beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
moby/daemon/reload.go

300 lines
11 KiB
Go
Raw Permalink Normal View History

Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 21:05:59 +00:00
package daemon // import "github.com/docker/docker/daemon"
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
import (
Switch all logging to use containerd log pkg This unifies our logging and allows us to propagate logging and trace contexts together. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-23 00:33:17 +00:00
"context"
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
"encoding/json"
"fmt"
daemon/config: remove uses of pointers for ints Use the default (0) value to indicate "not set", which simplifies working with these configuration options, preventing the need to use intermediate variables etc. While changing this code, also making some small cleanups, such as replacing "fmt.Sprintf()" for "strconv" variants. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-24 20:59:54 +00:00
"strconv"
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
migrate to github.com/containerd/log v0.1.0 The github.com/containerd/containerd/log package was moved to a separate module, which will also be used by upcoming (patch) releases of containerd. This patch moves our own uses of the package to use the new module. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-13 15:41:45 +00:00
"github.com/containerd/log"
api/types/events: define "Action" type and consts Define consts for the Actions we use for events, instead of "ad-hoc" strings. Having these consts makes it easier to find where specific events are triggered, makes the events less error-prone, and allows documenting each Action (if needed). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-26 13:24:46 +00:00
"github.com/docker/docker/api/types/events"
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
"github.com/hashicorp/go-multierror"
"github.com/mitchellh/copystructure"
"github.com/docker/docker/daemon/config"
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
)
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
// reloadTxn is used to defer side effects of a config reload.
type reloadTxn struct {
onCommit, onRollback []func() error
}
// OnCommit defers a function to be called when a config reload is being finalized.
// The error returned from cb is purely informational.
func (tx *reloadTxn) OnCommit(cb func() error) {
tx.onCommit = append(tx.onCommit, cb)
}
// OnRollback defers a function to be called when a config reload is aborted.
// The error returned from cb is purely informational.
func (tx *reloadTxn) OnRollback(cb func() error) {
tx.onCommit = append(tx.onRollback, cb)
}
func (tx *reloadTxn) run(cbs []func() error) error {
tx.onCommit = nil
tx.onRollback = nil
var res *multierror.Error
for _, cb := range cbs {
res = multierror.Append(res, cb())
}
return res.ErrorOrNil()
}
// Commit calls all functions registered with OnCommit.
// Any errors returned by the functions are collated into a
// *github.com/hashicorp/go-multierror.Error value.
func (tx *reloadTxn) Commit() error {
return tx.run(tx.onCommit)
}
// Rollback calls all functions registered with OnRollback.
// Any errors returned by the functions are collated into a
// *github.com/hashicorp/go-multierror.Error value.
func (tx *reloadTxn) Rollback() error {
return tx.run(tx.onRollback)
}
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
// Reload modifies the live daemon configuration from conf.
// conf is assumed to be a validated configuration.
//
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// These are the settings that Reload changes:
// - Platform runtime
// - Daemon debug log level
// - Daemon max concurrent downloads
// - Daemon max concurrent uploads
Adding ability to change max download attempts Moby works perfectly when you are in a situation when one has a good and stable internet connection. Operating in area's where internet connectivity is likely to be lost in undetermined intervals, like a satellite connection or 4G/LTE in rural area's, can become a problem when pulling a new image. When connection is lost while image layers are being pulled, Moby will try to reconnect up to 5 times. If this fails, the incompletely downloaded layers are lost will need to be completely downloaded again during the next pull request. This means that we are using more data than we might have to. Pulling a layer multiple times from the start can become costly over a satellite or 4G/LTE connection. As these techniques (especially 4G) quite common in IoT and Moby is used to run Azure IoT Edge devices, I would like to add a settable maximum download attempts. The maximum download attempts is currently set at 5 (distribution/xfer/download.go). I would like to change this constant to a variable that the user can set. The default will still be 5, so nothing will change from the current version unless specified when starting the daemon with the added flag or in the config file. I added a default value of 5 for DefaultMaxDownloadAttempts and a settable max-download-attempts in the daemon config file. It is also added to the config of dockerd so it can be set with a flag when starting the daemon. This value gets stored in the imageService of the daemon when it is initiated and can be passed to the NewLayerDownloadManager as a parameter. It will be stored in the LayerDownloadManager when initiated. This enables us to set the max amount of retries in makeDownoadFunc equal to the max download attempts. I also added some tests that are based on maxConcurrentDownloads/maxConcurrentUploads. You can pull this version and test in a development container. Either create a config `file /etc/docker/daemon.json` with `{"max-download-attempts"=3}``, or use `dockerd --max-download-attempts=3 -D &` to start up the dockerd. Start downloading a container and disconnect from the internet whilst downloading. The result would be that it stops pulling after three attempts. Signed-off-by: Lukas Heeren <lukas-heeren@hotmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-06-25 13:26:36 +00:00
// - Daemon max download attempts
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// - Daemon shutdown timeout (in seconds)
// - Cluster discovery (reconfigure and restart)
// - Daemon labels
// - Insecure registries
// - Registry mirrors
// - Daemon live restore
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
func (daemon *Daemon) Reload(conf *config.Config) error {
daemon.configReload.Lock()
defer daemon.configReload.Unlock()
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
copied, err := copystructure.Copy(daemon.config().Config)
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
if err != nil {
return err
}
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
newCfg := &configStore{
Config: copied.(config.Config),
}
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes := map[string]string{}
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
// Ideally reloading should be transactional: the reload either completes
// successfully, or the daemon config and state are left untouched. We use a
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
// two-phase commit protocol to achieve this. Any fallible reload operation is
// split into two phases. The first phase performs all the fallible operations
// and mutates the newCfg copy. The second phase atomically swaps newCfg into
// the live daemon configuration and executes any commit functions the first
// phase registered to apply the side effects. If any first-phase returns an
// error, the reload transaction is rolled back by discarding newCfg and
// executing any registered rollback functions.
var txn reloadTxn
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
for _, reload := range []func(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error{
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
daemon.reloadPlatform,
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
daemon.reloadDebug,
daemon.reloadMaxConcurrentDownloadsAndUploads,
daemon.reloadMaxDownloadAttempts,
daemon.reloadShutdownTimeout,
daemon.reloadFeatures,
daemon.reloadLabels,
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
daemon.reloadRegistryConfig,
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
daemon.reloadLiveRestore,
daemon.reloadNetworkDiagnosticPort,
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
} {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
if err := reload(&txn, newCfg, conf, attributes); err != nil {
if rollbackErr := txn.Rollback(); rollbackErr != nil {
return multierror.Append(nil, err, rollbackErr)
}
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
return err
}
Implement none, private, and shareable ipc modes Since the commit d88fe447df0e8 ("Add support for sharing /dev/shm/ and /dev/mqueue between containers") container's /dev/shm is mounted on the host first, then bind-mounted inside the container. This is done that way in order to be able to share this container's IPC namespace (and the /dev/shm mount point) with another container. Unfortunately, this functionality breaks container checkpoint/restore (even if IPC is not shared). Since /dev/shm is an external mount, its contents is not saved by `criu checkpoint`, and so upon restore any application that tries to access data under /dev/shm is severily disappointed (which usually results in a fatal crash). This commit solves the issue by introducing new IPC modes for containers (in addition to 'host' and 'container:ID'). The new modes are: - 'shareable': enables sharing this container's IPC with others (this used to be the implicit default); - 'private': disables sharing this container's IPC. In 'private' mode, container's /dev/shm is truly mounted inside the container, without any bind-mounting from the host, which solves the issue. While at it, let's also implement 'none' mode. The motivation, as eloquently put by Justin Cormack, is: > I wondered a while back about having a none shm mode, as currently it is > not possible to have a totally unwriteable container as there is always > a /dev/shm writeable mount. It is a bit of a niche case (and clearly > should never be allowed to be daemon default) but it would be trivial to > add now so maybe we should... ...so here's yet yet another mode: - 'none': no /dev/shm mount inside the container (though it still has its own private IPC namespace). Now, to ultimately solve the abovementioned checkpoint/restore issue, we'd need to make 'private' the default mode, but unfortunately it breaks the backward compatibility. So, let's make the default container IPC mode per-daemon configurable (with the built-in default set to 'shareable' for now). The default can be changed either via a daemon CLI option (--default-shm-mode) or a daemon.json configuration file parameter of the same name. Note one can only set either 'shareable' or 'private' IPC modes as a daemon default (i.e. in this context 'host', 'container', or 'none' do not make much sense). Some other changes this patch introduces are: 1. A mount for /dev/shm is added to default OCI Linux spec. 2. IpcMode.Valid() is simplified to remove duplicated code that parsed 'container:ID' form. Note the old version used to check that ID does not contain a semicolon -- this is no longer the case (tests are modified accordingly). The motivation is we should either do a proper check for container ID validity, or don't check it at all (since it is checked in other places anyway). I chose the latter. 3. IpcMode.Container() is modified to not return container ID if the mode value does not start with "container:", unifying the check to be the same as in IpcMode.IsContainer(). 3. IPC mode unit tests (runconfig/hostconfig_test.go) are modified to add checks for newly added values. [v2: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-51345997] [v3: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-53902833] [v4: addressed the case of upgrading from older daemon, in this case container.HostConfig.IpcMode is unset and this is valid] [v5: document old and new IpcMode values in api/swagger.yaml] [v6: add the 'none' mode, changelog entry to docs/api/version-history.md] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-06-27 21:58:50 +00:00
}
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
jsonString, _ := json.Marshal(&struct {
*config.Config
config.Proxies `json:"proxies"`
}{
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
Config: &newCfg.Config,
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
Proxies: config.Proxies{
HTTPProxy: config.MaskCredentials(newCfg.HTTPProxy),
HTTPSProxy: config.MaskCredentials(newCfg.HTTPSProxy),
NoProxy: config.MaskCredentials(newCfg.NoProxy),
},
})
Switch all logging to use containerd log pkg This unifies our logging and allows us to propagate logging and trace contexts together. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-23 00:33:17 +00:00
log.G(context.TODO()).Infof("Reloaded configuration: %s", jsonString)
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
daemon.configStore.Store(newCfg)
api/types/events: define "Action" type and consts Define consts for the Actions we use for events, instead of "ad-hoc" strings. Having these consts makes it easier to find where specific events are triggered, makes the events less error-prone, and allows documenting each Action (if needed). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-26 13:24:46 +00:00
daemon.LogDaemonEventWithAttributes(events.ActionReload, attributes)
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
return txn.Commit()
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
}
func marshalAttributeSlice(v []string) string {
if v == nil {
return "[]"
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
b, err := json.Marshal(v)
if err != nil {
panic(err) // Should never happen as the input type is fixed.
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
return string(b)
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
// reloadDebug updates configuration with Debug option
// and updates the passed attributes
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadDebug(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// update corresponding configuration
if conf.IsValueSet("debug") {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.Debug = conf.Debug
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
// prepare reload event attributes with updatable configurations
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes["debug"] = strconv.FormatBool(newCfg.Debug)
return nil
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
Spelling fixes * additional * ambiguous * anonymous * anything * application * because * before * building * capabilities * circumstances * commit * committer * compresses * concatenated * config * container * container's * current * definition * delimiter * disassociates * discovery * distributed * doesnotexist * downloads * duplicates * either * enhancing * enumerate * escapable * exactly * expect * expectations * expected * explicitly * false * filesystem * following * forbidden * git with * healthcheck * ignore * independent * inheritance * investigating * irrelevant * it * logging * looking * membership * mimic * minimum * modify * mountpoint * multiline * notifier * outputting * outside * overridden * override * parsable * plugins * precedence * propagation * provided * provides * registries * repositories * returning * settings * should * signals * someone * something * specifically * successfully * synchronize * they've * thinking * uninitialized * unintentionally * unmarshaling * unnamed * unreferenced * verify Signed-off-by: Josh Soref <jsoref@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-05-21 23:24:07 +00:00
// reloadMaxConcurrentDownloadsAndUploads updates configuration with max concurrent
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// download and upload options and updates the passed attributes
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadMaxConcurrentDownloadsAndUploads(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// We always "reset" as the cost is lightweight and easy to maintain.
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.MaxConcurrentDownloads = config.DefaultMaxConcurrentDownloads
newCfg.MaxConcurrentUploads = config.DefaultMaxConcurrentUploads
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
daemon/config: remove uses of pointers for ints Use the default (0) value to indicate "not set", which simplifies working with these configuration options, preventing the need to use intermediate variables etc. While changing this code, also making some small cleanups, such as replacing "fmt.Sprintf()" for "strconv" variants. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-24 20:59:54 +00:00
if conf.IsValueSet("max-concurrent-downloads") && conf.MaxConcurrentDownloads != 0 {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.MaxConcurrentDownloads = conf.MaxConcurrentDownloads
daemon/config: remove uses of pointers for ints Use the default (0) value to indicate "not set", which simplifies working with these configuration options, preventing the need to use intermediate variables etc. While changing this code, also making some small cleanups, such as replacing "fmt.Sprintf()" for "strconv" variants. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-24 20:59:54 +00:00
}
if conf.IsValueSet("max-concurrent-uploads") && conf.MaxConcurrentUploads != 0 {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.MaxConcurrentUploads = conf.MaxConcurrentUploads
Fix possible segfault in config reload This commit fixes two possible crashes in the `*Daemon` bound method `reloadMaxConcurrentDownloadsAndUploads()`. The first fixed issue is when `daemon.imageService` is `nil`. The second panic can occur if the provided `*config.Config` is incomplete and the fields `conf.MaxConcurrentDownloads` or `conf.MaxConcurrentUploads` are `nil`. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2019-01-10 14:34:02 +00:00
}
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
txn.OnCommit(func() error {
if daemon.imageService != nil {
daemon.imageService.UpdateConfig(
newCfg.MaxConcurrentDownloads,
newCfg.MaxConcurrentUploads,
)
}
return nil
})
Fix possible segfault in config reload This commit fixes two possible crashes in the `*Daemon` bound method `reloadMaxConcurrentDownloadsAndUploads()`. The first fixed issue is when `daemon.imageService` is `nil`. The second panic can occur if the provided `*config.Config` is incomplete and the fields `conf.MaxConcurrentDownloads` or `conf.MaxConcurrentUploads` are `nil`. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2019-01-10 14:34:02 +00:00
Move ImageService to new package Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-07 20:52:47 +00:00
// prepare reload event attributes with updatable configurations
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes["max-concurrent-downloads"] = strconv.Itoa(newCfg.MaxConcurrentDownloads)
attributes["max-concurrent-uploads"] = strconv.Itoa(newCfg.MaxConcurrentUploads)
Switch all logging to use containerd log pkg This unifies our logging and allows us to propagate logging and trace contexts together. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-23 00:33:17 +00:00
log.G(context.TODO()).Debug("Reset Max Concurrent Downloads: ", attributes["max-concurrent-downloads"])
log.G(context.TODO()).Debug("Reset Max Concurrent Uploads: ", attributes["max-concurrent-uploads"])
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
return nil
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
Adding ability to change max download attempts Moby works perfectly when you are in a situation when one has a good and stable internet connection. Operating in area's where internet connectivity is likely to be lost in undetermined intervals, like a satellite connection or 4G/LTE in rural area's, can become a problem when pulling a new image. When connection is lost while image layers are being pulled, Moby will try to reconnect up to 5 times. If this fails, the incompletely downloaded layers are lost will need to be completely downloaded again during the next pull request. This means that we are using more data than we might have to. Pulling a layer multiple times from the start can become costly over a satellite or 4G/LTE connection. As these techniques (especially 4G) quite common in IoT and Moby is used to run Azure IoT Edge devices, I would like to add a settable maximum download attempts. The maximum download attempts is currently set at 5 (distribution/xfer/download.go). I would like to change this constant to a variable that the user can set. The default will still be 5, so nothing will change from the current version unless specified when starting the daemon with the added flag or in the config file. I added a default value of 5 for DefaultMaxDownloadAttempts and a settable max-download-attempts in the daemon config file. It is also added to the config of dockerd so it can be set with a flag when starting the daemon. This value gets stored in the imageService of the daemon when it is initiated and can be passed to the NewLayerDownloadManager as a parameter. It will be stored in the LayerDownloadManager when initiated. This enables us to set the max amount of retries in makeDownoadFunc equal to the max download attempts. I also added some tests that are based on maxConcurrentDownloads/maxConcurrentUploads. You can pull this version and test in a development container. Either create a config `file /etc/docker/daemon.json` with `{"max-download-attempts"=3}``, or use `dockerd --max-download-attempts=3 -D &` to start up the dockerd. Start downloading a container and disconnect from the internet whilst downloading. The result would be that it stops pulling after three attempts. Signed-off-by: Lukas Heeren <lukas-heeren@hotmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-06-25 13:26:36 +00:00
// reloadMaxDownloadAttempts updates configuration with max concurrent
// download attempts when a connection is lost and updates the passed attributes
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadMaxDownloadAttempts(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
Adding ability to change max download attempts Moby works perfectly when you are in a situation when one has a good and stable internet connection. Operating in area's where internet connectivity is likely to be lost in undetermined intervals, like a satellite connection or 4G/LTE in rural area's, can become a problem when pulling a new image. When connection is lost while image layers are being pulled, Moby will try to reconnect up to 5 times. If this fails, the incompletely downloaded layers are lost will need to be completely downloaded again during the next pull request. This means that we are using more data than we might have to. Pulling a layer multiple times from the start can become costly over a satellite or 4G/LTE connection. As these techniques (especially 4G) quite common in IoT and Moby is used to run Azure IoT Edge devices, I would like to add a settable maximum download attempts. The maximum download attempts is currently set at 5 (distribution/xfer/download.go). I would like to change this constant to a variable that the user can set. The default will still be 5, so nothing will change from the current version unless specified when starting the daemon with the added flag or in the config file. I added a default value of 5 for DefaultMaxDownloadAttempts and a settable max-download-attempts in the daemon config file. It is also added to the config of dockerd so it can be set with a flag when starting the daemon. This value gets stored in the imageService of the daemon when it is initiated and can be passed to the NewLayerDownloadManager as a parameter. It will be stored in the LayerDownloadManager when initiated. This enables us to set the max amount of retries in makeDownoadFunc equal to the max download attempts. I also added some tests that are based on maxConcurrentDownloads/maxConcurrentUploads. You can pull this version and test in a development container. Either create a config `file /etc/docker/daemon.json` with `{"max-download-attempts"=3}``, or use `dockerd --max-download-attempts=3 -D &` to start up the dockerd. Start downloading a container and disconnect from the internet whilst downloading. The result would be that it stops pulling after three attempts. Signed-off-by: Lukas Heeren <lukas-heeren@hotmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-06-25 13:26:36 +00:00
// We always "reset" as the cost is lightweight and easy to maintain.
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.MaxDownloadAttempts = config.DefaultDownloadAttempts
daemon/config: remove uses of pointers for ints Use the default (0) value to indicate "not set", which simplifies working with these configuration options, preventing the need to use intermediate variables etc. While changing this code, also making some small cleanups, such as replacing "fmt.Sprintf()" for "strconv" variants. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-24 20:59:54 +00:00
if conf.IsValueSet("max-download-attempts") && conf.MaxDownloadAttempts != 0 {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.MaxDownloadAttempts = conf.MaxDownloadAttempts
Adding ability to change max download attempts Moby works perfectly when you are in a situation when one has a good and stable internet connection. Operating in area's where internet connectivity is likely to be lost in undetermined intervals, like a satellite connection or 4G/LTE in rural area's, can become a problem when pulling a new image. When connection is lost while image layers are being pulled, Moby will try to reconnect up to 5 times. If this fails, the incompletely downloaded layers are lost will need to be completely downloaded again during the next pull request. This means that we are using more data than we might have to. Pulling a layer multiple times from the start can become costly over a satellite or 4G/LTE connection. As these techniques (especially 4G) quite common in IoT and Moby is used to run Azure IoT Edge devices, I would like to add a settable maximum download attempts. The maximum download attempts is currently set at 5 (distribution/xfer/download.go). I would like to change this constant to a variable that the user can set. The default will still be 5, so nothing will change from the current version unless specified when starting the daemon with the added flag or in the config file. I added a default value of 5 for DefaultMaxDownloadAttempts and a settable max-download-attempts in the daemon config file. It is also added to the config of dockerd so it can be set with a flag when starting the daemon. This value gets stored in the imageService of the daemon when it is initiated and can be passed to the NewLayerDownloadManager as a parameter. It will be stored in the LayerDownloadManager when initiated. This enables us to set the max amount of retries in makeDownoadFunc equal to the max download attempts. I also added some tests that are based on maxConcurrentDownloads/maxConcurrentUploads. You can pull this version and test in a development container. Either create a config `file /etc/docker/daemon.json` with `{"max-download-attempts"=3}``, or use `dockerd --max-download-attempts=3 -D &` to start up the dockerd. Start downloading a container and disconnect from the internet whilst downloading. The result would be that it stops pulling after three attempts. Signed-off-by: Lukas Heeren <lukas-heeren@hotmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-06-25 13:26:36 +00:00
}
// prepare reload event attributes with updatable configurations
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes["max-download-attempts"] = strconv.Itoa(newCfg.MaxDownloadAttempts)
Switch all logging to use containerd log pkg This unifies our logging and allows us to propagate logging and trace contexts together. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-23 00:33:17 +00:00
log.G(context.TODO()).Debug("Reset Max Download Attempts: ", attributes["max-download-attempts"])
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
return nil
Adding ability to change max download attempts Moby works perfectly when you are in a situation when one has a good and stable internet connection. Operating in area's where internet connectivity is likely to be lost in undetermined intervals, like a satellite connection or 4G/LTE in rural area's, can become a problem when pulling a new image. When connection is lost while image layers are being pulled, Moby will try to reconnect up to 5 times. If this fails, the incompletely downloaded layers are lost will need to be completely downloaded again during the next pull request. This means that we are using more data than we might have to. Pulling a layer multiple times from the start can become costly over a satellite or 4G/LTE connection. As these techniques (especially 4G) quite common in IoT and Moby is used to run Azure IoT Edge devices, I would like to add a settable maximum download attempts. The maximum download attempts is currently set at 5 (distribution/xfer/download.go). I would like to change this constant to a variable that the user can set. The default will still be 5, so nothing will change from the current version unless specified when starting the daemon with the added flag or in the config file. I added a default value of 5 for DefaultMaxDownloadAttempts and a settable max-download-attempts in the daemon config file. It is also added to the config of dockerd so it can be set with a flag when starting the daemon. This value gets stored in the imageService of the daemon when it is initiated and can be passed to the NewLayerDownloadManager as a parameter. It will be stored in the LayerDownloadManager when initiated. This enables us to set the max amount of retries in makeDownoadFunc equal to the max download attempts. I also added some tests that are based on maxConcurrentDownloads/maxConcurrentUploads. You can pull this version and test in a development container. Either create a config `file /etc/docker/daemon.json` with `{"max-download-attempts"=3}``, or use `dockerd --max-download-attempts=3 -D &` to start up the dockerd. Start downloading a container and disconnect from the internet whilst downloading. The result would be that it stops pulling after three attempts. Signed-off-by: Lukas Heeren <lukas-heeren@hotmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-06-25 13:26:36 +00:00
}
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// reloadShutdownTimeout updates configuration with daemon shutdown timeout option
// and updates the passed attributes
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadShutdownTimeout(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// update corresponding configuration
if conf.IsValueSet("shutdown-timeout") {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.ShutdownTimeout = conf.ShutdownTimeout
Switch all logging to use containerd log pkg This unifies our logging and allows us to propagate logging and trace contexts together. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-23 00:33:17 +00:00
log.G(context.TODO()).Debugf("Reset Shutdown Timeout: %d", newCfg.ShutdownTimeout)
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
// prepare reload event attributes with updatable configurations
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes["shutdown-timeout"] = strconv.Itoa(newCfg.ShutdownTimeout)
return nil
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
// reloadLabels updates configuration with engine labels
// and updates the passed attributes
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadLabels(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// update corresponding configuration
if conf.IsValueSet("labels") {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.Labels = conf.Labels
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
// prepare reload event attributes with updatable configurations
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes["labels"] = marshalAttributeSlice(newCfg.Labels)
return nil
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
// reloadRegistryConfig updates the configuration with registry options
Add daemon option to push foreign layers The --allow-nondistributable-artifacts daemon option specifies registries to which foreign layers should be pushed. (By default, foreign layers are not pushed to registries.) Additionally, to make this option effective, foreign layers are now pulled from the registry if possible, falling back to the URLs in the image manifest otherwise. This option is useful when pushing images containing foreign layers to a registry on an air-gapped network so hosts on that network can pull the images without connecting to another server. Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
2017-05-09 21:00:31 +00:00
// and updates the passed attributes.
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadRegistryConfig(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
Add daemon option to push foreign layers The --allow-nondistributable-artifacts daemon option specifies registries to which foreign layers should be pushed. (By default, foreign layers are not pushed to registries.) Additionally, to make this option effective, foreign layers are now pulled from the registry if possible, falling back to the URLs in the image manifest otherwise. This option is useful when pushing images containing foreign layers to a registry on an air-gapped network so hosts on that network can pull the images without connecting to another server. Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
2017-05-09 21:00:31 +00:00
// Update corresponding configuration.
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
if conf.IsValueSet("allow-nondistributable-artifacts") {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.ServiceOptions.AllowNondistributableArtifacts = conf.AllowNondistributableArtifacts
Add daemon option to push foreign layers The --allow-nondistributable-artifacts daemon option specifies registries to which foreign layers should be pushed. (By default, foreign layers are not pushed to registries.) Additionally, to make this option effective, foreign layers are now pulled from the registry if possible, falling back to the URLs in the image manifest otherwise. This option is useful when pushing images containing foreign layers to a registry on an air-gapped network so hosts on that network can pull the images without connecting to another server. Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
2017-05-09 21:00:31 +00:00
}
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
if conf.IsValueSet("insecure-registries") {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.ServiceOptions.InsecureRegistries = conf.InsecureRegistries
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
if conf.IsValueSet("registry-mirrors") {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.ServiceOptions.Mirrors = conf.Mirrors
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
commit, err := daemon.registryService.ReplaceConfig(newCfg.ServiceOptions)
daemon: make config reloading more transactional Config reloading has interleaved validations and other fallible operations with mutating the live daemon configuration. The daemon configuration could be left in a partially-reloaded state if any of the operations returns an error. Mutating a copy of the configuration and atomically swapping the config struct on success is not currently an option as config values are not copyable due to the presence of sync.Mutex fields. Introduce a two-phase commit protocol to defer any mutations of the daemon state until after all fallible operations have succeeded. Reload transactions are not yet entirely hermetic. The platform reloading logic for custom runtimes on *nix could still leave the directory of generated runtime wrapper scripts in an indeterminate state if an error is encountered. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 17:33:21 +00:00
if err != nil {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
return err
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
txn.OnCommit(func() error { commit(); return nil })
attributes["allow-nondistributable-artifacts"] = marshalAttributeSlice(newCfg.ServiceOptions.AllowNondistributableArtifacts)
attributes["insecure-registries"] = marshalAttributeSlice(newCfg.ServiceOptions.InsecureRegistries)
attributes["registry-mirrors"] = marshalAttributeSlice(newCfg.ServiceOptions.Mirrors)
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
return nil
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
Typo fix: retore -> restore Signed-off-by: ruicao <ruicao@alauda.io>
2018-09-07 05:55:31 +00:00
// reloadLiveRestore updates configuration with live restore option
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// and updates the passed attributes
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadLiveRestore(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
// update corresponding configuration
if conf.IsValueSet("live-restore") {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.LiveRestoreEnabled = conf.LiveRestoreEnabled
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
// prepare reload event attributes with updatable configurations
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes["live-restore"] = strconv.FormatBool(newCfg.LiveRestoreEnabled)
return nil
rewrite reload code Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-07 14:30:25 +00:00
}
Add option to enable networkDB debug Add a new configuration option to allow the enabling of the networkDB debug. The option is only parsed using the reload event. This will protect the daemon on start or restart if the option is left behind in the config file Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
2017-12-01 19:24:14 +00:00
Libnetwork revendoring Diff: https://github.com/docker/libnetwork/compare/5ab4ab830062fe8a30a44b75b0bda6b1f4f166a4...20dd462e0a0e883437a274bd61df4bc4de980830 - Memberlist revendor (fix for deadlock on exit) - Network diagnostic client - Fix for ndots configuration Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
2018-01-29 19:19:37 +00:00
// reloadNetworkDiagnosticPort updates the network controller starting the diagnostic if the config is valid
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadNetworkDiagnosticPort(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
txn.OnCommit(func() error {
if conf == nil || daemon.netController == nil || !conf.IsValueSet("network-diagnostic-port") ||
conf.NetworkDiagnosticPort < 1 || conf.NetworkDiagnosticPort > 65535 {
// If there is no config make sure that the diagnostic is off
if daemon.netController != nil {
daemon.netController.StopDiagnostic()
}
return nil
Libnetwork revendoring Diff: https://github.com/docker/libnetwork/compare/5ab4ab830062fe8a30a44b75b0bda6b1f4f166a4...20dd462e0a0e883437a274bd61df4bc4de980830 - Memberlist revendor (fix for deadlock on exit) - Network diagnostic client - Fix for ndots configuration Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
2018-01-29 19:19:37 +00:00
}
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
// Enable the network diagnostic if the flag is set with a valid port within the range
swap logrus types for their containerd/logs aliases Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-30 15:18:56 +00:00
log.G(context.TODO()).WithFields(log.Fields{"port": conf.NetworkDiagnosticPort, "ip": "127.0.0.1"}).Warn("Starting network diagnostic server")
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
daemon.netController.StartDiagnostic(conf.NetworkDiagnosticPort)
return nil
})
return nil
Add option to enable networkDB debug Add a new configuration option to allow the enabling of the networkDB debug. The option is only parsed using the reload event. This will protect the daemon on start or restart if the option is left behind in the config file Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
2017-12-01 19:24:14 +00:00
}
allow features option live reloadable Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-08-22 06:05:26 +00:00
// reloadFeatures updates configuration with enabled/disabled features
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
func (daemon *Daemon) reloadFeatures(txn *reloadTxn, newCfg *configStore, conf *config.Config, attributes map[string]string) error {
allow features option live reloadable Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-08-22 06:05:26 +00:00
// update corresponding configuration
// note that we allow features option to be entirely unset
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
newCfg.Features = conf.Features
allow features option live reloadable Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-08-22 06:05:26 +00:00
// prepare reload event attributes with updatable configurations
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
attributes["features"] = fmt.Sprintf("%v", newCfg.Features)
return nil
allow features option live reloadable Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-08-22 06:05:26 +00:00
}
Reference in a new issue Copy permalink