6bb0d181 |
// +build linux freebsd
package daemon
import ( |
cfdf84d5 |
"context" |
6bb0d181 |
"fmt" |
3716ec25 |
"io/ioutil" |
6bb0d181 |
"os"
"path/filepath"
"strconv"
"time"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/links" |
d453fe35 |
"github.com/docker/docker/errdefs" |
6bb0d181 |
"github.com/docker/docker/pkg/idtools" |
427c70d9 |
"github.com/docker/docker/pkg/mount" |
6bb0d181 |
"github.com/docker/docker/pkg/stringid"
"github.com/docker/docker/runconfig" |
600f0ad2 |
"github.com/docker/libnetwork" |
abbbf914 |
"github.com/opencontainers/selinux/go-selinux/label" |
857e60c2 |
"github.com/pkg/errors" |
1009e6a4 |
"github.com/sirupsen/logrus" |
069fdc8a |
"golang.org/x/sys/unix" |
6bb0d181 |
)
func (daemon *Daemon) setupLinkedContainers(container *container.Container) ([]string, error) {
var env []string |
0f9f9950 |
children := daemon.children(container) |
6bb0d181 |
|
e8026d8a |
bridgeSettings := container.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] |
99a98ccc |
if bridgeSettings == nil || bridgeSettings.EndpointSettings == nil { |
6bb0d181 |
return nil, nil
}
|
0f9f9950 |
for linkAlias, child := range children {
if !child.IsRunning() { |
a793564b |
return nil, fmt.Errorf("Cannot link to a non running container: %s AS %s", child.Name, linkAlias) |
0f9f9950 |
} |
6bb0d181 |
|
e8026d8a |
childBridgeSettings := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] |
99a98ccc |
if childBridgeSettings == nil || childBridgeSettings.EndpointSettings == nil { |
0f9f9950 |
return nil, fmt.Errorf("container %s not attached to default bridge network", child.ID)
} |
6bb0d181 |
|
0f9f9950 |
link := links.NewLink(
bridgeSettings.IPAddress,
childBridgeSettings.IPAddress,
linkAlias,
child.Config.Env,
child.Config.ExposedPorts,
) |
6bb0d181 |
|
64238fef |
env = append(env, link.ToEnv()...) |
6bb0d181 |
} |
0f9f9950 |
|
6bb0d181 |
return env, nil
}
|
7120976d |
func (daemon *Daemon) getIpcContainer(id string) (*container.Container, error) {
errMsg := "can't join IPC of container " + id
// Check the container exists
container, err := daemon.GetContainer(id) |
6bb0d181 |
if err != nil { |
7120976d |
return nil, errors.Wrap(err, errMsg) |
6bb0d181 |
} |
7120976d |
// Check the container is running and not restarting
if err := daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting); err != nil {
return nil, errors.Wrap(err, errMsg)
}
// Check the container ipc is shareable
if st, err := os.Stat(container.ShmPath); err != nil || !st.IsDir() {
if err == nil || os.IsNotExist(err) {
return nil, errors.New(errMsg + ": non-shareable IPC")
}
// stat() failed?
return nil, errors.Wrap(err, errMsg+": unexpected error from stat "+container.ShmPath)
}
return container, nil |
6bb0d181 |
}
|
fb43ef64 |
func (daemon *Daemon) getPidContainer(container *container.Container) (*container.Container, error) {
containerID := container.HostConfig.PidMode.Container() |
12485d62 |
container, err := daemon.GetContainer(containerID) |
fb43ef64 |
if err != nil { |
db8de0d0 |
return nil, errors.Wrapf(err, "cannot join PID of a non running container: %s", containerID) |
fb43ef64 |
} |
12485d62 |
return container, daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting)
}
func containerIsRunning(c *container.Container) error { |
fb43ef64 |
if !c.IsRunning() { |
87a12421 |
return errdefs.Conflict(errors.Errorf("container %s is not running", c.ID)) |
fb43ef64 |
} |
12485d62 |
return nil
}
func containerIsNotRestarting(c *container.Container) error { |
fb43ef64 |
if c.IsRestarting() { |
12485d62 |
return errContainerIsRestarting(c.ID) |
fb43ef64 |
} |
12485d62 |
return nil |
fb43ef64 |
}
|
6bb0d181 |
func (daemon *Daemon) setupIpcDirs(c *container.Container) error { |
7120976d |
ipcMode := c.HostConfig.IpcMode |
9c4570a9 |
|
7120976d |
switch {
case ipcMode.IsContainer():
ic, err := daemon.getIpcContainer(ipcMode.Container()) |
6bb0d181 |
if err != nil {
return err
} |
9c4570a9 |
c.ShmPath = ic.ShmPath |
7120976d |
case ipcMode.IsHost(): |
9c4570a9 |
if _, err := os.Stat("/dev/shm"); err != nil {
return fmt.Errorf("/dev/shm is not mounted, but must be for --ipc=host") |
6bb0d181 |
} |
9c4570a9 |
c.ShmPath = "/dev/shm" |
7120976d |
case ipcMode.IsPrivate(), ipcMode.IsNone():
// c.ShmPath will/should not be used, so make it empty.
// Container's /dev/shm mount comes from OCI spec.
c.ShmPath = ""
case ipcMode.IsEmpty():
// A container was created by an older version of the daemon.
// The default behavior used to be what is now called "shareable".
fallthrough
case ipcMode.IsShareable(): |
93fbdb69 |
rootIDs := daemon.idMappings.RootPair() |
9c4570a9 |
if !c.HasMountFor("/dev/shm") {
shmPath, err := c.ShmResourcePath()
if err != nil {
return err
} |
6bb0d181 |
|
09cd96c5 |
if err := idtools.MkdirAllAndChown(shmPath, 0700, rootIDs); err != nil { |
9c4570a9 |
return err
}
|
0fb1fb1c |
shmproperty := "mode=1777,size=" + strconv.FormatInt(c.HostConfig.ShmSize, 10) |
069fdc8a |
if err := unix.Mount("shm", shmPath, "tmpfs", uintptr(unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV), label.FormatMountLabel(shmproperty, c.GetMountLabel())); err != nil { |
9c4570a9 |
return fmt.Errorf("mounting shm tmpfs: %s", err)
} |
09cd96c5 |
if err := os.Chown(shmPath, rootIDs.UID, rootIDs.GID); err != nil { |
9c4570a9 |
return err
} |
7120976d |
c.ShmPath = shmPath |
6bb0d181 |
} |
9c4570a9 |
|
7120976d |
default:
return fmt.Errorf("invalid IPC mode: %v", ipcMode) |
6bb0d181 |
}
return nil
} |
3716ec25 |
|
0c170a76 |
func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { |
bebd472e |
if len(c.SecretReferences) == 0 { |
6d12de53 |
return nil
}
|
eaa51928 |
localMountPath, err := c.SecretMountPath()
if err != nil {
return errors.Wrap(err, "error getting secrets mount dir")
} |
3716ec25 |
logrus.Debugf("secrets: setting up secret dir: %s", localMountPath)
|
9e9fc7b5 |
// retrieve possible remapped range start for root UID, GID |
93fbdb69 |
rootIDs := daemon.idMappings.RootPair() |
9e9fc7b5 |
// create tmpfs |
09cd96c5 |
if err := idtools.MkdirAllAndChown(localMountPath, 0700, rootIDs); err != nil { |
9e9fc7b5 |
return errors.Wrap(err, "error creating secret local mount path")
}
|
00237a96 |
defer func() {
if setupErr != nil { |
857e60c2 |
// cleanup
_ = detachMounted(localMountPath)
if err := os.RemoveAll(localMountPath); err != nil { |
e221b74b |
logrus.Errorf("error cleaning up secret mount: %s", err) |
857e60c2 |
}
} |
00237a96 |
}() |
857e60c2 |
|
09cd96c5 |
tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID) |
8119809b |
if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "nodev,nosuid,noexec,"+tmpfsOwnership); err != nil { |
0c170a76 |
return errors.Wrap(err, "unable to setup secret mount") |
3716ec25 |
}
|
9e9fc7b5 |
if c.DependencyStore == nil {
return fmt.Errorf("secret store is not initialized")
} |
bebd472e |
|
9e9fc7b5 |
for _, s := range c.SecretReferences { |
bebd472e |
// TODO (ehazlett): use type switch when more are supported
if s.File == nil { |
9e9fc7b5 |
logrus.Error("secret target type is not a file target")
continue |
bebd472e |
}
|
37ce91dd |
// secrets are created in the SecretMountPath on the host, at a
// single level |
eaa51928 |
fPath, err := c.SecretFilePath(*s)
if err != nil {
return errors.Wrap(err, "error getting secret file path")
} |
09cd96c5 |
if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil { |
0c170a76 |
return errors.Wrap(err, "error creating secret mount path") |
3716ec25 |
}
|
857e60c2 |
logrus.WithFields(logrus.Fields{ |
bebd472e |
"name": s.File.Name, |
857e60c2 |
"path": fPath,
}).Debug("injecting secret") |
79b940fe |
secret, err := c.DependencyStore.Secrets().Get(s.SecretID)
if err != nil {
return errors.Wrap(err, "unable to get secret from secret store") |
bebd472e |
}
if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { |
0c170a76 |
return errors.Wrap(err, "error injecting secret") |
3716ec25 |
}
|
bebd472e |
uid, err := strconv.Atoi(s.File.UID) |
b2e4c7f3 |
if err != nil {
return err
} |
bebd472e |
gid, err := strconv.Atoi(s.File.GID) |
b2e4c7f3 |
if err != nil {
return err
}
|
09cd96c5 |
if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil { |
0c170a76 |
return errors.Wrap(err, "error setting ownership for secret") |
3716ec25 |
}
}
|
b11af7b2 |
label.Relabel(localMountPath, c.MountLabel, false)
|
3716ec25 |
// remount secrets ro |
8119809b |
if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "remount,ro,"+tmpfsOwnership); err != nil { |
0c170a76 |
return errors.Wrap(err, "unable to remount secret dir as readonly") |
3716ec25 |
}
|
0c170a76 |
return nil |
3716ec25 |
}
|
9e9fc7b5 |
func (daemon *Daemon) setupConfigDir(c *container.Container) (setupErr error) {
if len(c.ConfigReferences) == 0 {
return nil
}
|
eaa51928 |
localPath, err := c.ConfigsDirPath()
if err != nil {
return err
} |
9e9fc7b5 |
logrus.Debugf("configs: setting up config dir: %s", localPath)
// retrieve possible remapped range start for root UID, GID |
93fbdb69 |
rootIDs := daemon.idMappings.RootPair() |
9e9fc7b5 |
// create tmpfs |
09cd96c5 |
if err := idtools.MkdirAllAndChown(localPath, 0700, rootIDs); err != nil { |
9e9fc7b5 |
return errors.Wrap(err, "error creating config dir")
}
defer func() {
if setupErr != nil {
if err := os.RemoveAll(localPath); err != nil {
logrus.Errorf("error cleaning up config dir: %s", err)
}
}
}()
if c.DependencyStore == nil {
return fmt.Errorf("config store is not initialized")
}
for _, configRef := range c.ConfigReferences {
// TODO (ehazlett): use type switch when more are supported
if configRef.File == nil {
logrus.Error("config target type is not a file target")
continue
}
|
eaa51928 |
fPath, err := c.ConfigFilePath(*configRef)
if err != nil {
return err
} |
9e9fc7b5 |
log := logrus.WithFields(logrus.Fields{"name": configRef.File.Name, "path": fPath})
|
09cd96c5 |
if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil { |
9e9fc7b5 |
return errors.Wrap(err, "error creating config path")
}
log.Debug("injecting config") |
79b940fe |
config, err := c.DependencyStore.Configs().Get(configRef.ConfigID)
if err != nil {
return errors.Wrap(err, "unable to get config from config store") |
9e9fc7b5 |
}
if err := ioutil.WriteFile(fPath, config.Spec.Data, configRef.File.Mode); err != nil {
return errors.Wrap(err, "error injecting config")
}
uid, err := strconv.Atoi(configRef.File.UID)
if err != nil {
return err
}
gid, err := strconv.Atoi(configRef.File.GID)
if err != nil {
return err
}
|
09cd96c5 |
if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil { |
9e9fc7b5 |
return errors.Wrap(err, "error setting ownership for config")
} |
472c03a8 |
label.Relabel(fPath, c.MountLabel, false) |
9e9fc7b5 |
}
return nil
}
|
49211715 |
func killProcessDirectly(cntr *container.Container) error { |
cfdf84d5 |
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
// Block until the container to stops or timeout. |
49211715 |
status := <-cntr.Wait(ctx, container.WaitConditionNotRunning) |
cfdf84d5 |
if status.Err() != nil { |
6bb0d181 |
// Ensure that we don't kill ourselves |
49211715 |
if pid := cntr.GetPID(); pid != 0 {
logrus.Infof("Container %s failed to exit within 10 seconds of kill - trying direct SIGKILL", stringid.TruncateID(cntr.ID)) |
069fdc8a |
if err := unix.Kill(pid, 9); err != nil {
if err != unix.ESRCH { |
6bb0d181 |
return err
} |
1a729c3d |
e := errNoSuchProcess{pid, 9}
logrus.Debug(e)
return e |
6bb0d181 |
}
}
}
return nil
}
func detachMounted(path string) error { |
069fdc8a |
return unix.Unmount(path, unix.MNT_DETACH) |
6bb0d181 |
}
func isLinkable(child *container.Container) bool {
// A container is linkable only if it belongs to the default network |
e8026d8a |
_, ok := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] |
6bb0d181 |
return ok
} |
a793564b |
|
1991f6eb |
func enableIPOnPredefinedNetwork() bool {
return false
} |
50f02b58 |
func (daemon *Daemon) isNetworkHotPluggable() bool {
return true
} |
600f0ad2 |
func setupPathsAndSandboxOptions(container *container.Container, sboxOptions *[]libnetwork.SandboxOption) error {
var err error
container.HostsPath, err = container.GetRootResourcePath("hosts")
if err != nil {
return err
}
*sboxOptions = append(*sboxOptions, libnetwork.OptionHostsPath(container.HostsPath))
container.ResolvConfPath, err = container.GetRootResourcePath("resolv.conf")
if err != nil {
return err
}
*sboxOptions = append(*sboxOptions, libnetwork.OptionResolvConfPath(container.ResolvConfPath))
return nil
}
|
349913ce |
func (daemon *Daemon) initializeNetworkingPaths(container *container.Container, nc *container.Container) error { |
600f0ad2 |
container.HostnamePath = nc.HostnamePath
container.HostsPath = nc.HostsPath
container.ResolvConfPath = nc.ResolvConfPath |
349913ce |
return nil |
600f0ad2 |
} |
eaa51928 |
func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error {
// get the root mount path so we can make it unbindable
p, err := c.MountsResourcePath("")
if err != nil {
return err
}
if err := idtools.MkdirAllAndChown(p, 0700, daemon.idMappings.RootPair()); err != nil {
return err
}
if err := mount.MakeUnbindable(p); err != nil {
// Setting unbindable is a precaution and is not neccessary for correct operation.
// Do not error out if this fails.
logrus.WithError(err).WithField("resource", p).WithField("container", c.ID).Warn("Error setting container resource mounts to unbindable, this may cause mount leakages, preventing removal of this container.")
}
return nil
} |