github.com/demonoid81/moby@v0.0.0-20200517203328-62dd8e17c460/daemon/container.go (about) 1 package daemon // import "github.com/demonoid81/moby/daemon" 2 3 import ( 4 "fmt" 5 "os" 6 "path" 7 "path/filepath" 8 "runtime" 9 "strings" 10 "time" 11 12 containertypes "github.com/demonoid81/moby/api/types/container" 13 "github.com/demonoid81/moby/api/types/strslice" 14 "github.com/demonoid81/moby/container" 15 "github.com/demonoid81/moby/daemon/network" 16 "github.com/demonoid81/moby/errdefs" 17 "github.com/demonoid81/moby/image" 18 "github.com/demonoid81/moby/oci/caps" 19 "github.com/demonoid81/moby/opts" 20 "github.com/demonoid81/moby/pkg/signal" 21 "github.com/demonoid81/moby/pkg/system" 22 "github.com/demonoid81/moby/pkg/truncindex" 23 "github.com/demonoid81/moby/runconfig" 24 volumemounts "github.com/demonoid81/moby/volume/mounts" 25 "github.com/docker/go-connections/nat" 26 "github.com/opencontainers/selinux/go-selinux" 27 "github.com/pkg/errors" 28 "github.com/sirupsen/logrus" 29 ) 30 31 // GetContainer looks for a container using the provided information, which could be 32 // one of the following inputs from the caller: 33 // - A full container ID, which will exact match a container in daemon's list 34 // - A container name, which will only exact match via the GetByName() function 35 // - A partial container ID prefix (e.g. short ID) of any length that is 36 // unique enough to only return a single container object 37 // If none of these searches succeed, an error is returned 38 func (daemon *Daemon) GetContainer(prefixOrName string) (*container.Container, error) { 39 if len(prefixOrName) == 0 { 40 return nil, errors.WithStack(invalidIdentifier(prefixOrName)) 41 } 42 43 if containerByID := daemon.containers.Get(prefixOrName); containerByID != nil { 44 // prefix is an exact match to a full container ID 45 return containerByID, nil 46 } 47 48 // GetByName will match only an exact name provided; we ignore errors 49 if containerByName, _ := daemon.GetByName(prefixOrName); containerByName != nil { 50 // prefix is an exact match to a full container Name 51 return containerByName, nil 52 } 53 54 containerID, indexError := daemon.idIndex.Get(prefixOrName) 55 if indexError != nil { 56 // When truncindex defines an error type, use that instead 57 if indexError == truncindex.ErrNotExist { 58 return nil, containerNotFound(prefixOrName) 59 } 60 return nil, errdefs.System(indexError) 61 } 62 return daemon.containers.Get(containerID), nil 63 } 64 65 // checkContainer make sure the specified container validates the specified conditions 66 func (daemon *Daemon) checkContainer(container *container.Container, conditions ...func(*container.Container) error) error { 67 for _, condition := range conditions { 68 if err := condition(container); err != nil { 69 return err 70 } 71 } 72 return nil 73 } 74 75 // Exists returns a true if a container of the specified ID or name exists, 76 // false otherwise. 77 func (daemon *Daemon) Exists(id string) bool { 78 c, _ := daemon.GetContainer(id) 79 return c != nil 80 } 81 82 // IsPaused returns a bool indicating if the specified container is paused. 83 func (daemon *Daemon) IsPaused(id string) bool { 84 c, _ := daemon.GetContainer(id) 85 return c.State.IsPaused() 86 } 87 88 func (daemon *Daemon) containerRoot(id string) string { 89 return filepath.Join(daemon.repository, id) 90 } 91 92 // Load reads the contents of a container from disk 93 // This is typically done at startup. 94 func (daemon *Daemon) load(id string) (*container.Container, error) { 95 ctr := daemon.newBaseContainer(id) 96 97 if err := ctr.FromDisk(); err != nil { 98 return nil, err 99 } 100 selinux.ReserveLabel(ctr.ProcessLabel) 101 102 if ctr.ID != id { 103 return ctr, fmt.Errorf("Container %s is stored at %s", ctr.ID, id) 104 } 105 106 return ctr, nil 107 } 108 109 // Register makes a container object usable by the daemon as <container.ID> 110 func (daemon *Daemon) Register(c *container.Container) error { 111 // Attach to stdout and stderr 112 if c.Config.OpenStdin { 113 c.StreamConfig.NewInputPipes() 114 } else { 115 c.StreamConfig.NewNopInputPipe() 116 } 117 118 // once in the memory store it is visible to other goroutines 119 // grab a Lock until it has been checkpointed to avoid races 120 c.Lock() 121 defer c.Unlock() 122 123 daemon.containers.Add(c.ID, c) 124 daemon.idIndex.Add(c.ID) 125 return c.CheckpointTo(daemon.containersReplica) 126 } 127 128 func (daemon *Daemon) newContainer(name string, operatingSystem string, config *containertypes.Config, hostConfig *containertypes.HostConfig, imgID image.ID, managed bool) (*container.Container, error) { 129 var ( 130 id string 131 err error 132 noExplicitName = name == "" 133 ) 134 id, name, err = daemon.generateIDAndName(name) 135 if err != nil { 136 return nil, err 137 } 138 139 if hostConfig.NetworkMode.IsHost() { 140 if config.Hostname == "" { 141 config.Hostname, err = os.Hostname() 142 if err != nil { 143 return nil, errdefs.System(err) 144 } 145 } 146 } else { 147 daemon.generateHostname(id, config) 148 } 149 entrypoint, args := daemon.getEntrypointAndArgs(config.Entrypoint, config.Cmd) 150 151 base := daemon.newBaseContainer(id) 152 base.Created = time.Now().UTC() 153 base.Managed = managed 154 base.Path = entrypoint 155 base.Args = args // FIXME: de-duplicate from config 156 base.Config = config 157 base.HostConfig = &containertypes.HostConfig{} 158 base.ImageID = imgID 159 base.NetworkSettings = &network.Settings{IsAnonymousEndpoint: noExplicitName} 160 base.Name = name 161 base.Driver = daemon.imageService.GraphDriverForOS(operatingSystem) 162 base.OS = operatingSystem 163 return base, err 164 } 165 166 // GetByName returns a container given a name. 167 func (daemon *Daemon) GetByName(name string) (*container.Container, error) { 168 if len(name) == 0 { 169 return nil, fmt.Errorf("No container name supplied") 170 } 171 fullName := name 172 if name[0] != '/' { 173 fullName = "/" + name 174 } 175 id, err := daemon.containersReplica.Snapshot().GetID(fullName) 176 if err != nil { 177 return nil, fmt.Errorf("Could not find entity for %s", name) 178 } 179 e := daemon.containers.Get(id) 180 if e == nil { 181 return nil, fmt.Errorf("Could not find container for entity id %s", id) 182 } 183 return e, nil 184 } 185 186 // newBaseContainer creates a new container with its initial 187 // configuration based on the root storage from the daemon. 188 func (daemon *Daemon) newBaseContainer(id string) *container.Container { 189 return container.NewBaseContainer(id, daemon.containerRoot(id)) 190 } 191 192 func (daemon *Daemon) getEntrypointAndArgs(configEntrypoint strslice.StrSlice, configCmd strslice.StrSlice) (string, []string) { 193 if len(configEntrypoint) != 0 { 194 return configEntrypoint[0], append(configEntrypoint[1:], configCmd...) 195 } 196 return configCmd[0], configCmd[1:] 197 } 198 199 func (daemon *Daemon) generateHostname(id string, config *containertypes.Config) { 200 // Generate default hostname 201 if config.Hostname == "" { 202 config.Hostname = id[:12] 203 } 204 } 205 206 func (daemon *Daemon) setSecurityOptions(container *container.Container, hostConfig *containertypes.HostConfig) error { 207 container.Lock() 208 defer container.Unlock() 209 return daemon.parseSecurityOpt(container, hostConfig) 210 } 211 212 func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig *containertypes.HostConfig) error { 213 // Do not lock while creating volumes since this could be calling out to external plugins 214 // Don't want to block other actions, like `docker ps` because we're waiting on an external plugin 215 if err := daemon.registerMountPoints(container, hostConfig); err != nil { 216 return err 217 } 218 219 container.Lock() 220 defer container.Unlock() 221 222 // Register any links from the host config before starting the container 223 if err := daemon.registerLinks(container, hostConfig); err != nil { 224 return err 225 } 226 227 runconfig.SetDefaultNetModeIfBlank(hostConfig) 228 container.HostConfig = hostConfig 229 return container.CheckpointTo(daemon.containersReplica) 230 } 231 232 // verifyContainerSettings performs validation of the hostconfig and config 233 // structures. 234 func (daemon *Daemon) verifyContainerSettings(platform string, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) (warnings []string, err error) { 235 // First perform verification of settings common across all platforms. 236 if err = validateContainerConfig(config, platform); err != nil { 237 return warnings, err 238 } 239 if err := validateHostConfig(hostConfig, platform); err != nil { 240 return warnings, err 241 } 242 243 // Now do platform-specific verification 244 warnings, err = verifyPlatformContainerSettings(daemon, hostConfig, update) 245 for _, w := range warnings { 246 logrus.Warn(w) 247 } 248 return warnings, err 249 } 250 251 func validateContainerConfig(config *containertypes.Config, platform string) error { 252 if config == nil { 253 return nil 254 } 255 if err := translateWorkingDir(config, platform); err != nil { 256 return err 257 } 258 if len(config.StopSignal) > 0 { 259 if _, err := signal.ParseSignal(config.StopSignal); err != nil { 260 return err 261 } 262 } 263 // Validate if Env contains empty variable or not (e.g., ``, `=foo`) 264 for _, env := range config.Env { 265 if _, err := opts.ValidateEnv(env); err != nil { 266 return err 267 } 268 } 269 return validateHealthCheck(config.Healthcheck) 270 } 271 272 func validateHostConfig(hostConfig *containertypes.HostConfig, platform string) error { 273 if hostConfig == nil { 274 return nil 275 } 276 277 if hostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() { 278 return errors.Errorf("can't create 'AutoRemove' container with restart policy") 279 } 280 // Validate mounts; check if host directories still exist 281 parser := volumemounts.NewParser(platform) 282 for _, cfg := range hostConfig.Mounts { 283 if err := parser.ValidateMountConfig(&cfg); err != nil { 284 return err 285 } 286 } 287 for _, extraHost := range hostConfig.ExtraHosts { 288 if _, err := opts.ValidateExtraHost(extraHost); err != nil { 289 return err 290 } 291 } 292 if err := validatePortBindings(hostConfig.PortBindings); err != nil { 293 return err 294 } 295 if err := validateRestartPolicy(hostConfig.RestartPolicy); err != nil { 296 return err 297 } 298 if err := validateCapabilities(hostConfig); err != nil { 299 return err 300 } 301 if !hostConfig.Isolation.IsValid() { 302 return errors.Errorf("invalid isolation '%s' on %s", hostConfig.Isolation, runtime.GOOS) 303 } 304 return nil 305 } 306 307 func validateCapabilities(hostConfig *containertypes.HostConfig) error { 308 if len(hostConfig.CapAdd) > 0 && hostConfig.Capabilities != nil { 309 return errdefs.InvalidParameter(errors.Errorf("conflicting options: Capabilities and CapAdd")) 310 } 311 if len(hostConfig.CapDrop) > 0 && hostConfig.Capabilities != nil { 312 return errdefs.InvalidParameter(errors.Errorf("conflicting options: Capabilities and CapDrop")) 313 } 314 if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapAdd); err != nil { 315 return errors.Wrap(err, "invalid CapAdd") 316 } 317 if _, err := caps.NormalizeLegacyCapabilities(hostConfig.CapDrop); err != nil { 318 return errors.Wrap(err, "invalid CapDrop") 319 } 320 if err := caps.ValidateCapabilities(hostConfig.Capabilities); err != nil { 321 return errors.Wrap(err, "invalid Capabilities") 322 } 323 // TODO consider returning warnings if "Privileged" is combined with Capabilities, CapAdd and/or CapDrop 324 return nil 325 } 326 327 // validateHealthCheck validates the healthcheck params of Config 328 func validateHealthCheck(healthConfig *containertypes.HealthConfig) error { 329 if healthConfig == nil { 330 return nil 331 } 332 if healthConfig.Interval != 0 && healthConfig.Interval < containertypes.MinimumDuration { 333 return errors.Errorf("Interval in Healthcheck cannot be less than %s", containertypes.MinimumDuration) 334 } 335 if healthConfig.Timeout != 0 && healthConfig.Timeout < containertypes.MinimumDuration { 336 return errors.Errorf("Timeout in Healthcheck cannot be less than %s", containertypes.MinimumDuration) 337 } 338 if healthConfig.Retries < 0 { 339 return errors.Errorf("Retries in Healthcheck cannot be negative") 340 } 341 if healthConfig.StartPeriod != 0 && healthConfig.StartPeriod < containertypes.MinimumDuration { 342 return errors.Errorf("StartPeriod in Healthcheck cannot be less than %s", containertypes.MinimumDuration) 343 } 344 return nil 345 } 346 347 func validatePortBindings(ports nat.PortMap) error { 348 for port := range ports { 349 _, portStr := nat.SplitProtoPort(string(port)) 350 if _, err := nat.ParsePort(portStr); err != nil { 351 return errors.Errorf("invalid port specification: %q", portStr) 352 } 353 for _, pb := range ports[port] { 354 _, err := nat.NewPort(nat.SplitProtoPort(pb.HostPort)) 355 if err != nil { 356 return errors.Errorf("invalid port specification: %q", pb.HostPort) 357 } 358 } 359 } 360 return nil 361 } 362 363 func validateRestartPolicy(policy containertypes.RestartPolicy) error { 364 switch policy.Name { 365 case "always", "unless-stopped", "no": 366 if policy.MaximumRetryCount != 0 { 367 return errors.Errorf("maximum retry count cannot be used with restart policy '%s'", policy.Name) 368 } 369 case "on-failure": 370 if policy.MaximumRetryCount < 0 { 371 return errors.Errorf("maximum retry count cannot be negative") 372 } 373 case "": 374 // do nothing 375 return nil 376 default: 377 return errors.Errorf("invalid restart policy '%s'", policy.Name) 378 } 379 return nil 380 } 381 382 // translateWorkingDir translates the working-dir for the target platform, 383 // and returns an error if the given path is not an absolute path. 384 func translateWorkingDir(config *containertypes.Config, platform string) error { 385 if config.WorkingDir == "" { 386 return nil 387 } 388 wd := config.WorkingDir 389 switch { 390 case runtime.GOOS != platform: 391 // LCOW. Force Unix semantics 392 wd = strings.Replace(wd, string(os.PathSeparator), "/", -1) 393 if !path.IsAbs(wd) { 394 return fmt.Errorf("the working directory '%s' is invalid, it needs to be an absolute path", config.WorkingDir) 395 } 396 default: 397 wd = filepath.FromSlash(wd) // Ensure in platform semantics 398 if !system.IsAbs(wd) { 399 return fmt.Errorf("the working directory '%s' is invalid, it needs to be an absolute path", config.WorkingDir) 400 } 401 } 402 config.WorkingDir = wd 403 return nil 404 }