We use cookies to ensure you get the best experience on our website
Главная Обзор Помощь
Регистрация Вход
0ct0pu5
/
moby
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: 5f5285a6e2
Ветки Метки
moby
/
cmd
/
dockerd
/
daemon.go

daemon.go 23 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773 
  1. package main
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"crypto/tls"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net"
    8. 

  8. 	"os"
    9. 

  9. 	"path/filepath"
    10. 

  10. 	"runtime"
    11. 

  11. 	"strings"
    12. 

  12. 	"time"
    13. 

  13. 

  14. 	containerddefaults "github.com/containerd/containerd/defaults"
    15. 

  15. 	"github.com/docker/docker/api"
    16. 

  16. 	apiserver "github.com/docker/docker/api/server"
    17. 

  17. 	buildbackend "github.com/docker/docker/api/server/backend/build"
    18. 

  18. 	"github.com/docker/docker/api/server/middleware"
    19. 

  19. 	"github.com/docker/docker/api/server/router"
    20. 

  20. 	"github.com/docker/docker/api/server/router/build"
    21. 

  21. 	checkpointrouter "github.com/docker/docker/api/server/router/checkpoint"
    22. 

  22. 	"github.com/docker/docker/api/server/router/container"
    23. 

  23. 	distributionrouter "github.com/docker/docker/api/server/router/distribution"
    24. 

  24. 	grpcrouter "github.com/docker/docker/api/server/router/grpc"
    25. 

  25. 	"github.com/docker/docker/api/server/router/image"
    26. 

  26. 	"github.com/docker/docker/api/server/router/network"
    27. 

  27. 	pluginrouter "github.com/docker/docker/api/server/router/plugin"
    28. 

  28. 	sessionrouter "github.com/docker/docker/api/server/router/session"
    29. 

  29. 	swarmrouter "github.com/docker/docker/api/server/router/swarm"
    30. 

  30. 	systemrouter "github.com/docker/docker/api/server/router/system"
    31. 

  31. 	"github.com/docker/docker/api/server/router/volume"
    32. 

  32. 	buildkit "github.com/docker/docker/builder/builder-next"
    33. 

  33. 	"github.com/docker/docker/builder/dockerfile"
    34. 

  34. 	"github.com/docker/docker/cli/debug"
    35. 

  35. 	"github.com/docker/docker/daemon"
    36. 

  36. 	"github.com/docker/docker/daemon/cluster"
    37. 

  37. 	"github.com/docker/docker/daemon/config"
    38. 

  38. 	"github.com/docker/docker/daemon/listeners"
    39. 

  39. 	"github.com/docker/docker/dockerversion"
    40. 

  40. 	"github.com/docker/docker/libcontainerd/supervisor"
    41. 

  41. 	dopts "github.com/docker/docker/opts"
    42. 

  42. 	"github.com/docker/docker/pkg/authorization"
    43. 

  43. 	"github.com/docker/docker/pkg/homedir"
    44. 

  44. 	"github.com/docker/docker/pkg/jsonmessage"
    45. 

  45. 	"github.com/docker/docker/pkg/pidfile"
    46. 

  46. 	"github.com/docker/docker/pkg/plugingetter"
    47. 

  47. 	"github.com/docker/docker/pkg/signal"
    48. 

  48. 	"github.com/docker/docker/pkg/sysinfo"
    49. 

  49. 	"github.com/docker/docker/pkg/system"
    50. 

  50. 	"github.com/docker/docker/plugin"
    51. 

  51. 	"github.com/docker/docker/rootless"
    52. 

  52. 	"github.com/docker/docker/runconfig"
    53. 

  53. 	"github.com/docker/go-connections/tlsconfig"
    54. 

  54. 	swarmapi "github.com/docker/swarmkit/api"
    55. 

  55. 	"github.com/moby/buildkit/session"
    56. 

  56. 	"github.com/pkg/errors"
    57. 

  57. 	"github.com/sirupsen/logrus"
    58. 

  58. 	"github.com/spf13/pflag"
    59. 

  59. )
    60. 

  60. 

  61. // DaemonCli represents the daemon CLI.
    62. 

  62. type DaemonCli struct {
    63. 

  63. 	*config.Config
    64. 

  64. 	configFile *string
    65. 

  65. 	flags      *pflag.FlagSet
    66. 

  66. 

  67. 	api             *apiserver.Server
    68. 

  68. 	d               *daemon.Daemon
    69. 

  69. 	authzMiddleware *authorization.Middleware // authzMiddleware enables to dynamically reload the authorization plugins
    70. 

  70. }
    71. 

  71. 

  72. // NewDaemonCli returns a daemon CLI
    73. 

  73. func NewDaemonCli() *DaemonCli {
    74. 

  74. 	return &DaemonCli{}
    75. 

  75. }
    76. 

  76. 

  77. func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
    78. 

  78. 	stopc := make(chan bool)
    79. 

  79. 	defer close(stopc)
    80. 

  80. 

  81. 	opts.SetDefaultOptions(opts.flags)
    82. 

  82. 

  83. 	if cli.Config, err = loadDaemonCliConfig(opts); err != nil {
    84. 

  84. 		return err
    85. 

  85. 	}
    86. 

  86. 	warnOnDeprecatedConfigOptions(cli.Config)
    87. 

  87. 

  88. 	if err := configureDaemonLogs(cli.Config); err != nil {
    89. 

  89. 		return err
    90. 

  90. 	}
    91. 

  91. 

  92. 	logrus.Info("Starting up")
    93. 

  93. 

  94. 	cli.configFile = &opts.configFile
    95. 

  95. 	cli.flags = opts.flags
    96. 

  96. 

  97. 	if cli.Config.Debug {
    98. 

  98. 		debug.Enable()
    99. 

  99. 	}
    100. 

  100. 

  101. 	if cli.Config.Experimental {
    102. 

  102. 		logrus.Warn("Running experimental build")
    103. 

  103. 	}
    104. 

  104. 

  105. 	if cli.Config.IsRootless() {
    106. 

  106. 		logrus.Warn("Running in rootless mode. This mode has feature limitations.")
    107. 

  107. 	}
    108. 

  108. 	if rootless.RunningWithRootlessKit() {
    109. 

  109. 		logrus.Info("Running with RootlessKit integration")
    110. 

  110. 		if !cli.Config.IsRootless() {
    111. 

  111. 			return fmt.Errorf("rootless mode needs to be enabled for running with RootlessKit")
    112. 

  112. 		}
    113. 

  113. 	}
    114. 

  114. 

  115. 	// return human-friendly error before creating files
    116. 

  116. 	if runtime.GOOS == "linux" && os.Geteuid() != 0 {
    117. 

  117. 		return fmt.Errorf("dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation")
    118. 

  118. 	}
    119. 

  119. 

  120. 	system.InitLCOW(cli.Config.Experimental)
    121. 

  121. 

  122. 	if err := setDefaultUmask(); err != nil {
    123. 

  123. 		return err
    124. 

  124. 	}
    125. 

  125. 

  126. 	// Create the daemon root before we create ANY other files (PID, or migrate keys)
    127. 

  127. 	// to ensure the appropriate ACL is set (particularly relevant on Windows)
    128. 

  128. 	if err := daemon.CreateDaemonRoot(cli.Config); err != nil {
    129. 

  129. 		return err
    130. 

  130. 	}
    131. 

  131. 

  132. 	if err := system.MkdirAll(cli.Config.ExecRoot, 0700); err != nil {
    133. 

  133. 		return err
    134. 

  134. 	}
    135. 

  135. 

  136. 	potentiallyUnderRuntimeDir := []string{cli.Config.ExecRoot}
    137. 

  137. 

  138. 	if cli.Pidfile != "" {
    139. 

  139. 		pf, err := pidfile.New(cli.Pidfile)
    140. 

  140. 		if err != nil {
    141. 

  141. 			return errors.Wrap(err, "failed to start daemon")
    142. 

  142. 		}
    143. 

  143. 		potentiallyUnderRuntimeDir = append(potentiallyUnderRuntimeDir, cli.Pidfile)
    144. 

  144. 		defer func() {
    145. 

  145. 			if err := pf.Remove(); err != nil {
    146. 

  146. 				logrus.Error(err)
    147. 

  147. 			}
    148. 

  148. 		}()
    149. 

  149. 	}
    150. 

  150. 

  151. 	if cli.Config.IsRootless() {
    152. 

  152. 		// Set sticky bit if XDG_RUNTIME_DIR is set && the file is actually under XDG_RUNTIME_DIR
    153. 

  153. 		if _, err := homedir.StickRuntimeDirContents(potentiallyUnderRuntimeDir); err != nil {
    154. 

  154. 			// StickRuntimeDirContents returns nil error if XDG_RUNTIME_DIR is just unset
    155. 

  155. 			logrus.WithError(err).Warn("cannot set sticky bit on files under XDG_RUNTIME_DIR")
    156. 

  156. 		}
    157. 

  157. 	}
    158. 

  158. 

  159. 	serverConfig, err := newAPIServerConfig(cli)
    160. 

  160. 	if err != nil {
    161. 

  161. 		return errors.Wrap(err, "failed to create API server")
    162. 

  162. 	}
    163. 

  163. 	cli.api = apiserver.New(serverConfig)
    164. 

  164. 

  165. 	hosts, err := loadListeners(cli, serverConfig)
    166. 

  166. 	if err != nil {
    167. 

  167. 		return errors.Wrap(err, "failed to load listeners")
    168. 

  168. 	}
    169. 

  169. 

  170. 	ctx, cancel := context.WithCancel(context.Background())
    171. 

  171. 	waitForContainerDShutdown, err := cli.initContainerD(ctx)
    172. 

  172. 	if waitForContainerDShutdown != nil {
    173. 

  173. 		defer waitForContainerDShutdown(10 * time.Second)
    174. 

  174. 	}
    175. 

  175. 	if err != nil {
    176. 

  176. 		cancel()
    177. 

  177. 		return err
    178. 

  178. 	}
    179. 

  179. 	defer cancel()
    180. 

  180. 

  181. 	signal.Trap(func() {
    182. 

  182. 		cli.stop()
    183. 

  183. 		<-stopc // wait for daemonCli.start() to return
    184. 

  184. 	}, logrus.StandardLogger())
    185. 

  185. 

  186. 	// Notify that the API is active, but before daemon is set up.
    187. 

  187. 	preNotifySystem()
    188. 

  188. 

  189. 	pluginStore := plugin.NewStore()
    190. 

  190. 

  191. 	if err := cli.initMiddlewares(cli.api, serverConfig, pluginStore); err != nil {
    192. 

  192. 		logrus.Fatalf("Error creating middlewares: %v", err)
    193. 

  193. 	}
    194. 

  194. 

  195. 	d, err := daemon.NewDaemon(ctx, cli.Config, pluginStore)
    196. 

  196. 	if err != nil {
    197. 

  197. 		return errors.Wrap(err, "failed to start daemon")
    198. 

  198. 	}
    199. 

  199. 

  200. 	d.StoreHosts(hosts)
    201. 

  201. 

  202. 	// validate after NewDaemon has restored enabled plugins. Don't change order.
    203. 

  203. 	if err := validateAuthzPlugins(cli.Config.AuthorizationPlugins, pluginStore); err != nil {
    204. 

  204. 		return errors.Wrap(err, "failed to validate authorization plugin")
    205. 

  205. 	}
    206. 

  206. 

  207. 	cli.d = d
    208. 

  208. 

  209. 	if err := startMetricsServer(cli.Config.MetricsAddress); err != nil {
    210. 

  210. 		return errors.Wrap(err, "failed to start metrics server")
    211. 

  211. 	}
    212. 

  212. 

  213. 	c, err := createAndStartCluster(cli, d)
    214. 

  214. 	if err != nil {
    215. 

  215. 		logrus.Fatalf("Error starting cluster component: %v", err)
    216. 

  216. 	}
    217. 

  217. 

  218. 	// Restart all autostart containers which has a swarm endpoint
    219. 

  219. 	// and is not yet running now that we have successfully
    220. 

  220. 	// initialized the cluster.
    221. 

  221. 	d.RestartSwarmContainers()
    222. 

  222. 

  223. 	logrus.Info("Daemon has completed initialization")
    224. 

  224. 

  225. 	routerOptions, err := newRouterOptions(cli.Config, d)
    226. 

  226. 	if err != nil {
    227. 

  227. 		return err
    228. 

  228. 	}
    229. 

  229. 	routerOptions.api = cli.api
    230. 

  230. 	routerOptions.cluster = c
    231. 

  231. 

  232. 	initRouter(routerOptions)
    233. 

  233. 

  234. 	go d.ProcessClusterNotifications(ctx, c.GetWatchStream())
    235. 

  235. 

  236. 	cli.setupConfigReloadTrap()
    237. 

  237. 

  238. 	// The serve API routine never exits unless an error occurs
    239. 

  239. 	// We need to start it as a goroutine and wait on it so
    240. 

  240. 	// daemon doesn't exit
    241. 

  241. 	serveAPIWait := make(chan error)
    242. 

  242. 	go cli.api.Wait(serveAPIWait)
    243. 

  243. 

  244. 	// after the daemon is done setting up we can notify systemd api
    245. 

  245. 	notifySystem()
    246. 

  246. 

  247. 	// Daemon is fully initialized and handling API traffic
    248. 

  248. 	// Wait for serve API to complete
    249. 

  249. 	errAPI := <-serveAPIWait
    250. 

  250. 	c.Cleanup()
    251. 

  251. 

  252. 	shutdownDaemon(d)
    253. 

  253. 

  254. 	// Stop notification processing and any background processes
    255. 

  255. 	cancel()
    256. 

  256. 

  257. 	if errAPI != nil {
    258. 

  258. 		return errors.Wrap(errAPI, "shutting down due to ServeAPI error")
    259. 

  259. 	}
    260. 

  260. 

  261. 	logrus.Info("Daemon shutdown complete")
    262. 

  262. 	return nil
    263. 

  263. }
    264. 

  264. 

  265. type routerOptions struct {
    266. 

  266. 	sessionManager *session.Manager
    267. 

  267. 	buildBackend   *buildbackend.Backend
    268. 

  268. 	features       *map[string]bool
    269. 

  269. 	buildkit       *buildkit.Builder
    270. 

  270. 	daemon         *daemon.Daemon
    271. 

  271. 	api            *apiserver.Server
    272. 

  272. 	cluster        *cluster.Cluster
    273. 

  273. }
    274. 

  274. 

  275. func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, error) {
    276. 

  276. 	opts := routerOptions{}
    277. 

  277. 	sm, err := session.NewManager()
    278. 

  278. 	if err != nil {
    279. 

  279. 		return opts, errors.Wrap(err, "failed to create sessionmanager")
    280. 

  280. 	}
    281. 

  281. 

  282. 	manager, err := dockerfile.NewBuildManager(d.BuilderBackend(), d.IdentityMapping())
    283. 

  283. 	if err != nil {
    284. 

  284. 		return opts, err
    285. 

  285. 	}
    286. 

  286. 	cgroupParent := newCgroupParent(config)
    287. 

  287. 	bk, err := buildkit.New(buildkit.Opt{
    288. 

  288. 		SessionManager:      sm,
    289. 

  289. 		Root:                filepath.Join(config.Root, "buildkit"),
    290. 

  290. 		Dist:                d.DistributionServices(),
    291. 

  291. 		NetworkController:   d.NetworkController(),
    292. 

  292. 		DefaultCgroupParent: cgroupParent,
    293. 

  293. 		RegistryHosts:       d.RegistryHosts(),
    294. 

  294. 		BuilderConfig:       config.Builder,
    295. 

  295. 		Rootless:            d.Rootless(),
    296. 

  296. 		IdentityMapping:     d.IdentityMapping(),
    297. 

  297. 		DNSConfig:           config.DNSConfig,
    298. 

  298. 	})
    299. 

  299. 	if err != nil {
    300. 

  300. 		return opts, err
    301. 

  301. 	}
    302. 

  302. 

  303. 	bb, err := buildbackend.NewBackend(d.ImageService(), manager, bk, d.EventsService)
    304. 

  304. 	if err != nil {
    305. 

  305. 		return opts, errors.Wrap(err, "failed to create buildmanager")
    306. 

  306. 	}
    307. 

  307. 	return routerOptions{
    308. 

  308. 		sessionManager: sm,
    309. 

  309. 		buildBackend:   bb,
    310. 

  310. 		buildkit:       bk,
    311. 

  311. 		features:       d.Features(),
    312. 

  312. 		daemon:         d,
    313. 

  313. 	}, nil
    314. 

  314. }
    315. 

  315. 

  316. func (cli *DaemonCli) reloadConfig() {
    317. 

  317. 	reload := func(c *config.Config) {
    318. 

  318. 

  319. 		// Revalidate and reload the authorization plugins
    320. 

  320. 		if err := validateAuthzPlugins(c.AuthorizationPlugins, cli.d.PluginStore); err != nil {
    321. 

  321. 			logrus.Fatalf("Error validating authorization plugin: %v", err)
    322. 

  322. 			return
    323. 

  323. 		}
    324. 

  324. 		cli.authzMiddleware.SetPlugins(c.AuthorizationPlugins)
    325. 

  325. 

  326. 		if err := cli.d.Reload(c); err != nil {
    327. 

  327. 			logrus.Errorf("Error reconfiguring the daemon: %v", err)
    328. 

  328. 			return
    329. 

  329. 		}
    330. 

  330. 

  331. 		if c.IsValueSet("debug") {
    332. 

  332. 			debugEnabled := debug.IsEnabled()
    333. 

  333. 			switch {
    334. 

  334. 			case debugEnabled && !c.Debug: // disable debug
    335. 

  335. 				debug.Disable()
    336. 

  336. 			case c.Debug && !debugEnabled: // enable debug
    337. 

  337. 				debug.Enable()
    338. 

  338. 			}
    339. 

  339. 		}
    340. 

  340. 	}
    341. 

  341. 

  342. 	if err := config.Reload(*cli.configFile, cli.flags, reload); err != nil {
    343. 

  343. 		logrus.Error(err)
    344. 

  344. 	}
    345. 

  345. }
    346. 

  346. 

  347. func (cli *DaemonCli) stop() {
    348. 

  348. 	cli.api.Close()
    349. 

  349. }
    350. 

  350. 

  351. // shutdownDaemon just wraps daemon.Shutdown() to handle a timeout in case
    352. 

  352. // d.Shutdown() is waiting too long to kill container or worst it's
    353. 

  353. // blocked there
    354. 

  354. func shutdownDaemon(d *daemon.Daemon) {
    355. 

  355. 	shutdownTimeout := d.ShutdownTimeout()
    356. 

  356. 	ch := make(chan struct{})
    357. 

  357. 	go func() {
    358. 

  358. 		d.Shutdown()
    359. 

  359. 		close(ch)
    360. 

  360. 	}()
    361. 

  361. 	if shutdownTimeout < 0 {
    362. 

  362. 		<-ch
    363. 

  363. 		logrus.Debug("Clean shutdown succeeded")
    364. 

  364. 		return
    365. 

  365. 	}
    366. 

  366. 

  367. 	timeout := time.NewTimer(time.Duration(shutdownTimeout) * time.Second)
    368. 

  368. 	defer timeout.Stop()
    369. 

  369. 

  370. 	select {
    371. 

  371. 	case <-ch:
    372. 

  372. 		logrus.Debug("Clean shutdown succeeded")
    373. 

  373. 	case <-timeout.C:
    374. 

  374. 		logrus.Error("Force shutdown daemon")
    375. 

  375. 	}
    376. 

  376. }
    377. 

  377. 

  378. func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
    379. 

  379. 	conf := opts.daemonConfig
    380. 

  380. 	flags := opts.flags
    381. 

  381. 	conf.Debug = opts.Debug
    382. 

  382. 	conf.Hosts = opts.Hosts
    383. 

  383. 	conf.LogLevel = opts.LogLevel
    384. 

  384. 

  385. 	if opts.flags.Changed(FlagTLS) {
    386. 

  386. 		conf.TLS = &opts.TLS
    387. 

  387. 	}
    388. 

  388. 	if opts.flags.Changed(FlagTLSVerify) {
    389. 

  389. 		conf.TLSVerify = &opts.TLSVerify
    390. 

  390. 		v := true
    391. 

  391. 		conf.TLS = &v
    392. 

  392. 	}
    393. 

  393. 

  394. 	conf.CommonTLSOptions = config.CommonTLSOptions{}
    395. 

  395. 

  396. 	if opts.TLSOptions != nil {
    397. 

  397. 		conf.CommonTLSOptions.CAFile = opts.TLSOptions.CAFile
    398. 

  398. 		conf.CommonTLSOptions.CertFile = opts.TLSOptions.CertFile
    399. 

  399. 		conf.CommonTLSOptions.KeyFile = opts.TLSOptions.KeyFile
    400. 

  400. 	}
    401. 

  401. 

  402. 	if conf.TrustKeyPath == "" {
    403. 

  403. 		daemonConfDir, err := getDaemonConfDir(conf.Root)
    404. 

  404. 		if err != nil {
    405. 

  405. 			return nil, err
    406. 

  406. 		}
    407. 

  407. 		conf.TrustKeyPath = filepath.Join(daemonConfDir, defaultTrustKeyFile)
    408. 

  408. 	}
    409. 

  409. 

  410. 	if flags.Changed("graph") && flags.Changed("data-root") {
    411. 

  411. 		return nil, errors.New(`cannot specify both "--graph" and "--data-root" option`)
    412. 

  412. 	}
    413. 

  413. 

  414. 	if opts.configFile != "" {
    415. 

  415. 		c, err := config.MergeDaemonConfigurations(conf, flags, opts.configFile)
    416. 

  416. 		if err != nil {
    417. 

  417. 			if flags.Changed("config-file") || !os.IsNotExist(err) {
    418. 

  418. 				return nil, errors.Wrapf(err, "unable to configure the Docker daemon with file %s", opts.configFile)
    419. 

  419. 			}
    420. 

  420. 		}
    421. 

  421. 

  422. 		// the merged configuration can be nil if the config file didn't exist.
    423. 

  423. 		// leave the current configuration as it is if when that happens.
    424. 

  424. 		if c != nil {
    425. 

  425. 			conf = c
    426. 

  426. 		}
    427. 

  427. 	}
    428. 

  428. 

  429. 	if err := config.Validate(conf); err != nil {
    430. 

  430. 		return nil, err
    431. 

  431. 	}
    432. 

  432. 

  433. 	if flags.Changed("graph") {
    434. 

  434. 		logrus.Warnf(`The "-g / --graph" flag is deprecated. Please use "--data-root" instead`)
    435. 

  435. 	}
    436. 

  436. 

  437. 	// Check if duplicate label-keys with different values are found
    438. 

  438. 	newLabels, err := config.GetConflictFreeLabels(conf.Labels)
    439. 

  439. 	if err != nil {
    440. 

  440. 		return nil, err
    441. 

  441. 	}
    442. 

  442. 	conf.Labels = newLabels
    443. 

  443. 

  444. 	// Regardless of whether the user sets it to true or false, if they
    445. 

  445. 	// specify TLSVerify at all then we need to turn on TLS
    446. 

  446. 	if conf.IsValueSet(FlagTLSVerify) {
    447. 

  447. 		v := true
    448. 

  448. 		conf.TLS = &v
    449. 

  449. 	}
    450. 

  450. 

  451. 	if conf.TLSVerify == nil && conf.TLS != nil {
    452. 

  452. 		conf.TLSVerify = conf.TLS
    453. 

  453. 	}
    454. 

  454. 

  455. 	return conf, nil
    456. 

  456. }
    457. 

  457. 

  458. func warnOnDeprecatedConfigOptions(config *config.Config) {
    459. 

  459. 	if config.ClusterAdvertise != "" {
    460. 

  460. 		logrus.Warn(`The "cluster-advertise" option is deprecated. To be removed soon.`)
    461. 

  461. 	}
    462. 

  462. 	if config.ClusterStore != "" {
    463. 

  463. 		logrus.Warn(`The "cluster-store" option is deprecated. To be removed soon.`)
    464. 

  464. 	}
    465. 

  465. 	if len(config.ClusterOpts) > 0 {
    466. 

  466. 		logrus.Warn(`The "cluster-store-opt" option is deprecated. To be removed soon.`)
    467. 

  467. 	}
    468. 

  468. }
    469. 

  469. 

  470. func initRouter(opts routerOptions) {
    471. 

  471. 	decoder := runconfig.ContainerDecoder{
    472. 

  472. 		GetSysInfo: func() *sysinfo.SysInfo {
    473. 

  473. 			return opts.daemon.RawSysInfo(true)
    474. 

  474. 		},
    475. 

  475. 	}
    476. 

  476. 

  477. 	routers := []router.Router{
    478. 

  478. 		// we need to add the checkpoint router before the container router or the DELETE gets masked
    479. 

  479. 		checkpointrouter.NewRouter(opts.daemon, decoder),
    480. 

  480. 		container.NewRouter(opts.daemon, decoder),
    481. 

  481. 		image.NewRouter(opts.daemon.ImageService()),
    482. 

  482. 		systemrouter.NewRouter(opts.daemon, opts.cluster, opts.buildkit, opts.features),
    483. 

  483. 		volume.NewRouter(opts.daemon.VolumesService()),
    484. 

  484. 		build.NewRouter(opts.buildBackend, opts.daemon, opts.features),
    485. 

  485. 		sessionrouter.NewRouter(opts.sessionManager),
    486. 

  486. 		swarmrouter.NewRouter(opts.cluster),
    487. 

  487. 		pluginrouter.NewRouter(opts.daemon.PluginManager()),
    488. 

  488. 		distributionrouter.NewRouter(opts.daemon.ImageService()),
    489. 

  489. 	}
    490. 

  490. 

  491. 	grpcBackends := []grpcrouter.Backend{}
    492. 

  492. 	for _, b := range []interface{}{opts.daemon, opts.buildBackend} {
    493. 

  493. 		if b, ok := b.(grpcrouter.Backend); ok {
    494. 

  494. 			grpcBackends = append(grpcBackends, b)
    495. 

  495. 		}
    496. 

  496. 	}
    497. 

  497. 	if len(grpcBackends) > 0 {
    498. 

  498. 		routers = append(routers, grpcrouter.NewRouter(grpcBackends...))
    499. 

  499. 	}
    500. 

  500. 

  501. 	if opts.daemon.NetworkControllerEnabled() {
    502. 

  502. 		routers = append(routers, network.NewRouter(opts.daemon, opts.cluster))
    503. 

  503. 	}
    504. 

  504. 

  505. 	if opts.daemon.HasExperimental() {
    506. 

  506. 		for _, r := range routers {
    507. 

  507. 			for _, route := range r.Routes() {
    508. 

  508. 				if experimental, ok := route.(router.ExperimentalRoute); ok {
    509. 

  509. 					experimental.Enable()
    510. 

  510. 				}
    511. 

  511. 			}
    512. 

  512. 		}
    513. 

  513. 	}
    514. 

  514. 

  515. 	opts.api.InitRouter(routers...)
    516. 

  516. }
    517. 

  517. 

  518. // TODO: remove this from cli and return the authzMiddleware
    519. 

  519. func (cli *DaemonCli) initMiddlewares(s *apiserver.Server, cfg *apiserver.Config, pluginStore plugingetter.PluginGetter) error {
    520. 

  520. 	v := cfg.Version
    521. 

  521. 

  522. 	exp := middleware.NewExperimentalMiddleware(cli.Config.Experimental)
    523. 

  523. 	s.UseMiddleware(exp)
    524. 

  524. 

  525. 	vm := middleware.NewVersionMiddleware(v, api.DefaultVersion, api.MinVersion)
    526. 

  526. 	s.UseMiddleware(vm)
    527. 

  527. 

  528. 	if cfg.CorsHeaders != "" {
    529. 

  529. 		c := middleware.NewCORSMiddleware(cfg.CorsHeaders)
    530. 

  530. 		s.UseMiddleware(c)
    531. 

  531. 	}
    532. 

  532. 

  533. 	cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins, pluginStore)
    534. 

  534. 	cli.Config.AuthzMiddleware = cli.authzMiddleware
    535. 

  535. 	s.UseMiddleware(cli.authzMiddleware)
    536. 

  536. 	return nil
    537. 

  537. }
    538. 

  538. 

  539. func (cli *DaemonCli) getContainerdDaemonOpts() ([]supervisor.DaemonOpt, error) {
    540. 

  540. 	opts, err := cli.getPlatformContainerdDaemonOpts()
    541. 

  541. 	if err != nil {
    542. 

  542. 		return nil, err
    543. 

  543. 	}
    544. 

  544. 

  545. 	if cli.Config.Debug {
    546. 

  546. 		opts = append(opts, supervisor.WithLogLevel("debug"))
    547. 

  547. 	} else if cli.Config.LogLevel != "" {
    548. 

  548. 		opts = append(opts, supervisor.WithLogLevel(cli.Config.LogLevel))
    549. 

  549. 	}
    550. 

  550. 

  551. 	if !cli.Config.CriContainerd {
    552. 

  552. 		opts = append(opts, supervisor.WithPlugin("cri", nil))
    553. 

  553. 	}
    554. 

  554. 

  555. 	return opts, nil
    556. 

  556. }
    557. 

  557. 

  558. func newAPIServerConfig(cli *DaemonCli) (*apiserver.Config, error) {
    559. 

  559. 	serverConfig := &apiserver.Config{
    560. 

  560. 		Logging:     true,
    561. 

  561. 		SocketGroup: cli.Config.SocketGroup,
    562. 

  562. 		Version:     dockerversion.Version,
    563. 

  563. 		CorsHeaders: cli.Config.CorsHeaders,
    564. 

  564. 	}
    565. 

  565. 

  566. 	if cli.Config.TLS != nil && *cli.Config.TLS {
    567. 

  567. 		tlsOptions := tlsconfig.Options{
    568. 

  568. 			CAFile:             cli.Config.CommonTLSOptions.CAFile,
    569. 

  569. 			CertFile:           cli.Config.CommonTLSOptions.CertFile,
    570. 

  570. 			KeyFile:            cli.Config.CommonTLSOptions.KeyFile,
    571. 

  571. 			ExclusiveRootPools: true,
    572. 

  572. 		}
    573. 

  573. 

  574. 		if cli.Config.TLSVerify == nil || *cli.Config.TLSVerify {
    575. 

  575. 			// server requires and verifies client's certificate
    576. 

  576. 			tlsOptions.ClientAuth = tls.RequireAndVerifyClientCert
    577. 

  577. 		}
    578. 

  578. 		tlsConfig, err := tlsconfig.Server(tlsOptions)
    579. 

  579. 		if err != nil {
    580. 

  580. 			return nil, err
    581. 

  581. 		}
    582. 

  582. 		serverConfig.TLSConfig = tlsConfig
    583. 

  583. 	}
    584. 

  584. 

  585. 	if len(cli.Config.Hosts) == 0 {
    586. 

  586. 		cli.Config.Hosts = make([]string, 1)
    587. 

  587. 	}
    588. 

  588. 

  589. 	return serverConfig, nil
    590. 

  590. }
    591. 

  591. 

  592. // checkTLSAuthOK checks basically for an explicitly disabled TLS/TLSVerify
    593. 

  593. // Going forward we do not want to support a scenario where dockerd listens
    594. 

  594. //   on TCP without either TLS client auth (or an explicit opt-in to disable it)
    595. 

  595. func checkTLSAuthOK(c *config.Config) bool {
    596. 

  596. 	if c.TLS == nil {
    597. 

  597. 		// Either TLS is enabled by default, in which case TLS verification should be enabled by default, or explicitly disabled
    598. 

  598. 		// Or TLS is disabled by default... in any of these cases, we can just take the default value as to how to proceed
    599. 

  599. 		return DefaultTLSValue
    600. 

  600. 	}
    601. 

  601. 

  602. 	if !*c.TLS {
    603. 

  603. 		// TLS is explicitly disabled, which is supported
    604. 

  604. 		return true
    605. 

  605. 	}
    606. 

  606. 

  607. 	if c.TLSVerify == nil {
    608. 

  608. 		// this actually shouldn't happen since we set TLSVerify on the config object anyway
    609. 

  609. 		// But in case it does get here, be cautious and assume this is not supported.
    610. 

  610. 		return false
    611. 

  611. 	}
    612. 

  612. 

  613. 	// Either TLSVerify is explicitly enabled or disabled, both cases are supported
    614. 

  614. 	return true
    615. 

  615. }
    616. 

  616. 

  617. func loadListeners(cli *DaemonCli, serverConfig *apiserver.Config) ([]string, error) {
    618. 

  618. 	var hosts []string
    619. 

  619. 	seen := make(map[string]struct{}, len(cli.Config.Hosts))
    620. 

  620. 

  621. 	useTLS := DefaultTLSValue
    622. 

  622. 	if cli.Config.TLS != nil {
    623. 

  623. 		useTLS = *cli.Config.TLS
    624. 

  624. 	}
    625. 

  625. 

  626. 	for i := 0; i < len(cli.Config.Hosts); i++ {
    627. 

  627. 		var err error
    628. 

  628. 		if cli.Config.Hosts[i], err = dopts.ParseHost(useTLS, honorXDG, cli.Config.Hosts[i]); err != nil {
    629. 

  629. 			return nil, errors.Wrapf(err, "error parsing -H %s", cli.Config.Hosts[i])
    630. 

  630. 		}
    631. 

  631. 		if _, ok := seen[cli.Config.Hosts[i]]; ok {
    632. 

  632. 			continue
    633. 

  633. 		}
    634. 

  634. 		seen[cli.Config.Hosts[i]] = struct{}{}
    635. 

  635. 

  636. 		protoAddr := cli.Config.Hosts[i]
    637. 

  637. 		protoAddrParts := strings.SplitN(protoAddr, "://", 2)
    638. 

  638. 		if len(protoAddrParts) != 2 {
    639. 

  639. 			return nil, fmt.Errorf("bad format %s, expected PROTO://ADDR", protoAddr)
    640. 

  640. 		}
    641. 

  641. 

  642. 		proto := protoAddrParts[0]
    643. 

  643. 		addr := protoAddrParts[1]
    644. 

  644. 

  645. 		// It's a bad idea to bind to TCP without tlsverify.
    646. 

  646. 		authEnabled := serverConfig.TLSConfig != nil && serverConfig.TLSConfig.ClientAuth == tls.RequireAndVerifyClientCert
    647. 

  647. 		if proto == "tcp" && !authEnabled {
    648. 

  648. 			logrus.WithField("host", protoAddr).Warn("Binding to IP address without --tlsverify is insecure and gives root access on this machine to everyone who has access to your network.")
    649. 

  649. 			logrus.WithField("host", protoAddr).Warn("Binding to an IP address, even on localhost, can also give access to scripts run in a browser. Be safe out there!")
    650. 

  650. 			time.Sleep(time.Second)
    651. 

  651. 

  652. 			// If TLSVerify is explicitly set to false we'll take that as "Please let me shoot myself in the foot"
    653. 

  653. 			// We do not want to continue to support a default mode where tls verification is disabled, so we do some extra warnings here and eventually remove support
    654. 

  654. 			if !checkTLSAuthOK(cli.Config) {
    655. 

  655. 				ipAddr, _, err := net.SplitHostPort(addr)
    656. 

  656. 				if err != nil {
    657. 

  657. 					return nil, errors.Wrap(err, "error parsing tcp address")
    658. 

  658. 				}
    659. 

  659. 

  660. 				// shortcut all this extra stuff for literal "localhost"
    661. 

  661. 				// -H supports specifying hostnames, since we want to bypass this on loopback interfaces we'll look it up here.
    662. 

  662. 				if ipAddr != "localhost" {
    663. 

  663. 					ip := net.ParseIP(ipAddr)
    664. 

  664. 					if ip == nil {
    665. 

  665. 						ipA, err := net.ResolveIPAddr("ip", ipAddr)
    666. 

  666. 						if err != nil {
    667. 

  667. 							logrus.WithError(err).WithField("host", ipAddr).Error("Error looking up specified host address")
    668. 

  668. 						}
    669. 

  669. 						if ipA != nil {
    670. 

  670. 							ip = ipA.IP
    671. 

  671. 						}
    672. 

  672. 					}
    673. 

  673. 					if ip == nil || !ip.IsLoopback() {
    674. 

  674. 						logrus.WithField("host", protoAddr).Warn("Binding to an IP address without --tlsverify is deprecated. Startup is intentionally being slowed down to show this message")
    675. 

  675. 						logrus.WithField("host", protoAddr).Warn("Please consider generating tls certificates with client validation to prevent exposing unauthenticated root access to your network")
    676. 

  676. 						logrus.WithField("host", protoAddr).Warnf("You can override this by explicitly specifying '--%s=false' or '--%s=false'", FlagTLS, FlagTLSVerify)
    677. 

  677. 						logrus.WithField("host", protoAddr).Warnf("Support for listening on TCP without authentication or explicit intent to run without authentication will be removed in the next release")
    678. 

  678. 

  679. 						time.Sleep(15 * time.Second)
    680. 

  680. 					}
    681. 

  681. 				}
    682. 

  682. 			}
    683. 

  683. 		}
    684. 

  684. 		ls, err := listeners.Init(proto, addr, serverConfig.SocketGroup, serverConfig.TLSConfig)
    685. 

  685. 		if err != nil {
    686. 

  686. 			return nil, err
    687. 

  687. 		}
    688. 

  688. 		// If we're binding to a TCP port, make sure that a container doesn't try to use it.
    689. 

  689. 		if proto == "tcp" {
    690. 

  690. 			if err := allocateDaemonPort(addr); err != nil {
    691. 

  691. 				return nil, err
    692. 

  692. 			}
    693. 

  693. 		}
    694. 

  694. 		logrus.Debugf("Listener created for HTTP on %s (%s)", proto, addr)
    695. 

  695. 		hosts = append(hosts, protoAddrParts[1])
    696. 

  696. 		cli.api.Accept(addr, ls...)
    697. 

  697. 	}
    698. 

  698. 

  699. 	return hosts, nil
    700. 

  700. }
    701. 

  701. 

  702. func createAndStartCluster(cli *DaemonCli, d *daemon.Daemon) (*cluster.Cluster, error) {
    703. 

  703. 	name, _ := os.Hostname()
    704. 

  704. 

  705. 	// Use a buffered channel to pass changes from store watch API to daemon
    706. 

  706. 	// A buffer allows store watch API and daemon processing to not wait for each other
    707. 

  707. 	watchStream := make(chan *swarmapi.WatchMessage, 32)
    708. 

  708. 

  709. 	c, err := cluster.New(cluster.Config{
    710. 

  710. 		Root:                   cli.Config.Root,
    711. 

  711. 		Name:                   name,
    712. 

  712. 		Backend:                d,
    713. 

  713. 		VolumeBackend:          d.VolumesService(),
    714. 

  714. 		ImageBackend:           d.ImageService(),
    715. 

  715. 		PluginBackend:          d.PluginManager(),
    716. 

  716. 		NetworkSubnetsProvider: d,
    717. 

  717. 		DefaultAdvertiseAddr:   cli.Config.SwarmDefaultAdvertiseAddr,
    718. 

  718. 		RaftHeartbeatTick:      cli.Config.SwarmRaftHeartbeatTick,
    719. 

  719. 		RaftElectionTick:       cli.Config.SwarmRaftElectionTick,
    720. 

  720. 		RuntimeRoot:            cli.getSwarmRunRoot(),
    721. 

  721. 		WatchStream:            watchStream,
    722. 

  722. 	})
    723. 

  723. 	if err != nil {
    724. 

  724. 		return nil, err
    725. 

  725. 	}
    726. 

  726. 	d.SetCluster(c)
    727. 

  727. 	err = c.Start()
    728. 

  728. 

  729. 	return c, err
    730. 

  730. }
    731. 

  731. 

  732. // validates that the plugins requested with the --authorization-plugin flag are valid AuthzDriver
    733. 

  733. // plugins present on the host and available to the daemon
    734. 

  734. func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGetter) error {
    735. 

  735. 	for _, reqPlugin := range requestedPlugins {
    736. 

  736. 		if _, err := pg.Get(reqPlugin, authorization.AuthZApiImplements, plugingetter.Lookup); err != nil {
    737. 

  737. 			return err
    738. 

  738. 		}
    739. 

  739. 	}
    740. 

  740. 	return nil
    741. 

  741. }
    742. 

  742. 

  743. func systemContainerdRunning(honorXDG bool) (string, bool, error) {
    744. 

  744. 	addr := containerddefaults.DefaultAddress
    745. 

  745. 	if honorXDG {
    746. 

  746. 		runtimeDir, err := homedir.GetRuntimeDir()
    747. 

  747. 		if err != nil {
    748. 

  748. 			return "", false, err
    749. 

  749. 		}
    750. 

  750. 		addr = filepath.Join(runtimeDir, "containerd", "containerd.sock")
    751. 

  751. 	}
    752. 

  752. 	_, err := os.Lstat(addr)
    753. 

  753. 	return addr, err == nil, nil
    754. 

  754. }
    755. 

  755. 

  756. // configureDaemonLogs sets the logrus logging level and formatting
    757. 

  757. func configureDaemonLogs(conf *config.Config) error {
    758. 

  758. 	if conf.LogLevel != "" {
    759. 

  759. 		lvl, err := logrus.ParseLevel(conf.LogLevel)
    760. 

  760. 		if err != nil {
    761. 

  761. 			return fmt.Errorf("unable to parse logging level: %s", conf.LogLevel)
    762. 

  762. 		}
    763. 

  763. 		logrus.SetLevel(lvl)
    764. 

  764. 	} else {
    765. 

  765. 		logrus.SetLevel(logrus.InfoLevel)
    766. 

  766. 	}
    767. 

  767. 	logrus.SetFormatter(&logrus.TextFormatter{
    768. 

  768. 		TimestampFormat: jsonmessage.RFC3339NanoFixed,
    769. 

  769. 		DisableColors:   conf.RawLogs,
    770. 

  770. 		FullTimestamp:   true,
    771. 

  771. 	})
    772. 

  772. 	return nil
    773. 

  773. }
    774.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5