daemon.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468
  1. package main
  2. import (
  3. "crypto/tls"
  4. "fmt"
  5. "io"
  6. "os"
  7. "path/filepath"
  8. "strings"
  9. "time"
  10. "github.com/Sirupsen/logrus"
  11. "github.com/docker/distribution/uuid"
  12. "github.com/docker/docker/api"
  13. apiserver "github.com/docker/docker/api/server"
  14. "github.com/docker/docker/api/server/middleware"
  15. "github.com/docker/docker/api/server/router"
  16. "github.com/docker/docker/api/server/router/build"
  17. "github.com/docker/docker/api/server/router/container"
  18. "github.com/docker/docker/api/server/router/image"
  19. "github.com/docker/docker/api/server/router/network"
  20. swarmrouter "github.com/docker/docker/api/server/router/swarm"
  21. systemrouter "github.com/docker/docker/api/server/router/system"
  22. "github.com/docker/docker/api/server/router/volume"
  23. "github.com/docker/docker/builder/dockerfile"
  24. cliflags "github.com/docker/docker/cli/flags"
  25. "github.com/docker/docker/cliconfig"
  26. "github.com/docker/docker/daemon"
  27. "github.com/docker/docker/daemon/cluster"
  28. "github.com/docker/docker/daemon/logger"
  29. "github.com/docker/docker/dockerversion"
  30. "github.com/docker/docker/libcontainerd"
  31. dopts "github.com/docker/docker/opts"
  32. "github.com/docker/docker/pkg/authorization"
  33. "github.com/docker/docker/pkg/jsonlog"
  34. "github.com/docker/docker/pkg/listeners"
  35. "github.com/docker/docker/pkg/pidfile"
  36. "github.com/docker/docker/pkg/signal"
  37. "github.com/docker/docker/pkg/system"
  38. "github.com/docker/docker/registry"
  39. "github.com/docker/docker/runconfig"
  40. "github.com/docker/docker/utils"
  41. "github.com/docker/go-connections/tlsconfig"
  42. "github.com/spf13/pflag"
  43. )
  44. const (
  45. flagDaemonConfigFile = "config-file"
  46. )
  47. // DaemonCli represents the daemon CLI.
  48. type DaemonCli struct {
  49. *daemon.Config
  50. configFile *string
  51. flags *pflag.FlagSet
  52. api *apiserver.Server
  53. d *daemon.Daemon
  54. authzMiddleware *authorization.Middleware // authzMiddleware enables to dynamically reload the authorization plugins
  55. }
  56. // NewDaemonCli returns a daemon CLI
  57. func NewDaemonCli() *DaemonCli {
  58. return &DaemonCli{}
  59. }
  60. func migrateKey() (err error) {
  61. // Migrate trust key if exists at ~/.docker/key.json and owned by current user
  62. oldPath := filepath.Join(cliconfig.ConfigDir(), cliflags.DefaultTrustKeyFile)
  63. newPath := filepath.Join(getDaemonConfDir(), cliflags.DefaultTrustKeyFile)
  64. if _, statErr := os.Stat(newPath); os.IsNotExist(statErr) && currentUserIsOwner(oldPath) {
  65. defer func() {
  66. // Ensure old path is removed if no error occurred
  67. if err == nil {
  68. err = os.Remove(oldPath)
  69. } else {
  70. logrus.Warnf("Key migration failed, key file not removed at %s", oldPath)
  71. os.Remove(newPath)
  72. }
  73. }()
  74. if err := system.MkdirAll(getDaemonConfDir(), os.FileMode(0644)); err != nil {
  75. return fmt.Errorf("Unable to create daemon configuration directory: %s", err)
  76. }
  77. newFile, err := os.OpenFile(newPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
  78. if err != nil {
  79. return fmt.Errorf("error creating key file %q: %s", newPath, err)
  80. }
  81. defer newFile.Close()
  82. oldFile, err := os.Open(oldPath)
  83. if err != nil {
  84. return fmt.Errorf("error opening key file %q: %s", oldPath, err)
  85. }
  86. defer oldFile.Close()
  87. if _, err := io.Copy(newFile, oldFile); err != nil {
  88. return fmt.Errorf("error copying key: %s", err)
  89. }
  90. logrus.Infof("Migrated key from %s to %s", oldPath, newPath)
  91. }
  92. return nil
  93. }
  94. func (cli *DaemonCli) start(opts daemonOptions) (err error) {
  95. stopc := make(chan bool)
  96. defer close(stopc)
  97. // warn from uuid package when running the daemon
  98. uuid.Loggerf = logrus.Warnf
  99. opts.common.SetDefaultOptions(opts.flags)
  100. if opts.common.TrustKey == "" {
  101. opts.common.TrustKey = filepath.Join(
  102. getDaemonConfDir(),
  103. cliflags.DefaultTrustKeyFile)
  104. }
  105. if cli.Config, err = loadDaemonCliConfig(opts); err != nil {
  106. return err
  107. }
  108. cli.configFile = &opts.configFile
  109. cli.flags = opts.flags
  110. if cli.Config.Debug {
  111. utils.EnableDebug()
  112. }
  113. if utils.ExperimentalBuild() {
  114. logrus.Warn("Running experimental build")
  115. }
  116. logrus.SetFormatter(&logrus.TextFormatter{
  117. TimestampFormat: jsonlog.RFC3339NanoFixed,
  118. DisableColors: cli.Config.RawLogs,
  119. })
  120. if err := setDefaultUmask(); err != nil {
  121. return fmt.Errorf("Failed to set umask: %v", err)
  122. }
  123. if len(cli.LogConfig.Config) > 0 {
  124. if err := logger.ValidateLogOpts(cli.LogConfig.Type, cli.LogConfig.Config); err != nil {
  125. return fmt.Errorf("Failed to set log opts: %v", err)
  126. }
  127. }
  128. if cli.Pidfile != "" {
  129. pf, err := pidfile.New(cli.Pidfile)
  130. if err != nil {
  131. return fmt.Errorf("Error starting daemon: %v", err)
  132. }
  133. defer func() {
  134. if err := pf.Remove(); err != nil {
  135. logrus.Error(err)
  136. }
  137. }()
  138. }
  139. serverConfig := &apiserver.Config{
  140. Logging: true,
  141. SocketGroup: cli.Config.SocketGroup,
  142. Version: dockerversion.Version,
  143. EnableCors: cli.Config.EnableCors,
  144. CorsHeaders: cli.Config.CorsHeaders,
  145. }
  146. if cli.Config.TLS {
  147. tlsOptions := tlsconfig.Options{
  148. CAFile: cli.Config.CommonTLSOptions.CAFile,
  149. CertFile: cli.Config.CommonTLSOptions.CertFile,
  150. KeyFile: cli.Config.CommonTLSOptions.KeyFile,
  151. }
  152. if cli.Config.TLSVerify {
  153. // server requires and verifies client's certificate
  154. tlsOptions.ClientAuth = tls.RequireAndVerifyClientCert
  155. }
  156. tlsConfig, err := tlsconfig.Server(tlsOptions)
  157. if err != nil {
  158. return err
  159. }
  160. serverConfig.TLSConfig = tlsConfig
  161. }
  162. if len(cli.Config.Hosts) == 0 {
  163. cli.Config.Hosts = make([]string, 1)
  164. }
  165. api := apiserver.New(serverConfig)
  166. cli.api = api
  167. for i := 0; i < len(cli.Config.Hosts); i++ {
  168. var err error
  169. if cli.Config.Hosts[i], err = dopts.ParseHost(cli.Config.TLS, cli.Config.Hosts[i]); err != nil {
  170. return fmt.Errorf("error parsing -H %s : %v", cli.Config.Hosts[i], err)
  171. }
  172. protoAddr := cli.Config.Hosts[i]
  173. protoAddrParts := strings.SplitN(protoAddr, "://", 2)
  174. if len(protoAddrParts) != 2 {
  175. return fmt.Errorf("bad format %s, expected PROTO://ADDR", protoAddr)
  176. }
  177. proto := protoAddrParts[0]
  178. addr := protoAddrParts[1]
  179. // It's a bad idea to bind to TCP without tlsverify.
  180. if proto == "tcp" && (serverConfig.TLSConfig == nil || serverConfig.TLSConfig.ClientAuth != tls.RequireAndVerifyClientCert) {
  181. logrus.Warn("[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]")
  182. }
  183. ls, err := listeners.Init(proto, addr, serverConfig.SocketGroup, serverConfig.TLSConfig)
  184. if err != nil {
  185. return err
  186. }
  187. ls = wrapListeners(proto, ls)
  188. // If we're binding to a TCP port, make sure that a container doesn't try to use it.
  189. if proto == "tcp" {
  190. if err := allocateDaemonPort(addr); err != nil {
  191. return err
  192. }
  193. }
  194. logrus.Debugf("Listener created for HTTP on %s (%s)", proto, addr)
  195. api.Accept(addr, ls...)
  196. }
  197. if err := migrateKey(); err != nil {
  198. return err
  199. }
  200. // FIXME: why is this down here instead of with the other TrustKey logic above?
  201. cli.TrustKeyPath = opts.common.TrustKey
  202. registryService := registry.NewService(cli.Config.ServiceOptions)
  203. containerdRemote, err := libcontainerd.New(cli.getLibcontainerdRoot(), cli.getPlatformRemoteOptions()...)
  204. if err != nil {
  205. return err
  206. }
  207. signal.Trap(func() {
  208. cli.stop()
  209. <-stopc // wait for daemonCli.start() to return
  210. })
  211. d, err := daemon.NewDaemon(cli.Config, registryService, containerdRemote)
  212. if err != nil {
  213. return fmt.Errorf("Error starting daemon: %v", err)
  214. }
  215. name, _ := os.Hostname()
  216. c, err := cluster.New(cluster.Config{
  217. Root: cli.Config.Root,
  218. Name: name,
  219. Backend: d,
  220. NetworkSubnetsProvider: d,
  221. DefaultAdvertiseAddr: cli.Config.SwarmDefaultAdvertiseAddr,
  222. RuntimeRoot: cli.getSwarmRunRoot(),
  223. })
  224. if err != nil {
  225. logrus.Fatalf("Error creating cluster component: %v", err)
  226. }
  227. // Restart all autostart containers which has a swarm endpoint
  228. // and is not yet running now that we have successfully
  229. // initialized the cluster.
  230. d.RestartSwarmContainers()
  231. logrus.Info("Daemon has completed initialization")
  232. logrus.WithFields(logrus.Fields{
  233. "version": dockerversion.Version,
  234. "commit": dockerversion.GitCommit,
  235. "graphdriver": d.GraphDriverName(),
  236. }).Info("Docker daemon")
  237. cli.d = d
  238. // initMiddlewares needs cli.d to be populated. Dont change this init order.
  239. cli.initMiddlewares(api, serverConfig)
  240. initRouter(api, d, c)
  241. cli.setupConfigReloadTrap()
  242. // The serve API routine never exits unless an error occurs
  243. // We need to start it as a goroutine and wait on it so
  244. // daemon doesn't exit
  245. serveAPIWait := make(chan error)
  246. go api.Wait(serveAPIWait)
  247. // after the daemon is done setting up we can notify systemd api
  248. notifySystem()
  249. // Daemon is fully initialized and handling API traffic
  250. // Wait for serve API to complete
  251. errAPI := <-serveAPIWait
  252. c.Cleanup()
  253. shutdownDaemon(d)
  254. containerdRemote.Cleanup()
  255. if errAPI != nil {
  256. return fmt.Errorf("Shutting down due to ServeAPI error: %v", errAPI)
  257. }
  258. return nil
  259. }
  260. func (cli *DaemonCli) reloadConfig() {
  261. reload := func(config *daemon.Config) {
  262. // Reload the authorization plugin
  263. cli.authzMiddleware.SetPlugins(config.AuthorizationPlugins)
  264. if err := cli.d.Reload(config); err != nil {
  265. logrus.Errorf("Error reconfiguring the daemon: %v", err)
  266. return
  267. }
  268. if config.IsValueSet("debug") {
  269. debugEnabled := utils.IsDebugEnabled()
  270. switch {
  271. case debugEnabled && !config.Debug: // disable debug
  272. utils.DisableDebug()
  273. cli.api.DisableProfiler()
  274. case config.Debug && !debugEnabled: // enable debug
  275. utils.EnableDebug()
  276. cli.api.EnableProfiler()
  277. }
  278. }
  279. }
  280. if err := daemon.ReloadConfiguration(*cli.configFile, cli.flags, reload); err != nil {
  281. logrus.Error(err)
  282. }
  283. }
  284. func (cli *DaemonCli) stop() {
  285. cli.api.Close()
  286. }
  287. // shutdownDaemon just wraps daemon.Shutdown() to handle a timeout in case
  288. // d.Shutdown() is waiting too long to kill container or worst it's
  289. // blocked there
  290. func shutdownDaemon(d *daemon.Daemon) {
  291. shutdownTimeout := d.ShutdownTimeout()
  292. ch := make(chan struct{})
  293. go func() {
  294. d.Shutdown()
  295. close(ch)
  296. }()
  297. if shutdownTimeout < 0 {
  298. <-ch
  299. logrus.Debug("Clean shutdown succeeded")
  300. return
  301. }
  302. select {
  303. case <-ch:
  304. logrus.Debug("Clean shutdown succeeded")
  305. case <-time.After(time.Duration(shutdownTimeout) * time.Second):
  306. logrus.Error("Force shutdown daemon")
  307. }
  308. }
  309. func loadDaemonCliConfig(opts daemonOptions) (*daemon.Config, error) {
  310. config := opts.daemonConfig
  311. flags := opts.flags
  312. config.Debug = opts.common.Debug
  313. config.Hosts = opts.common.Hosts
  314. config.LogLevel = opts.common.LogLevel
  315. config.TLS = opts.common.TLS
  316. config.TLSVerify = opts.common.TLSVerify
  317. config.CommonTLSOptions = daemon.CommonTLSOptions{}
  318. if opts.common.TLSOptions != nil {
  319. config.CommonTLSOptions.CAFile = opts.common.TLSOptions.CAFile
  320. config.CommonTLSOptions.CertFile = opts.common.TLSOptions.CertFile
  321. config.CommonTLSOptions.KeyFile = opts.common.TLSOptions.KeyFile
  322. }
  323. if opts.configFile != "" {
  324. c, err := daemon.MergeDaemonConfigurations(config, flags, opts.configFile)
  325. if err != nil {
  326. if flags.Changed(flagDaemonConfigFile) || !os.IsNotExist(err) {
  327. return nil, fmt.Errorf("unable to configure the Docker daemon with file %s: %v\n", opts.configFile, err)
  328. }
  329. }
  330. // the merged configuration can be nil if the config file didn't exist.
  331. // leave the current configuration as it is if when that happens.
  332. if c != nil {
  333. config = c
  334. }
  335. }
  336. if err := daemon.ValidateConfiguration(config); err != nil {
  337. return nil, err
  338. }
  339. // Labels of the docker engine used to allow multiple values associated with the same key.
  340. // This is deprecated in 1.13, and, be removed after 3 release cycles.
  341. // The following will check the conflict of labels, and report a warning for deprecation.
  342. //
  343. // TODO: After 3 release cycles (1.16) an error will be returned, and labels will be
  344. // sanitized to consolidate duplicate key-value pairs (config.Labels = newLabels):
  345. //
  346. // newLabels, err := daemon.GetConflictFreeLabels(config.Labels)
  347. // if err != nil {
  348. // return nil, err
  349. // }
  350. // config.Labels = newLabels
  351. //
  352. if _, err := daemon.GetConflictFreeLabels(config.Labels); err != nil {
  353. logrus.Warnf("Engine labels with duplicate keys and conflicting values have been deprecated: %s", err)
  354. }
  355. // Regardless of whether the user sets it to true or false, if they
  356. // specify TLSVerify at all then we need to turn on TLS
  357. if config.IsValueSet(cliflags.FlagTLSVerify) {
  358. config.TLS = true
  359. }
  360. // ensure that the log level is the one set after merging configurations
  361. cliflags.SetLogLevel(config.LogLevel)
  362. return config, nil
  363. }
  364. func initRouter(s *apiserver.Server, d *daemon.Daemon, c *cluster.Cluster) {
  365. decoder := runconfig.ContainerDecoder{}
  366. routers := []router.Router{}
  367. // we need to add the checkpoint router before the container router or the DELETE gets masked
  368. routers = addExperimentalRouters(routers, d, decoder)
  369. routers = append(routers, []router.Router{
  370. container.NewRouter(d, decoder),
  371. image.NewRouter(d, decoder),
  372. systemrouter.NewRouter(d, c),
  373. volume.NewRouter(d),
  374. build.NewRouter(dockerfile.NewBuildManager(d)),
  375. swarmrouter.NewRouter(c),
  376. }...)
  377. if d.NetworkControllerEnabled() {
  378. routers = append(routers, network.NewRouter(d, c))
  379. }
  380. s.InitRouter(utils.IsDebugEnabled(), routers...)
  381. }
  382. func (cli *DaemonCli) initMiddlewares(s *apiserver.Server, cfg *apiserver.Config) {
  383. v := cfg.Version
  384. vm := middleware.NewVersionMiddleware(v, api.DefaultVersion, api.MinVersion)
  385. s.UseMiddleware(vm)
  386. if cfg.EnableCors {
  387. c := middleware.NewCORSMiddleware(cfg.CorsHeaders)
  388. s.UseMiddleware(c)
  389. }
  390. u := middleware.NewUserAgentMiddleware(v)
  391. s.UseMiddleware(u)
  392. cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins, cli.d.PluginStore)
  393. s.UseMiddleware(cli.authzMiddleware)
  394. }