daemon.go 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730
  1. package main
  2. import (
  3. "context"
  4. "crypto/tls"
  5. "fmt"
  6. "os"
  7. "path/filepath"
  8. "runtime"
  9. "strings"
  10. "time"
  11. containerddefaults "github.com/containerd/containerd/defaults"
  12. "github.com/docker/distribution/uuid"
  13. "github.com/docker/docker/api"
  14. apiserver "github.com/docker/docker/api/server"
  15. buildbackend "github.com/docker/docker/api/server/backend/build"
  16. "github.com/docker/docker/api/server/middleware"
  17. "github.com/docker/docker/api/server/router"
  18. "github.com/docker/docker/api/server/router/build"
  19. checkpointrouter "github.com/docker/docker/api/server/router/checkpoint"
  20. "github.com/docker/docker/api/server/router/container"
  21. distributionrouter "github.com/docker/docker/api/server/router/distribution"
  22. grpcrouter "github.com/docker/docker/api/server/router/grpc"
  23. "github.com/docker/docker/api/server/router/image"
  24. "github.com/docker/docker/api/server/router/network"
  25. pluginrouter "github.com/docker/docker/api/server/router/plugin"
  26. sessionrouter "github.com/docker/docker/api/server/router/session"
  27. swarmrouter "github.com/docker/docker/api/server/router/swarm"
  28. systemrouter "github.com/docker/docker/api/server/router/system"
  29. "github.com/docker/docker/api/server/router/volume"
  30. buildkit "github.com/docker/docker/builder/builder-next"
  31. "github.com/docker/docker/builder/dockerfile"
  32. "github.com/docker/docker/builder/fscache"
  33. "github.com/docker/docker/cli/debug"
  34. "github.com/docker/docker/daemon"
  35. "github.com/docker/docker/daemon/cluster"
  36. "github.com/docker/docker/daemon/config"
  37. "github.com/docker/docker/daemon/listeners"
  38. "github.com/docker/docker/dockerversion"
  39. "github.com/docker/docker/libcontainerd/supervisor"
  40. dopts "github.com/docker/docker/opts"
  41. "github.com/docker/docker/pkg/authorization"
  42. "github.com/docker/docker/pkg/homedir"
  43. "github.com/docker/docker/pkg/jsonmessage"
  44. "github.com/docker/docker/pkg/pidfile"
  45. "github.com/docker/docker/pkg/plugingetter"
  46. "github.com/docker/docker/pkg/signal"
  47. "github.com/docker/docker/pkg/system"
  48. "github.com/docker/docker/plugin"
  49. "github.com/docker/docker/rootless"
  50. "github.com/docker/docker/runconfig"
  51. "github.com/docker/go-connections/tlsconfig"
  52. swarmapi "github.com/docker/swarmkit/api"
  53. "github.com/moby/buildkit/session"
  54. "github.com/pkg/errors"
  55. "github.com/sirupsen/logrus"
  56. "github.com/spf13/pflag"
  57. )
  58. // DaemonCli represents the daemon CLI.
  59. type DaemonCli struct {
  60. *config.Config
  61. configFile *string
  62. flags *pflag.FlagSet
  63. api *apiserver.Server
  64. d *daemon.Daemon
  65. authzMiddleware *authorization.Middleware // authzMiddleware enables to dynamically reload the authorization plugins
  66. }
  67. // NewDaemonCli returns a daemon CLI
  68. func NewDaemonCli() *DaemonCli {
  69. return &DaemonCli{}
  70. }
  71. func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
  72. stopc := make(chan bool)
  73. defer close(stopc)
  74. // warn from uuid package when running the daemon
  75. uuid.Loggerf = logrus.Warnf
  76. opts.SetDefaultOptions(opts.flags)
  77. if cli.Config, err = loadDaemonCliConfig(opts); err != nil {
  78. return err
  79. }
  80. if err := configureDaemonLogs(cli.Config); err != nil {
  81. return err
  82. }
  83. logrus.Info("Starting up")
  84. cli.configFile = &opts.configFile
  85. cli.flags = opts.flags
  86. if cli.Config.Debug {
  87. debug.Enable()
  88. }
  89. if cli.Config.Experimental {
  90. logrus.Warn("Running experimental build")
  91. if cli.Config.IsRootless() {
  92. logrus.Warn("Running in rootless mode. Cgroups, AppArmor, and CRIU are disabled.")
  93. }
  94. if rootless.RunningWithRootlessKit() {
  95. logrus.Info("Running with RootlessKit integration")
  96. if !cli.Config.IsRootless() {
  97. return fmt.Errorf("rootless mode needs to be enabled for running with RootlessKit")
  98. }
  99. }
  100. } else {
  101. if cli.Config.IsRootless() {
  102. return fmt.Errorf("rootless mode is supported only when running in experimental mode")
  103. }
  104. }
  105. // return human-friendly error before creating files
  106. if runtime.GOOS == "linux" && os.Geteuid() != 0 {
  107. return fmt.Errorf("dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation")
  108. }
  109. system.InitLCOW(cli.Config.Experimental)
  110. if err := setDefaultUmask(); err != nil {
  111. return err
  112. }
  113. // Create the daemon root before we create ANY other files (PID, or migrate keys)
  114. // to ensure the appropriate ACL is set (particularly relevant on Windows)
  115. if err := daemon.CreateDaemonRoot(cli.Config); err != nil {
  116. return err
  117. }
  118. if err := system.MkdirAll(cli.Config.ExecRoot, 0700, ""); err != nil {
  119. return err
  120. }
  121. potentiallyUnderRuntimeDir := []string{cli.Config.ExecRoot}
  122. if cli.Pidfile != "" {
  123. pf, err := pidfile.New(cli.Pidfile)
  124. if err != nil {
  125. return errors.Wrap(err, "failed to start daemon")
  126. }
  127. potentiallyUnderRuntimeDir = append(potentiallyUnderRuntimeDir, cli.Pidfile)
  128. defer func() {
  129. if err := pf.Remove(); err != nil {
  130. logrus.Error(err)
  131. }
  132. }()
  133. }
  134. if cli.Config.IsRootless() {
  135. // Set sticky bit if XDG_RUNTIME_DIR is set && the file is actually under XDG_RUNTIME_DIR
  136. if _, err := homedir.StickRuntimeDirContents(potentiallyUnderRuntimeDir); err != nil {
  137. // StickRuntimeDirContents returns nil error if XDG_RUNTIME_DIR is just unset
  138. logrus.WithError(err).Warn("cannot set sticky bit on files under XDG_RUNTIME_DIR")
  139. }
  140. }
  141. serverConfig, err := newAPIServerConfig(cli)
  142. if err != nil {
  143. return errors.Wrap(err, "failed to create API server")
  144. }
  145. cli.api = apiserver.New(serverConfig)
  146. hosts, err := loadListeners(cli, serverConfig)
  147. if err != nil {
  148. return errors.Wrap(err, "failed to load listeners")
  149. }
  150. ctx, cancel := context.WithCancel(context.Background())
  151. waitForContainerDShutdown, err := cli.initContainerD(ctx)
  152. if waitForContainerDShutdown != nil {
  153. defer waitForContainerDShutdown(10 * time.Second)
  154. }
  155. if err != nil {
  156. cancel()
  157. return err
  158. }
  159. defer cancel()
  160. signal.Trap(func() {
  161. cli.stop()
  162. <-stopc // wait for daemonCli.start() to return
  163. }, logrus.StandardLogger())
  164. // Notify that the API is active, but before daemon is set up.
  165. preNotifySystem()
  166. pluginStore := plugin.NewStore()
  167. if err := cli.initMiddlewares(cli.api, serverConfig, pluginStore); err != nil {
  168. logrus.Fatalf("Error creating middlewares: %v", err)
  169. }
  170. d, err := daemon.NewDaemon(ctx, cli.Config, pluginStore)
  171. if err != nil {
  172. return errors.Wrap(err, "failed to start daemon")
  173. }
  174. d.StoreHosts(hosts)
  175. // validate after NewDaemon has restored enabled plugins. Don't change order.
  176. if err := validateAuthzPlugins(cli.Config.AuthorizationPlugins, pluginStore); err != nil {
  177. return errors.Wrap(err, "failed to validate authorization plugin")
  178. }
  179. // TODO: move into startMetricsServer()
  180. if cli.Config.MetricsAddress != "" {
  181. if !d.HasExperimental() {
  182. return errors.Wrap(err, "metrics-addr is only supported when experimental is enabled")
  183. }
  184. if err := startMetricsServer(cli.Config.MetricsAddress); err != nil {
  185. return err
  186. }
  187. }
  188. c, err := createAndStartCluster(cli, d)
  189. if err != nil {
  190. logrus.Fatalf("Error starting cluster component: %v", err)
  191. }
  192. // Restart all autostart containers which has a swarm endpoint
  193. // and is not yet running now that we have successfully
  194. // initialized the cluster.
  195. d.RestartSwarmContainers()
  196. logrus.Info("Daemon has completed initialization")
  197. cli.d = d
  198. routerOptions, err := newRouterOptions(cli.Config, d)
  199. if err != nil {
  200. return err
  201. }
  202. routerOptions.api = cli.api
  203. routerOptions.cluster = c
  204. initRouter(routerOptions)
  205. go d.ProcessClusterNotifications(ctx, c.GetWatchStream())
  206. cli.setupConfigReloadTrap()
  207. // The serve API routine never exits unless an error occurs
  208. // We need to start it as a goroutine and wait on it so
  209. // daemon doesn't exit
  210. serveAPIWait := make(chan error)
  211. go cli.api.Wait(serveAPIWait)
  212. // after the daemon is done setting up we can notify systemd api
  213. notifySystem()
  214. // Daemon is fully initialized and handling API traffic
  215. // Wait for serve API to complete
  216. errAPI := <-serveAPIWait
  217. c.Cleanup()
  218. shutdownDaemon(d)
  219. // Stop notification processing and any background processes
  220. cancel()
  221. if errAPI != nil {
  222. return errors.Wrap(errAPI, "shutting down due to ServeAPI error")
  223. }
  224. logrus.Info("Daemon shutdown complete")
  225. return nil
  226. }
  227. type routerOptions struct {
  228. sessionManager *session.Manager
  229. buildBackend *buildbackend.Backend
  230. buildCache *fscache.FSCache // legacy
  231. features *map[string]bool
  232. buildkit *buildkit.Builder
  233. daemon *daemon.Daemon
  234. api *apiserver.Server
  235. cluster *cluster.Cluster
  236. }
  237. func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, error) {
  238. opts := routerOptions{}
  239. sm, err := session.NewManager()
  240. if err != nil {
  241. return opts, errors.Wrap(err, "failed to create sessionmanager")
  242. }
  243. builderStateDir := filepath.Join(config.Root, "builder")
  244. buildCache, err := fscache.NewFSCache(fscache.Opt{
  245. Backend: fscache.NewNaiveCacheBackend(builderStateDir),
  246. Root: builderStateDir,
  247. GCPolicy: fscache.GCPolicy{ // TODO: expose this in config
  248. MaxSize: 1024 * 1024 * 512, // 512MB
  249. MaxKeepDuration: 7 * 24 * time.Hour, // 1 week
  250. },
  251. })
  252. if err != nil {
  253. return opts, errors.Wrap(err, "failed to create fscache")
  254. }
  255. manager, err := dockerfile.NewBuildManager(d.BuilderBackend(), sm, buildCache, d.IdentityMapping())
  256. if err != nil {
  257. return opts, err
  258. }
  259. cgroupParent := newCgroupParent(config)
  260. bk, err := buildkit.New(buildkit.Opt{
  261. SessionManager: sm,
  262. Root: filepath.Join(config.Root, "buildkit"),
  263. Dist: d.DistributionServices(),
  264. NetworkController: d.NetworkController(),
  265. DefaultCgroupParent: cgroupParent,
  266. ResolverOpt: d.NewResolveOptionsFunc(),
  267. BuilderConfig: config.Builder,
  268. Rootless: d.Rootless(),
  269. IdentityMapping: d.IdentityMapping(),
  270. DNSConfig: config.DNSConfig,
  271. })
  272. if err != nil {
  273. return opts, err
  274. }
  275. bb, err := buildbackend.NewBackend(d.ImageService(), manager, buildCache, bk)
  276. if err != nil {
  277. return opts, errors.Wrap(err, "failed to create buildmanager")
  278. }
  279. return routerOptions{
  280. sessionManager: sm,
  281. buildBackend: bb,
  282. buildCache: buildCache,
  283. buildkit: bk,
  284. features: d.Features(),
  285. daemon: d,
  286. }, nil
  287. }
  288. func (cli *DaemonCli) reloadConfig() {
  289. reload := func(c *config.Config) {
  290. // Revalidate and reload the authorization plugins
  291. if err := validateAuthzPlugins(c.AuthorizationPlugins, cli.d.PluginStore); err != nil {
  292. logrus.Fatalf("Error validating authorization plugin: %v", err)
  293. return
  294. }
  295. cli.authzMiddleware.SetPlugins(c.AuthorizationPlugins)
  296. // The namespaces com.docker.*, io.docker.*, org.dockerproject.* have been documented
  297. // to be reserved for Docker's internal use, but this was never enforced. Allowing
  298. // configured labels to use these namespaces are deprecated for 18.05.
  299. //
  300. // The following will check the usage of such labels, and report a warning for deprecation.
  301. //
  302. // TODO: At the next stable release, the validation should be folded into the other
  303. // configuration validation functions and an error will be returned instead, and this
  304. // block should be deleted.
  305. if err := config.ValidateReservedNamespaceLabels(c.Labels); err != nil {
  306. logrus.Warnf("Configured labels using reserved namespaces is deprecated: %s", err)
  307. }
  308. if err := cli.d.Reload(c); err != nil {
  309. logrus.Errorf("Error reconfiguring the daemon: %v", err)
  310. return
  311. }
  312. if c.IsValueSet("debug") {
  313. debugEnabled := debug.IsEnabled()
  314. switch {
  315. case debugEnabled && !c.Debug: // disable debug
  316. debug.Disable()
  317. case c.Debug && !debugEnabled: // enable debug
  318. debug.Enable()
  319. }
  320. }
  321. }
  322. if err := config.Reload(*cli.configFile, cli.flags, reload); err != nil {
  323. logrus.Error(err)
  324. }
  325. }
  326. func (cli *DaemonCli) stop() {
  327. cli.api.Close()
  328. }
  329. // shutdownDaemon just wraps daemon.Shutdown() to handle a timeout in case
  330. // d.Shutdown() is waiting too long to kill container or worst it's
  331. // blocked there
  332. func shutdownDaemon(d *daemon.Daemon) {
  333. shutdownTimeout := d.ShutdownTimeout()
  334. ch := make(chan struct{})
  335. go func() {
  336. d.Shutdown()
  337. close(ch)
  338. }()
  339. if shutdownTimeout < 0 {
  340. <-ch
  341. logrus.Debug("Clean shutdown succeeded")
  342. return
  343. }
  344. timeout := time.NewTimer(time.Duration(shutdownTimeout) * time.Second)
  345. defer timeout.Stop()
  346. select {
  347. case <-ch:
  348. logrus.Debug("Clean shutdown succeeded")
  349. case <-timeout.C:
  350. logrus.Error("Force shutdown daemon")
  351. }
  352. }
  353. func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
  354. conf := opts.daemonConfig
  355. flags := opts.flags
  356. conf.Debug = opts.Debug
  357. conf.Hosts = opts.Hosts
  358. conf.LogLevel = opts.LogLevel
  359. conf.TLS = opts.TLS
  360. conf.TLSVerify = opts.TLSVerify
  361. conf.CommonTLSOptions = config.CommonTLSOptions{}
  362. if opts.TLSOptions != nil {
  363. conf.CommonTLSOptions.CAFile = opts.TLSOptions.CAFile
  364. conf.CommonTLSOptions.CertFile = opts.TLSOptions.CertFile
  365. conf.CommonTLSOptions.KeyFile = opts.TLSOptions.KeyFile
  366. }
  367. if conf.TrustKeyPath == "" {
  368. daemonConfDir, err := getDaemonConfDir(conf.Root)
  369. if err != nil {
  370. return nil, err
  371. }
  372. conf.TrustKeyPath = filepath.Join(daemonConfDir, defaultTrustKeyFile)
  373. }
  374. if flags.Changed("graph") && flags.Changed("data-root") {
  375. return nil, errors.New(`cannot specify both "--graph" and "--data-root" option`)
  376. }
  377. if opts.configFile != "" {
  378. c, err := config.MergeDaemonConfigurations(conf, flags, opts.configFile)
  379. if err != nil {
  380. if flags.Changed("config-file") || !os.IsNotExist(err) {
  381. return nil, errors.Wrapf(err, "unable to configure the Docker daemon with file %s", opts.configFile)
  382. }
  383. }
  384. // the merged configuration can be nil if the config file didn't exist.
  385. // leave the current configuration as it is if when that happens.
  386. if c != nil {
  387. conf = c
  388. }
  389. }
  390. if err := config.Validate(conf); err != nil {
  391. return nil, err
  392. }
  393. if flags.Changed("graph") {
  394. logrus.Warnf(`The "-g / --graph" flag is deprecated. Please use "--data-root" instead`)
  395. }
  396. // Check if duplicate label-keys with different values are found
  397. newLabels, err := config.GetConflictFreeLabels(conf.Labels)
  398. if err != nil {
  399. return nil, err
  400. }
  401. // The namespaces com.docker.*, io.docker.*, org.dockerproject.* have been documented
  402. // to be reserved for Docker's internal use, but this was never enforced. Allowing
  403. // configured labels to use these namespaces are deprecated for 18.05.
  404. //
  405. // The following will check the usage of such labels, and report a warning for deprecation.
  406. //
  407. // TODO: At the next stable release, the validation should be folded into the other
  408. // configuration validation functions and an error will be returned instead, and this
  409. // block should be deleted.
  410. if err := config.ValidateReservedNamespaceLabels(newLabels); err != nil {
  411. logrus.Warnf("Configured labels using reserved namespaces is deprecated: %s", err)
  412. }
  413. conf.Labels = newLabels
  414. // Regardless of whether the user sets it to true or false, if they
  415. // specify TLSVerify at all then we need to turn on TLS
  416. if conf.IsValueSet(FlagTLSVerify) {
  417. conf.TLS = true
  418. }
  419. return conf, nil
  420. }
  421. func initRouter(opts routerOptions) {
  422. decoder := runconfig.ContainerDecoder{}
  423. routers := []router.Router{
  424. // we need to add the checkpoint router before the container router or the DELETE gets masked
  425. checkpointrouter.NewRouter(opts.daemon, decoder),
  426. container.NewRouter(opts.daemon, decoder),
  427. image.NewRouter(opts.daemon.ImageService()),
  428. systemrouter.NewRouter(opts.daemon, opts.cluster, opts.buildCache, opts.buildkit, opts.features),
  429. volume.NewRouter(opts.daemon.VolumesService()),
  430. build.NewRouter(opts.buildBackend, opts.daemon, opts.features),
  431. sessionrouter.NewRouter(opts.sessionManager),
  432. swarmrouter.NewRouter(opts.cluster),
  433. pluginrouter.NewRouter(opts.daemon.PluginManager()),
  434. distributionrouter.NewRouter(opts.daemon.ImageService()),
  435. }
  436. grpcBackends := []grpcrouter.Backend{}
  437. for _, b := range []interface{}{opts.daemon, opts.buildBackend} {
  438. if b, ok := b.(grpcrouter.Backend); ok {
  439. grpcBackends = append(grpcBackends, b)
  440. }
  441. }
  442. if len(grpcBackends) > 0 {
  443. routers = append(routers, grpcrouter.NewRouter(grpcBackends...))
  444. }
  445. if opts.daemon.NetworkControllerEnabled() {
  446. routers = append(routers, network.NewRouter(opts.daemon, opts.cluster))
  447. }
  448. if opts.daemon.HasExperimental() {
  449. for _, r := range routers {
  450. for _, route := range r.Routes() {
  451. if experimental, ok := route.(router.ExperimentalRoute); ok {
  452. experimental.Enable()
  453. }
  454. }
  455. }
  456. }
  457. opts.api.InitRouter(routers...)
  458. }
  459. // TODO: remove this from cli and return the authzMiddleware
  460. func (cli *DaemonCli) initMiddlewares(s *apiserver.Server, cfg *apiserver.Config, pluginStore plugingetter.PluginGetter) error {
  461. v := cfg.Version
  462. exp := middleware.NewExperimentalMiddleware(cli.Config.Experimental)
  463. s.UseMiddleware(exp)
  464. vm := middleware.NewVersionMiddleware(v, api.DefaultVersion, api.MinVersion)
  465. s.UseMiddleware(vm)
  466. if cfg.CorsHeaders != "" {
  467. c := middleware.NewCORSMiddleware(cfg.CorsHeaders)
  468. s.UseMiddleware(c)
  469. }
  470. cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins, pluginStore)
  471. cli.Config.AuthzMiddleware = cli.authzMiddleware
  472. s.UseMiddleware(cli.authzMiddleware)
  473. return nil
  474. }
  475. func (cli *DaemonCli) getContainerdDaemonOpts() ([]supervisor.DaemonOpt, error) {
  476. opts, err := cli.getPlatformContainerdDaemonOpts()
  477. if err != nil {
  478. return nil, err
  479. }
  480. if cli.Config.Debug {
  481. opts = append(opts, supervisor.WithLogLevel("debug"))
  482. } else if cli.Config.LogLevel != "" {
  483. opts = append(opts, supervisor.WithLogLevel(cli.Config.LogLevel))
  484. }
  485. if !cli.Config.CriContainerd {
  486. opts = append(opts, supervisor.WithPlugin("cri", nil))
  487. }
  488. return opts, nil
  489. }
  490. func newAPIServerConfig(cli *DaemonCli) (*apiserver.Config, error) {
  491. serverConfig := &apiserver.Config{
  492. Logging: true,
  493. SocketGroup: cli.Config.SocketGroup,
  494. Version: dockerversion.Version,
  495. CorsHeaders: cli.Config.CorsHeaders,
  496. }
  497. if cli.Config.TLS {
  498. tlsOptions := tlsconfig.Options{
  499. CAFile: cli.Config.CommonTLSOptions.CAFile,
  500. CertFile: cli.Config.CommonTLSOptions.CertFile,
  501. KeyFile: cli.Config.CommonTLSOptions.KeyFile,
  502. ExclusiveRootPools: true,
  503. }
  504. if cli.Config.TLSVerify {
  505. // server requires and verifies client's certificate
  506. tlsOptions.ClientAuth = tls.RequireAndVerifyClientCert
  507. }
  508. tlsConfig, err := tlsconfig.Server(tlsOptions)
  509. if err != nil {
  510. return nil, err
  511. }
  512. serverConfig.TLSConfig = tlsConfig
  513. }
  514. if len(cli.Config.Hosts) == 0 {
  515. cli.Config.Hosts = make([]string, 1)
  516. }
  517. return serverConfig, nil
  518. }
  519. func loadListeners(cli *DaemonCli, serverConfig *apiserver.Config) ([]string, error) {
  520. var hosts []string
  521. seen := make(map[string]struct{}, len(cli.Config.Hosts))
  522. for i := 0; i < len(cli.Config.Hosts); i++ {
  523. var err error
  524. if cli.Config.Hosts[i], err = dopts.ParseHost(cli.Config.TLS, honorXDG, cli.Config.Hosts[i]); err != nil {
  525. return nil, errors.Wrapf(err, "error parsing -H %s", cli.Config.Hosts[i])
  526. }
  527. if _, ok := seen[cli.Config.Hosts[i]]; ok {
  528. continue
  529. }
  530. seen[cli.Config.Hosts[i]] = struct{}{}
  531. protoAddr := cli.Config.Hosts[i]
  532. protoAddrParts := strings.SplitN(protoAddr, "://", 2)
  533. if len(protoAddrParts) != 2 {
  534. return nil, fmt.Errorf("bad format %s, expected PROTO://ADDR", protoAddr)
  535. }
  536. proto := protoAddrParts[0]
  537. addr := protoAddrParts[1]
  538. // It's a bad idea to bind to TCP without tlsverify.
  539. if proto == "tcp" && (serverConfig.TLSConfig == nil || serverConfig.TLSConfig.ClientAuth != tls.RequireAndVerifyClientCert) {
  540. logrus.Warn("[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]")
  541. }
  542. ls, err := listeners.Init(proto, addr, serverConfig.SocketGroup, serverConfig.TLSConfig)
  543. if err != nil {
  544. return nil, err
  545. }
  546. ls = wrapListeners(proto, ls)
  547. // If we're binding to a TCP port, make sure that a container doesn't try to use it.
  548. if proto == "tcp" {
  549. if err := allocateDaemonPort(addr); err != nil {
  550. return nil, err
  551. }
  552. }
  553. logrus.Debugf("Listener created for HTTP on %s (%s)", proto, addr)
  554. hosts = append(hosts, protoAddrParts[1])
  555. cli.api.Accept(addr, ls...)
  556. }
  557. return hosts, nil
  558. }
  559. func createAndStartCluster(cli *DaemonCli, d *daemon.Daemon) (*cluster.Cluster, error) {
  560. name, _ := os.Hostname()
  561. // Use a buffered channel to pass changes from store watch API to daemon
  562. // A buffer allows store watch API and daemon processing to not wait for each other
  563. watchStream := make(chan *swarmapi.WatchMessage, 32)
  564. c, err := cluster.New(cluster.Config{
  565. Root: cli.Config.Root,
  566. Name: name,
  567. Backend: d,
  568. VolumeBackend: d.VolumesService(),
  569. ImageBackend: d.ImageService(),
  570. PluginBackend: d.PluginManager(),
  571. NetworkSubnetsProvider: d,
  572. DefaultAdvertiseAddr: cli.Config.SwarmDefaultAdvertiseAddr,
  573. RaftHeartbeatTick: cli.Config.SwarmRaftHeartbeatTick,
  574. RaftElectionTick: cli.Config.SwarmRaftElectionTick,
  575. RuntimeRoot: cli.getSwarmRunRoot(),
  576. WatchStream: watchStream,
  577. })
  578. if err != nil {
  579. return nil, err
  580. }
  581. d.SetCluster(c)
  582. err = c.Start()
  583. return c, err
  584. }
  585. // validates that the plugins requested with the --authorization-plugin flag are valid AuthzDriver
  586. // plugins present on the host and available to the daemon
  587. func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGetter) error {
  588. for _, reqPlugin := range requestedPlugins {
  589. if _, err := pg.Get(reqPlugin, authorization.AuthZApiImplements, plugingetter.Lookup); err != nil {
  590. return err
  591. }
  592. }
  593. return nil
  594. }
  595. func systemContainerdRunning(honorXDG bool) (string, bool, error) {
  596. addr := containerddefaults.DefaultAddress
  597. if honorXDG {
  598. runtimeDir, err := homedir.GetRuntimeDir()
  599. if err != nil {
  600. return "", false, err
  601. }
  602. addr = filepath.Join(runtimeDir, "containerd", "containerd.sock")
  603. }
  604. _, err := os.Lstat(addr)
  605. return addr, err == nil, nil
  606. }
  607. // configureDaemonLogs sets the logrus logging level and formatting
  608. func configureDaemonLogs(conf *config.Config) error {
  609. if conf.LogLevel != "" {
  610. lvl, err := logrus.ParseLevel(conf.LogLevel)
  611. if err != nil {
  612. return fmt.Errorf("unable to parse logging level: %s", conf.LogLevel)
  613. }
  614. logrus.SetLevel(lvl)
  615. } else {
  616. logrus.SetLevel(logrus.InfoLevel)
  617. }
  618. logrus.SetFormatter(&logrus.TextFormatter{
  619. TimestampFormat: jsonmessage.RFC3339NanoFixed,
  620. DisableColors: conf.RawLogs,
  621. FullTimestamp: true,
  622. })
  623. return nil
  624. }