api/types: hostconfig: add some constants/enums and minor code cleanup
| ... | ... |
@@ -491,13 +491,13 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo |
| 491 | 491 |
|
| 492 | 492 |
// Older clients (API < 1.40) expects the default to be shareable, make them happy |
| 493 | 493 |
if hostConfig.IpcMode.IsEmpty() {
|
| 494 |
- hostConfig.IpcMode = container.IpcMode("shareable")
|
|
| 494 |
+ hostConfig.IpcMode = container.IPCModeShareable |
|
| 495 | 495 |
} |
| 496 | 496 |
} |
| 497 | 497 |
if hostConfig != nil && versions.LessThan(version, "1.41") && !s.cgroup2 {
|
| 498 | 498 |
// Older clients expect the default to be "host" on cgroup v1 hosts |
| 499 | 499 |
if hostConfig.CgroupnsMode.IsEmpty() {
|
| 500 |
- hostConfig.CgroupnsMode = container.CgroupnsMode("host")
|
|
| 500 |
+ hostConfig.CgroupnsMode = container.CgroupnsModeHost |
|
| 501 | 501 |
} |
| 502 | 502 |
} |
| 503 | 503 |
|
| ... | ... |
@@ -13,19 +13,26 @@ import ( |
| 13 | 13 |
// CgroupnsMode represents the cgroup namespace mode of the container |
| 14 | 14 |
type CgroupnsMode string |
| 15 | 15 |
|
| 16 |
+// cgroup namespace modes for containers |
|
| 17 |
+const ( |
|
| 18 |
+ CgroupnsModeEmpty CgroupnsMode = "" |
|
| 19 |
+ CgroupnsModePrivate CgroupnsMode = "private" |
|
| 20 |
+ CgroupnsModeHost CgroupnsMode = "host" |
|
| 21 |
+) |
|
| 22 |
+ |
|
| 16 | 23 |
// IsPrivate indicates whether the container uses its own private cgroup namespace |
| 17 | 24 |
func (c CgroupnsMode) IsPrivate() bool {
|
| 18 |
- return c == "private" |
|
| 25 |
+ return c == CgroupnsModePrivate |
|
| 19 | 26 |
} |
| 20 | 27 |
|
| 21 | 28 |
// IsHost indicates whether the container shares the host's cgroup namespace |
| 22 | 29 |
func (c CgroupnsMode) IsHost() bool {
|
| 23 |
- return c == "host" |
|
| 30 |
+ return c == CgroupnsModeHost |
|
| 24 | 31 |
} |
| 25 | 32 |
|
| 26 | 33 |
// IsEmpty indicates whether the container cgroup namespace mode is unset |
| 27 | 34 |
func (c CgroupnsMode) IsEmpty() bool {
|
| 28 |
- return c == "" |
|
| 35 |
+ return c == CgroupnsModeEmpty |
|
| 29 | 36 |
} |
| 30 | 37 |
|
| 31 | 38 |
// Valid indicates whether the cgroup namespace mode is valid |
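Review bot: The new `CgroupnsMode` constants are exported but carry only a block-level comment, so godoc shows `CgroupnsModeEmpty`, `CgroupnsModePrivate` and `CgroupnsModeHost` with no description, unlike the `Isolation` block later in this commit which documents each name inline. A trailing comment per constant would keep the two blocks consistent, e.g. `CgroupnsModeEmpty CgroupnsMode = "" // CgroupnsModeEmpty is unset (the daemon picks the default)`, `CgroupnsModePrivate CgroupnsMode = "private" // CgroupnsModePrivate gives the container its own cgroup namespace`, `CgroupnsModeHost CgroupnsMode = "host" // CgroupnsModeHost shares the host's cgroup namespace`. The `Valid` method whose comment ends this hunk continues outside it, so whether it now compares against these constants too is not visible here.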
| ... | ... |
@@ -37,60 +44,69 @@ func (c CgroupnsMode) Valid() bool {
|
| 37 | 37 |
// values are platform specific |
| 38 | 38 |
type Isolation string |
| 39 | 39 |
|
| 40 |
+// Isolation modes for containers |
|
| 41 |
+const ( |
|
| 42 |
+ IsolationEmpty Isolation = "" // IsolationEmpty is unspecified (same behavior as default) |
|
| 43 |
+ IsolationDefault Isolation = "default" // IsolationDefault is the default isolation mode on current daemon |
|
| 44 |
+ IsolationProcess Isolation = "process" // IsolationProcess is process isolation mode |
|
| 45 |
+ IsolationHyperV Isolation = "hyperv" // IsolationHyperV is HyperV isolation mode |
|
| 46 |
+) |
|
| 47 |
+ |
|
| 40 | 48 |
// IsDefault indicates the default isolation technology of a container. On Linux this |
| 41 | 49 |
// is the native driver. On Windows, this is a Windows Server Container. |
| 42 | 50 |
func (i Isolation) IsDefault() bool {
|
| 43 |
- return strings.ToLower(string(i)) == "default" || string(i) == "" |
|
| 51 |
+ // TODO consider making isolation-mode strict (case-sensitive) |
|
| 52 |
+ v := Isolation(strings.ToLower(string(i))) |
|
| 53 |
+ return v == IsolationDefault || v == IsolationEmpty |
|
| 44 | 54 |
} |
| 45 | 55 |
|
| 46 | 56 |
// IsHyperV indicates the use of a Hyper-V partition for isolation |
| 47 | 57 |
func (i Isolation) IsHyperV() bool {
|
| 48 |
- return strings.ToLower(string(i)) == "hyperv" |
|
| 58 |
+ // TODO consider making isolation-mode strict (case-sensitive) |
|
| 59 |
+ return Isolation(strings.ToLower(string(i))) == IsolationHyperV |
|
| 49 | 60 |
} |
| 50 | 61 |
|
| 51 | 62 |
// IsProcess indicates the use of process isolation |
| 52 | 63 |
func (i Isolation) IsProcess() bool {
|
| 53 |
- return strings.ToLower(string(i)) == "process" |
|
| 64 |
+ // TODO consider making isolation-mode strict (case-sensitive) |
|
| 65 |
+ return Isolation(strings.ToLower(string(i))) == IsolationProcess |
|
| 54 | 66 |
} |
| 55 | 67 |
|
| 56 |
-const ( |
|
| 57 |
- // IsolationEmpty is unspecified (same behavior as default) |
|
| 58 |
- IsolationEmpty = Isolation("")
|
|
| 59 |
- // IsolationDefault is the default isolation mode on current daemon |
|
| 60 |
- IsolationDefault = Isolation("default")
|
|
| 61 |
- // IsolationProcess is process isolation mode |
|
| 62 |
- IsolationProcess = Isolation("process")
|
|
| 63 |
- // IsolationHyperV is HyperV isolation mode |
|
| 64 |
- IsolationHyperV = Isolation("hyperv")
|
|
| 65 |
-) |
|
| 66 |
- |
|
| 67 | 68 |
// IpcMode represents the container ipc stack. |
| 68 | 69 |
type IpcMode string |
| 69 | 70 |
|
| 71 |
+// IpcMode constants |
|
| 72 |
+const ( |
|
| 73 |
+ IPCModeNone IpcMode = "none" |
|
| 74 |
+ IPCModeHost IpcMode = "host" |
|
| 75 |
+ IPCModeContainer IpcMode = "container" |
|
| 76 |
+ IPCModePrivate IpcMode = "private" |
|
| 77 |
+ IPCModeShareable IpcMode = "shareable" |
|
| 78 |
+) |
|
| 79 |
+ |
|
| 70 | 80 |
// IsPrivate indicates whether the container uses its own private ipc namespace which can not be shared. |
| 71 | 81 |
func (n IpcMode) IsPrivate() bool {
|
| 72 |
- return n == "private" |
|
| 82 |
+ return n == IPCModePrivate |
|
| 73 | 83 |
} |
| 74 | 84 |
|
| 75 | 85 |
// IsHost indicates whether the container shares the host's ipc namespace. |
| 76 | 86 |
func (n IpcMode) IsHost() bool {
|
| 77 |
- return n == "host" |
|
| 87 |
+ return n == IPCModeHost |
|
| 78 | 88 |
} |
| 79 | 89 |
|
| 80 | 90 |
// IsShareable indicates whether the container's ipc namespace can be shared with another container. |
| 81 | 91 |
func (n IpcMode) IsShareable() bool {
|
| 82 |
- return n == "shareable" |
|
| 92 |
+ return n == IPCModeShareable |
|
| 83 | 93 |
} |
| 84 | 94 |
|
| 85 | 95 |
// IsContainer indicates whether the container uses another container's ipc namespace. |
| 86 | 96 |
func (n IpcMode) IsContainer() bool {
|
| 87 |
- parts := strings.SplitN(string(n), ":", 2) |
|
| 88 |
- return len(parts) > 1 && parts[0] == "container" |
|
| 97 |
+ return strings.HasPrefix(string(n), string(IPCModeContainer)+":") |
|
| 89 | 98 |
} |
| 90 | 99 |
|
| 91 | 100 |
// IsNone indicates whether container IpcMode is set to "none". |
| 92 | 101 |
func (n IpcMode) IsNone() bool {
|
| 93 |
- return n == "none" |
|
| 102 |
+ return n == IPCModeNone |
|
| 94 | 103 |
} |
| 95 | 104 |
|
| 96 | 105 |
// IsEmpty indicates whether container IpcMode is empty |
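Review bot: `IPCModeContainer` is not a complete `IpcMode` value like its siblings — `IsContainer` and `Container` only treat it as the prefix of the `container:<name>` form, and a bare `IpcMode("container")` is rejected by `IsContainer`, so a caller who assigns the constant directly (as `IPCModeShareable` is assigned in the router hunk) gets a mode that no predicate matches. That asymmetry deserves a comment on the constant, e.g. `IPCModeContainer IpcMode = "container" // IPCModeContainer is the prefix of the "container:<name>" form; it is not a valid mode on its own`, and the other four constants in this block should get one-line doc comments as well, matching the `Isolation` block above. The `IsDefault`/`IsHyperV`/`IsProcess` TODOs are right that the lowercasing makes `Isolation` matching case-insensitive while the `IpcMode` and `CgroupnsMode` predicates are exact; if strictness is tightened later the three methods should change together.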
| ... | ... |
@@ -105,9 +121,8 @@ func (n IpcMode) Valid() bool {
|
| 105 | 105 |
|
| 106 | 106 |
// Container returns the name of the container ipc stack is going to be used. |
| 107 | 107 |
func (n IpcMode) Container() string {
|
| 108 |
- parts := strings.SplitN(string(n), ":", 2) |
|
| 109 |
- if len(parts) > 1 && parts[0] == "container" {
|
|
| 110 |
- return parts[1] |
|
| 108 |
+ if n.IsContainer() {
|
|
| 109 |
+ return strings.TrimPrefix(string(n), string(IPCModeContainer)+":") |
|
| 111 | 110 |
} |
| 112 | 111 |
return "" |
| 113 | 112 |
} |
| ... | ... |
@@ -326,7 +341,7 @@ type LogMode string |
| 326 | 326 |
|
| 327 | 327 |
// Available logging modes |
| 328 | 328 |
const ( |
| 329 |
- LogModeUnset = "" |
|
| 329 |
+ LogModeUnset LogMode = "" |
|
| 330 | 330 |
LogModeBlocking LogMode = "blocking" |
| 331 | 331 |
LogModeNonBlock LogMode = "non-blocking" |
| 332 | 332 |
) |
| ... | ... |
@@ -62,15 +62,15 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
|
| 62 | 62 |
flags.StringVar(&conf.SeccompProfile, "seccomp-profile", config.SeccompProfileDefault, `Path to seccomp profile. Use "unconfined" to disable the default seccomp profile`) |
| 63 | 63 |
flags.Var(&conf.ShmSize, "default-shm-size", "Default shm size for containers") |
| 64 | 64 |
flags.BoolVar(&conf.NoNewPrivileges, "no-new-privileges", false, "Set no-new-privileges by default for new containers") |
| 65 |
- flags.StringVar(&conf.IpcMode, "default-ipc-mode", config.DefaultIpcMode, `Default mode for containers ipc ("shareable" | "private")`)
|
|
| 65 |
+ flags.StringVar(&conf.IpcMode, "default-ipc-mode", string(config.DefaultIpcMode), `Default mode for containers ipc ("shareable" | "private")`)
|
|
| 66 | 66 |
flags.Var(&conf.NetworkConfig.DefaultAddressPools, "default-address-pool", "Default address pools for node specific local networks") |
| 67 | 67 |
// rootless needs to be explicitly specified for running "rootful" dockerd in rootless dockerd (#38702) |
| 68 | 68 |
// Note that defaultUserlandProxyPath and honorXDG are configured according to the value of rootless.RunningWithRootlessKit, not the value of --rootless. |
| 69 | 69 |
flags.BoolVar(&conf.Rootless, "rootless", rootless.RunningWithRootlessKit(), "Enable rootless mode; typically used with RootlessKit") |
| 70 |
- defaultCgroupNamespaceMode := "host" |
|
| 71 |
- if cgroups.Mode() == cgroups.Unified {
|
|
| 72 |
- defaultCgroupNamespaceMode = "private" |
|
| 70 |
+ defaultCgroupNamespaceMode := config.DefaultCgroupNamespaceMode |
|
| 71 |
+ if cgroups.Mode() != cgroups.Unified {
|
|
| 72 |
+ defaultCgroupNamespaceMode = config.DefaultCgroupV1NamespaceMode |
|
| 73 | 73 |
} |
| 74 |
- flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", defaultCgroupNamespaceMode, `Default mode for containers cgroup namespace ("host" | "private")`)
|
|
| 74 |
+ flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", string(defaultCgroupNamespaceMode), `Default mode for containers cgroup namespace ("host" | "private")`)
|
|
| 75 | 75 |
return nil |
| 76 | 76 |
} |
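Review bot: `conf.IpcMode` and `conf.CgroupNamespaceMode` are still plain `string` fields here, so the typed defaults are converted back with `string(...)` on lines 65 and 74 and any user-supplied flag value bypasses the type entirely; the daemon hunk below then re-wraps them with `containertypes.IpcMode(...)`/`containertypes.CgroupnsMode(...)` without a visible `Valid()` check, so a typo such as `--default-ipc-mode=sharable` would presumably only surface when the first container is created (I cannot see the config validation from this page — worth confirming). The help strings on the same lines also hard-code `("shareable" | "private")` and `("host" | "private")` as literals; building them from the constants, e.g. `"Default mode for containers ipc (\""+string(containertypes.IPCModeShareable)+"\" | \""+string(containertypes.IPCModePrivate)+"\")"`, would keep the help text from drifting from the accepted values.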
| ... | ... |
@@ -12,7 +12,13 @@ import ( |
| 12 | 12 |
|
| 13 | 13 |
const ( |
| 14 | 14 |
// DefaultIpcMode is default for container's IpcMode, if not set otherwise |
| 15 |
- DefaultIpcMode = "private" |
|
| 15 |
+ DefaultIpcMode = containertypes.IPCModePrivate |
|
| 16 |
+ |
|
| 17 |
+ // DefaultCgroupNamespaceMode is the default mode for containers cgroup namespace when using cgroups v2. |
|
| 18 |
+ DefaultCgroupNamespaceMode = containertypes.CgroupnsModePrivate |
|
| 19 |
+ |
|
| 20 |
+ // DefaultCgroupV1NamespaceMode is the default mode for containers cgroup namespace when using cgroups v1. |
|
| 21 |
+ DefaultCgroupV1NamespaceMode = containertypes.CgroupnsModeHost |
|
| 16 | 22 |
) |
| 17 | 23 |
|
| 18 | 24 |
// BridgeConfig stores all the bridge driver specific |
| ... | ... |
@@ -347,9 +347,9 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf |
| 347 | 347 |
if hostConfig.IpcMode.IsEmpty() {
|
| 348 | 348 |
m := config.DefaultIpcMode |
| 349 | 349 |
if daemon.configStore != nil {
|
| 350 |
- m = daemon.configStore.IpcMode |
|
| 350 |
+ m = containertypes.IpcMode(daemon.configStore.IpcMode) |
|
| 351 | 351 |
} |
| 352 |
- hostConfig.IpcMode = containertypes.IpcMode(m) |
|
| 352 |
+ hostConfig.IpcMode = m |
|
| 353 | 353 |
} |
| 354 | 354 |
|
| 355 | 355 |
// Set default cgroup namespace mode, if unset for container |
| ... | ... |
@@ -357,16 +357,16 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf |
| 357 | 357 |
// for cgroup v2: unshare cgroupns even for privileged containers |
| 358 | 358 |
// https://github.com/containers/libpod/pull/4374#issuecomment-549776387 |
| 359 | 359 |
if hostConfig.Privileged && cgroups.Mode() != cgroups.Unified {
|
| 360 |
- hostConfig.CgroupnsMode = containertypes.CgroupnsMode("host")
|
|
| 360 |
+ hostConfig.CgroupnsMode = containertypes.CgroupnsModeHost |
|
| 361 | 361 |
} else {
|
| 362 |
- m := "host" |
|
| 362 |
+ m := containertypes.CgroupnsModeHost |
|
| 363 | 363 |
if cgroups.Mode() == cgroups.Unified {
|
| 364 |
- m = "private" |
|
| 364 |
+ m = containertypes.CgroupnsModePrivate |
|
| 365 | 365 |
} |
| 366 | 366 |
if daemon.configStore != nil {
|
| 367 |
- m = daemon.configStore.CgroupNamespaceMode |
|
| 367 |
+ m = containertypes.CgroupnsMode(daemon.configStore.CgroupNamespaceMode) |
|
| 368 | 368 |
} |
| 369 |
- hostConfig.CgroupnsMode = containertypes.CgroupnsMode(m) |
|
| 369 |
+ hostConfig.CgroupnsMode = m |
|
| 370 | 370 |
} |
| 371 | 371 |
} |
| 372 | 372 |
|
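Review bot: The `else` branch on lines 362-365 re-derives the cgroup-version-dependent default inline even though this commit introduces `config.DefaultCgroupNamespaceMode` and `config.DefaultCgroupV1NamespaceMode` for exactly that purpose and already uses them in `installConfigFlags`; the three lines could become `m := config.DefaultCgroupNamespaceMode` / `if cgroups.Mode() != cgroups.Unified {` / `m = config.DefaultCgroupV1NamespaceMode` so both call sites agree if the defaults ever change (`config` is already imported, as the `IpcMode` hunk above shows). The `daemon.configStore.CgroupNamespaceMode` value is cast straight to `containertypes.CgroupnsMode` on line 367 with no `Valid()` check visible here; if validation happens when the config is loaded that is fine, otherwise an invalid configured mode would be applied to every container with an empty `CgroupnsMode`. `adaptContainerSettings` starts and ends outside this hunk.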
| ... | ... |
@@ -36,7 +36,7 @@ func WithLocalCache(l logger.Logger, info logger.Info) (logger.Logger, error) {
|
| 36 | 36 |
return nil, errors.Wrap(err, "error initializing local log cache driver") |
| 37 | 37 |
} |
| 38 | 38 |
|
| 39 |
- if info.Config["mode"] == container.LogModeUnset || container.LogMode(info.Config["mode"]) == container.LogModeNonBlock {
|
|
| 39 |
+ if container.LogMode(info.Config["mode"]) == container.LogModeUnset || container.LogMode(info.Config["mode"]) == container.LogModeNonBlock {
|
|
| 40 | 40 |
var size int64 = -1 |
| 41 | 41 |
if s, exists := info.Config["max-buffer-size"]; exists {
|
| 42 | 42 |
size, err = units.RAMInBytes(s) |
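Review bot: Line 39 now performs the `info.Config["mode"]` lookup and the `container.LogMode(...)` conversion twice in one condition, which is harder to read than the line it replaces; hoisting it into a local, `mode := container.LogMode(info.Config["mode"])` followed by `if mode == container.LogModeUnset || mode == container.LogModeNonBlock {`, keeps the typed comparison the commit is after and reads as one decision. Since `LogModeUnset` is `""`, a missing `mode` key and an explicitly empty value are treated the same, which is presumably intended but is worth a short comment. `WithLocalCache` starts and ends outside this hunk.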
| ... | ... |
@@ -66,7 +66,7 @@ func TestTmpfsDevShmNoDupMount(t *testing.T) {
|
| 66 | 66 |
c := &container.Container{
|
| 67 | 67 |
ShmPath: "foobar", // non-empty, for c.IpcMounts() to work |
| 68 | 68 |
HostConfig: &containertypes.HostConfig{
|
| 69 |
- IpcMode: containertypes.IpcMode("shareable"), // default mode
|
|
| 69 |
+ IpcMode: containertypes.IPCModeShareable, // default mode |
|
| 70 | 70 |
// --tmpfs /dev/shm:rw,exec,size=NNN |
| 71 | 71 |
Tmpfs: map[string]string{
|
| 72 | 72 |
"/dev/shm": "rw,exec,size=1g", |
| ... | ... |
@@ -88,7 +88,7 @@ func TestIpcPrivateVsReadonly(t *testing.T) {
|
| 88 | 88 |
skip.If(t, os.Getuid() != 0, "skipping test that requires root") |
| 89 | 89 |
c := &container.Container{
|
| 90 | 90 |
HostConfig: &containertypes.HostConfig{
|
| 91 |
- IpcMode: containertypes.IpcMode("private"),
|
|
| 91 |
+ IpcMode: containertypes.IPCModePrivate, |
|
| 92 | 92 |
ReadonlyRootfs: true, |
| 93 | 93 |
}, |
| 94 | 94 |
} |