Update swarmkit vendoring

Needed for libnetwork vendoring

Update Secret API name change correspondingly

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

daemon/cluster/convert/swarm.go

@@ -136,13 +136,13 @@ func SwarmSpecUpdateAcceptancePolicy(spec *swarmapi.ClusterSpec, acceptancePolic
 					hashPwd, _ = bcrypt.GenerateFromPassword([]byte(*p.Secret), 0)
 					hashs[*p.Secret] = hashPwd
 				}
-				policy.Secret = &swarmapi.AcceptancePolicy_RoleAdmissionPolicy_HashedSecret{
+				policy.Secret = &swarmapi.AcceptancePolicy_RoleAdmissionPolicy_Secret{
 					Data: hashPwd,
 					Alg:  "bcrypt",
 				}
 			}
 		} else if oldSecret := getOldSecret(oldSpec, policy.Role); oldSecret != nil { // else use the old one.
-			policy.Secret = &swarmapi.AcceptancePolicy_RoleAdmissionPolicy_HashedSecret{
+			policy.Secret = &swarmapi.AcceptancePolicy_RoleAdmissionPolicy_Secret{
 				Data: oldSecret.Data,
 				Alg:  oldSecret.Alg,
 			}
@@ -153,7 +153,7 @@ func SwarmSpecUpdateAcceptancePolicy(spec *swarmapi.ClusterSpec, acceptancePolic
 	return nil
 }
 
-func getOldSecret(oldSpec *swarmapi.ClusterSpec, role swarmapi.NodeRole) *swarmapi.AcceptancePolicy_RoleAdmissionPolicy_HashedSecret {
+func getOldSecret(oldSpec *swarmapi.ClusterSpec, role swarmapi.NodeRole) *swarmapi.AcceptancePolicy_RoleAdmissionPolicy_Secret {
 	if oldSpec == nil {
 		return nil
 	}

hack/vendor.sh

@@ -139,7 +139,7 @@ clone git github.com/docker/docker-credential-helpers v0.3.0
 clone git github.com/docker/containerd 1b3a81545ca79456086dc2aa424357be98b962ee
 
 # cluster
-clone git github.com/docker/swarmkit 24eaf0021a2eea7938fce7493ce4731f53c2b87c
+clone git github.com/docker/swarmkit 16fa595d3b6fec012830179dc8e9b2d90335527d
 clone git github.com/golang/mock bd3c8e81be01eef76d4b503f5e687d2d1354d2d9
 clone git github.com/gogo/protobuf 43a2e0b1c32252bfbbdf81f7faa7a88fb3fa4028
 clone git github.com/cloudflare/cfssl b895b0549c0ff676f92cf09ba971ae02bb41367b

vendor/src/github.com/docker/swarmkit/agent/agent.go

@@ -195,6 +195,8 @@ func (a *Agent) run(ctx context.Context) {
 				log.G(ctx).WithError(err).Error("agent: closing session failed")
 			}
 			sessionq = nil
+			// if we're here before <-registered, do nothing for that event
+			registered = nil
 		case <-session.closed:
 			log.G(ctx).Debugf("agent: rebuild session")
 

vendor/src/github.com/docker/swarmkit/api/types.proto

@@ -426,10 +426,10 @@ message IssuanceStatus {
 
 message AcceptancePolicy {
 	message RoleAdmissionPolicy {
-		message HashedSecret {
-			// The actual hashed content
+		message Secret {
+			// The actual content (possibly hashed)
 			bytes data = 1;
-			// The type of hash we are using
+			// The type of hash we are using, or "plaintext"
 			string alg = 2;
 		}
 
@@ -439,13 +439,12 @@ message AcceptancePolicy {
 		bool autoaccept = 2;
 		// Secret represents a user-provided string that is necessary for new
 		// nodes to join the cluster
-		HashedSecret secret = 3;
+		Secret secret = 3;
 	}
 
 	repeated RoleAdmissionPolicy policies = 1;
 }
 
-
 message ExternalCA {
 	enum CAProtocol {
 		CFSSL = 0 [(gogoproto.enumvalue_customname) = "CAProtocolCFSSL"];

vendor/src/github.com/docker/swarmkit/ca/server.go

@@ -1,6 +1,8 @@
 package ca
 
 import (
+	"crypto/subtle"
+	"errors"
 	"fmt"
 	"strings"
 	"sync"
@@ -255,7 +257,7 @@ func (s *Server) IssueNodeCertificate(ctx context.Context, request *api.IssueNod
 }
 
 // checkSecretValidity verifies if a secret string matches the secret hash stored in the
-// Acceptance Policy. It currently only supports bcrypted hashes.
+// Acceptance Policy. It currently only supports bcrypted hashes and plaintext.
 func checkSecretValidity(policy *api.AcceptancePolicy_RoleAdmissionPolicy, secret string) error {
 	if policy == nil || secret == "" {
 		return fmt.Errorf("invalid policy or secret")
@@ -264,6 +266,11 @@ func checkSecretValidity(policy *api.AcceptancePolicy_RoleAdmissionPolicy, secre
 	switch strings.ToLower(policy.Secret.Alg) {
 	case "bcrypt":
 		return bcrypt.CompareHashAndPassword(policy.Secret.Data, []byte(secret))
+	case "plaintext":
+		if subtle.ConstantTimeCompare(policy.Secret.Data, []byte(secret)) == 1 {
+			return nil
+		}
+		return errors.New("incorrect secret")
 	}
 
 	return fmt.Errorf("hash algorithm not supported: %s", policy.Secret.Alg)

vendor/src/github.com/docker/swarmkit/identity/randomid.go

@@ -16,9 +16,8 @@ var (
 // parameters for random identifier generation. We can tweak this when there is
 // time for further analysis.
 const (
-	randomIDEntropyBytes     = 16
-	randomNodeIDEntropyBytes = 8
-	randomIDBase             = 36
+	randomIDEntropyBytes = 16
+	randomIDBase         = 36
 
 	// To ensure that all identifiers are fixed length, we make sure they
 	// get padded out to 25 characters, which is the maximum for the base36
@@ -28,8 +27,7 @@ const (
 	// was calculated from floor(log(2^128-1, 36)) + 1.
 	//
 	// See http://mathworld.wolfram.com/NumberLength.html for more information.
-	maxRandomIDLength     = 25
-	maxRandomNodeIDLength = 13
+	maxRandomIDLength = 25
 )
 
 // NewID generates a new identifier for use where random identifiers with low

vendor/src/github.com/docker/swarmkit/manager/allocator/networkallocator/networkallocator.go

@@ -8,6 +8,8 @@ import (
 	"github.com/docker/libnetwork/drivers/overlay/ovmanager"
 	"github.com/docker/libnetwork/drvregistry"
 	"github.com/docker/libnetwork/ipamapi"
+	builtinIpam "github.com/docker/libnetwork/ipams/builtin"
+	nullIpam "github.com/docker/libnetwork/ipams/null"
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/log"
 	"golang.org/x/net/context"
@@ -76,6 +78,15 @@ func New() (*NetworkAllocator, error) {
 		return nil, err
 	}
 
+	for _, fn := range [](func(ipamapi.Callback, interface{}, interface{}) error){
+		builtinIpam.Init,
+		nullIpam.Init,
+	} {
+		if err := fn(reg, nil, nil); err != nil {
+			return nil, err
+		}
+	}
+
 	pa, err := newPortAllocator()
 	if err != nil {
 		return nil, err

vendor/src/github.com/docker/swarmkit/manager/controlapi/node.go

@@ -2,6 +2,7 @@ package controlapi
 
 import (
 	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/manager/state/raft/membership"
 	"github.com/docker/swarmkit/manager/state/store"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
@@ -188,8 +189,10 @@ func (s *Server) UpdateNode(ctx context.Context, request *api.UpdateNodeRequest)
 
 	var (
 		node   *api.Node
+		member *membership.Member
 		demote bool
 	)
+
 	err := s.store.Update(func(tx store.Tx) error {
 		node = store.GetNode(tx, request.NodeID)
 		if node == nil {
@@ -199,13 +202,25 @@ func (s *Server) UpdateNode(ctx context.Context, request *api.UpdateNodeRequest)
 		// Demotion sanity checks.
 		if node.Spec.Role == api.NodeRoleManager && request.Spec.Role == api.NodeRoleWorker {
 			demote = true
+
+			// Check for manager entries in Store.
 			managers, err := store.FindNodes(tx, store.ByRole(api.NodeRoleManager))
 			if err != nil {
 				return grpc.Errorf(codes.Internal, "internal store error: %v", err)
 			}
 			if len(managers) == 1 && managers[0].ID == node.ID {
 				return grpc.Errorf(codes.FailedPrecondition, "attempting to demote the last manager of the swarm")
 			}
+
+			// Check for node in memberlist
+			if member = s.raft.GetMemberByNodeID(request.NodeID); member == nil {
+				return grpc.Errorf(codes.NotFound, "can't find manager in raft memberlist")
+			}
+
+			// Quorum safeguard
+			if !s.raft.CanRemoveMember(member.RaftID) {
+				return grpc.Errorf(codes.FailedPrecondition, "can't remove member from the raft: this would result in a loss of quorum")
+			}
 		}
 
 		node.Meta.Version = *request.NodeVersion
@@ -220,14 +235,12 @@ func (s *Server) UpdateNode(ctx context.Context, request *api.UpdateNodeRequest)
 	}
 
 	if demote && s.raft != nil {
-		memberlist := s.raft.GetMemberlist()
-		for raftID, member := range memberlist {
-			if member.NodeID == request.NodeID {
-				if err := s.raft.RemoveMember(ctx, raftID); err != nil {
-					return nil, err
-				}
-				break
-			}
+		// TODO(abronan): the remove can potentially fail and leave the node with
+		// an incorrect role (worker rather than manager), we need to reconcile the
+		// memberlist with the desired state rather than attempting to remove the
+		// member once.
+		if err := s.raft.RemoveMember(ctx, member.RaftID); err != nil {
+			return nil, grpc.Errorf(codes.Internal, "cannot demote manager to worker: %v", err)
 		}
 	}
 

vendor/src/github.com/docker/swarmkit/manager/controlapi/service.go

@@ -7,6 +7,7 @@ import (
 	"github.com/docker/engine-api/types/reference"
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/identity"
+	"github.com/docker/swarmkit/manager/scheduler"
 	"github.com/docker/swarmkit/manager/state/store"
 	"github.com/docker/swarmkit/protobuf/ptypes"
 	"golang.org/x/net/context"
@@ -75,6 +76,14 @@ func validateRestartPolicy(rp *api.RestartPolicy) error {
 	return nil
 }
 
+func validatePlacement(placement *api.Placement) error {
+	if placement == nil {
+		return nil
+	}
+	_, err := scheduler.ParseExprs(placement.Constraints)
+	return err
+}
+
 func validateUpdate(uc *api.UpdateConfig) error {
 	if uc == nil {
 		return nil
@@ -101,6 +110,10 @@ func validateTask(taskSpec api.TaskSpec) error {
 		return err
 	}
 
+	if err := validatePlacement(taskSpec.Placement); err != nil {
+		return err
+	}
+
 	if taskSpec.GetRuntime() == nil {
 		return grpc.Errorf(codes.InvalidArgument, "TaskSpec: missing runtime")
 	}

vendor/src/github.com/docker/swarmkit/manager/dispatcher/dispatcher.go

@@ -328,14 +328,14 @@ func (d *Dispatcher) isRunning() bool {
 }
 
 // register is used for registration of node with particular dispatcher.
-func (d *Dispatcher) register(ctx context.Context, nodeID string, description *api.NodeDescription) (string, string, error) {
+func (d *Dispatcher) register(ctx context.Context, nodeID string, description *api.NodeDescription) (string, error) {
 	// prevent register until we're ready to accept it
 	if err := d.isRunningLocked(); err != nil {
-		return "", "", err
+		return "", err
 	}
 
 	if err := d.nodes.CheckRateLimit(nodeID); err != nil {
-		return "", "", err
+		return "", err
 	}
 
 	// create or update node in store
@@ -355,7 +355,7 @@ func (d *Dispatcher) register(ctx context.Context, nodeID string, description *a
 
 	})
 	if err != nil {
-		return "", "", err
+		return "", err
 	}
 
 	expireFunc := func() {
@@ -377,7 +377,7 @@ func (d *Dispatcher) register(ctx context.Context, nodeID string, description *a
 	// time a node registers, we invalidate the session and issue a new
 	// session, once identity is proven. This will cause misbehaved agents to
 	// be kicked when multiple connections are made.
-	return rn.Node.ID, rn.SessionID, nil
+	return rn.SessionID, nil
 }
 
 // UpdateTaskStatus updates status of task. Node should send such updates
@@ -650,7 +650,7 @@ func (d *Dispatcher) Session(r *api.SessionRequest, stream api.Dispatcher_Sessio
 	}
 
 	// register the node.
-	nodeID, sessionID, err := d.register(stream.Context(), nodeID, r.Description)
+	sessionID, err := d.register(stream.Context(), nodeID, r.Description)
 	if err != nil {
 		return err
 	}

vendor/src/github.com/docker/swarmkit/manager/orchestrator/services.go

@@ -70,6 +70,15 @@ func (r *ReplicatedOrchestrator) resolveService(ctx context.Context, task *api.T
 	return service
 }
 
+type tasksByRunningState []*api.Task
+
+func (ts tasksByRunningState) Len() int      { return len(ts) }
+func (ts tasksByRunningState) Swap(i, j int) { ts[i], ts[j] = ts[j], ts[i] }
+
+func (ts tasksByRunningState) Less(i, j int) bool {
+	return ts[i].Status.State == api.TaskStateRunning && ts[j].Status.State != api.TaskStateRunning
+}
+
 type taskWithIndex struct {
 	task *api.Task
 
@@ -139,6 +148,14 @@ func (r *ReplicatedOrchestrator) reconcile(ctx context.Context, service *api.Ser
 
 		// Preferentially remove tasks on the nodes that have the most
 		// copies of this service, to leave a more balanced result.
+
+		// First sort tasks such that tasks which are currently running
+		// (in terms of observed state) appear before non-running tasks.
+		// This will cause us to prefer to remove non-running tasks, all
+		// other things being equal in terms of node balance.
+
+		sort.Sort(tasksByRunningState(runningTasks))
+
 		// Assign each task an index that counts it as the nth copy of
 		// of the service on its node (1, 2, 3, ...), and sort the
 		// tasks by this counter value.

vendor/src/github.com/docker/swarmkit/manager/scheduler/constraint.go

@@ -18,14 +18,19 @@ type ConstraintFilter struct {
 
 // SetTask returns true when the filter is enable for a given task.
 func (f *ConstraintFilter) SetTask(t *api.Task) bool {
-	if t.Spec.Placement != nil && len(t.Spec.Placement.Constraints) > 0 {
-		constraints, err := ParseExprs(t.Spec.Placement.Constraints)
-		if err == nil {
-			f.constraints = constraints
-			return true
-		}
+	if t.Spec.Placement == nil || len(t.Spec.Placement.Constraints) == 0 {
+		return false
+	}
+
+	constraints, err := ParseExprs(t.Spec.Placement.Constraints)
+	if err != nil {
+		// constraints have been validated at controlapi
+		// if in any case it finds an error here, treat this task
+		// as constraint filter disabled.
+		return false
 	}
-	return false
+	f.constraints = constraints
+	return true
 }
 
 // Check returns true if the task's constraint is supported by the given node.

vendor/src/github.com/docker/swarmkit/manager/state/raft/membership/cluster.go

@@ -165,19 +165,11 @@ func (c *Cluster) ValidateConfigurationChange(cc raftpb.ConfChange) error {
 // that might block or harm the Cluster on Member recovery
 func (c *Cluster) CanRemoveMember(from uint64, id uint64) bool {
 	members := c.Members()
-
-	nmembers := 0
 	nreachable := 0
 
 	for _, m := range members {
-		// Skip the node that is going to be deleted
-		if m.RaftID == id {
-			continue
-		}
-
 		// Local node from where the remove is issued
 		if m.RaftID == from {
-			nmembers++
 			nreachable++
 			continue
 		}
@@ -186,16 +178,14 @@ func (c *Cluster) CanRemoveMember(from uint64, id uint64) bool {
 		if err == nil && connState == grpc.Ready {
 			nreachable++
 		}
-
-		nmembers++
 	}
 
 	// Special case of 2 managers
 	if nreachable == 1 && len(members) <= 2 {
 		return false
 	}
 
-	nquorum := nmembers/2 + 1
+	nquorum := (len(members)+1)/2 + 1
 	if nreachable < nquorum {
 		return false
 	}