok := d.(driverapi.ExtConner); ok {
-			if err := ecd.ProgramExternalConnectivity(context.WithoutCancel(ctx), n.ID(), ep.ID(), nil, "", ""); err != nil {
+			if err := ecd.ProgramExternalConnectivity(context.WithoutCancel(ctx), n.ID(), ep.ID(), "", ""); err != nil {
 				log.G(ctx).WithError(err).Warn("driver failed revoking external connectivity on endpoint")
 			}
 		}
@@ -895,12 +895,12 @@ func (ep *Endpoint) sbLeave(ctx context.Context, sb *Sandbox, force bool) error
 	// Find new endpoint(s) to provide external connectivity for the sandbox.
 	gwepAfter4, gwepAfter6 := sb.getGatewayEndpoint()
 	if gwepAfter4 != nil {
-		if err := gwepAfter4.programExternalConnectivity(ctx, sb.Labels(), gwepAfter4, gwepAfter6); err != nil {
+		if err := gwepAfter4.programExternalConnectivity(ctx, gwepAfter4, gwepAfter6); err != nil {
 			log.G(ctx).WithError(err).Error("Failed to set IPv4 gateway")
 		}
 	}
 	if gwepAfter6 != nil && gwepAfter6 != gwepAfter4 {
-		if err := gwepAfter6.programExternalConnectivity(ctx, sb.Labels(), gwepAfter4, gwepAfter6); err != nil {
+		if err := gwepAfter6.programExternalConnectivity(ctx, gwepAfter4, gwepAfter6); err != nil {
 			log.G(ctx).WithError(err).Error("Failed to set IPv6 gateway")
 		}
 	}