f42033ba94
Signed-off-by: John Howard <jhoward@microsoft.com> Working directory processing was handled differently for Hyper-V and Windows-Server containers, as annotated in the builder documentation (updated in this PR). For Hyper-V containers, the working directory set by WORKDIR was not created. This PR makes Hyper-V containers work the same as Windows Server containers (and the same as Linux). Example (only applies to Hyper-V containers, so not reproducible under CI environment) Dockerfile: FROM microsoft/nanoserver WORKDIR c:\installer ENV GOROOT=c:\installer ADD go.exe . RUN go --help Running on Windows Server 2016, using docker master without this change, but with daemon set to --exec-opt isolation=hyperv as it would be for Client operating systems. PS E:\go\src\github.com\docker\docker> dockerd -g c:\control --exec-opt isolation=hyperv time="2017-02-01T15:48:09.657286100-08:00" level=info msg="Windows default isolation mode: hyperv" time="2017-02-01T15:48:09.662720900-08:00" level=info msg="[graphdriver] using prior storage driver: windowsfilter" time="2017-02-01T15:48:10.011588000-08:00" level=info msg="Graph migration to content-addressability took 0.00 seconds" time="2017-02-01T15:48:10.016655800-08:00" level=info msg="Loading containers: start." time="2017-02-01T15:48:10.460820000-08:00" level=info msg="Loading containers: done." time="2017-02-01T15:48:10.509859600-08:00" level=info msg="Daemon has completed initialization" time="2017-02-01T15:48:10.509859600-08:00" level=info msg="Docker daemon" commit=3c64061 graphdriver=windowsfilter version=1.14.0-dev First with no explicit isolation: PS E:\docker\build\unifyworkdir> docker build --no-cache . Sending build context to Docker daemon 10.1 MB Step 1/5 : FROM microsoft/nanoserver ---> 89b8556cb9ca Step 2/5 : WORKDIR c:\installer ---> 7e0f41d08204 Removing intermediate container 236c7802042a Step 3/5 : ENV GOROOT c:\installer ---> Running in 8ea5237183c1 ---> 394b70435261 Removing intermediate container 8ea5237183c1 Step 4/5 : ADD go.exe . ---> e47401a1745c Removing intermediate container 88dcc28e74b1 Step 5/5 : RUN go --help ---> Running in efe90e1b6b8b container efe90e1b6b8b76586abc5c1dc0e2797b75adc26517c48733d90651e767c8463b encountered an error during CreateProcess: failure in a Windows system call: The directory name is invalid. (0x10b) extra info: {"ApplicationName":"","CommandLine":"cmd /S /C go --help","User":"","WorkingDirectory":"C:\\installer","Environment":{"GOROOT":"c:\\installer"},"EmulateConsole":false,"CreateStdInPipe":true,"CreateStdOutPipe":true,"CreateStdErrPipe":true,"ConsoleSize":[0,0]} PS E:\docker\build\unifyworkdir> Then forcing process isolation: PS E:\docker\build\unifyworkdir> docker build --isolation=process --no-cache . Sending build context to Docker daemon 10.1 MB Step 1/5 : FROM microsoft/nanoserver ---> 89b8556cb9ca Step 2/5 : WORKDIR c:\installer ---> 350c955980c8 Removing intermediate container 8339c1e9250c Step 3/5 : ENV GOROOT c:\installer ---> Running in bde511c5e3e0 ---> b8820063b5b6 Removing intermediate container bde511c5e3e0 Step 4/5 : ADD go.exe . ---> e4ac32f8902b Removing intermediate container d586e8492eda Step 5/5 : RUN go --help ---> Running in 9e1aa235af5f Cannot mkdir: C:\installer is not a directory PS E:\docker\build\unifyworkdir> Now compare the same results after this PR. Again, first with no explicit isolation (defaulting to Hyper-V containers as that's what the daemon it set to) - note it now succeeds 😄 PS E:\docker\build\unifyworkdir> docker build --no-cache . Sending build context to Docker daemon 10.1 MB Step 1/5 : FROM microsoft/nanoserver ---> 89b8556cb9ca Step 2/5 : WORKDIR c:\installer ---> 4f319f301c69 Removing intermediate container 61b9c0b1ff6f Step 3/5 : ENV GOROOT c:\installer ---> Running in c464a1d612d8 ---> 96a26ab9a7b5 Removing intermediate container c464a1d612d8 Step 4/5 : ADD go.exe . ---> 0290d61faf57 Removing intermediate container dc5a085fffe3 Step 5/5 : RUN go --help ---> Running in 60bd56042ff8 Go is a tool for managing Go source code. Usage: go command [arguments] The commands are: build compile packages and dependencies clean remove object files doc show documentation for package or symbol env print Go environment information fix run go tool fix on packages fmt run gofmt on package sources generate generate Go files by processing source get download and install packages and dependencies install compile and install packages and dependencies list list packages run compile and run Go program test test packages tool run specified go tool version print Go version vet run go tool vet on packages Use "go help [command]" for more information about a command. Additional help topics: c calling between Go and C buildmode description of build modes filetype file types gopath GOPATH environment variable environment environment variables importpath import path syntax packages description of package lists testflag description of testing flags testfunc description of testing functions Use "go help [topic]" for more information about that topic. The command 'cmd /S /C go --help' returned a non-zero code: 2 And the same with forcing process isolation. Also works 😄 PS E:\docker\build\unifyworkdir> docker build --isolation=process --no-cache . Sending build context to Docker daemon 10.1 MB Step 1/5 : FROM microsoft/nanoserver ---> 89b8556cb9ca Step 2/5 : WORKDIR c:\installer ---> f423b9cc3e78 Removing intermediate container 41330c88893d Step 3/5 : ENV GOROOT c:\installer ---> Running in 0b99a2d7bf19 ---> e051144bf8ec Removing intermediate container 0b99a2d7bf19 Step 4/5 : ADD go.exe . ---> 7072e32b7c37 Removing intermediate container a7a97aa37fd1 Step 5/5 : RUN go --help ---> Running in 7097438a54e5 Go is a tool for managing Go source code. Usage: go command [arguments] The commands are: build compile packages and dependencies clean remove object files doc show documentation for package or symbol env print Go environment information fix run go tool fix on packages fmt run gofmt on package sources generate generate Go files by processing source get download and install packages and dependencies install compile and install packages and dependencies list list packages run compile and run Go program test test packages tool run specified go tool version print Go version vet run go tool vet on packages Use "go help [command]" for more information about a command. Additional help topics: c calling between Go and C buildmode description of build modes filetype file types gopath GOPATH environment variable environment environment variables importpath import path syntax packages description of package lists testflag description of testing flags testfunc description of testing functions Use "go help [topic]" for more information about that topic. The command 'cmd /S /C go --help' returned a non-zero code: 2 PS E:\docker\build\unifyworkdir>
445 lines
13 KiB
Go
445 lines
13 KiB
Go
// +build linux freebsd solaris
|
|
|
|
package container
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/Sirupsen/logrus"
|
|
containertypes "github.com/docker/docker/api/types/container"
|
|
mounttypes "github.com/docker/docker/api/types/mount"
|
|
"github.com/docker/docker/pkg/chrootarchive"
|
|
"github.com/docker/docker/pkg/stringid"
|
|
"github.com/docker/docker/pkg/symlink"
|
|
"github.com/docker/docker/pkg/system"
|
|
"github.com/docker/docker/volume"
|
|
"github.com/opencontainers/runc/libcontainer/label"
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
|
|
const (
|
|
containerSecretMountPath = "/run/secrets"
|
|
)
|
|
|
|
// Container holds the fields specific to unixen implementations.
|
|
// See CommonContainer for standard fields common to all containers.
|
|
type Container struct {
|
|
CommonContainer
|
|
|
|
// Fields below here are platform specific.
|
|
AppArmorProfile string
|
|
HostnamePath string
|
|
HostsPath string
|
|
ShmPath string
|
|
ResolvConfPath string
|
|
SeccompProfile string
|
|
NoNewPrivileges bool
|
|
}
|
|
|
|
// ExitStatus provides exit reasons for a container.
|
|
type ExitStatus struct {
|
|
// The exit code with which the container exited.
|
|
ExitCode int
|
|
|
|
// Whether the container encountered an OOM.
|
|
OOMKilled bool
|
|
}
|
|
|
|
// CreateDaemonEnvironment returns the list of all environment variables given the list of
|
|
// environment variables related to links.
|
|
// Sets PATH, HOSTNAME and if container.Config.Tty is set: TERM.
|
|
// The defaults set here do not override the values in container.Config.Env
|
|
func (container *Container) CreateDaemonEnvironment(tty bool, linkedEnv []string) []string {
|
|
// Setup environment
|
|
env := []string{
|
|
"PATH=" + system.DefaultPathEnv,
|
|
"HOSTNAME=" + container.Config.Hostname,
|
|
}
|
|
if tty {
|
|
env = append(env, "TERM=xterm")
|
|
}
|
|
env = append(env, linkedEnv...)
|
|
// because the env on the container can override certain default values
|
|
// we need to replace the 'env' keys where they match and append anything
|
|
// else.
|
|
env = ReplaceOrAppendEnvValues(env, container.Config.Env)
|
|
return env
|
|
}
|
|
|
|
// TrySetNetworkMount attempts to set the network mounts given a provided destination and
|
|
// the path to use for it; return true if the given destination was a network mount file
|
|
func (container *Container) TrySetNetworkMount(destination string, path string) bool {
|
|
if destination == "/etc/resolv.conf" {
|
|
container.ResolvConfPath = path
|
|
return true
|
|
}
|
|
if destination == "/etc/hostname" {
|
|
container.HostnamePath = path
|
|
return true
|
|
}
|
|
if destination == "/etc/hosts" {
|
|
container.HostsPath = path
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// BuildHostnameFile writes the container's hostname file.
|
|
func (container *Container) BuildHostnameFile() error {
|
|
hostnamePath, err := container.GetRootResourcePath("hostname")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
container.HostnamePath = hostnamePath
|
|
return ioutil.WriteFile(container.HostnamePath, []byte(container.Config.Hostname+"\n"), 0644)
|
|
}
|
|
|
|
// NetworkMounts returns the list of network mounts.
|
|
func (container *Container) NetworkMounts() []Mount {
|
|
var mounts []Mount
|
|
shared := container.HostConfig.NetworkMode.IsContainer()
|
|
if container.ResolvConfPath != "" {
|
|
if _, err := os.Stat(container.ResolvConfPath); err != nil {
|
|
logrus.Warnf("ResolvConfPath set to %q, but can't stat this filename (err = %v); skipping", container.ResolvConfPath, err)
|
|
} else {
|
|
if !container.HasMountFor("/etc/resolv.conf") {
|
|
label.Relabel(container.ResolvConfPath, container.MountLabel, shared)
|
|
}
|
|
writable := !container.HostConfig.ReadonlyRootfs
|
|
if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
|
|
writable = m.RW
|
|
}
|
|
mounts = append(mounts, Mount{
|
|
Source: container.ResolvConfPath,
|
|
Destination: "/etc/resolv.conf",
|
|
Writable: writable,
|
|
Propagation: string(volume.DefaultPropagationMode),
|
|
})
|
|
}
|
|
}
|
|
if container.HostnamePath != "" {
|
|
if _, err := os.Stat(container.HostnamePath); err != nil {
|
|
logrus.Warnf("HostnamePath set to %q, but can't stat this filename (err = %v); skipping", container.HostnamePath, err)
|
|
} else {
|
|
if !container.HasMountFor("/etc/hostname") {
|
|
label.Relabel(container.HostnamePath, container.MountLabel, shared)
|
|
}
|
|
writable := !container.HostConfig.ReadonlyRootfs
|
|
if m, exists := container.MountPoints["/etc/hostname"]; exists {
|
|
writable = m.RW
|
|
}
|
|
mounts = append(mounts, Mount{
|
|
Source: container.HostnamePath,
|
|
Destination: "/etc/hostname",
|
|
Writable: writable,
|
|
Propagation: string(volume.DefaultPropagationMode),
|
|
})
|
|
}
|
|
}
|
|
if container.HostsPath != "" {
|
|
if _, err := os.Stat(container.HostsPath); err != nil {
|
|
logrus.Warnf("HostsPath set to %q, but can't stat this filename (err = %v); skipping", container.HostsPath, err)
|
|
} else {
|
|
if !container.HasMountFor("/etc/hosts") {
|
|
label.Relabel(container.HostsPath, container.MountLabel, shared)
|
|
}
|
|
writable := !container.HostConfig.ReadonlyRootfs
|
|
if m, exists := container.MountPoints["/etc/hosts"]; exists {
|
|
writable = m.RW
|
|
}
|
|
mounts = append(mounts, Mount{
|
|
Source: container.HostsPath,
|
|
Destination: "/etc/hosts",
|
|
Writable: writable,
|
|
Propagation: string(volume.DefaultPropagationMode),
|
|
})
|
|
}
|
|
}
|
|
return mounts
|
|
}
|
|
|
|
// SecretMountPath returns the path of the secret mount for the container
|
|
func (container *Container) SecretMountPath() string {
|
|
return filepath.Join(container.Root, "secrets")
|
|
}
|
|
|
|
// CopyImagePathContent copies files in destination to the volume.
|
|
func (container *Container) CopyImagePathContent(v volume.Volume, destination string) error {
|
|
rootfs, err := symlink.FollowSymlinkInScope(filepath.Join(container.BaseFS, destination), container.BaseFS)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if _, err = ioutil.ReadDir(rootfs); err != nil {
|
|
if os.IsNotExist(err) {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
id := stringid.GenerateNonCryptoID()
|
|
path, err := v.Mount(id)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
defer func() {
|
|
if err := v.Unmount(id); err != nil {
|
|
logrus.Warnf("error while unmounting volume %s: %v", v.Name(), err)
|
|
}
|
|
}()
|
|
if err := label.Relabel(path, container.MountLabel, true); err != nil && err != unix.ENOTSUP {
|
|
return err
|
|
}
|
|
return copyExistingContents(rootfs, path)
|
|
}
|
|
|
|
// ShmResourcePath returns path to shm
|
|
func (container *Container) ShmResourcePath() (string, error) {
|
|
return container.GetRootResourcePath("shm")
|
|
}
|
|
|
|
// HasMountFor checks if path is a mountpoint
|
|
func (container *Container) HasMountFor(path string) bool {
|
|
_, exists := container.MountPoints[path]
|
|
return exists
|
|
}
|
|
|
|
// UnmountIpcMounts uses the provided unmount function to unmount shm and mqueue if they were mounted
|
|
func (container *Container) UnmountIpcMounts(unmount func(pth string) error) {
|
|
if container.HostConfig.IpcMode.IsContainer() || container.HostConfig.IpcMode.IsHost() {
|
|
return
|
|
}
|
|
|
|
var warnings []string
|
|
|
|
if !container.HasMountFor("/dev/shm") {
|
|
shmPath, err := container.ShmResourcePath()
|
|
if err != nil {
|
|
logrus.Error(err)
|
|
warnings = append(warnings, err.Error())
|
|
} else if shmPath != "" {
|
|
if err := unmount(shmPath); err != nil && !os.IsNotExist(err) {
|
|
warnings = append(warnings, fmt.Sprintf("failed to umount %s: %v", shmPath, err))
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
if len(warnings) > 0 {
|
|
logrus.Warnf("failed to cleanup ipc mounts:\n%v", strings.Join(warnings, "\n"))
|
|
}
|
|
}
|
|
|
|
// IpcMounts returns the list of IPC mounts
|
|
func (container *Container) IpcMounts() []Mount {
|
|
var mounts []Mount
|
|
|
|
if !container.HasMountFor("/dev/shm") {
|
|
label.SetFileLabel(container.ShmPath, container.MountLabel)
|
|
mounts = append(mounts, Mount{
|
|
Source: container.ShmPath,
|
|
Destination: "/dev/shm",
|
|
Writable: true,
|
|
Propagation: string(volume.DefaultPropagationMode),
|
|
})
|
|
}
|
|
|
|
return mounts
|
|
}
|
|
|
|
// SecretMount returns the mount for the secret path
|
|
func (container *Container) SecretMount() *Mount {
|
|
if len(container.SecretReferences) > 0 {
|
|
return &Mount{
|
|
Source: container.SecretMountPath(),
|
|
Destination: containerSecretMountPath,
|
|
Writable: false,
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// UnmountSecrets unmounts the local tmpfs for secrets
|
|
func (container *Container) UnmountSecrets() error {
|
|
if _, err := os.Stat(container.SecretMountPath()); err != nil {
|
|
if os.IsNotExist(err) {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
return detachMounted(container.SecretMountPath())
|
|
}
|
|
|
|
// UpdateContainer updates configuration of a container.
|
|
func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error {
|
|
container.Lock()
|
|
defer container.Unlock()
|
|
|
|
// update resources of container
|
|
resources := hostConfig.Resources
|
|
cResources := &container.HostConfig.Resources
|
|
if resources.BlkioWeight != 0 {
|
|
cResources.BlkioWeight = resources.BlkioWeight
|
|
}
|
|
if resources.CPUShares != 0 {
|
|
cResources.CPUShares = resources.CPUShares
|
|
}
|
|
if resources.CPUPeriod != 0 {
|
|
cResources.CPUPeriod = resources.CPUPeriod
|
|
}
|
|
if resources.CPUQuota != 0 {
|
|
cResources.CPUQuota = resources.CPUQuota
|
|
}
|
|
if resources.CpusetCpus != "" {
|
|
cResources.CpusetCpus = resources.CpusetCpus
|
|
}
|
|
if resources.CpusetMems != "" {
|
|
cResources.CpusetMems = resources.CpusetMems
|
|
}
|
|
if resources.Memory != 0 {
|
|
// if memory limit smaller than already set memoryswap limit and doesn't
|
|
// update the memoryswap limit, then error out.
|
|
if resources.Memory > cResources.MemorySwap && resources.MemorySwap == 0 {
|
|
return fmt.Errorf("Memory limit should be smaller than already set memoryswap limit, update the memoryswap at the same time")
|
|
}
|
|
cResources.Memory = resources.Memory
|
|
}
|
|
if resources.MemorySwap != 0 {
|
|
cResources.MemorySwap = resources.MemorySwap
|
|
}
|
|
if resources.MemoryReservation != 0 {
|
|
cResources.MemoryReservation = resources.MemoryReservation
|
|
}
|
|
if resources.KernelMemory != 0 {
|
|
cResources.KernelMemory = resources.KernelMemory
|
|
}
|
|
|
|
// update HostConfig of container
|
|
if hostConfig.RestartPolicy.Name != "" {
|
|
if container.HostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() {
|
|
return fmt.Errorf("Restart policy cannot be updated because AutoRemove is enabled for the container")
|
|
}
|
|
container.HostConfig.RestartPolicy = hostConfig.RestartPolicy
|
|
}
|
|
|
|
if err := container.ToDisk(); err != nil {
|
|
logrus.Errorf("Error saving updated container: %v", err)
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// DetachAndUnmount uses a detached mount on all mount destinations, then
|
|
// unmounts each volume normally.
|
|
// This is used from daemon/archive for `docker cp`
|
|
func (container *Container) DetachAndUnmount(volumeEventLog func(name, action string, attributes map[string]string)) error {
|
|
networkMounts := container.NetworkMounts()
|
|
mountPaths := make([]string, 0, len(container.MountPoints)+len(networkMounts))
|
|
|
|
for _, mntPoint := range container.MountPoints {
|
|
dest, err := container.GetResourcePath(mntPoint.Destination)
|
|
if err != nil {
|
|
logrus.Warnf("Failed to get volume destination path for container '%s' at '%s' while lazily unmounting: %v", container.ID, mntPoint.Destination, err)
|
|
continue
|
|
}
|
|
mountPaths = append(mountPaths, dest)
|
|
}
|
|
|
|
for _, m := range networkMounts {
|
|
dest, err := container.GetResourcePath(m.Destination)
|
|
if err != nil {
|
|
logrus.Warnf("Failed to get volume destination path for container '%s' at '%s' while lazily unmounting: %v", container.ID, m.Destination, err)
|
|
continue
|
|
}
|
|
mountPaths = append(mountPaths, dest)
|
|
}
|
|
|
|
for _, mountPath := range mountPaths {
|
|
if err := detachMounted(mountPath); err != nil {
|
|
logrus.Warnf("%s unmountVolumes: Failed to do lazy umount fo volume '%s': %v", container.ID, mountPath, err)
|
|
}
|
|
}
|
|
return container.UnmountVolumes(volumeEventLog)
|
|
}
|
|
|
|
// copyExistingContents copies from the source to the destination and
|
|
// ensures the ownership is appropriately set.
|
|
func copyExistingContents(source, destination string) error {
|
|
volList, err := ioutil.ReadDir(source)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(volList) > 0 {
|
|
srcList, err := ioutil.ReadDir(destination)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(srcList) == 0 {
|
|
// If the source volume is empty, copies files from the root into the volume
|
|
if err := chrootarchive.CopyWithTar(source, destination); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
return copyOwnership(source, destination)
|
|
}
|
|
|
|
// copyOwnership copies the permissions and uid:gid of the source file
|
|
// to the destination file
|
|
func copyOwnership(source, destination string) error {
|
|
stat, err := system.Stat(source)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := os.Chown(destination, int(stat.UID()), int(stat.GID())); err != nil {
|
|
return err
|
|
}
|
|
|
|
return os.Chmod(destination, os.FileMode(stat.Mode()))
|
|
}
|
|
|
|
// TmpfsMounts returns the list of tmpfs mounts
|
|
func (container *Container) TmpfsMounts() ([]Mount, error) {
|
|
var mounts []Mount
|
|
for dest, data := range container.HostConfig.Tmpfs {
|
|
mounts = append(mounts, Mount{
|
|
Source: "tmpfs",
|
|
Destination: dest,
|
|
Data: data,
|
|
})
|
|
}
|
|
for dest, mnt := range container.MountPoints {
|
|
if mnt.Type == mounttypes.TypeTmpfs {
|
|
data, err := volume.ConvertTmpfsOptions(mnt.Spec.TmpfsOptions, mnt.Spec.ReadOnly)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
mounts = append(mounts, Mount{
|
|
Source: "tmpfs",
|
|
Destination: dest,
|
|
Data: data,
|
|
})
|
|
}
|
|
}
|
|
return mounts, nil
|
|
}
|
|
|
|
// cleanResourcePath cleans a resource path and prepares to combine with mnt path
|
|
func cleanResourcePath(path string) string {
|
|
return filepath.Join(string(os.PathSeparator), path)
|
|
}
|
|
|
|
// EnableServiceDiscoveryOnDefaultNetwork Enable service discovery on default network
|
|
func (container *Container) EnableServiceDiscoveryOnDefaultNetwork() bool {
|
|
return false
|
|
}
|