daemon.go 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538
  1. package main
  2. import (
  3. "crypto/tls"
  4. "fmt"
  5. "io"
  6. "os"
  7. "path/filepath"
  8. "runtime"
  9. "strings"
  10. "time"
  11. "github.com/Sirupsen/logrus"
  12. "github.com/docker/distribution/uuid"
  13. "github.com/docker/docker/api"
  14. apiserver "github.com/docker/docker/api/server"
  15. buildbackend "github.com/docker/docker/api/server/backend/build"
  16. "github.com/docker/docker/api/server/middleware"
  17. "github.com/docker/docker/api/server/router"
  18. "github.com/docker/docker/api/server/router/build"
  19. checkpointrouter "github.com/docker/docker/api/server/router/checkpoint"
  20. "github.com/docker/docker/api/server/router/container"
  21. "github.com/docker/docker/api/server/router/image"
  22. "github.com/docker/docker/api/server/router/network"
  23. pluginrouter "github.com/docker/docker/api/server/router/plugin"
  24. swarmrouter "github.com/docker/docker/api/server/router/swarm"
  25. systemrouter "github.com/docker/docker/api/server/router/system"
  26. "github.com/docker/docker/api/server/router/volume"
  27. cliconfig "github.com/docker/docker/cli/config"
  28. "github.com/docker/docker/cli/debug"
  29. cliflags "github.com/docker/docker/cli/flags"
  30. "github.com/docker/docker/daemon"
  31. "github.com/docker/docker/daemon/cluster"
  32. "github.com/docker/docker/daemon/config"
  33. "github.com/docker/docker/daemon/logger"
  34. "github.com/docker/docker/dockerversion"
  35. "github.com/docker/docker/libcontainerd"
  36. dopts "github.com/docker/docker/opts"
  37. "github.com/docker/docker/pkg/authorization"
  38. "github.com/docker/docker/pkg/jsonlog"
  39. "github.com/docker/docker/pkg/listeners"
  40. "github.com/docker/docker/pkg/pidfile"
  41. "github.com/docker/docker/pkg/plugingetter"
  42. "github.com/docker/docker/pkg/signal"
  43. "github.com/docker/docker/pkg/system"
  44. "github.com/docker/docker/plugin"
  45. "github.com/docker/docker/registry"
  46. "github.com/docker/docker/runconfig"
  47. "github.com/docker/go-connections/tlsconfig"
  48. "github.com/spf13/pflag"
  49. )
  50. // DaemonCli represents the daemon CLI.
  51. type DaemonCli struct {
  52. *config.Config
  53. configFile *string
  54. flags *pflag.FlagSet
  55. api *apiserver.Server
  56. d *daemon.Daemon
  57. authzMiddleware *authorization.Middleware // authzMiddleware enables to dynamically reload the authorization plugins
  58. }
  59. // NewDaemonCli returns a daemon CLI
  60. func NewDaemonCli() *DaemonCli {
  61. return &DaemonCli{}
  62. }
  63. func migrateKey(config *config.Config) (err error) {
  64. // No migration necessary on Windows
  65. if runtime.GOOS == "windows" {
  66. return nil
  67. }
  68. // Migrate trust key if exists at ~/.docker/key.json and owned by current user
  69. oldPath := filepath.Join(cliconfig.Dir(), cliflags.DefaultTrustKeyFile)
  70. newPath := filepath.Join(getDaemonConfDir(config.Root), cliflags.DefaultTrustKeyFile)
  71. if _, statErr := os.Stat(newPath); os.IsNotExist(statErr) && currentUserIsOwner(oldPath) {
  72. defer func() {
  73. // Ensure old path is removed if no error occurred
  74. if err == nil {
  75. err = os.Remove(oldPath)
  76. } else {
  77. logrus.Warnf("Key migration failed, key file not removed at %s", oldPath)
  78. os.Remove(newPath)
  79. }
  80. }()
  81. if err := system.MkdirAll(getDaemonConfDir(config.Root), os.FileMode(0644)); err != nil {
  82. return fmt.Errorf("Unable to create daemon configuration directory: %s", err)
  83. }
  84. newFile, err := os.OpenFile(newPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
  85. if err != nil {
  86. return fmt.Errorf("error creating key file %q: %s", newPath, err)
  87. }
  88. defer newFile.Close()
  89. oldFile, err := os.Open(oldPath)
  90. if err != nil {
  91. return fmt.Errorf("error opening key file %q: %s", oldPath, err)
  92. }
  93. defer oldFile.Close()
  94. if _, err := io.Copy(newFile, oldFile); err != nil {
  95. return fmt.Errorf("error copying key: %s", err)
  96. }
  97. logrus.Infof("Migrated key from %s to %s", oldPath, newPath)
  98. }
  99. return nil
  100. }
  101. func (cli *DaemonCli) start(opts daemonOptions) (err error) {
  102. stopc := make(chan bool)
  103. defer close(stopc)
  104. // warn from uuid package when running the daemon
  105. uuid.Loggerf = logrus.Warnf
  106. opts.common.SetDefaultOptions(opts.flags)
  107. if cli.Config, err = loadDaemonCliConfig(opts); err != nil {
  108. return err
  109. }
  110. cli.configFile = &opts.configFile
  111. cli.flags = opts.flags
  112. if opts.common.TrustKey == "" {
  113. opts.common.TrustKey = filepath.Join(
  114. getDaemonConfDir(cli.Config.Root),
  115. cliflags.DefaultTrustKeyFile)
  116. }
  117. if cli.Config.Debug {
  118. debug.Enable()
  119. }
  120. if cli.Config.Experimental {
  121. logrus.Warn("Running experimental build")
  122. }
  123. logrus.SetFormatter(&logrus.TextFormatter{
  124. TimestampFormat: jsonlog.RFC3339NanoFixed,
  125. DisableColors: cli.Config.RawLogs,
  126. })
  127. if err := setDefaultUmask(); err != nil {
  128. return fmt.Errorf("Failed to set umask: %v", err)
  129. }
  130. if len(cli.LogConfig.Config) > 0 {
  131. if err := logger.ValidateLogOpts(cli.LogConfig.Type, cli.LogConfig.Config); err != nil {
  132. return fmt.Errorf("Failed to set log opts: %v", err)
  133. }
  134. }
  135. // Create the daemon root before we create ANY other files (PID, or migrate keys)
  136. // to ensure the appropriate ACL is set (particularly relevant on Windows)
  137. if err := daemon.CreateDaemonRoot(cli.Config); err != nil {
  138. return err
  139. }
  140. if cli.Pidfile != "" {
  141. pf, err := pidfile.New(cli.Pidfile)
  142. if err != nil {
  143. return fmt.Errorf("Error starting daemon: %v", err)
  144. }
  145. defer func() {
  146. if err := pf.Remove(); err != nil {
  147. logrus.Error(err)
  148. }
  149. }()
  150. }
  151. serverConfig := &apiserver.Config{
  152. Logging: true,
  153. SocketGroup: cli.Config.SocketGroup,
  154. Version: dockerversion.Version,
  155. EnableCors: cli.Config.EnableCors,
  156. CorsHeaders: cli.Config.CorsHeaders,
  157. }
  158. if cli.Config.TLS {
  159. tlsOptions := tlsconfig.Options{
  160. CAFile: cli.Config.CommonTLSOptions.CAFile,
  161. CertFile: cli.Config.CommonTLSOptions.CertFile,
  162. KeyFile: cli.Config.CommonTLSOptions.KeyFile,
  163. }
  164. if cli.Config.TLSVerify {
  165. // server requires and verifies client's certificate
  166. tlsOptions.ClientAuth = tls.RequireAndVerifyClientCert
  167. }
  168. tlsConfig, err := tlsconfig.Server(tlsOptions)
  169. if err != nil {
  170. return err
  171. }
  172. serverConfig.TLSConfig = tlsConfig
  173. }
  174. if len(cli.Config.Hosts) == 0 {
  175. cli.Config.Hosts = make([]string, 1)
  176. }
  177. api := apiserver.New(serverConfig)
  178. cli.api = api
  179. for i := 0; i < len(cli.Config.Hosts); i++ {
  180. var err error
  181. if cli.Config.Hosts[i], err = dopts.ParseHost(cli.Config.TLS, cli.Config.Hosts[i]); err != nil {
  182. return fmt.Errorf("error parsing -H %s : %v", cli.Config.Hosts[i], err)
  183. }
  184. protoAddr := cli.Config.Hosts[i]
  185. protoAddrParts := strings.SplitN(protoAddr, "://", 2)
  186. if len(protoAddrParts) != 2 {
  187. return fmt.Errorf("bad format %s, expected PROTO://ADDR", protoAddr)
  188. }
  189. proto := protoAddrParts[0]
  190. addr := protoAddrParts[1]
  191. // It's a bad idea to bind to TCP without tlsverify.
  192. if proto == "tcp" && (serverConfig.TLSConfig == nil || serverConfig.TLSConfig.ClientAuth != tls.RequireAndVerifyClientCert) {
  193. logrus.Warn("[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]")
  194. }
  195. ls, err := listeners.Init(proto, addr, serverConfig.SocketGroup, serverConfig.TLSConfig)
  196. if err != nil {
  197. return err
  198. }
  199. ls = wrapListeners(proto, ls)
  200. // If we're binding to a TCP port, make sure that a container doesn't try to use it.
  201. if proto == "tcp" {
  202. if err := allocateDaemonPort(addr); err != nil {
  203. return err
  204. }
  205. }
  206. logrus.Debugf("Listener created for HTTP on %s (%s)", proto, addr)
  207. api.Accept(addr, ls...)
  208. }
  209. if err := migrateKey(cli.Config); err != nil {
  210. return err
  211. }
  212. // FIXME: why is this down here instead of with the other TrustKey logic above?
  213. cli.TrustKeyPath = opts.common.TrustKey
  214. registryService := registry.NewService(cli.Config.ServiceOptions)
  215. containerdRemote, err := libcontainerd.New(cli.getLibcontainerdRoot(), cli.getPlatformRemoteOptions()...)
  216. if err != nil {
  217. return err
  218. }
  219. signal.Trap(func() {
  220. cli.stop()
  221. <-stopc // wait for daemonCli.start() to return
  222. })
  223. // Notify that the API is active, but before daemon is set up.
  224. preNotifySystem()
  225. pluginStore := plugin.NewStore()
  226. if err := cli.initMiddlewares(api, serverConfig, pluginStore); err != nil {
  227. logrus.Fatalf("Error creating middlewares: %v", err)
  228. }
  229. d, err := daemon.NewDaemon(cli.Config, registryService, containerdRemote, pluginStore)
  230. if err != nil {
  231. return fmt.Errorf("Error starting daemon: %v", err)
  232. }
  233. // validate after NewDaemon has restored enabled plugins. Dont change order.
  234. if err := validateAuthzPlugins(cli.Config.AuthorizationPlugins, pluginStore); err != nil {
  235. return fmt.Errorf("Error validating authorization plugin: %v", err)
  236. }
  237. if cli.Config.MetricsAddress != "" {
  238. if !d.HasExperimental() {
  239. return fmt.Errorf("metrics-addr is only supported when experimental is enabled")
  240. }
  241. if err := startMetricsServer(cli.Config.MetricsAddress); err != nil {
  242. return err
  243. }
  244. }
  245. name, _ := os.Hostname()
  246. c, err := cluster.New(cluster.Config{
  247. Root: cli.Config.Root,
  248. Name: name,
  249. Backend: d,
  250. NetworkSubnetsProvider: d,
  251. DefaultAdvertiseAddr: cli.Config.SwarmDefaultAdvertiseAddr,
  252. RuntimeRoot: cli.getSwarmRunRoot(),
  253. })
  254. if err != nil {
  255. logrus.Fatalf("Error creating cluster component: %v", err)
  256. }
  257. // Restart all autostart containers which has a swarm endpoint
  258. // and is not yet running now that we have successfully
  259. // initialized the cluster.
  260. d.RestartSwarmContainers()
  261. logrus.Info("Daemon has completed initialization")
  262. logrus.WithFields(logrus.Fields{
  263. "version": dockerversion.Version,
  264. "commit": dockerversion.GitCommit,
  265. "graphdriver": d.GraphDriverName(),
  266. }).Info("Docker daemon")
  267. cli.d = d
  268. d.SetCluster(c)
  269. initRouter(api, d, c)
  270. cli.setupConfigReloadTrap()
  271. // The serve API routine never exits unless an error occurs
  272. // We need to start it as a goroutine and wait on it so
  273. // daemon doesn't exit
  274. serveAPIWait := make(chan error)
  275. go api.Wait(serveAPIWait)
  276. // after the daemon is done setting up we can notify systemd api
  277. notifySystem()
  278. // Daemon is fully initialized and handling API traffic
  279. // Wait for serve API to complete
  280. errAPI := <-serveAPIWait
  281. c.Cleanup()
  282. shutdownDaemon(d)
  283. containerdRemote.Cleanup()
  284. if errAPI != nil {
  285. return fmt.Errorf("Shutting down due to ServeAPI error: %v", errAPI)
  286. }
  287. return nil
  288. }
  289. func (cli *DaemonCli) reloadConfig() {
  290. reload := func(config *config.Config) {
  291. // Revalidate and reload the authorization plugins
  292. if err := validateAuthzPlugins(config.AuthorizationPlugins, cli.d.PluginStore); err != nil {
  293. logrus.Fatalf("Error validating authorization plugin: %v", err)
  294. return
  295. }
  296. cli.authzMiddleware.SetPlugins(config.AuthorizationPlugins)
  297. if err := cli.d.Reload(config); err != nil {
  298. logrus.Errorf("Error reconfiguring the daemon: %v", err)
  299. return
  300. }
  301. if config.IsValueSet("debug") {
  302. debugEnabled := debug.IsEnabled()
  303. switch {
  304. case debugEnabled && !config.Debug: // disable debug
  305. debug.Disable()
  306. cli.api.DisableProfiler()
  307. case config.Debug && !debugEnabled: // enable debug
  308. debug.Enable()
  309. cli.api.EnableProfiler()
  310. }
  311. }
  312. }
  313. if err := config.Reload(*cli.configFile, cli.flags, reload); err != nil {
  314. logrus.Error(err)
  315. }
  316. }
  317. func (cli *DaemonCli) stop() {
  318. cli.api.Close()
  319. }
  320. // shutdownDaemon just wraps daemon.Shutdown() to handle a timeout in case
  321. // d.Shutdown() is waiting too long to kill container or worst it's
  322. // blocked there
  323. func shutdownDaemon(d *daemon.Daemon) {
  324. shutdownTimeout := d.ShutdownTimeout()
  325. ch := make(chan struct{})
  326. go func() {
  327. d.Shutdown()
  328. close(ch)
  329. }()
  330. if shutdownTimeout < 0 {
  331. <-ch
  332. logrus.Debug("Clean shutdown succeeded")
  333. return
  334. }
  335. select {
  336. case <-ch:
  337. logrus.Debug("Clean shutdown succeeded")
  338. case <-time.After(time.Duration(shutdownTimeout) * time.Second):
  339. logrus.Error("Force shutdown daemon")
  340. }
  341. }
  342. func loadDaemonCliConfig(opts daemonOptions) (*config.Config, error) {
  343. conf := opts.daemonConfig
  344. flags := opts.flags
  345. conf.Debug = opts.common.Debug
  346. conf.Hosts = opts.common.Hosts
  347. conf.LogLevel = opts.common.LogLevel
  348. conf.TLS = opts.common.TLS
  349. conf.TLSVerify = opts.common.TLSVerify
  350. conf.CommonTLSOptions = config.CommonTLSOptions{}
  351. if opts.common.TLSOptions != nil {
  352. conf.CommonTLSOptions.CAFile = opts.common.TLSOptions.CAFile
  353. conf.CommonTLSOptions.CertFile = opts.common.TLSOptions.CertFile
  354. conf.CommonTLSOptions.KeyFile = opts.common.TLSOptions.KeyFile
  355. }
  356. if flags.Changed("graph") && flags.Changed("data-root") {
  357. return nil, fmt.Errorf(`cannot specify both "--graph" and "--data-root" option`)
  358. }
  359. if opts.configFile != "" {
  360. c, err := config.MergeDaemonConfigurations(conf, flags, opts.configFile)
  361. if err != nil {
  362. if flags.Changed("config-file") || !os.IsNotExist(err) {
  363. return nil, fmt.Errorf("unable to configure the Docker daemon with file %s: %v\n", opts.configFile, err)
  364. }
  365. }
  366. // the merged configuration can be nil if the config file didn't exist.
  367. // leave the current configuration as it is if when that happens.
  368. if c != nil {
  369. conf = c
  370. }
  371. }
  372. if err := config.Validate(conf); err != nil {
  373. return nil, err
  374. }
  375. if flags.Changed("graph") {
  376. logrus.Warnf(`the "-g / --graph" flag is deprecated. Please use "--data-root" instead`)
  377. }
  378. // Labels of the docker engine used to allow multiple values associated with the same key.
  379. // This is deprecated in 1.13, and, be removed after 3 release cycles.
  380. // The following will check the conflict of labels, and report a warning for deprecation.
  381. //
  382. // TODO: After 3 release cycles (17.12) an error will be returned, and labels will be
  383. // sanitized to consolidate duplicate key-value pairs (config.Labels = newLabels):
  384. //
  385. // newLabels, err := daemon.GetConflictFreeLabels(config.Labels)
  386. // if err != nil {
  387. // return nil, err
  388. // }
  389. // config.Labels = newLabels
  390. //
  391. if _, err := config.GetConflictFreeLabels(conf.Labels); err != nil {
  392. logrus.Warnf("Engine labels with duplicate keys and conflicting values have been deprecated: %s", err)
  393. }
  394. // Regardless of whether the user sets it to true or false, if they
  395. // specify TLSVerify at all then we need to turn on TLS
  396. if conf.IsValueSet(cliflags.FlagTLSVerify) {
  397. conf.TLS = true
  398. }
  399. // ensure that the log level is the one set after merging configurations
  400. cliflags.SetLogLevel(conf.LogLevel)
  401. return conf, nil
  402. }
  403. func initRouter(s *apiserver.Server, d *daemon.Daemon, c *cluster.Cluster) {
  404. decoder := runconfig.ContainerDecoder{}
  405. routers := []router.Router{
  406. // we need to add the checkpoint router before the container router or the DELETE gets masked
  407. checkpointrouter.NewRouter(d, decoder),
  408. container.NewRouter(d, decoder),
  409. image.NewRouter(d, decoder),
  410. systemrouter.NewRouter(d, c),
  411. volume.NewRouter(d),
  412. build.NewRouter(buildbackend.NewBackend(d, d), d),
  413. swarmrouter.NewRouter(c),
  414. pluginrouter.NewRouter(d.PluginManager()),
  415. }
  416. if d.NetworkControllerEnabled() {
  417. routers = append(routers, network.NewRouter(d, c))
  418. }
  419. if d.HasExperimental() {
  420. for _, r := range routers {
  421. for _, route := range r.Routes() {
  422. if experimental, ok := route.(router.ExperimentalRoute); ok {
  423. experimental.Enable()
  424. }
  425. }
  426. }
  427. }
  428. s.InitRouter(debug.IsEnabled(), routers...)
  429. }
  430. func (cli *DaemonCli) initMiddlewares(s *apiserver.Server, cfg *apiserver.Config, pluginStore *plugin.Store) error {
  431. v := cfg.Version
  432. exp := middleware.NewExperimentalMiddleware(cli.Config.Experimental)
  433. s.UseMiddleware(exp)
  434. vm := middleware.NewVersionMiddleware(v, api.DefaultVersion, api.MinVersion)
  435. s.UseMiddleware(vm)
  436. if cfg.EnableCors || cfg.CorsHeaders != "" {
  437. c := middleware.NewCORSMiddleware(cfg.CorsHeaders)
  438. s.UseMiddleware(c)
  439. }
  440. cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins, pluginStore)
  441. cli.Config.AuthzMiddleware = cli.authzMiddleware
  442. s.UseMiddleware(cli.authzMiddleware)
  443. return nil
  444. }
  445. // validates that the plugins requested with the --authorization-plugin flag are valid AuthzDriver
  446. // plugins present on the host and available to the daemon
  447. func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGetter) error {
  448. for _, reqPlugin := range requestedPlugins {
  449. if _, err := pg.Get(reqPlugin, authorization.AuthZApiImplements, plugingetter.Lookup); err != nil {
  450. return err
  451. }
  452. }
  453. return nil
  454. }