From 68bfea6f603e74180206c7f45d365e4ae07e6b13 Mon Sep 17 00:00:00 2001
From: Flavio Crisciani
Date: Thu, 7 Jun 2018 13:02:04 -0700
Subject: [PATCH] Possible race on ingress programming

Make sure that iptables operations on ingress are serialized. Before 2 racing routines trying to create the ingress chain were allowed and one was failing reporting the chain as already existing. The lock guarantees that this condition does not happen anymore

Signed-off-by: Flavio Crisciani
(cherry picked from commit 7bb62d0172f8e676388d4d78e510c4d9fd4c1d06)
---
 service_linux.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/service_linux.go b/service_linux.go
index 68be3f19f3..4b2c8d8073 100644
--- a/service_linux.go
+++ b/service_linux.go
@@ -278,7 +278,7 @@ const ingressChain = "DOCKER-INGRESS"
 
 var (
 	ingressOnce     sync.Once
-	ingressProxyMu  sync.Mutex
+	ingressMu       sync.Mutex // lock for operations on ingress
 	ingressProxyTbl = make(map[string]io.Closer)
 	portConfigMu    sync.Mutex
 	portConfigTbl   = make(map[PortConfig]int)
@@ -327,6 +327,9 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 		addDelOpt = "-D"
 	}
 
+	ingressMu.Lock()
+	defer ingressMu.Unlock()
+
 	chainExists := iptables.ExistChain(ingressChain, iptables.Nat)
 	filterChainExists := iptables.ExistChain(ingressChain, iptables.Filter)
 
@@ -496,13 +499,11 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {
 	portSpec := fmt.Sprintf("%d/%s", iPort.PublishedPort, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]))
 
 	if isDelete {
-		ingressProxyMu.Lock()
 		if listener, ok := ingressProxyTbl[portSpec]; ok {
 			if listener != nil {
 				listener.Close()
 			}
 		}
-		ingressProxyMu.Unlock()
 		return nil
 	}
 
@@ -518,9 +519,7 @@ func plumbProxy(iPort *PortConfig, isDelete bool) error {
 		return err
 	}
 
-	ingressProxyMu.Lock()
 	ingressProxyTbl[portSpec] = l
-	ingressProxyMu.Unlock()
 	return nil
 }
 
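Review bot: The mutex is acquired only after `addDelOpt` has been chosen, so whatever programIngress does in its prologue (the function starts before this hunk and continues after it) still runs unserialized; if nothing there touches shared ingress state that is harmless, but taking `ingressMu.Lock(); defer ingressMu.Unlock()` as the first statement of the function would make the invariant obvious instead of relying on the reader to check. The declaration comment `// lock for operations on ingress` undersells the contract now that the proxy-table lock has been folded into this one; I would state it where the lock is taken: `// ingressMu serializes the iptables chain check-and-create below and, via plumbProxy, guards ingressProxyTbl.` Note that the lock is now held across external iptables invocations, which is the intended critical section, but it also means a hung iptables call stalls every other ingress update in the process.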
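Review bot: With the local lock removed, `ingressProxyTbl` is read here with no protection of its own, so its safety now rests entirely on every caller of plumbProxy holding `ingressMu`; that is presumably true for the call made from programIngress, but it is neither enforced nor stated, and a concurrent map access from any other path is a runtime fatal error in Go, not a recoverable one. I would record the precondition on plumbProxy (its signature is in the hunk header; the body continues past the hunk): `// plumbProxy must be called with ingressMu held; ingressProxyTbl has no lock of its own.` Separately, the delete path closes the listener but leaves the closed entry in the map, so a later delete for the same portSpec calls Close on an already-closed listener; adding `delete(ingressProxyTbl, portSpec)` after `listener.Close()` would keep the table consistent with what is actually listening. The error from `listener.Close()` is also dropped silently, and logging it would help when a proxy socket cannot be torn down.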