Few changes in encryption overlay #1354

Merged
merged 2 commits into from Mar 12, 2017

@aboch
Contributor

aboch commented Jul 25, 2016

  • Cleanup security states and policies when joining the swarm
  • Properly construct CIDR in policy selector, current code programs src/dst cidr like 192.168.100.126/128

Related to moby/moby/issues/30727

Signed-off-by: Alessandro Boch <aboch@docker.com>

Properly construct CIDR in policy selector
- Current code programs src/dst cidr like 192.168.100.126/128

Signed-off-by: Alessandro Boch <aboch@docker.com>
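The address-family point behind the `192.168.100.126/128` selector mentioned above, as an added Go example (not code from this pull request or from libnetwork). `naiveHostCIDR`, `hostCIDR` and `prefixLen` are hypothetical names, and the naive variant is only one assumed way such a prefix can arise.

```go
package main

import (
	"fmt"
	"net"
)

// naiveHostCIDR is a constructed illustration (not the pre-fix libnetwork
// code) of one way an IPv4 host selector ends up as /128: net.ParseIP returns
// IPv4 addresses in 16-byte form, so sizing the mask from len(ip) yields 128.
func naiveHostCIDR(ip net.IP) *net.IPNet {
	bits := 8 * len(ip)
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}
}

// hostCIDR returns the single-host network for ip with a mask that matches
// its address family: /32 for IPv4, /128 for IPv6, nil for an invalid IP.
func hostCIDR(ip net.IP) *net.IPNet {
	if v4 := ip.To4(); v4 != nil {
		return &net.IPNet{IP: v4, Mask: net.CIDRMask(32, 32)}
	}
	if v6 := ip.To16(); v6 != nil {
		return &net.IPNet{IP: v6, Mask: net.CIDRMask(128, 128)}
	}
	return nil
}

// prefixLen reports the mask length exactly as Mask.Size() returns it:
// the number of leading one bits and the total mask width.
func prefixLen(n *net.IPNet) (ones, bits int) {
	return n.Mask.Size()
}

func main() {
	// Constructed sample addresses; the IPv4 one is the address quoted in the PR.
	for _, s := range []string{"192.168.100.126", "fd00::1"} {
		ip := net.ParseIP(s)
		no, nb := prefixLen(naiveHostCIDR(ip))
		fo, fb := prefixLen(hostCIDR(ip))
		fmt.Printf("%-16s naive=/%d (of %d)  fixed=/%d (of %d)\n", s, no, nb, fo, fb)
	}
}
```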

@aboch aboch changed the title from Properly construct CIDR in policy selector to Few changes in encryption overlay Feb 4, 2017

@@ -20,7 +20,7 @@ import (
)
const (
mark = uint32(0xD0C4E3)
r = 0xD0C4E3
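Review bot: `r` in this const block is a one-letter name with no comment, and its value `0xD0C4E3` also appears as a literal in `mark = uint32(0xD0C4E3)`. If both lines remain, derive one from the other (for example `mark = uint32(r)`) so the two cannot drift apart, and add a comment saying that `r` is the scalar from which both the mark and the SA request id are built.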


@mavenugo

mavenugo Feb 7, 2017

Contributor

Why r?


@aboch

aboch Feb 7, 2017

Contributor

It's simply a scalar that the code uses for creating two independent entities: a mark and a request id.
It has no meaning by itself, so I chose the first one-char variable name that came to my mind.


drivers/overlay/encryption.go (outdated)
@@ -237,9 +243,11 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
Proto: netlink.XFRM_PROTO_ESP,
Spi: spi.reverse,
Mode: netlink.XFRM_MODE_TRANSPORT,
Reqid: r,
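Review bot: `Reqid: r,` in programSA carries no comment saying that the value is the label by which these SAs are later recognised for cleanup; add one at this line. Because `r` is a fixed constant, a cleanup that matches on Reqid alone cannot tell these states from one created by another tool that happens to use the same request id, so consider also comparing fields already set here, such as `Proto` and `Mode`, before deleting.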


@mavenugo

mavenugo Feb 7, 2017

Contributor

Can you pls explain why this is required?


@aboch

aboch Feb 7, 2017

Contributor

It is required to label the SAs that are programmed by us, so that we can remove only those when we do the cleanup and not disrupt any existing one on the system.


@ventz

ventz Mar 22, 2017

Thank you for adding this fix!


Clear encryption states when joining cluster
- Use the request id for labelling our SAs

Signed-off-by: Alessandro Boch <aboch@docker.com>

@mavenugo mavenugo merged commit 4610dd6 into docker:master Mar 12, 2017

2 checks passed

ci/circleci Your tests passed on CircleCI!
dco-signed All commits are signed

@aboch aboch referenced this pull request Mar 14, 2017

Merged

bump 17.04.0-rc1 #31811
