4f0d95fa |
package daemon // import "github.com/docker/docker/daemon" |
fb48bf51 |
import (
"fmt" |
b0a7b012 |
"os" |
9fa44906 |
"path" |
fb48bf51 |
"path/filepath" |
9fa44906 |
"runtime"
"strings" |
fb48bf51 |
"time"
|
91e197d6 |
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/strslice" |
fb48bf51 |
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/network" |
d453fe35 |
"github.com/docker/docker/errdefs" |
fb48bf51 |
"github.com/docker/docker/image" |
80d7bfd5 |
"github.com/docker/docker/oci/caps" |
c424be21 |
"github.com/docker/docker/opts" |
bfa0885c |
"github.com/docker/docker/pkg/signal"
"github.com/docker/docker/pkg/system" |
fb48bf51 |
"github.com/docker/docker/pkg/truncindex" |
7917a36c |
"github.com/docker/docker/runconfig" |
6a70fd22 |
volumemounts "github.com/docker/docker/volume/mounts" |
bfa0885c |
"github.com/docker/go-connections/nat" |
a8216806 |
"github.com/opencontainers/selinux/go-selinux" |
ebcb7d6b |
"github.com/pkg/errors" |
10c97b93 |
"github.com/sirupsen/logrus" |
fb48bf51 |
)
// GetContainer looks for a container using the provided information, which could be
// one of the following inputs from the caller:
// - A full container ID, which will exact match a container in daemon's list
// - A container name, which will only exact match via the GetByName() function
// - A partial container ID prefix (e.g. short ID) of any length that is
// unique enough to only return a single container object
// If none of these searches succeed, an error is returned
func (daemon *Daemon) GetContainer(prefixOrName string) (*container.Container, error) {
if len(prefixOrName) == 0 { |
ebcb7d6b |
return nil, errors.WithStack(invalidIdentifier(prefixOrName)) |
fb48bf51 |
}
if containerByID := daemon.containers.Get(prefixOrName); containerByID != nil {
// prefix is an exact match to a full container ID
return containerByID, nil
}
// GetByName will match only an exact name provided; we ignore errors
if containerByName, _ := daemon.GetByName(prefixOrName); containerByName != nil {
// prefix is an exact match to a full container Name
return containerByName, nil
}
containerID, indexError := daemon.idIndex.Get(prefixOrName)
if indexError != nil {
// When truncindex defines an error type, use that instead
if indexError == truncindex.ErrNotExist { |
ebcb7d6b |
return nil, containerNotFound(prefixOrName) |
fb48bf51 |
} |
87a12421 |
return nil, errdefs.System(indexError) |
fb48bf51 |
}
return daemon.containers.Get(containerID), nil
}
|
12485d62 |
// checkContainer make sure the specified container validates the specified conditions
func (daemon *Daemon) checkContainer(container *container.Container, conditions ...func(*container.Container) error) error {
for _, condition := range conditions {
if err := condition(container); err != nil {
return err
}
}
return nil
}
|
fb48bf51 |
// Exists returns a true if a container of the specified ID or name exists,
// false otherwise.
func (daemon *Daemon) Exists(id string) bool {
c, _ := daemon.GetContainer(id)
return c != nil
}
// IsPaused returns a bool indicating if the specified container is paused.
func (daemon *Daemon) IsPaused(id string) bool {
c, _ := daemon.GetContainer(id)
return c.State.IsPaused()
}
func (daemon *Daemon) containerRoot(id string) string {
return filepath.Join(daemon.repository, id)
}
// Load reads the contents of a container from disk
// This is typically done at startup.
func (daemon *Daemon) load(id string) (*container.Container, error) { |
eb14d936 |
ctr := daemon.newBaseContainer(id) |
fb48bf51 |
|
eb14d936 |
if err := ctr.FromDisk(); err != nil { |
fb48bf51 |
return nil, err
} |
a8216806 |
selinux.ReserveLabel(ctr.ProcessLabel) |
fb48bf51 |
|
eb14d936 |
if ctr.ID != id {
return ctr, fmt.Errorf("Container %s is stored at %s", ctr.ID, id) |
fb48bf51 |
}
|
eb14d936 |
return ctr, nil |
fb48bf51 |
}
// Register makes a container object usable by the daemon as <container.ID> |
eed4c7b7 |
func (daemon *Daemon) Register(c *container.Container) error { |
fb48bf51 |
// Attach to stdout and stderr
if c.Config.OpenStdin { |
5ea75bb6 |
c.StreamConfig.NewInputPipes() |
fb48bf51 |
} else { |
5ea75bb6 |
c.StreamConfig.NewNopInputPipe() |
fb48bf51 |
}
|
eed4c7b7 |
// once in the memory store it is visible to other goroutines |
aacddda8 |
// grab a Lock until it has been checkpointed to avoid races |
eed4c7b7 |
c.Lock()
defer c.Unlock()
|
fb48bf51 |
daemon.containers.Add(c.ID, c)
daemon.idIndex.Add(c.ID) |
aacddda8 |
return c.CheckpointTo(daemon.containersReplica) |
fb48bf51 |
}
|
0380fbff |
func (daemon *Daemon) newContainer(name string, operatingSystem string, config *containertypes.Config, hostConfig *containertypes.HostConfig, imgID image.ID, managed bool) (*container.Container, error) { |
fb48bf51 |
var (
id string
err error
noExplicitName = name == ""
)
id, name, err = daemon.generateIDAndName(name)
if err != nil {
return nil, err
}
|
b0a7b012 |
if hostConfig.NetworkMode.IsHost() {
if config.Hostname == "" {
config.Hostname, err = os.Hostname()
if err != nil { |
87a12421 |
return nil, errdefs.System(err) |
b0a7b012 |
}
}
} else {
daemon.generateHostname(id, config)
} |
fb48bf51 |
entrypoint, args := daemon.getEntrypointAndArgs(config.Entrypoint, config.Cmd)
base := daemon.newBaseContainer(id)
base.Created = time.Now().UTC() |
534a90a9 |
base.Managed = managed |
fb48bf51 |
base.Path = entrypoint |
f4f56b11 |
base.Args = args // FIXME: de-duplicate from config |
fb48bf51 |
base.Config = config
base.HostConfig = &containertypes.HostConfig{}
base.ImageID = imgID
base.NetworkSettings = &network.Settings{IsAnonymousEndpoint: noExplicitName}
base.Name = name |
0dab53ff |
base.Driver = daemon.imageService.GraphDriverForOS(operatingSystem) |
0380fbff |
base.OS = operatingSystem |
fb48bf51 |
return base, err
}
// GetByName returns a container given a name.
func (daemon *Daemon) GetByName(name string) (*container.Container, error) {
if len(name) == 0 {
return nil, fmt.Errorf("No container name supplied")
}
fullName := name
if name[0] != '/' {
fullName = "/" + name
} |
1128fc1a |
id, err := daemon.containersReplica.Snapshot().GetID(fullName) |
fb48bf51 |
if err != nil {
return nil, fmt.Errorf("Could not find entity for %s", name)
}
e := daemon.containers.Get(id)
if e == nil {
return nil, fmt.Errorf("Could not find container for entity id %s", id)
}
return e, nil
} |
bfa0885c |
// newBaseContainer creates a new container with its initial
// configuration based on the root storage from the daemon.
func (daemon *Daemon) newBaseContainer(id string) *container.Container {
return container.NewBaseContainer(id, daemon.containerRoot(id))
}
func (daemon *Daemon) getEntrypointAndArgs(configEntrypoint strslice.StrSlice, configCmd strslice.StrSlice) (string, []string) {
if len(configEntrypoint) != 0 {
return configEntrypoint[0], append(configEntrypoint[1:], configCmd...)
}
return configCmd[0], configCmd[1:]
}
func (daemon *Daemon) generateHostname(id string, config *containertypes.Config) {
// Generate default hostname
if config.Hostname == "" {
config.Hostname = id[:12]
}
}
func (daemon *Daemon) setSecurityOptions(container *container.Container, hostConfig *containertypes.HostConfig) error {
container.Lock()
defer container.Unlock() |
d7fda019 |
return daemon.parseSecurityOpt(container, hostConfig) |
bfa0885c |
}
func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig *containertypes.HostConfig) error {
// Do not lock while creating volumes since this could be calling out to external plugins
// Don't want to block other actions, like `docker ps` because we're waiting on an external plugin
if err := daemon.registerMountPoints(container, hostConfig); err != nil {
return err
}
container.Lock()
defer container.Unlock()
// Register any links from the host config before starting the container
if err := daemon.registerLinks(container, hostConfig); err != nil {
return err
}
|
7917a36c |
runconfig.SetDefaultNetModeIfBlank(hostConfig) |
bfa0885c |
container.HostConfig = hostConfig |
edad5270 |
return container.CheckpointTo(daemon.containersReplica) |
bfa0885c |
}
// verifyContainerSettings performs validation of the hostconfig and config
// structures. |
10c97b93 |
func (daemon *Daemon) verifyContainerSettings(platform string, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) (warnings []string, err error) { |
bfa0885c |
// First perform verification of settings common across all platforms. |
f6002117 |
if err = validateContainerConfig(config, platform); err != nil {
return warnings, err
}
if err := validateHostConfig(hostConfig, platform); err != nil {
return warnings, err
} |
bfa0885c |
|
f6002117 |
// Now do platform-specific verification
warnings, err = verifyPlatformContainerSettings(daemon, hostConfig, update)
for _, w := range warnings {
logrus.Warn(w)
}
return warnings, err
} |
bfa0885c |
|
f6002117 |
func validateContainerConfig(config *containertypes.Config, platform string) error {
if config == nil {
return nil
}
if err := translateWorkingDir(config, platform); err != nil {
return err
}
if len(config.StopSignal) > 0 {
if _, err := signal.ParseSignal(config.StopSignal); err != nil {
return err |
818d55c3 |
} |
f6002117 |
}
// Validate if Env contains empty variable or not (e.g., ``, `=foo`)
for _, env := range config.Env {
if _, err := opts.ValidateEnv(env); err != nil {
return err |
e399c558 |
} |
bfa0885c |
} |
f6002117 |
return validateHealthCheck(config.Healthcheck)
} |
bfa0885c |
|
f6002117 |
func validateHostConfig(hostConfig *containertypes.HostConfig, platform string) error { |
bfa0885c |
if hostConfig == nil { |
f6002117 |
return nil |
bfa0885c |
} |
03b3ec1d |
|
3c2886d8 |
if hostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() { |
f6002117 |
return errors.Errorf("can't create 'AutoRemove' container with restart policy") |
3c2886d8 |
} |
7cb96ba3 |
// Validate mounts; check if host directories still exist |
6a70fd22 |
parser := volumemounts.NewParser(platform) |
7cb96ba3 |
for _, cfg := range hostConfig.Mounts {
if err := parser.ValidateMountConfig(&cfg); err != nil { |
f6002117 |
return err |
7cb96ba3 |
}
} |
d524dd95 |
for _, extraHost := range hostConfig.ExtraHosts {
if _, err := opts.ValidateExtraHost(extraHost); err != nil { |
f6002117 |
return err |
d524dd95 |
}
} |
c0697c27 |
if err := validatePortBindings(hostConfig.PortBindings); err != nil { |
f6002117 |
return err |
bfa0885c |
} |
e1809510 |
if err := validateRestartPolicy(hostConfig.RestartPolicy); err != nil { |
f6002117 |
return err |
94e95e47 |
} |
80d7bfd5 |
if err := validateCapabilities(hostConfig); err != nil {
return err
} |
e6bfe9cd |
if !hostConfig.Isolation.IsValid() { |
f6002117 |
return errors.Errorf("invalid isolation '%s' on %s", hostConfig.Isolation, runtime.GOOS) |
6e78fdb7 |
} |
f6002117 |
return nil |
bfa0885c |
} |
6a7da0b3 |
|
80d7bfd5 |
func validateCapabilities(hostConfig *containertypes.HostConfig) error {
if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapAdd); err != nil {
return errors.Wrap(err, "invalid CapAdd")
}
if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapDrop); err != nil {
return errors.Wrap(err, "invalid CapDrop")
}
// TODO consider returning warnings if "Privileged" is combined with Capabilities, CapAdd and/or CapDrop
return nil
}
|
6a7da0b3 |
// validateHealthCheck validates the healthcheck params of Config
func validateHealthCheck(healthConfig *containertypes.HealthConfig) error {
if healthConfig == nil {
return nil
}
if healthConfig.Interval != 0 && healthConfig.Interval < containertypes.MinimumDuration {
return errors.Errorf("Interval in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
}
if healthConfig.Timeout != 0 && healthConfig.Timeout < containertypes.MinimumDuration {
return errors.Errorf("Timeout in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
}
if healthConfig.Retries < 0 {
return errors.Errorf("Retries in Healthcheck cannot be negative")
}
if healthConfig.StartPeriod != 0 && healthConfig.StartPeriod < containertypes.MinimumDuration {
return errors.Errorf("StartPeriod in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
}
return nil
} |
e1809510 |
|
c0697c27 |
func validatePortBindings(ports nat.PortMap) error {
for port := range ports {
_, portStr := nat.SplitProtoPort(string(port))
if _, err := nat.ParsePort(portStr); err != nil {
return errors.Errorf("invalid port specification: %q", portStr)
}
for _, pb := range ports[port] {
_, err := nat.NewPort(nat.SplitProtoPort(pb.HostPort))
if err != nil {
return errors.Errorf("invalid port specification: %q", pb.HostPort)
}
}
}
return nil
}
|
e1809510 |
func validateRestartPolicy(policy containertypes.RestartPolicy) error {
switch policy.Name {
case "always", "unless-stopped", "no":
if policy.MaximumRetryCount != 0 {
return errors.Errorf("maximum retry count cannot be used with restart policy '%s'", policy.Name)
}
case "on-failure":
if policy.MaximumRetryCount < 0 {
return errors.Errorf("maximum retry count cannot be negative")
}
case "":
// do nothing
return nil
default:
return errors.Errorf("invalid restart policy '%s'", policy.Name)
}
return nil
} |
5fc0f034 |
// translateWorkingDir translates the working-dir for the target platform,
// and returns an error if the given path is not an absolute path.
func translateWorkingDir(config *containertypes.Config, platform string) error {
if config.WorkingDir == "" {
return nil
}
wd := config.WorkingDir
switch {
case runtime.GOOS != platform:
// LCOW. Force Unix semantics
wd = strings.Replace(wd, string(os.PathSeparator), "/", -1)
if !path.IsAbs(wd) {
return fmt.Errorf("the working directory '%s' is invalid, it needs to be an absolute path", config.WorkingDir)
}
default:
wd = filepath.FromSlash(wd) // Ensure in platform semantics
if !system.IsAbs(wd) {
return fmt.Errorf("the working directory '%s' is invalid, it needs to be an absolute path", config.WorkingDir)
}
}
config.WorkingDir = wd
return nil
} |