daemon, oci: remove LCOW bits

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-27 12:12:11 +02:00 · 2021-07-27 12:12:11 +02:00 · 0c84c322ae
commit 0c84c322ae
parent 12f1b3ce43
5 changed files with 148 additions and 230 deletions
--- a/daemon/create.go
+++ b/daemon/create.go
@ -16,6 +16,7 @@ import (
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/runconfig"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/selinux/go-selinux"
@ -113,19 +114,17 @@ func (daemon *Daemon) create(opts createOpts) (retC *container.Container, retErr
 		img   *image.Image
 		imgID image.ID
 		err   error
+		os    = runtime.GOOS
 	)

-	os := runtime.GOOS
 	if opts.params.Config.Image != "" {
 		img, err = daemon.imageService.GetImage(opts.params.Config.Image, opts.params.Platform)
 		if err != nil {
 			return nil, err
 		}
-		if img.OS != "" {
-			os = img.OS
-		}
+		os = img.OperatingSystem()
 		imgID = img.ID()
-		if isWindows && img.OS == "linux" {
+		if !system.IsOSSupported(os) {
 			return nil, errors.New("operating system on which parent image was created is not Windows")
 		}
 	} else if isWindows {
--- a/daemon/create_windows.go
+++ b/daemon/create_windows.go
@ -3,7 +3,6 @@ package daemon // import "github.com/docker/docker/daemon"
 import (
 	"context"
 	"fmt"
-	"runtime"

 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/container"
@ -14,19 +13,9 @@ import (

 // createContainerOSSpecificSettings performs host-OS specific container create functionality
 func (daemon *Daemon) createContainerOSSpecificSettings(container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error {
-
-	if container.OS == runtime.GOOS {
+	if containertypes.Isolation.IsDefault(hostConfig.Isolation) {
 		// Make sure the host config has the default daemon isolation if not specified by caller.
-		if containertypes.Isolation.IsDefault(containertypes.Isolation(hostConfig.Isolation)) {
-			hostConfig.Isolation = daemon.defaultIsolation
-		}
-	} else {
-		// LCOW must be a Hyper-V container as you can't run a shared kernel when one
-		// is a Windows kernel, the other is a Linux kernel.
-		if containertypes.Isolation.IsProcess(containertypes.Isolation(hostConfig.Isolation)) {
-			return fmt.Errorf("process isolation is invalid for Linux containers on Windows")
-		}
-		hostConfig.Isolation = "hyperv"
+		hostConfig.Isolation = daemon.defaultIsolation
 	}
 	parser := volumemounts.NewParser()
 	for spec := range config.Volumes {
--- a/daemon/daemon_windows.go
+++ b/daemon/daemon_windows.go
@ -510,17 +510,11 @@ func (daemon *Daemon) conditionalMountOnStart(container *container.Container) er
 // conditionalUnmountOnCleanup is a platform specific helper function called
 // during the cleanup of a container to unmount.
 func (daemon *Daemon) conditionalUnmountOnCleanup(container *container.Container) error {
-
-	// Bail out now for Linux containers
-	if system.LCOWSupported() && container.OS != "windows" {
+	if daemon.runAsHyperVContainer(container.HostConfig) {
+		// We do not unmount if a Hyper-V container
 		return nil
 	}
-
-	// We do not unmount if a Hyper-V container
-	if !daemon.runAsHyperVContainer(container.HostConfig) {
-		return daemon.Unmount(container)
-	}
-	return nil
+	return daemon.Unmount(container)
 }

 func driverOptions(config *config.Config) []nwconfig.Option {
--- a/daemon/oci_windows.go
+++ b/daemon/oci_windows.go
@ -5,7 +5,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
-	"runtime"
 	"strings"

 	"github.com/Microsoft/hcsshim/osversion"
@ -13,7 +12,6 @@ import (
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/oci"
-	"github.com/docker/docker/oci/caps"
 	"github.com/docker/docker/pkg/sysinfo"
 	"github.com/docker/docker/pkg/system"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@ -33,8 +31,11 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 	if err != nil {
 		return nil, err
 	}
+	if !system.IsOSSupported(img.OperatingSystem()) {
+		return nil, system.ErrNotSupportedOperatingSystem
+	}

-	s := oci.DefaultOSSpec(img.OS)
+	s := oci.DefaultSpec()

 	linkedEnv, err := daemon.setupLinkedContainers(c)
 	if err != nil {
@ -116,11 +117,6 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 		if !mount.Writable {
 			m.Options = append(m.Options, "ro")
 		}
-		if img.OS != runtime.GOOS {
-			m.Type = "bind"
-			m.Options = append(m.Options, "rbind")
-			m.Options = append(m.Options, fmt.Sprintf("uvmpath=/tmp/gcs/%s/binds", c.ID))
-		}
 		s.Mounts = append(s.Mounts, m)
 	}

@ -200,20 +196,8 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 		NetworkSharedContainerName: networkSharedContainerID,
 	}

-	switch img.OS {
-	case "windows":
-		if err := daemon.createSpecWindowsFields(c, &s, isHyperV); err != nil {
-			return nil, err
-		}
-	case "linux":
-		if !system.LCOWSupported() {
-			return nil, fmt.Errorf("Linux containers on Windows are not supported")
-		}
-		if err := daemon.createSpecLinuxFields(c, &s); err != nil {
-			return nil, err
-		}
-	default:
-		return nil, fmt.Errorf("Unsupported platform %q", img.OS)
+	if err := daemon.createSpecWindowsFields(c, &s, isHyperV); err != nil {
+		return nil, err
 	}

 	if logrus.IsLevelEnabled(logrus.DebugLevel) {
@ -222,7 +206,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 		}
 	}

-	return (*specs.Spec)(&s), nil
+	return &s, nil
 }

 // Sets the Windows-specific fields of the OCI spec
@ -370,41 +354,6 @@ func (daemon *Daemon) setWindowsCredentialSpec(c *container.Container, s *specs.
 	return nil
 }

-// Sets the Linux-specific fields of the OCI spec
-// TODO: LCOW Support. We need to do a lot more pulling in what can
-// be pulled in from oci_linux.go.
-func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spec) error {
-	s.Root = &specs.Root{
-		Path:     "rootfs",
-		Readonly: c.HostConfig.ReadonlyRootfs,
-	}
-
-	s.Hostname = c.Config.Hostname
-	setLinuxDomainname(c, s)
-
-	if len(s.Process.Cwd) == 0 {
-		s.Process.Cwd = `/`
-	}
-	s.Process.Args = append([]string{c.Path}, c.Args...)
-
-	// Note these are against the UVM.
-	setResourcesInSpec(c, s, true) // LCOW is Hyper-V only
-
-	capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged)
-	if err != nil {
-		return fmt.Errorf("linux spec capabilities: %v", err)
-	}
-	if err := oci.SetCapabilities(s, capabilities); err != nil {
-		return fmt.Errorf("linux spec capabilities: %v", err)
-	}
-	devPermissions, err := oci.AppendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
-	if err != nil {
-		return fmt.Errorf("linux runtime spec devices: %v", err)
-	}
-	s.Linux.Resources.Devices = devPermissions
-	return nil
-}
-
 func setResourcesInSpec(c *container.Container, s *specs.Spec, isHyperV bool) {
 	// In s.Windows.Resources
 	cpuShares := uint16(c.HostConfig.CPUShares)
--- a/oci/defaults.go
+++ b/oci/defaults.go
@ -14,12 +14,7 @@ func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }

 // DefaultSpec returns the default spec used by docker for the current Platform
 func DefaultSpec() specs.Spec {
-	return DefaultOSSpec(runtime.GOOS)
-}
-
-// DefaultOSSpec returns the spec for a given OS
-func DefaultOSSpec(osName string) specs.Spec {
-	if osName == "windows" {
+	if runtime.GOOS == "windows" {
 		return DefaultWindowsSpec()
 	}
 	return DefaultLinuxSpec()
@ -37,7 +32,7 @@ func DefaultWindowsSpec() specs.Spec {

 // DefaultLinuxSpec create a default spec for running Linux containers
 func DefaultLinuxSpec() specs.Spec {
-	s := specs.Spec{
+	return specs.Spec{
 		Version: specs.Version,
 		Process: &specs.Process{
 			Capabilities: &specs.LinuxCapabilities{
@ -48,147 +43,139 @@ func DefaultLinuxSpec() specs.Spec {
 			},
 		},
 		Root: &specs.Root{},
-	}
-	s.Mounts = []specs.Mount{
-		{
-			Destination: "/proc",
-			Type:        "proc",
-			Source:      "proc",
-			Options:     []string{"nosuid", "noexec", "nodev"},
+		Mounts: []specs.Mount{
+			{
+				Destination: "/proc",
+				Type:        "proc",
+				Source:      "proc",
+				Options:     []string{"nosuid", "noexec", "nodev"},
+			},
+			{
+				Destination: "/dev",
+				Type:        "tmpfs",
+				Source:      "tmpfs",
+				Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+			},
+			{
+				Destination: "/dev/pts",
+				Type:        "devpts",
+				Source:      "devpts",
+				Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+			},
+			{
+				Destination: "/sys",
+				Type:        "sysfs",
+				Source:      "sysfs",
+				Options:     []string{"nosuid", "noexec", "nodev", "ro"},
+			},
+			{
+				Destination: "/sys/fs/cgroup",
+				Type:        "cgroup",
+				Source:      "cgroup",
+				Options:     []string{"ro", "nosuid", "noexec", "nodev"},
+			},
+			{
+				Destination: "/dev/mqueue",
+				Type:        "mqueue",
+				Source:      "mqueue",
+				Options:     []string{"nosuid", "noexec", "nodev"},
+			},
+			{
+				Destination: "/dev/shm",
+				Type:        "tmpfs",
+				Source:      "shm",
+				Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
+			},
 		},
-		{
-			Destination: "/dev",
-			Type:        "tmpfs",
-			Source:      "tmpfs",
-			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
-		},
-		{
-			Destination: "/dev/pts",
-			Type:        "devpts",
-			Source:      "devpts",
-			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
-		},
-		{
-			Destination: "/sys",
-			Type:        "sysfs",
-			Source:      "sysfs",
-			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
-		},
-		{
-			Destination: "/sys/fs/cgroup",
-			Type:        "cgroup",
-			Source:      "cgroup",
-			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
-		},
-		{
-			Destination: "/dev/mqueue",
-			Type:        "mqueue",
-			Source:      "mqueue",
-			Options:     []string{"nosuid", "noexec", "nodev"},
-		},
-		{
-			Destination: "/dev/shm",
-			Type:        "tmpfs",
-			Source:      "shm",
-			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
-		},
-	}
-
-	s.Linux = &specs.Linux{
-		MaskedPaths: []string{
-			"/proc/asound",
-			"/proc/acpi",
-			"/proc/kcore",
-			"/proc/keys",
-			"/proc/latency_stats",
-			"/proc/timer_list",
-			"/proc/timer_stats",
-			"/proc/sched_debug",
-			"/proc/scsi",
-			"/sys/firmware",
-		},
-		ReadonlyPaths: []string{
-			"/proc/bus",
-			"/proc/fs",
-			"/proc/irq",
-			"/proc/sys",
-			"/proc/sysrq-trigger",
-		},
-		Namespaces: []specs.LinuxNamespace{
-			{Type: "mount"},
-			{Type: "network"},
-			{Type: "uts"},
-			{Type: "pid"},
-			{Type: "ipc"},
-		},
-		// Devices implicitly contains the following devices:
-		// null, zero, full, random, urandom, tty, console, and ptmx.
-		// ptmx is a bind mount or symlink of the container's ptmx.
-		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
-		Devices: []specs.LinuxDevice{},
-		Resources: &specs.LinuxResources{
-			Devices: []specs.LinuxDeviceCgroup{
-				{
-					Allow:  false,
-					Access: "rwm",
-				},
-				{
-					Allow:  true,
-					Type:   "c",
-					Major:  iPtr(1),
-					Minor:  iPtr(5),
-					Access: "rwm",
-				},
-				{
-					Allow:  true,
-					Type:   "c",
-					Major:  iPtr(1),
-					Minor:  iPtr(3),
-					Access: "rwm",
-				},
-				{
-					Allow:  true,
-					Type:   "c",
-					Major:  iPtr(1),
-					Minor:  iPtr(9),
-					Access: "rwm",
-				},
-				{
-					Allow:  true,
-					Type:   "c",
-					Major:  iPtr(1),
-					Minor:  iPtr(8),
-					Access: "rwm",
-				},
-				{
-					Allow:  true,
-					Type:   "c",
-					Major:  iPtr(5),
-					Minor:  iPtr(0),
-					Access: "rwm",
-				},
-				{
-					Allow:  true,
-					Type:   "c",
-					Major:  iPtr(5),
-					Minor:  iPtr(1),
-					Access: "rwm",
-				},
-				{
-					Allow:  false,
-					Type:   "c",
-					Major:  iPtr(10),
-					Minor:  iPtr(229),
-					Access: "rwm",
+		Linux: &specs.Linux{
+			MaskedPaths: []string{
+				"/proc/asound",
+				"/proc/acpi",
+				"/proc/kcore",
+				"/proc/keys",
+				"/proc/latency_stats",
+				"/proc/timer_list",
+				"/proc/timer_stats",
+				"/proc/sched_debug",
+				"/proc/scsi",
+				"/sys/firmware",
+			},
+			ReadonlyPaths: []string{
+				"/proc/bus",
+				"/proc/fs",
+				"/proc/irq",
+				"/proc/sys",
+				"/proc/sysrq-trigger",
+			},
+			Namespaces: []specs.LinuxNamespace{
+				{Type: "mount"},
+				{Type: "network"},
+				{Type: "uts"},
+				{Type: "pid"},
+				{Type: "ipc"},
+			},
+			// Devices implicitly contains the following devices:
+			// null, zero, full, random, urandom, tty, console, and ptmx.
+			// ptmx is a bind mount or symlink of the container's ptmx.
+			// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
+			Devices: []specs.LinuxDevice{},
+			Resources: &specs.LinuxResources{
+				Devices: []specs.LinuxDeviceCgroup{
+					{
+						Allow:  false,
+						Access: "rwm",
+					},
+					{
+						Allow:  true,
+						Type:   "c",
+						Major:  iPtr(1),
+						Minor:  iPtr(5),
+						Access: "rwm",
+					},
+					{
+						Allow:  true,
+						Type:   "c",
+						Major:  iPtr(1),
+						Minor:  iPtr(3),
+						Access: "rwm",
+					},
+					{
+						Allow:  true,
+						Type:   "c",
+						Major:  iPtr(1),
+						Minor:  iPtr(9),
+						Access: "rwm",
+					},
+					{
+						Allow:  true,
+						Type:   "c",
+						Major:  iPtr(1),
+						Minor:  iPtr(8),
+						Access: "rwm",
+					},
+					{
+						Allow:  true,
+						Type:   "c",
+						Major:  iPtr(5),
+						Minor:  iPtr(0),
+						Access: "rwm",
+					},
+					{
+						Allow:  true,
+						Type:   "c",
+						Major:  iPtr(5),
+						Minor:  iPtr(1),
+						Access: "rwm",
+					},
+					{
+						Allow:  false,
+						Type:   "c",
+						Major:  iPtr(10),
+						Minor:  iPtr(229),
+						Access: "rwm",
+					},
 				},
 			},
 		},
 	}
-
-	// For LCOW support, populate a blank Windows spec
-	if runtime.GOOS == "windows" {
-		s.Windows = &specs.Windows{}
-	}
-
-	return s
 }