-
Notifications
You must be signed in to change notification settings - Fork 18.9k
Expand file tree
/
Copy pathcontainer.go
More file actions
368 lines (332 loc) · 12.7 KB
/
container.go
File metadata and controls
368 lines (332 loc) · 12.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
package daemon
import (
"context"
"fmt"
"maps"
"os"
"path/filepath"
"runtime"
"slices"
"strings"
"time"
"github.com/containerd/log"
containertypes "github.com/moby/moby/api/types/container"
"github.com/moby/moby/api/types/mount"
networktypes "github.com/moby/moby/api/types/network"
"github.com/moby/moby/v2/daemon/config"
"github.com/moby/moby/v2/daemon/container"
"github.com/moby/moby/v2/daemon/internal/image"
"github.com/moby/moby/v2/daemon/network"
"github.com/moby/moby/v2/daemon/pkg/oci/caps"
"github.com/moby/moby/v2/daemon/pkg/opts"
volumemounts "github.com/moby/moby/v2/daemon/volume/mounts"
"github.com/moby/moby/v2/errdefs"
"github.com/moby/sys/signal"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/opencontainers/selinux/go-selinux"
"github.com/pkg/errors"
)
// GetContainer looks for a container using the provided information, which could be
// one of the following inputs from the caller:
// - A full container ID, which will exact match a container in daemon's list
// - A container name, which will only exact match via the GetByName() function
// - A partial container ID prefix (e.g. short ID) of any length that is
// unique enough to only return a single container object
// If none of these searches succeed, an error is returned
func (daemon *Daemon) GetContainer(prefixOrName string) (*container.Container, error) {
if prefixOrName == "" {
return nil, errors.WithStack(invalidIdentifier(prefixOrName))
}
if containerByID := daemon.containers.Get(prefixOrName); containerByID != nil {
// prefix is an exact match to a full container ID
return containerByID, nil
}
// GetByName will match only an exact name provided; we ignore errors
if containerByName, _ := daemon.GetByName(prefixOrName); containerByName != nil {
// prefix is an exact match to a full container Name
return containerByName, nil
}
containerID, err := daemon.containersReplica.GetByPrefix(prefixOrName)
if err != nil {
return nil, err
}
ctr := daemon.containers.Get(containerID)
if ctr == nil {
// Updates to the daemon.containersReplica ViewDB are not atomic
// or consistent w.r.t. the live daemon.containers Store so
// while reaching this code path may be indicative of a bug,
// it is not _necessarily_ the case.
log.G(context.TODO()).WithField("prefixOrName", prefixOrName).
WithField("id", containerID).
Debugf("daemon.GetContainer: container is known to daemon.containersReplica but not daemon.containers")
return nil, containerNotFound(prefixOrName)
}
return ctr, nil
}
// Load reads the contents of a container from disk
// This is typically done at startup.
func (daemon *Daemon) load(id string) (*container.Container, error) {
ctr := container.NewBaseContainer(id, filepath.Join(daemon.repository, id))
if err := ctr.FromDisk(); err != nil {
return nil, err
}
selinux.ReserveLabel(ctr.ProcessLabel)
if ctr.ID != id {
return ctr, fmt.Errorf("Container %s is stored at %s", ctr.ID, id)
}
return ctr, nil
}
// register makes a container object usable by the daemon as [container.Container.ID].
func (daemon *Daemon) register(ctx context.Context, c *container.Container) error {
// Attach to stdout and stderr
if c.Config.OpenStdin {
c.StreamConfig.NewInputPipes()
} else {
c.StreamConfig.NewNopInputPipe()
}
// once in the memory store it is visible to other goroutines
// grab a Lock until it has been checkpointed to avoid races
c.Lock()
defer c.Unlock()
// FIXME(thaJeztah): this logic may not be atomic:
//
// - daemon.containers.Add does not promise to "add", allows overwriting a container with the given ID.
// - c.CheckpointTo may fail, in which case we registered a container, but failed to write to disk
//
// We should consider:
//
// - changing the signature of containers.Add to return an error if the
// given ID exists (potentially adding an alternative to "set" / "update")
// - adding a defer to rollback the "Add" when failing to CheckPoint.
daemon.containers.Add(c.ID, c)
return c.CheckpointTo(ctx, daemon.containersReplica)
}
func (daemon *Daemon) newContainer(name string, platform ocispec.Platform, config *containertypes.Config, hostConfig *containertypes.HostConfig, imgID image.ID, managed bool) (*container.Container, error) {
var (
id string
err error
)
id, name, err = daemon.generateIDAndName(name)
if err != nil {
return nil, err
}
if config.Hostname == "" {
if hostConfig.NetworkMode.IsHost() {
config.Hostname, err = os.Hostname()
if err != nil {
return nil, errdefs.System(err)
}
} else {
// default hostname is the container's short-ID
config.Hostname = id[:12]
}
}
entrypoint, args := getEntrypointAndArgs(config.Entrypoint, config.Cmd)
base := container.NewBaseContainer(id, filepath.Join(daemon.repository, id))
base.Created = time.Now().UTC()
base.Managed = managed
base.Path = entrypoint
base.Args = args // FIXME: de-duplicate from config
base.Config = config
base.HostConfig = hostConfig
base.ImageID = imgID
base.NetworkSettings = &network.Settings{}
base.Name = name
base.Driver = daemon.imageService.StorageDriver()
base.ImagePlatform = platform
base.OS = platform.OS //nolint:staticcheck // ignore SA1019: field is deprecated, but still set for compatibility
return base, err
}
func getEntrypointAndArgs(configEntrypoint, configCmd []string) (string, []string) {
if len(configEntrypoint) == 0 {
return configCmd[0], configCmd[1:]
}
return configEntrypoint[0], append(configEntrypoint[1:], configCmd...)
}
// GetByName returns a container given a name.
func (daemon *Daemon) GetByName(name string) (*container.Container, error) {
if name == "" {
return nil, errors.New("No container name supplied")
}
fullName := name
if name[0] != '/' {
fullName = "/" + name
}
id, err := daemon.containersReplica.Snapshot().GetID(fullName)
if err != nil {
return nil, fmt.Errorf("Could not find entity for %s", name)
}
e := daemon.containers.Get(id)
if e == nil {
return nil, fmt.Errorf("Could not find container for entity id %s", id)
}
return e, nil
}
// GetDependentContainers returns a list of containers that depend on the given container.
// Dependencies are determined by:
// - Network mode dependencies (--network=container:xxx)
// - Legacy container links (--link)
//
// This is primarily used during daemon startup to determine container startup order,
// ensuring that dependent containers are started after their dependencies are running.
// Upon error, it returns the last known dependent containers, which may be empty.
func (daemon *Daemon) GetDependentContainers(c *container.Container) []*container.Container {
var dependentContainers []*container.Container
if c.HostConfig.NetworkMode.IsContainer() {
// If the container is using a network mode that depends on another container,
// we need to find that container and add it to the dependency map.
dependencyContainer, err := daemon.GetContainer(c.HostConfig.NetworkMode.ConnectedContainer())
if err != nil {
log.G(context.TODO()).WithError(err).Errorf("Could not find dependent container for %s", c.ID)
return dependentContainers
}
dependentContainers = append(dependentContainers, dependencyContainer)
}
return append(dependentContainers, slices.Collect(maps.Values(daemon.linkIndex.children(c)))...)
}
func (daemon *Daemon) setSecurityOptions(cfg *config.Config, container *container.Container) error {
container.Lock()
defer container.Unlock()
return daemon.parseSecurityOpt(cfg, &container.SecurityOptions, container.HostConfig)
}
// verifyContainerSettings performs validation of the hostconfig and config
// structures.
func (daemon *Daemon) verifyContainerSettings(daemonCfg *configStore, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) (warnings []string, _ error) {
// First perform verification of settings common across all platforms.
if err := validateContainerConfig(config); err != nil {
return nil, err
}
warns, err := validateHostConfig(hostConfig)
warnings = append(warnings, warns...)
if err != nil {
return warnings, err
}
// Now do platform-specific verification
warns, err = verifyPlatformContainerSettings(daemon, daemonCfg, hostConfig, update)
warnings = append(warnings, warns...)
return warnings, err
}
func validateContainerConfig(config *containertypes.Config) error {
if config == nil {
return nil
}
if err := translateWorkingDir(config); err != nil {
return err
}
if config.StopSignal != "" {
if _, err := signal.ParseSignal(config.StopSignal); err != nil {
return err
}
}
// Validate if Env contains empty variable or not (e.g., ``, `=foo`)
for _, env := range config.Env {
if _, err := opts.ValidateEnv(env); err != nil {
return err
}
}
return validateHealthCheck(config.Healthcheck)
}
func validateHostConfig(hostConfig *containertypes.HostConfig) (warnings []string, _ error) {
if hostConfig == nil {
return nil, nil
}
if hostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() {
return warnings, errors.Errorf("can't create 'AutoRemove' container with restart policy")
}
// Validate mounts; check if host directories still exist
parser := volumemounts.NewParser()
for _, c := range hostConfig.Mounts {
cfg := c
if cfg.Type == mount.TypeImage {
warnings = append(warnings, "Image mount is an experimental feature")
}
if err := parser.ValidateMountConfig(&cfg); err != nil {
return warnings, err
}
}
for _, extraHost := range hostConfig.ExtraHosts {
if _, err := opts.ValidateExtraHost(extraHost); err != nil {
return warnings, err
}
}
if err := validatePortBindings(hostConfig.PortBindings); err != nil {
return warnings, err
}
if err := containertypes.ValidateRestartPolicy(hostConfig.RestartPolicy); err != nil {
return warnings, err
}
if err := validateCapabilities(hostConfig); err != nil {
return warnings, err
}
if !hostConfig.Isolation.IsValid() {
return warnings, errors.Errorf("invalid isolation '%s' on %s", hostConfig.Isolation, runtime.GOOS)
}
for k := range hostConfig.Annotations {
if k == "" {
return warnings, errors.Errorf("invalid Annotations: the empty string is not permitted as an annotation key")
}
}
return warnings, nil
}
func validateCapabilities(hostConfig *containertypes.HostConfig) error {
if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapAdd); err != nil {
return errors.Wrap(err, "invalid CapAdd")
}
if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapDrop); err != nil {
return errors.Wrap(err, "invalid CapDrop")
}
// TODO consider returning warnings if "Privileged" is combined with Capabilities, CapAdd and/or CapDrop
return nil
}
// validateHealthCheck validates the healthcheck params of Config
func validateHealthCheck(healthConfig *containertypes.HealthConfig) error {
if healthConfig == nil {
return nil
}
if healthConfig.Interval != 0 && healthConfig.Interval < containertypes.MinimumDuration {
return errors.Errorf("Interval in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
}
if healthConfig.Timeout != 0 && healthConfig.Timeout < containertypes.MinimumDuration {
return errors.Errorf("Timeout in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
}
if healthConfig.Retries < 0 {
return errors.Errorf("Retries in Healthcheck cannot be negative")
}
if healthConfig.StartPeriod != 0 && healthConfig.StartPeriod < containertypes.MinimumDuration {
return errors.Errorf("StartPeriod in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
}
if healthConfig.StartInterval != 0 && healthConfig.StartInterval < containertypes.MinimumDuration {
return errors.Errorf("StartInterval in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
}
return nil
}
func validatePortBindings(ports networktypes.PortMap) error {
for port := range ports {
if !port.IsValid() || port.Num() == 0 {
return errors.Errorf("invalid port specification: %q", port.String())
}
for _, pb := range ports[port] {
if pb.HostPort == "" {
// Empty HostPort means to map to an ephemeral port.
continue
}
if _, err := networktypes.ParsePortRange(pb.HostPort); err != nil {
return errors.Errorf("invalid port specification: %q", pb.HostPort)
}
}
}
return nil
}
// translateWorkingDir translates the working-dir for the target platform,
// and returns an error if the given path is not an absolute path.
func translateWorkingDir(config *containertypes.Config) error {
if config.WorkingDir == "" {
return nil
}
wd := filepath.FromSlash(config.WorkingDir) // Ensure in platform semantics
if !filepath.IsAbs(wd) && !strings.HasPrefix(wd, string(os.PathSeparator)) {
return fmt.Errorf("the working directory '%s' is invalid, it needs to be an absolute path", config.WorkingDir)
}
config.WorkingDir = filepath.Clean(wd)
return nil
}