start_windows.go 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
  1. package daemon
  2. import (
  3. "fmt"
  4. "io/ioutil"
  5. "path/filepath"
  6. "strings"
  7. "github.com/docker/docker/container"
  8. "github.com/docker/docker/layer"
  9. "github.com/docker/docker/libcontainerd"
  10. "golang.org/x/sys/windows/registry"
  11. )
  12. const (
  13. credentialSpecRegistryLocation = `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs`
  14. credentialSpecFileLocation = "CredentialSpecs"
  15. )
  16. func (daemon *Daemon) getLibcontainerdCreateOptions(container *container.Container) ([]libcontainerd.CreateOption, error) {
  17. createOptions := []libcontainerd.CreateOption{}
  18. // Are we going to run as a Hyper-V container?
  19. hvOpts := &libcontainerd.HyperVIsolationOption{}
  20. if container.HostConfig.Isolation.IsDefault() {
  21. // Container is set to use the default, so take the default from the daemon configuration
  22. hvOpts.IsHyperV = daemon.defaultIsolation.IsHyperV()
  23. } else {
  24. // Container is requesting an isolation mode. Honour it.
  25. hvOpts.IsHyperV = container.HostConfig.Isolation.IsHyperV()
  26. }
  27. dnsSearch := daemon.getDNSSearchSettings(container)
  28. // Generate the layer folder of the layer options
  29. layerOpts := &libcontainerd.LayerOption{}
  30. m, err := container.RWLayer.Metadata()
  31. if err != nil {
  32. return nil, fmt.Errorf("failed to get layer metadata - %s", err)
  33. }
  34. layerOpts.LayerFolderPath = m["dir"]
  35. // Generate the layer paths of the layer options
  36. img, err := daemon.imageStore.Get(container.ImageID)
  37. if err != nil {
  38. return nil, fmt.Errorf("failed to graph.Get on ImageID %s - %s", container.ImageID, err)
  39. }
  40. // Get the layer path for each layer.
  41. max := len(img.RootFS.DiffIDs)
  42. for i := 1; i <= max; i++ {
  43. img.RootFS.DiffIDs = img.RootFS.DiffIDs[:i]
  44. layerPath, err := layer.GetLayerPath(daemon.layerStore, img.RootFS.ChainID())
  45. if err != nil {
  46. return nil, fmt.Errorf("failed to get layer path from graphdriver %s for ImageID %s - %s", daemon.layerStore, img.RootFS.ChainID(), err)
  47. }
  48. // Reverse order, expecting parent most first
  49. layerOpts.LayerPaths = append([]string{layerPath}, layerOpts.LayerPaths...)
  50. }
  51. // Get endpoints for the libnetwork allocated networks to the container
  52. var epList []string
  53. AllowUnqualifiedDNSQuery := false
  54. gwHNSID := ""
  55. if container.NetworkSettings != nil {
  56. for n := range container.NetworkSettings.Networks {
  57. sn, err := daemon.FindNetwork(n)
  58. if err != nil {
  59. continue
  60. }
  61. ep, err := container.GetEndpointInNetwork(sn)
  62. if err != nil {
  63. continue
  64. }
  65. data, err := ep.DriverInfo()
  66. if err != nil {
  67. continue
  68. }
  69. if data["GW_INFO"] != nil {
  70. gwInfo := data["GW_INFO"].(map[string]interface{})
  71. if gwInfo["hnsid"] != nil {
  72. gwHNSID = gwInfo["hnsid"].(string)
  73. }
  74. }
  75. if data["hnsid"] != nil {
  76. epList = append(epList, data["hnsid"].(string))
  77. }
  78. if data["AllowUnqualifiedDNSQuery"] != nil {
  79. AllowUnqualifiedDNSQuery = true
  80. }
  81. }
  82. }
  83. if gwHNSID != "" {
  84. epList = append(epList, gwHNSID)
  85. }
  86. // Read and add credentials from the security options if a credential spec has been provided.
  87. if container.HostConfig.SecurityOpt != nil {
  88. for _, sOpt := range container.HostConfig.SecurityOpt {
  89. sOpt = strings.ToLower(sOpt)
  90. if !strings.Contains(sOpt, "=") {
  91. return nil, fmt.Errorf("invalid security option: no equals sign in supplied value %s", sOpt)
  92. }
  93. var splitsOpt []string
  94. splitsOpt = strings.SplitN(sOpt, "=", 2)
  95. if len(splitsOpt) != 2 {
  96. return nil, fmt.Errorf("invalid security option: %s", sOpt)
  97. }
  98. if splitsOpt[0] != "credentialspec" {
  99. return nil, fmt.Errorf("security option not supported: %s", splitsOpt[0])
  100. }
  101. credentialsOpts := &libcontainerd.CredentialsOption{}
  102. var (
  103. match bool
  104. csValue string
  105. err error
  106. )
  107. if match, csValue = getCredentialSpec("file://", splitsOpt[1]); match {
  108. if csValue == "" {
  109. return nil, fmt.Errorf("no value supplied for file:// credential spec security option")
  110. }
  111. if credentialsOpts.Credentials, err = readCredentialSpecFile(container.ID, daemon.root, filepath.Clean(csValue)); err != nil {
  112. return nil, err
  113. }
  114. } else if match, csValue = getCredentialSpec("registry://", splitsOpt[1]); match {
  115. if csValue == "" {
  116. return nil, fmt.Errorf("no value supplied for registry:// credential spec security option")
  117. }
  118. if credentialsOpts.Credentials, err = readCredentialSpecRegistry(container.ID, csValue); err != nil {
  119. return nil, err
  120. }
  121. } else {
  122. return nil, fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
  123. }
  124. createOptions = append(createOptions, credentialsOpts)
  125. }
  126. }
  127. // Now add the remaining options.
  128. createOptions = append(createOptions, &libcontainerd.FlushOption{IgnoreFlushesDuringBoot: !container.HasBeenStartedBefore})
  129. createOptions = append(createOptions, hvOpts)
  130. createOptions = append(createOptions, layerOpts)
  131. var networkSharedContainerID string
  132. if container.HostConfig.NetworkMode.IsContainer() {
  133. networkSharedContainerID = container.NetworkSharedContainerID
  134. }
  135. createOptions = append(createOptions, &libcontainerd.NetworkEndpointsOption{
  136. Endpoints: epList,
  137. AllowUnqualifiedDNSQuery: AllowUnqualifiedDNSQuery,
  138. DNSSearchList: dnsSearch,
  139. NetworkSharedContainerID: networkSharedContainerID,
  140. })
  141. return createOptions, nil
  142. }
  143. // getCredentialSpec is a helper function to get the value of a credential spec supplied
  144. // on the CLI, stripping the prefix
  145. func getCredentialSpec(prefix, value string) (bool, string) {
  146. if strings.HasPrefix(value, prefix) {
  147. return true, strings.TrimPrefix(value, prefix)
  148. }
  149. return false, ""
  150. }
  151. // readCredentialSpecRegistry is a helper function to read a credential spec from
  152. // the registry. If not found, we return an empty string and warn in the log.
  153. // This allows for staging on machines which do not have the necessary components.
  154. func readCredentialSpecRegistry(id, name string) (string, error) {
  155. var (
  156. k registry.Key
  157. err error
  158. val string
  159. )
  160. if k, err = registry.OpenKey(registry.LOCAL_MACHINE, credentialSpecRegistryLocation, registry.QUERY_VALUE); err != nil {
  161. return "", fmt.Errorf("failed handling spec %q for container %s - %s could not be opened", name, id, credentialSpecRegistryLocation)
  162. }
  163. if val, _, err = k.GetStringValue(name); err != nil {
  164. if err == registry.ErrNotExist {
  165. return "", fmt.Errorf("credential spec %q for container %s as it was not found", name, id)
  166. }
  167. return "", fmt.Errorf("error %v reading credential spec %q from registry for container %s", err, name, id)
  168. }
  169. return val, nil
  170. }
  171. // readCredentialSpecFile is a helper function to read a credential spec from
  172. // a file. If not found, we return an empty string and warn in the log.
  173. // This allows for staging on machines which do not have the necessary components.
  174. func readCredentialSpecFile(id, root, location string) (string, error) {
  175. if filepath.IsAbs(location) {
  176. return "", fmt.Errorf("invalid credential spec - file:// path cannot be absolute")
  177. }
  178. base := filepath.Join(root, credentialSpecFileLocation)
  179. full := filepath.Join(base, location)
  180. if !strings.HasPrefix(full, base) {
  181. return "", fmt.Errorf("invalid credential spec - file:// path must be under %s", base)
  182. }
  183. bcontents, err := ioutil.ReadFile(full)
  184. if err != nil {
  185. return "", fmt.Errorf("credential spec '%s' for container %s as the file could not be read: %q", full, id, err)
  186. }
  187. return string(bcontents[:]), nil
  188. }