From 6fc151fa8590f11e6dd4c1999c748a4f693c95a6 Mon Sep 17 00:00:00 2001
From: Flavio Crisciani
Date: Thu, 7 Jun 2018 13:02:04 -0700
Subject: [PATCH] Possible race on ingress programming

Make sure that iptables operations on ingress are serialized. Before 2 racing routines trying to create the ingress chain were allowed and one was failing reporting the chain as already existing. The lock guarantees that this condition does not happen anymore

Signed-off-by: Flavio Crisciani
(cherry picked from commit 7bb62d0172f8e676388d4d78e510c4d9fd4c1d06)
Signed-off-by: Sebastiaan van Stijn
---
 service_linux.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/service_linux.go b/service_linux.go
index ef0590df78..a95ece8a08 100644
--- a/service_linux.go
+++ b/service_linux.go
@@ -279,7 +279,7 @@ const ingressChain = "DOCKER-INGRESS"
 var (
 	ingressOnce sync.Once
-	ingressProxyMu sync.Mutex
+	ingressMu sync.Mutex // lock for operations on ingress
 	ingressProxyTbl = make(map[string]io.Closer)
 	portConfigMu sync.Mutex
 	portConfigTbl = make(map[PortConfig]int)
@@ -328,6 +328,9 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 		addDelOpt = "-D"
 	}

+	ingressMu.Lock()
+	defer ingressMu.Unlock()
+
 	chainExists := iptables.ExistChain(ingressChain, iptables.Nat)
 	filterChainExists := iptables.ExistChain(ingressChain, iptables.Filter)

@@ -497,13 +500,11 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {
 	portSpec := fmt.Sprintf("%d/%s", iPort.PublishedPort, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]))

 	if isDelete {
-		ingressProxyMu.Lock()
 		if listener, ok := ingressProxyTbl[portSpec]; ok {
 			if listener != nil {
 				listener.Close()
 			}
 		}
-		ingressProxyMu.Unlock()
 		return nil
 	}

@@ -523,9 +524,7 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {
 		return err
 	}

-	ingressProxyMu.Lock()
 	ingressProxyTbl[portSpec] = l
-	ingressProxyMu.Unlock()

 	return nil
 }
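Review bot: The comment on the renamed mutex in the `var` block says only "lock for operations on ingress", which does not tell a reader which state it now protects, and that matters because this same commit drops the per-map locking in plumbProxy and relies on this lock instead. Name the invariant explicitly so the next change to ingressProxyTbl does not reintroduce the unguarded access: `ingressMu sync.Mutex // serializes programIngress (iptables chain setup) and guards ingressProxyTbl`. A companion line-comment on the map itself, `ingressProxyTbl = make(map[string]io.Closer) // guarded by ingressMu`, would make the relationship visible where the map is declared.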
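Review bot: After removing ingressProxyMu, the reads and writes of ingressProxyTbl in plumbProxy (both the delete path in this hunk and the `ingressProxyTbl[portSpec] = l` store in the following hunk) are unsynchronized unless every caller already holds ingressMu; programIngress does so via `defer ingressMu.Unlock()`, but nothing in plumbProxy states or checks that precondition, so a future direct caller would race on the map without the race detector's help in tests that do not exercise both paths. I would record the contract on the function: `// plumbProxy must be called with ingressMu held; it accesses ingressProxyTbl without locking.`. Separately, and pre-existing rather than introduced here, the delete path closes the listener but never removes the entry, so the closed Closer stays in the table and a repeated delete calls Close on it again; `delete(ingressProxyTbl, portSpec)` after the Close would keep the table consistent with the listeners that are actually open. The body of plumbProxy starts outside this hunk and continues between the two hunks.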