add support --net=container with --mac-address, --add-host error out

[coolljt0725]

Signed-off-by: Lei Jitang leijitang@huawei.com

There are two commits in this PR, the first one is to do clean up
for --net=container with --link. The previous code suppose to
prevent user from using --link with --net=container,
but the code if *flNetMode == "container" never work
because the value of *flNetMode should
be like this container:xxxx, so both of us think --net=container
with --link is a desired behavior,
so I created PR #11369 (sorry for didn't realize it wasn't a
desired behavior at that time). What should
we do? revert #11369 and prevent user from using --link
with --net=container or keep #11369 and clean up the
invalid conflict checking? ping @LK4D4 @estesp @icecrime

The second commits is to fix --net=container with --dns no error out,
it's the same problem, if *flNetMode == "container" && flDns.Len() > 0
never work. Since a container with --net=container
means it have the same dns, hosts, mac address with its parent,
--add-host, --mac-address is invalid on creation,
so we should error out when user use these option on creation with --net=container

[estesp]

For reference, the "conflict" was added in #7780. Looking at the referenced bug, I'm not sure anyone consciously decided that --link and --net=container were absolutely in conflict, not to mention your prior/merged PR #11369 has made that a "working configuration". I guess we need others to weigh in on whether that seems reasonable to remove that conflict now that it works; not to mention as you note it isn't actually stopping users because of the logic bug :)

Adding your other "conflicts" (dns and mac addr. when --net=container) make sense to me.

@LK4D4 can you take a look?

[coolljt0725]

ping @estesp @LK4D4 @jfrazelle

[coolljt0725]

ping @estesp @cpuguy83 @jfrazelle @LK4D4 WDYT?

[coolljt0725]

hi all, WDYT?

[cpuguy83]

This one is hurting my head.

Would it be better to have a if config.NetworkMode.IsBridge() {, and then it's only one check, and it's a positive check?

If/when we have something more complicated than that we can always adjust (not that as it currently is wouldn't need to be adjusted anyway).

[cpuguy83]

Also I think this would need to be &&, not ||, since if anytime it's not host it wouldn't run the 2nd check anyway.

[cpuguy83]

And maybe instead of even that, we can do an IsShared(), assuming anything that is sharing can't change existing network options, and get rid of the need for multiple checks in runconfig.Parse

[coolljt0725]

my mistake here, This should be !config.NetworkMode.IsHost() && !config.NetworkMode.IsContainer() or config.NetworkMode.IsBridge || config.NetworkMode.IsNone, since only --net=bridge and --net=none has its
own private network stack at this time.
Do the checking in runconfig.Parse is to info the user
the setting for shared network mode is invalid or we have some
docs to tell the user what they can set in shared net mode.

[cpuguy83]

Some comments, also needs a rebase.

[coolljt0725]

updated ping @cpuguy83

[cpuguy83]

prefer positive checks instead of negative ones.
So if netMode.IsHost() || netMode.IsContainer()

[cpuguy83]

Maybe in a separate PR we can refactor this code so we aren't branching quite so much.

[estesp]

@coolljt0725 this needs a quick rebase due to merging the --link/--net=container test PR #11686. Also, I think this PR should not remove that conflict, as your other PR (#11369) fixed linking to a --net=container:other but it didn't fix using both flags together on the same container run command.

To be clear, I can get an error when I start 2 containers "foo" and "bar", and then try to link to one and set network to the other:
docker run -ti --rm --link=foo:foo --net=container:bar busybox /bin/sh

This produces a "can't find parent IP" error on container start. Of course, now that #11686 is merged, you can't produce this error on master as the use of the flags together now is correctly producing a conflicts error on parse of runconfig.

However, I agree with your added and corrected "conflicts" in this PR for --dns, --mac-address, and --add-host

[coolljt0725]

@estesp I see, I was a bit of confused at that time. the PR is updated. The first commit is to refactor the code of checking conflict option with --net, use netMode.IsHost instead of *flNetMode == "host" and so on. I think this is better.
The second commit is to add support --net=container with --mac-address, --add-host error out
and add some docs. Thanks

[cpuguy83]

These checks also need to happen in ContainerHostConfigFromJob, so the validations should probably be extracted out into their own function so they can be run in both places.

[dmcgowan]

Typo in name ErrConfiictNetworkHosts

[dmcgowan]

@cpuguy83 are you comments still valid with the job removal work?

[cpuguy83]

Yes, but I think it should go in verifyHostConfig

[coolljt0725]

@dmcgowan @cpuguy83 Thanks, I'll update

[coolljt0725]

@cpuguy83 This is a problem to move this check to verifyHostConfig due to the Hostname is not in the HostConfig, it's in the Config, so the conflict network and hostname can't be check in verifyHostConfig. Do you have any suggestion?

[icecrime]

Sorry, this needs another rebase :-(

[coolljt0725]

@icecrime rebased
@cpuguy83 Move these check to verifyHostConfig has a problem because Hostname is not in the HostConfig

[cpuguy83]

This looks like it can be combined with the check above it.

[cpuguy83]

One nit, but LGTM.

[coolljt0725]

update as @cpuguy83 's suggestion

[coolljt0725]

rebased because github show it contain conflict

[jessfraz]

LGTM

[jessfraz]

thanks!