[27.2 backport] Allow 64-bit --ip-range #48326

robmry · 2024-08-13T14:46:02Z

backport Allow 64-bit --ip-range #48322

- What I did

Make it possible to use a --ip-range that ends on a 64-bit boundary.

Without this change ...

# docker network create --ipv6 --subnet fddd::/56 --ip-range fddd::/64 b46
Error response from daemon: failed to allocate gateway (): invalid bit range [0, 18446744073709551615)

# docker network create --ipv6 --subnet fddd::/64 --ip-range fddd::/64 b46
Error response from daemon: failed to allocate gateway (): invalid bit range [0, 18446744073709551615)

This is a workaround, although it should solve the issue in practice. I think the remaining issues are unlikely to be a problem (but added TestIPRangeAt64BitLimit to illustrate a limitation). A proper fix might be to make the Bitmap understand ranges >=64-bits.

Fixes bitseq: invalid bit range on IPv6 libnetwork#2296
- (Probably! I've not looked at old libnetwork code to check the issue actually is the same.)

- How I did it

When defaultipam.newPoolData is asked for a range of 64-bits or more, it ends up with an overflowed u64 - so, it just subtracts one to get a nearly-big-enough range (for a 64-bit subnet).

When defaultipam.getAddress is called with an ipr (sub-pool range), the range it calls bitmask.SetAnyInRange with is exclusive of end. So, its end param can't be MaxUint64, because that's the max value for the top end of the range and, when checking the range, SetAnyInRange fails.

(When fixed-cidr-v6 behaves more like fixed-cidr, it will ask for a 64-bit range if that's what fixed-cidr-v6 needs.)

Work around that limitation of the Bitmap, by matching the off-by-one when allocating a bit from a range.

The additional check for ipr == base avoids the issue in some cases, by ignoring the ipr/sub-pool range if ipr is the same as the pool itself (not really a sub-pool). But, it still fails when ipr!=base. For example:

docker network create --ipv6 --subnet fddd::/56 --ip-range fddd::/64 b46

So, also subtract one from end if it's going to hit the max value allowed by the Bitmap.

- How to verify it

Without this fix, to see the problem, try:

docker network create --ipv6 --subnet fddd::/64 --ip-range fddd::/64 b46

New tests, output ...

=== RUN   Test64BitIPRange
=== RUN   Test64BitIPRange/64-bit-subnet/no-range/no-gateway
=== RUN   Test64BitIPRange/64-bit-subnet/no-range/with-gateway
=== RUN   Test64BitIPRange/64-bit-subnet/64-bit-range/no-gateway
=== RUN   Test64BitIPRange/64-bit-subnet/64-bit-range/with-gateway
=== RUN   Test64BitIPRange/56-bit-subnet/no-range/no-gateway
=== RUN   Test64BitIPRange/56-bit-subnet/no-range/with-gateway
=== RUN   Test64BitIPRange/56-bit-subnet/64-bit-range/no-gateway
=== RUN   Test64BitIPRange/56-bit-subnet/64-bit-range/with-gateway
--- PASS: Test64BitIPRange (0.82s)
    --- PASS: Test64BitIPRange/64-bit-subnet/no-range/no-gateway (0.09s)
    --- PASS: Test64BitIPRange/64-bit-subnet/no-range/with-gateway (0.10s)
    --- PASS: Test64BitIPRange/64-bit-subnet/64-bit-range/no-gateway (0.10s)
    --- PASS: Test64BitIPRange/64-bit-subnet/64-bit-range/with-gateway (0.11s)
    --- PASS: Test64BitIPRange/56-bit-subnet/no-range/no-gateway (0.10s)
    --- PASS: Test64BitIPRange/56-bit-subnet/no-range/with-gateway (0.11s)
    --- PASS: Test64BitIPRange/56-bit-subnet/64-bit-range/no-gateway (0.11s)
    --- PASS: Test64BitIPRange/56-bit-subnet/64-bit-range/with-gateway (0.09s)
=== RUN   TestIPRangeAt64BitLimit
=== RUN   TestIPRangeAt64BitLimit/ipRange_before_end_of_64-bit_subnet
=== RUN   TestIPRangeAt64BitLimit/ipRange_at_end_of_64-bit_subnet
    bridge_test.go:196: XFAIL: Container startup failed with error: Error response from daemon: no available IPv6 addresses on this network's address pools: testnet (6e561e06c66648b1baaa5cb20fd474ee79c98907466ef77e0853537741ebb20c)
=== RUN   TestIPRangeAt64BitLimit/ipRange_at_64-bit_boundary_inside_56-bit_subnet
    bridge_test.go:196: XFAIL: Container startup failed with error: Error response from daemon: no available IPv6 addresses on this network's address pools: testnet (4ee6fa98e8d1feeb2a92e1ffa7f1e422e42174dcce33546fd29d03b60061aad8)
--- PASS: TestIPRangeAt64BitLimit (0.53s)
    --- PASS: TestIPRangeAt64BitLimit/ipRange_before_end_of_64-bit_subnet (0.29s)
    --- SKIP: TestIPRangeAt64BitLimit/ipRange_at_end_of_64-bit_subnet (0.12s)
    --- SKIP: TestIPRangeAt64BitLimit/ipRange_at_64-bit_boundary_inside_56-bit_subnet (0.11s)

- Description for the changelog

- Fixed an issue that prevented network creation with a `--ip-range` that ends on a 64-bit boundary.

When defaultipam.newPoolData is asked for a pool of 64-bits or more, it ends up with an overflowed u64 - so, it just subtracts one to get a nearly-big-enough range (for a 64-bit subnet). When defaultipam.getAddress is called with an ipr (sub-pool range), the range it calls bitmask.SetAnyInRange with is exclusive of end. So, its end param can't be MaxUint64, because that's the max value for the top end of the range and, when checking the range, SetAnyInRange fails. When fixed-cidr-v6 behaves more like fixed-cidr, it will ask for a 64-bit range if that's what fixed-cidr-v6 needs. So, it hits the bug when allocating an address for, for example: docker network create --ipv6 --subnet fddd::/64 --ip-range fddd::/64 b46 The additional check for "ipr == base" avoids the issue in this case, by ignoring the ipr/sub-pool range if ipr is the same as the pool itself (not really a sub-pool). But, it still fails when ipr!=base. For example: docker network create --ipv6 --subnet fddd::/56 --ip-range fddd::/64 b46 So, also subtract one from 'end' if it's going to hit the max value allowed by the Bitmap. Signed-off-by: Rob Murray <rob.murray@docker.com> (cherry picked from commit 496b457) Signed-off-by: Rob Murray <rob.murray@docker.com>

thaJeztah

LGTM

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/docker](https://redirect.github.com/docker/docker) | minor | `27.1.2` -> `27.2.0` | --- ### Release Notes <details> <summary>docker/docker (docker/docker)</summary> ### [`v27.2.0`](https://redirect.github.com/moby/moby/releases/tag/v27.2.0) [Compare Source](https://redirect.github.com/docker/docker/compare/v27.1.2...v27.2.0-rc.1) #### 27.2.0 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 27.2.0 milestone](https://redirect.github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.2.0) - [moby/moby, 27.2.0 milestone](https://redirect.github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.2.0) - Deprecated and removed features, see [Deprecated Features](https://redirect.github.com/docker/cli/blob/v27.2.0/docs/deprecated.md). - Changes to the Engine API, see [API version history](https://redirect.github.com/moby/moby/blob/v27.2.0/docs/api/version-history.md). ##### New - CLI: Add support for device-code flow login when authenticating to the official registry. [docker/cli#5349](https://redirect.github.com/docker/cli/pull/5349) - containerd image store: `docker image ls` now supports `--tree` flag that shows a multiplatform-aware image list. This is experimental and may change at any time without any backwards compatibility. [docker/cli#5353](https://redirect.github.com/docker/cli/pull/5353) ##### API - `GET /images/json` response now includes `Manifests` field, which contains information about the sub-manifests included in the image index. This includes things like platform-specific manifests and build attestations. The new field will only be populated if the request also sets the `manifests` query parameter to `true`. > \[!WARNING] > > This is experimental and may change at any time without any backward compatibility. ##### Bug fixes and enhancements - CLI: Fix issue with remote contexts over SSH where the CLI would allocate a pseudoterminal when connecting to the remote host, which causes issues in rare situations. [docker/cli#5351](https://redirect.github.com/docker/cli/pull/5351) - Fix an issue that prevented network creation with a `--ip-range` ending on a 64-bit boundary. [moby/moby#48326](https://redirect.github.com/moby/moby/pull/48326) - CLI: IPv6 addresses shown by `docker ps` in port bindings are now bracketed. [docker/cli#5365](https://redirect.github.com/docker/cli/pull/5365) - containerd image store: Fix early error exit from `docker load` in cases where unpacking the image would fail. [moby/moby#48376](https://redirect.github.com/moby/moby/pull/48376) - containerd image store: Fix the previous image not being persisted as dangling after `docker pull`. [moby/moby#48380](https://redirect.github.com/moby/moby/pull/48380) ##### Packaging updates - Update BuildKit to [v0.15.2](https://redirect.github.com/moby/buildkit/releases/tag/v0.15.2). [moby/moby#48341](https://redirect.github.com/moby/moby/pull/48341) - Update Compose to [v2.29.2](https://redirect.github.com/docker/compose/releases/tag/v2.29.2). [docker/docker-ce-packaging#1050](https://redirect.github.com/docker/docker-ce-packaging/pull/1050) - The canonical source for the dockerd(8) man page has been moved back to the same source tree as dockerd itself. [moby/moby#48378](https://redirect.github.com/moby/moby/pull/48378) - Update containerd to [v1.7.21](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.21). [moby/moby#48383](https://redirect.github.com/moby/moby/pull/48383), [docker/containerd-packaging#389](https://redirect.github.com/docker/containerd-packaging/pull/389) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/earthly/dind).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

robmry added area/networking Networking impact/changelog kind/bugfix PR's that fix bugs area/networking/ipv6 Networking area/networking/ipam Networking labels Aug 13, 2024

robmry added this to the 27.1.2 milestone Aug 13, 2024

robmry requested review from akerouanton and thaJeztah August 13, 2024 14:46

robmry self-assigned this Aug 13, 2024

thaJeztah approved these changes Aug 13, 2024

View reviewed changes

akerouanton approved these changes Aug 13, 2024

View reviewed changes

austinvazquez approved these changes Aug 14, 2024

View reviewed changes

akerouanton modified the milestones: 27.1.2, 27.2.0 Aug 14, 2024

akerouanton merged commit 5955778 into moby:27.x Aug 14, 2024

thaJeztah mentioned this pull request Sep 11, 2024

TestIPRangeAt64BitLimit: remove colon after XFAIL to help grepping #48480

Merged

robmry deleted the backport-27.2/64bit_iprange_fix branch September 16, 2024 08:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[27.2 backport] Allow 64-bit --ip-range #48326

[27.2 backport] Allow 64-bit --ip-range #48326

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[27.2 backport] Allow 64-bit --ip-range #48326

[27.2 backport] Allow 64-bit --ip-range #48326

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!