//go:build linux || freebsd
package daemon // import "github.com/docker/docker/daemon"
import (
"bufio"
"context"
"fmt"
"net"
"os"
"path/filepath"
"runtime"
"runtime/debug"
"strconv"
"strings"
"sync"
"syscall"
"time"
"github.com/containerd/cgroups/v3"
"github.com/containerd/containerd/pkg/userns"
"github.com/containerd/log"
"github.com/docker/docker/api/types/blkiodev"
pblkiodev "github.com/docker/docker/api/types/blkiodev"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/network"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/config"
"github.com/docker/docker/daemon/initlayer"
"github.com/docker/docker/errdefs"
"github.com/docker/docker/libcontainerd/remote"
"github.com/docker/docker/libnetwork"
nwconfig "github.com/docker/docker/libnetwork/config"
"github.com/docker/docker/libnetwork/drivers/bridge"
"github.com/docker/docker/libnetwork/netlabel"
"github.com/docker/docker/libnetwork/options"
lntypes "github.com/docker/docker/libnetwork/types"
"github.com/docker/docker/opts"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/parsers"
"github.com/docker/docker/pkg/parsers/kernel"
"github.com/docker/docker/pkg/sysinfo"
"github.com/docker/docker/runconfig"
volumemounts "github.com/docker/docker/volume/mounts"
"github.com/moby/sys/mount"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/vishvananda/netlink"
"golang.org/x/sys/unix"
)
const (
	isWindows = false

	// These values were used to adjust the CPU-shares for older API versions,
	// but were not used for validation.
	//
	// TODO(thaJeztah): validate min/max values for CPU-shares, similar to Windows: https://github.com/moby/moby/issues/47340
	// https://github.com/moby/moby/blob/27e85c7b6885c2d21ae90791136d9aba78b83d01/daemon/daemon_windows.go#L97-L99
	//
	// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
	// linuxMinCPUShares = 2
	// linuxMaxCPUShares = 262144

	// linuxMinMemory is the smallest memory limit (in bytes, 6 MiB) accepted
	// for a container on Linux.
	// It's not kernel limit, we want this 6M limit to account for overhead during startup, and to supply a reasonable functional container
	linuxMinMemory = 6291456

	// constants for remapped root (user-namespace) settings
	defaultIDSpecifier = "default"
	defaultRemappedID  = "dockremap"

	// constant for cgroup drivers
	cgroupFsDriver      = "cgroupfs"
	cgroupSystemdDriver = "systemd"
	cgroupNoneDriver    = "none"
)
// containerGetter is the narrow view of *Daemon that
// adaptSharedNamespaceContainer needs: resolving a container reference
// (name or ID) to a *container.Container.
type containerGetter interface {
	GetContainer(string) (*container.Container, error)
}
// getMemoryResources translates the memory-related fields of a container's
// Resources into an OCI LinuxMemory block. Only fields that are actually set
// in config are populated. When nothing is set, nil is returned so the whole
// memory block is omitted from the spec rather than sent as explicit zeros,
// which some runtimes reject as out-of-range values.
func getMemoryResources(config containertypes.Resources) *specs.LinuxMemory {
	var mem specs.LinuxMemory

	if limit := config.Memory; limit > 0 {
		mem.Limit = &limit
	}
	if reservation := config.MemoryReservation; reservation > 0 {
		mem.Reservation = &reservation
	}
	if swap := config.MemorySwap; swap > 0 {
		mem.Swap = &swap
	}
	if config.MemorySwappiness != nil {
		// NOTE(review): the signed value is converted without a range check;
		// presumably the API layer already rejects values outside 0-100 —
		// verify against the caller, as a negative value would wrap.
		swappiness := uint64(*config.MemorySwappiness)
		mem.Swappiness = &swappiness
	}
	if config.OomKillDisable != nil {
		// Shares the caller's pointer rather than copying the bool.
		mem.DisableOOMKiller = config.OomKillDisable
	}
	if config.KernelMemory != 0 { //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
		kmem := config.KernelMemory
		mem.Kernel = &kmem //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
	}
	if kmemTCP := config.KernelMemoryTCP; kmemTCP != 0 {
		mem.KernelTCP = &kmemTCP
	}

	// Every field is a pointer, so comparing against the zero value tells us
	// whether anything at all was set.
	if mem == (specs.LinuxMemory{}) {
		return nil
	}
	return &mem
}
// getPidsLimit maps the container's PidsLimit onto an OCI LinuxPids block.
// A nil PidsLimit means "not specified" and yields nil; zero or a negative
// value means "unlimited" and is passed to the runtime as -1.
func getPidsLimit(config containertypes.Resources) *specs.LinuxPids {
	limit := config.PidsLimit
	switch {
	case limit == nil:
		return nil
	case *limit <= 0:
		// docker API allows 0 and negative values to unset this to be consistent
		// with default values. When updating values, runc requires -1 to unset
		// the previous limit.
		return &specs.LinuxPids{Limit: -1}
	default:
		return &specs.LinuxPids{Limit: *limit}
	}
}
// getCPUResources translates the CPU-related fields of a container's
// Resources into an OCI LinuxCPU block.
//
// NanoCPUs is expanded into a CFS period/quota pair; an explicit CPUPeriod or
// CPUQuota set afterwards overrides the derived value, so the order of the
// assignments below matters. As with memory, a block in which nothing was set
// is returned as nil so the spec omits it. A negative CPUShares is rejected
// with an error.
func getCPUResources(config containertypes.Resources) (*specs.LinuxCPU, error) {
	if config.CPUShares < 0 {
		return nil, fmt.Errorf("shares: invalid argument")
	}

	var cpu specs.LinuxCPU

	if config.CPUShares > 0 {
		shares := uint64(config.CPUShares)
		cpu.Shares = &shares
	}
	// Empty strings are the zero value, so unconditional assignment is
	// equivalent to only setting them when non-empty.
	cpu.Cpus = config.CpusetCpus
	cpu.Mems = config.CpusetMems

	if config.NanoCPUs > 0 {
		// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt
		period := uint64(100 * time.Millisecond / time.Microsecond)
		quota := config.NanoCPUs * int64(period) / 1e9
		cpu.Period, cpu.Quota = &period, &quota
	}
	// Explicit period/quota win over the NanoCPUs-derived values.
	if p := config.CPUPeriod; p != 0 {
		period := uint64(p)
		cpu.Period = &period
	}
	if q := config.CPUQuota; q != 0 {
		cpu.Quota = &q
	}

	if rtPeriod := config.CPURealtimePeriod; rtPeriod != 0 {
		period := uint64(rtPeriod)
		cpu.RealtimePeriod = &period
	}
	if rtRuntime := config.CPURealtimeRuntime; rtRuntime != 0 {
		cpu.RealtimeRuntime = &rtRuntime
	}

	if cpu == (specs.LinuxCPU{}) {
		return nil, nil
	}
	return &cpu, nil
}
// getBlkioWeightDevices resolves each --blkio-weight-device entry to its
// major/minor device numbers (by stat'ing the given path) and returns the
// corresponding OCI weight-device list. The first path that cannot be stat'ed
// aborts the whole conversion with a wrapped *os.PathError. A nil slice is
// returned when no devices are configured.
func getBlkioWeightDevices(config containertypes.Resources) ([]specs.LinuxWeightDevice, error) {
	var devices []specs.LinuxWeightDevice

	for _, wd := range config.BlkioWeightDevice {
		var st unix.Stat_t
		if err := unix.Stat(wd.Path, &st); err != nil {
			return nil, errors.WithStack(&os.PathError{Op: "stat", Path: wd.Path, Err: err})
		}

		// Copy the weight so each entry gets its own pointer.
		weight := wd.Weight
		dev := specs.LinuxWeightDevice{Weight: &weight}
		// The type is 32bit on mips.
		rdev := uint64(st.Rdev) //nolint: unconvert
		dev.Major = int64(unix.Major(rdev))
		dev.Minor = int64(unix.Minor(rdev))

		devices = append(devices, dev)
	}

	return devices, nil
}
// parseSecurityOpt seeds securityOptions with the daemon-wide
// no-new-privileges default from cfg and then applies the container's own
// --security-opt values on top of it.
func (daemon *Daemon) parseSecurityOpt(cfg *config.Config, securityOptions *container.SecurityOptions, hostConfig *containertypes.HostConfig) error {
	// The daemon default goes in first so that a per-container
	// "no-new-privileges=false" can still override it.
	securityOptions.NoNewPrivileges = cfg.NoNewPrivileges
	if err := parseSecurityOpt(securityOptions, hostConfig); err != nil {
		return err
	}
	return nil
}
// parseSecurityOpt parses the --security-opt entries of config into
// securityOptions. Recognised forms are:
//
//   - "no-new-privileges"          (bare flag, turns the option on)
//   - "no-new-privileges=<bool>"   (explicit on/off)
//   - "disable"                    (shorthand for "label=disable")
//   - "label=<opt>", "apparmor=<profile>", "seccomp=<profile>"
//
// The older "key:value" form is still accepted but logs a deprecation
// warning. "=" is tried before ":", so a value containing a colon (for
// example "label=user:foo") is split correctly. An entry with neither
// separator, or with an unknown key, is an error. Profile names are recorded
// as given and are not validated here. Finally the collected label options
// are passed to SELinux to derive the process and mount labels.
func parseSecurityOpt(securityOptions *container.SecurityOptions, config *containertypes.HostConfig) error {
	var labelOpts []string

	for _, opt := range config.SecurityOpt {
		// Bare options without a value.
		switch opt {
		case "no-new-privileges":
			securityOptions.NoNewPrivileges = true
			continue
		case "disable":
			labelOpts = append(labelOpts, "disable")
			continue
		}

		var (
			key, value string
			found      bool
		)
		switch {
		case strings.Contains(opt, "="):
			key, value, found = strings.Cut(opt, "=")
		case strings.Contains(opt, ":"):
			key, value, found = strings.Cut(opt, ":")
			log.G(context.TODO()).Warn("Security options with `:` as a separator are deprecated and will be completely unsupported in 17.04, use `=` instead.")
		}
		if !found {
			return fmt.Errorf("invalid --security-opt 1: %q", opt)
		}

		switch key {
		case "label":
			labelOpts = append(labelOpts, value)
		case "apparmor":
			securityOptions.AppArmorProfile = value
		case "seccomp":
			securityOptions.SeccompProfile = value
		case "no-new-privileges":
			enabled, err := strconv.ParseBool(value)
			if err != nil {
				return fmt.Errorf("invalid --security-opt 2: %q", opt)
			}
			securityOptions.NoNewPrivileges = enabled
		default:
			return fmt.Errorf("invalid --security-opt 2: %q", opt)
		}
	}

	var err error
	securityOptions.ProcessLabel, securityOptions.MountLabel, err = label.InitLabels(labelOpts)
	return err
}
// getBlkioThrottleDevices resolves each throttle-device entry to its
// major/minor numbers by stat'ing the configured path and returns the OCI
// throttle-device list carrying the same rate. The first path that cannot be
// stat'ed aborts the conversion with a wrapped *os.PathError. A nil slice is
// returned when devs is empty.
func getBlkioThrottleDevices(devs []*blkiodev.ThrottleDevice) ([]specs.LinuxThrottleDevice, error) {
	var throttled []specs.LinuxThrottleDevice

	for _, td := range devs {
		var st unix.Stat_t
		if err := unix.Stat(td.Path, &st); err != nil {
			return nil, errors.WithStack(&os.PathError{Op: "stat", Path: td.Path, Err: err})
		}

		dev := specs.LinuxThrottleDevice{Rate: td.Rate}
		// the type is 32bit on mips
		rdev := uint64(st.Rdev) //nolint: unconvert
		dev.Major = int64(unix.Major(rdev))
		dev.Minor = int64(unix.Minor(rdev))

		throttled = append(throttled, dev)
	}

	return throttled, nil
}
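// adjustParallelLimit takes a number of objects and a proposed limit and
// figures out if it's reasonable (and adjusts it accordingly). This is only
// used for daemon startup, which does a lot of parallel loading of containers
// (and if we exceed RLIMIT_NOFILE then we're in trouble).
//
// n is the number of containers to load and limit the requested degree of
// parallelism. The result is limit unless dockerd's soft RLIMIT_NOFILE cannot
// accommodate that many parallel jobs, in which case a smaller, but always
// positive, value is returned and a warning is logged. If the soft limit
// cannot be read, or does not convert to a usable positive int (RLIM_INFINITY,
// or a value that does not fit on this platform), limit is returned unchanged.
func adjustParallelLimit(n int, limit int) int {
	// Rule-of-thumb overhead factor (how many files will each goroutine open
	// simultaneously). Yes, this is ugly but to be frank this whole thing is
	// ugly.
	const overhead = 2

	// On Linux, we need to ensure that parallelStartupJobs doesn't cause us to
	// exceed RLIMIT_NOFILE. If parallelStartupJobs is too large, we reduce it
	// and give a warning (since in theory the user should increase their
	// ulimits to the largest possible value for dockerd).
	var rlim unix.Rlimit
	if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &rlim); err != nil {
		log.G(context.TODO()).Warnf("Couldn't find dockerd's RLIMIT_NOFILE to double-check startup parallelism factor: %v", err)
		return limit
	}
	softRlimit := int(rlim.Cur)

	// An unlimited soft limit (RLIM_INFINITY), or one too large for an int on
	// this platform, converts to a non-positive number. Without this guard it
	// would fail both comparisons below and the function would hand back
	// softRlimit/overhead == 0, serialising (or stalling) startup entirely.
	// Such a limit imposes no file-descriptor pressure, so keep the request.
	if softRlimit <= 0 {
		return limit
	}

	// Much fewer containers than RLIMIT_NOFILE. No need to adjust anything.
	if softRlimit > overhead*n {
		return limit
	}

	// RLIMIT_NOFILE big enough, no need to adjust anything.
	if softRlimit > overhead*limit {
		return limit
	}

	log.G(context.TODO()).Warnf("Found dockerd's open file ulimit (%v) is far too small -- consider increasing it significantly (at least %v)", softRlimit, overhead*limit)
	adjusted := softRlimit / overhead
	if adjusted < 1 {
		// A tiny soft limit must still allow at least one job at a time.
		adjusted = 1
	}
	return adjusted
}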
// adaptContainerSettings is called during container creation to modify any
// settings necessary in the HostConfig structure.
//
// It fills in daemon-level defaults for fields the caller left unset
// (memory-swap, /dev/shm size, IPC mode, cgroup namespace mode and OOM-kill
// behaviour), rewrites namespace-sharing references from container names to
// IDs, and appends the security options the daemon generates for this
// container. daemonCfg may be nil, in which case the built-in defaults from
// the config package are used.
func (daemon *Daemon) adaptContainerSettings(daemonCfg *config.Config, hostConfig *containertypes.HostConfig) error {
	// By default, MemorySwap is set to twice the size of Memory.
	if hostConfig.Memory > 0 && hostConfig.MemorySwap == 0 {
		hostConfig.MemorySwap = hostConfig.Memory * 2
	}

	if hostConfig.ShmSize == 0 {
		if daemonCfg != nil {
			hostConfig.ShmSize = int64(daemonCfg.ShmSize)
		} else {
			hostConfig.ShmSize = config.DefaultShmSize
		}
	}

	// Set default IPC mode, if unset for container
	if hostConfig.IpcMode.IsEmpty() {
		hostConfig.IpcMode = config.DefaultIpcMode
		if daemonCfg != nil {
			hostConfig.IpcMode = containertypes.IpcMode(daemonCfg.IpcMode)
		}
	}

	// Set default cgroup namespace mode, if unset for container
	if hostConfig.CgroupnsMode.IsEmpty() {
		unified := cgroups.Mode() == cgroups.Unified
		switch {
		case hostConfig.Privileged && !unified:
			// On cgroup v1 a privileged container always gets the host's
			// cgroup namespace, regardless of the daemon's configured default.
			hostConfig.CgroupnsMode = containertypes.CgroupnsModeHost
		case daemonCfg != nil:
			hostConfig.CgroupnsMode = containertypes.CgroupnsMode(daemonCfg.CgroupNamespaceMode)
		case unified:
			// for cgroup v2: unshare cgroupns even for privileged containers
			// https://github.com/containers/libpod/pull/4374#issuecomment-549776387
			hostConfig.CgroupnsMode = containertypes.CgroupnsModePrivate
		default:
			hostConfig.CgroupnsMode = containertypes.CgroupnsModeHost
		}
	}

	// container:<name> references are resolved to IDs so renames of the
	// other container do not break the shared namespace.
	adaptSharedNamespaceContainer(daemon, hostConfig)

	secOpts, err := daemon.generateSecurityOpt(hostConfig)
	if err != nil {
		return err
	}
	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, secOpts...)

	if hostConfig.OomKillDisable == nil {
		oomKillDisable := false
		hostConfig.OomKillDisable = &oomKillDisable
	}

	return nil
}
// adaptSharedNamespaceContainer rewrites the `container:<name>` form of
// PidMode, IpcMode and NetworkMode in hostConfig to `container:<ID>`.
//
// Resolving the name to an ID when the container is created keeps the
// namespace-sharing relationship intact even if the referenced container is
// renamed later. A failed lookup is deliberately ignored here: the value is
// left untouched for the following logic to handle.
func adaptSharedNamespaceContainer(daemon containerGetter, hostConfig *containertypes.HostConfig) {
	const prefix = "container:"

	// resolve returns "container:<ID>" for name when the daemon knows the
	// container, and ok=false when the lookup fails.
	resolve := func(name string) (mode string, ok bool) {
		c, err := daemon.GetContainer(name)
		if err != nil {
			return "", false
		}
		return prefix + c.ID, true
	}

	if hostConfig.PidMode.IsContainer() {
		if mode, ok := resolve(hostConfig.PidMode.Container()); ok {
			hostConfig.PidMode = containertypes.PidMode(mode)
		}
	}
	if hostConfig.IpcMode.IsContainer() {
		if mode, ok := resolve(hostConfig.IpcMode.Container()); ok {
			hostConfig.IpcMode = containertypes.IpcMode(mode)
		}
	}
	if hostConfig.NetworkMode.IsContainer() {
		if mode, ok := resolve(hostConfig.NetworkMode.ConnectedContainer()); ok {
			hostConfig.NetworkMode = containertypes.NetworkMode(mode)
		}
	}
}
// verifyPlatformContainerResources performs platform-specific validation of the container's resource-configuration.
//
// Fields of resources are validated in place, subsystem by subsystem (memory,
// cpu, cpuset, blkio). Where sysInfo reports that the kernel or the cgroup
// mount lacks a capability, the corresponding setting is cleared and a warning
// is appended instead of failing; values that are supported but out of range,
// or that conflict with each other, are returned as an error. Warnings
// collected before an error are returned together with that error.
//
// update is true when called for `docker update` rather than create; it only
// relaxes the rule that a swap limit requires a memory limit.
func verifyPlatformContainerResources(resources *containertypes.Resources, sysInfo *sysinfo.SysInfo, update bool) (warnings []string, err error) {
	// defined elsewhere in this file; applied before the swappiness checks below
	fixMemorySwappiness(resources)

	// memory subsystem checks and adjustments
	if resources.Memory != 0 && resources.Memory < linuxMinMemory {
		// linuxMinMemory (6MB) accounts for the runtime's startup overhead
		// (per the commit that raised it); a lower limit fails obscurely at start.
		return warnings, fmt.Errorf("Minimum memory limit allowed is 6MB")
	}
	if resources.Memory > 0 && !sysInfo.MemoryLimit {
		warnings = append(warnings, "Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
		resources.Memory = 0
		// -1 is the "no swap limit" sentinel used by the checks below
		resources.MemorySwap = -1
	}
	if resources.Memory > 0 && resources.MemorySwap != -1 && !sysInfo.SwapLimit {
		warnings = append(warnings, "Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.")
		resources.MemorySwap = -1
	}
	if resources.Memory > 0 && resources.MemorySwap > 0 && resources.MemorySwap < resources.Memory {
		return warnings, fmt.Errorf("Minimum memoryswap limit should be larger than memory limit, see usage")
	}
	if resources.Memory == 0 && resources.MemorySwap > 0 && !update {
		// relaxed on update; only the requested values are inspected here, so
		// presumably the container's existing memory limit is relied upon
		return warnings, fmt.Errorf("You should always set the Memory limit when using Memoryswap limit, see usage")
	}
	if resources.MemorySwappiness != nil && !sysInfo.MemorySwappiness {
		warnings = append(warnings, "Your kernel does not support memory swappiness capabilities or the cgroup is not mounted. Memory swappiness discarded.")
		resources.MemorySwappiness = nil
	}
	if resources.MemorySwappiness != nil {
		swappiness := *resources.MemorySwappiness
		if swappiness < 0 || swappiness > 100 {
			return warnings, fmt.Errorf("Invalid value: %v, valid memory swappiness range is 0-100", swappiness)
		}
	}
	if resources.MemoryReservation > 0 && !sysInfo.MemoryReservation {
		warnings = append(warnings, "Your kernel does not support memory soft limit capabilities or the cgroup is not mounted. Limitation discarded.")
		resources.MemoryReservation = 0
	}
	if resources.MemoryReservation > 0 && resources.MemoryReservation < linuxMinMemory {
		return warnings, fmt.Errorf("Minimum memory reservation allowed is 6MB")
	}
	if resources.Memory > 0 && resources.MemoryReservation > 0 && resources.Memory < resources.MemoryReservation {
		return warnings, fmt.Errorf("Minimum memory limit can not be less than memory reservation limit, see usage")
	}
	if resources.KernelMemory > 0 {
		// Kernel memory limit is not supported on cgroup v2.
		// Even on cgroup v1, kernel memory limit (`kmem.limit_in_bytes`) has been deprecated since kernel 5.4.
		// https://github.com/torvalds/linux/commit/0158115f702b0ba208ab0b5adf44cae99b3ebcc7
		if !sysInfo.KernelMemory {
			warnings = append(warnings, "Your kernel does not support kernel memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
			resources.KernelMemory = 0
		}
		if resources.KernelMemory > 0 && resources.KernelMemory < linuxMinMemory {
			return warnings, fmt.Errorf("Minimum kernel memory limit allowed is 6MB")
		}
		// note: this warning is still emitted when the limit was discarded just above
		if !kernel.CheckKernelVersion(4, 0, 0) {
			warnings = append(warnings, "You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.")
		}
	}
	if resources.OomKillDisable != nil && !sysInfo.OomKillDisable {
		// only produce warnings if the setting wasn't to *disable* the OOM Kill; no point
		// warning the caller if they already wanted the feature to be off
		if *resources.OomKillDisable {
			warnings = append(warnings, "Your kernel does not support OomKillDisable. OomKillDisable discarded.")
		}
		resources.OomKillDisable = nil
	}
	if resources.OomKillDisable != nil && *resources.OomKillDisable && resources.Memory == 0 {
		// warning only: the combination is accepted, but an uncapped container
		// with the OOM killer off can exhaust the host
		warnings = append(warnings, "OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.")
	}
	if resources.PidsLimit != nil && !sysInfo.PidsLimit {
		if *resources.PidsLimit > 0 {
			warnings = append(warnings, "Your kernel does not support PIDs limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
		}
		resources.PidsLimit = nil
	}

	// cpu subsystem checks and adjustments
	if resources.NanoCPUs > 0 && resources.CPUPeriod > 0 {
		return warnings, fmt.Errorf("Conflicting options: Nano CPUs and CPU Period cannot both be set")
	}
	if resources.NanoCPUs > 0 && resources.CPUQuota > 0 {
		return warnings, fmt.Errorf("Conflicting options: Nano CPUs and CPU Quota cannot both be set")
	}
	if resources.NanoCPUs > 0 && !sysInfo.CPUCfs {
		// unlike most capability gaps above, a missing CFS scheduler is an
		// error for NanoCPUs rather than a discard-with-warning
		return warnings, fmt.Errorf("NanoCPUs can not be set, as your kernel does not support CPU CFS scheduler or the cgroup is not mounted")
	}
	// The highest precision we could get on Linux is 0.001, by setting
	// cpu.cfs_period_us=1000ms
	// cpu.cfs_quota=1ms
	// See the following link for details:
	// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt
	// Here we don't set the lower limit and it is up to the underlying platform (e.g., Linux) to return an error.
	// The error message is 0.01 so that this is consistent with Windows
	if resources.NanoCPUs < 0 || resources.NanoCPUs > int64(sysinfo.NumCPU())*1e9 {
		return warnings, fmt.Errorf("Range of CPUs is from 0.01 to %d.00, as there are only %d CPUs available", sysinfo.NumCPU(), sysinfo.NumCPU())
	}
	if resources.CPUShares > 0 && !sysInfo.CPUShares {
		warnings = append(warnings, "Your kernel does not support CPU shares or the cgroup is not mounted. Shares discarded.")
		resources.CPUShares = 0
	}
	if (resources.CPUPeriod != 0 || resources.CPUQuota != 0) && !sysInfo.CPUCfs {
		warnings = append(warnings, "Your kernel does not support CPU CFS scheduler. CPU period/quota discarded.")
		resources.CPUPeriod = 0
		resources.CPUQuota = 0
	}
	if resources.CPUPeriod != 0 && (resources.CPUPeriod < 1000 || resources.CPUPeriod > 1000000) {
		return warnings, fmt.Errorf("CPU cfs period can not be less than 1ms (i.e. 1000) or larger than 1s (i.e. 1000000)")
	}
	if resources.CPUQuota > 0 && resources.CPUQuota < 1000 {
		return warnings, fmt.Errorf("CPU cfs quota can not be less than 1ms (i.e. 1000)")
	}
	if resources.CPUPercent > 0 {
		warnings = append(warnings, fmt.Sprintf("%s does not support CPU percent. Percent discarded.", runtime.GOOS))
		resources.CPUPercent = 0
	}

	// cpuset subsystem checks and adjustments
	if (resources.CpusetCpus != "" || resources.CpusetMems != "") && !sysInfo.Cpuset {
		warnings = append(warnings, "Your kernel does not support cpuset or the cgroup is not mounted. Cpuset discarded.")
		resources.CpusetCpus = ""
		resources.CpusetMems = ""
	}
	// the availability checks run on the (possibly just cleared) values
	cpusAvailable, err := sysInfo.IsCpusetCpusAvailable(resources.CpusetCpus)
	if err != nil {
		return warnings, errors.Wrapf(err, "Invalid value %s for cpuset cpus", resources.CpusetCpus)
	}
	if !cpusAvailable {
		return warnings, fmt.Errorf("Requested CPUs are not available - requested %s, available: %s", resources.CpusetCpus, sysInfo.Cpus)
	}
	memsAvailable, err := sysInfo.IsCpusetMemsAvailable(resources.CpusetMems)
	if err != nil {
		return warnings, errors.Wrapf(err, "Invalid value %s for cpuset mems", resources.CpusetMems)
	}
	if !memsAvailable {
		return warnings, fmt.Errorf("Requested memory nodes are not available - requested %s, available: %s", resources.CpusetMems, sysInfo.Mems)
	}

	// blkio subsystem checks and adjustments
	if resources.BlkioWeight > 0 && !sysInfo.BlkioWeight {
		warnings = append(warnings, "Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.")
		resources.BlkioWeight = 0
	}
	if resources.BlkioWeight > 0 && (resources.BlkioWeight < 10 || resources.BlkioWeight > 1000) {
		return warnings, fmt.Errorf("Range of blkio weight is from 10 to 1000")
	}
	if resources.IOMaximumBandwidth != 0 || resources.IOMaximumIOps != 0 {
		// these QoS fields are rejected outright on this platform, not discarded
		return warnings, fmt.Errorf("Invalid QoS settings: %s does not support Maximum IO Bandwidth or Maximum IO IOps", runtime.GOOS)
	}
	// per-device settings are replaced by empty (non-nil) slices when unsupported
	if len(resources.BlkioWeightDevice) > 0 && !sysInfo.BlkioWeightDevice {
		warnings = append(warnings, "Your kernel does not support Block I/O weight_device or the cgroup is not mounted. Weight-device discarded.")
		resources.BlkioWeightDevice = []*pblkiodev.WeightDevice{}
	}
	if len(resources.BlkioDeviceReadBps) > 0 && !sysInfo.BlkioReadBpsDevice {
		warnings = append(warnings, "Your kernel does not support BPS Block I/O read limit or the cgroup is not mounted. Block I/O BPS read limit discarded.")
		resources.BlkioDeviceReadBps = []*pblkiodev.ThrottleDevice{}
	}
	if len(resources.BlkioDeviceWriteBps) > 0 && !sysInfo.BlkioWriteBpsDevice {
		warnings = append(warnings, "Your kernel does not support BPS Block I/O write limit or the cgroup is not mounted. Block I/O BPS write limit discarded.")
		resources.BlkioDeviceWriteBps = []*pblkiodev.ThrottleDevice{}
	}
	if len(resources.BlkioDeviceReadIOps) > 0 && !sysInfo.BlkioReadIOpsDevice {
		warnings = append(warnings, "Your kernel does not support IOPS Block read limit or the cgroup is not mounted. Block I/O IOPS read limit discarded.")
		resources.BlkioDeviceReadIOps = []*pblkiodev.ThrottleDevice{}
	}
	if len(resources.BlkioDeviceWriteIOps) > 0 && !sysInfo.BlkioWriteIOpsDevice {
		warnings = append(warnings, "Your kernel does not support IOPS Block write limit or the cgroup is not mounted. Block I/O IOPS write limit discarded.")
		resources.BlkioDeviceWriteIOps = []*pblkiodev.ThrottleDevice{}
	}

	return warnings, nil
}
// cgroupDriver reports the cgroup driver the daemon runs with for the given
// configuration: the systemd driver when native.cgroupdriver=systemd is
// selected or implied (see UsingSystemd), the none driver in rootless mode,
// and the cgroupfs driver otherwise.
func cgroupDriver(cfg *config.Config) string {
	switch {
	case UsingSystemd(cfg):
		return cgroupSystemdDriver
	case cfg.Rootless:
		return cgroupNoneDriver
	default:
		return cgroupFsDriver
	}
}
// getCD gets the raw value of the native.cgroupdriver option, if set.
//
// ExecOptions are scanned in order; entries that fail to parse are skipped,
// the key is matched case-insensitively and the first match wins. An empty
// string is returned when the option is absent.
func getCD(config *config.Config) string {
	for _, opt := range config.ExecOptions {
		key, val, err := parsers.ParseKeyValueOpt(opt)
		if err != nil {
			continue
		}
		if strings.EqualFold(key, "native.cgroupdriver") {
			return val
		}
	}
	return ""
}
// verifyCgroupDriver validates native.cgroupdriver.
//
// An unset option, the cgroupfs driver and the systemd driver are accepted.
// The none driver is selected internally (rootless mode, see cgroupDriver)
// and must not be requested by the user; any other value is unsupported.
func verifyCgroupDriver(config *config.Config) error {
	switch cd := getCD(config); cd {
	case "", cgroupFsDriver, cgroupSystemdDriver:
		return nil
	case cgroupNoneDriver:
		return fmt.Errorf("native.cgroupdriver option %s is internally used and cannot be specified manually", cd)
	default:
		return fmt.Errorf("native.cgroupdriver option %s not supported", cd)
	}
}
2016-03-24 16:18:03 +00:00
// UsingSystemd returns true if cli option includes native.cgroupdriver=systemd.
//
// When no driver is configured at all, the systemd driver is also assumed on
// cgroup v2 (unified) hosts that were booted with systemd. An explicitly
// configured driver other than systemd always yields false.
func UsingSystemd(config *config.Config) bool {
	switch cd := getCD(config); {
	case cd == cgroupSystemdDriver:
		return true
	case cd != "":
		// some other driver was requested explicitly
		return false
	default:
		// On cgroup v2 hosts, default to systemd driver
		return cgroups.Mode() == cgroups.Unified && isRunningSystemd()
	}
}
var (
	// runningSystemd caches the answer computed by isRunningSystemd.
	runningSystemd bool
	// detectSystemd ensures the /run/systemd/system probe runs only once per process.
	detectSystemd sync.Once
)
// isRunningSystemd checks whether the host was booted with systemd as its init
// system. This functions similarly to systemd's `sd_booted(3)`: internally, it
// checks whether /run/systemd/system/ exists and is a directory.
// http://www.freedesktop.org/software/systemd/man/sd_booted.html
//
// The probe is performed once per process and its result cached; if the Lstat
// fails the cached value stays false. Because Lstat does not follow symlinks,
// a symlink at that path is not treated as a directory.
//
// NOTE: This function comes from package github.com/coreos/go-systemd/util
// It was borrowed here to avoid a dependency on cgo.
func isRunningSystemd() bool {
	detectSystemd.Do(func() {
		if fi, err := os.Lstat("/run/systemd/system"); err == nil {
			runningSystemd = fi.IsDir()
		}
	})
	return runningSystemd
}
// verifyPlatformContainerSettings performs platform-specific validation of the
// hostconfig and config structures.
//
// Resource limits are delegated to verifyPlatformContainerResources. This
// function then validates the namespace modes (IPC, PID, UTS, cgroup), the SHM
// size, the OOM score adjustment, networking caveats, conflicts with user
// namespaces, the systemd cgroup parent, the runtime and tmpfs destinations.
// It also fills in the daemon's default Runtime when hostConfig.Runtime is
// empty. Warnings collected so far are returned together with any error.
// A nil hostConfig yields no warnings and no error.
func verifyPlatformContainerSettings(daemon *Daemon, daemonCfg *configStore, hostConfig *containertypes.HostConfig, update bool) (warnings []string, err error) {
	if hostConfig == nil {
		return nil, nil
	}
	sysInfo := daemon.RawSysInfo()

	w, err := verifyPlatformContainerResources(&hostConfig.Resources, sysInfo, update)
	// no matter err is nil or not, w could have data in itself.
	warnings = append(warnings, w...)
	if err != nil {
		return warnings, err
	}
	// Namespace modes are validated here so that a bad value is rejected when
	// the container is created instead of failing later at start.
	if !hostConfig.IpcMode.Valid() {
		return warnings, errors.Errorf("invalid IPC mode: %v", hostConfig.IpcMode)
	}
	if !hostConfig.PidMode.Valid() {
		return warnings, errors.Errorf("invalid PID mode: %v", hostConfig.PidMode)
	}
	if hostConfig.ShmSize < 0 {
		return warnings, fmt.Errorf("SHM size can not be less than 0")
	}
	if !hostConfig.UTSMode.Valid() {
		return warnings, errors.Errorf("invalid UTS mode: %v", hostConfig.UTSMode)
	}

	if hostConfig.OomScoreAdj < -1000 || hostConfig.OomScoreAdj > 1000 {
		return warnings, fmt.Errorf("Invalid value %d, range for oom score adj is [-1000, 1000]", hostConfig.OomScoreAdj)
	}

	// ip-forwarding does not affect container with '--net=host' (or '--net=none')
	if sysInfo.IPv4ForwardingDisabled && !(hostConfig.NetworkMode.IsHost() || hostConfig.NetworkMode.IsNone()) {
		warnings = append(warnings, "IPv4 forwarding is disabled. Networking will not work.")
	}
	if hostConfig.NetworkMode.IsHost() && len(hostConfig.PortBindings) > 0 {
		warnings = append(warnings, "Published ports are discarded when using host network mode")
	}
	// check for various conflicting options with user namespaces
	// These combinations are hard errors (not warnings) when the daemon has
	// root remapping enabled and the container keeps a private user namespace.
	if daemonCfg.RemappedRoot != "" && hostConfig.UsernsMode.IsPrivate() {
		if hostConfig.Privileged {
			return warnings, fmt.Errorf("privileged mode is incompatible with user namespaces. You must run the container in the host namespace when running privileged mode")
		}
		if hostConfig.NetworkMode.IsHost() && !hostConfig.UsernsMode.IsHost() {
			return warnings, fmt.Errorf("cannot share the host's network namespace when user namespaces are enabled")
		}
		if hostConfig.PidMode.IsHost() && !hostConfig.UsernsMode.IsHost() {
			return warnings, fmt.Errorf("cannot share the host PID namespace when user namespaces are enabled")
		}
	}
	if hostConfig.CgroupParent != "" && UsingSystemd(&daemonCfg.Config) {
		// CgroupParent for systemd cgroup should be named as "xxx.slice"
		// (len <= 6 rejects a bare ".slice" with an empty name)
		if len(hostConfig.CgroupParent) <= 6 || !strings.HasSuffix(hostConfig.CgroupParent, ".slice") {
			return warnings, fmt.Errorf(`cgroup-parent for systemd cgroup should be a valid slice named as "xxx.slice"`)
		}
	}
	if hostConfig.Runtime == "" {
		hostConfig.Runtime = daemonCfg.Runtimes.Default
	}
	// The lookup error is returned unchanged; which names are acceptable is
	// decided by Runtimes.Get (the commit that introduced this lookup notes that
	// names containerd would treat as a path to a binary are rejected there).
	if _, _, err := daemonCfg.Runtimes.Get(hostConfig.Runtime); err != nil {
		return warnings, err
	}
	parser := volumemounts.NewParser()
	for dest := range hostConfig.Tmpfs {
		if err := parser.ValidateTmpfsMountDestination(dest); err != nil {
			return warnings, err
		}
	}
	if !hostConfig.CgroupnsMode.Valid() {
		return warnings, fmt.Errorf("invalid cgroup namespace mode: %v", hostConfig.CgroupnsMode)
	}
	if hostConfig.CgroupnsMode.IsPrivate() {
		if !sysInfo.CgroupNamespaces {
			// warning only; the CgroupnsMode value itself is not modified here
			warnings = append(warnings, "Your kernel does not support cgroup namespaces. Cgroup namespace setting discarded.")
		}
	}
	return warnings, nil
}
// verifyDaemonSettings performs validation of daemon config struct.
//
// It rejects mutually incompatible options (-b with --bip, --iptables=false
// with --icc=false, ip6tables without experimental mode, a systemd cgroup
// parent that is not a ".slice", and rootless mode with the systemd driver
// on a non-unified cgroup host) and validates native.cgroupdriver. As a side
// effect, IP masquerading is switched off when iptables management is disabled.
func verifyDaemonSettings(conf *config.Config) error {
	if conf.ContainerdNamespace == conf.ContainerdPluginNamespace {
		return errors.New("containers namespace and plugins namespace cannot be the same")
	}

	// Check for mutually incompatible config options
	switch {
	case conf.BridgeConfig.Iface != "" && conf.BridgeConfig.IP != "":
		return fmt.Errorf("You specified -b & --bip, mutually exclusive options. Please specify only one")
	case !conf.BridgeConfig.EnableIPTables && !conf.BridgeConfig.InterContainerCommunication:
		return fmt.Errorf("You specified --iptables=false with --icc=false. ICC=false uses iptables to function. Please set --icc or --iptables to true")
	case conf.BridgeConfig.EnableIP6Tables && !conf.Experimental:
		return fmt.Errorf("ip6tables rules are only available if experimental features are enabled")
	}

	// masquerading is disabled rather than rejected when iptables are off
	if !conf.BridgeConfig.EnableIPTables {
		conf.BridgeConfig.EnableIPMasq = false
	}

	if err := verifyCgroupDriver(conf); err != nil {
		return err
	}

	// systemd cgroup parents must be slices: "xxx.slice" with a non-empty name
	parent := conf.CgroupParent
	if parent != "" && UsingSystemd(conf) && (len(parent) <= 6 || !strings.HasSuffix(parent, ".slice")) {
		return fmt.Errorf(`cgroup-parent for systemd cgroup should be a valid slice named as "xxx.slice"`)
	}

	if conf.Rootless && UsingSystemd(conf) && cgroups.Mode() != cgroups.Unified {
		return fmt.Errorf("exec-opt native.cgroupdriver=systemd requires cgroup v2 for rootless mode")
	}
	return nil
}
// checkSystem validates platform-specific requirements. On Linux and FreeBSD
// there is nothing extra to verify, so it always reports success.
func checkSystem() error {
	var err error
	return err
}
// configureMaxThreads sets the Go runtime's maximum OS thread count to 90%
// of the kernel limit read from /proc/sys/kernel/threads-max, so the daemon
// hits a controlled runtime limit before the kernel refuses to create
// threads. The config argument is currently unused. Errors from reading or
// parsing the kernel value are returned unchanged.
func configureMaxThreads(config *config.Config) error {
	const threadsMaxPath = "/proc/sys/kernel/threads-max"

	raw, err := os.ReadFile(threadsMaxPath)
	if err != nil {
		return err
	}
	kernelMax, err := strconv.Atoi(strings.TrimSpace(string(raw)))
	if err != nil {
		return err
	}
	// Integer arithmetic: truncate to whole percent first, then scale.
	limit := (kernelMax / 100) * 90
	debug.SetMaxThreads(limit)
	log.G(context.TODO()).Debugf("Golang's threads limit set to %d", limit)
	return nil
}
// overlaySupportsSelinux reports whether the running kernel lists the
// security_inode_copy_up symbol in /proc/kallsyms, which this code treats as
// the marker for SELinux support on overlay filesystems. A missing
// /proc/kallsyms yields (false, nil); any other open or read error is
// returned.
func overlaySupportsSelinux() (bool, error) {
	const marker = " security_inode_copy_up"

	kallsyms, err := os.Open("/proc/kallsyms")
	if os.IsNotExist(err) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	defer kallsyms.Close()

	scanner := bufio.NewScanner(kallsyms)
	found := false
	for !found && scanner.Scan() {
		found = strings.HasSuffix(scanner.Text(), marker)
	}
	if found {
		return true, nil
	}
	// Exhausted the file without a match; surface any read error.
	return false, scanner.Err()
}
// configureKernelSecuritySupport reconciles the daemon's SELinux setting
// with what the host kernel and the storage driver can honor. When
// config.EnableSelinuxSupport is set but SELinux is not enabled on the host,
// a warning is logged and nothing else happens; for the overlay2 and
// overlayfs drivers the kernel is additionally probed for overlay SELinux
// support and a warning is logged if it is absent. When the option is off,
// SELinux is explicitly disabled for this process. The only error returned
// is a failure while probing /proc/kallsyms.
func configureKernelSecuritySupport(config *config.Config, driverName string) error {
	if !config.EnableSelinuxSupport {
		selinux.SetDisabled()
		return nil
	}
	if !selinux.GetEnabled() {
		log.G(context.TODO()).Warn("Docker could not enable SELinux on the host system")
		return nil
	}
	switch driverName {
	case "overlay2", "overlayfs":
		// Overlay needs kernel-side support to label copied-up inodes.
		supported, err := overlaySupportsSelinux()
		if err != nil {
			return err
		}
		if !supported {
			log.G(context.TODO()).Warnf("SELinux is not supported with the %v graph driver on this kernel", driverName)
		}
	}
	return nil
}
// initNetworkController builds the libnetwork controller for the daemon from
// cfg and the set of sandboxes that survived a restart. daemon.netController
// is assigned the result of libnetwork.New even when that call fails. When
// activeSandboxes is non-empty the existing network configuration is kept (a
// message is logged and configureNetworking is skipped); otherwise the
// predefined networks are (re)created from cfg. Finally cfg.HostGatewayIP is
// defaulted from the bridge network.
func (daemon *Daemon) initNetworkController(cfg *config.Config, activeSandboxes map[string]interface{}) error {
	netOptions, err := daemon.networkOptions(cfg, daemon.PluginStore, activeSandboxes)
	if err != nil {
		return err
	}

	controller, err := libnetwork.New(netOptions...)
	daemon.netController = controller
	if err != nil {
		return fmt.Errorf("error obtaining controller instance: %v", err)
	}

	if len(activeSandboxes) == 0 {
		if err := configureNetworking(daemon.netController, cfg); err != nil {
			return err
		}
	} else {
		log.G(context.TODO()).Info("there are running containers, updated network configuration will not take affect")
	}

	// Fall back to the default bridge's address for host-gateway when unset.
	setHostGatewayIP(daemon.netController, cfg)
	return nil
}
// configureNetworking creates the predefined "none" and "host" networks if
// they are missing, removes a stale default bridge network so it is rebuilt
// from the current configuration, and then either initializes the bridge
// driver or (with DisableBridge) removes the default bridge interface.
// Errors from libnetwork are wrapped with the name of the network involved.
func configureNetworking(controller *libnetwork.Controller, conf *config.Config) error {
	// Predefined networks are only created when absent.
	predefined := []struct{ driver, name string }{
		{"null", network.NetworkNone},
		{"host", network.NetworkHost},
	}
	for _, p := range predefined {
		if existing, _ := controller.NetworkByName(p.name); existing != nil {
			continue
		}
		if _, err := controller.NewNetwork(p.driver, p.name, "", libnetwork.NetworkOptionPersist(true)); err != nil {
			return errors.Wrapf(err, `error creating default %q network`, p.name)
		}
	}

	// A bridge network left over from a previous run is dropped so it can be
	// recreated with the current settings.
	if stale, err := controller.NetworkByName(network.NetworkBridge); err == nil {
		if err = stale.Delete(); err != nil {
			return errors.Wrapf(err, `could not delete the default %q network`, network.NetworkBridge)
		}
		if len(conf.NetworkConfig.DefaultAddressPools.Value()) > 0 && !conf.LiveRestoreEnabled {
			removeDefaultBridgeInterface()
		}
	}

	if conf.DisableBridge {
		removeDefaultBridgeInterface()
		return nil
	}
	// Initialize default driver "bridge"
	return initBridgeDriver(controller, conf.BridgeConfig)
}
// setHostGatewayIP fills config.HostGatewayIP, when it is unset, with the
// gateway of the default bridge network: the first IPv4 gateway if the
// network has one, otherwise the first IPv6 gateway. A missing bridge
// network, or one without IPAM info, leaves the field untouched.
func setHostGatewayIP(controller *libnetwork.Controller, config *config.Config) {
	if config.HostGatewayIP != nil {
		return
	}
	bridgeNw, err := controller.NetworkByName(network.NetworkBridge)
	if err != nil {
		return
	}
	v4Info, v6Info := bridgeNw.IpamInfo()
	switch {
	case len(v4Info) > 0:
		config.HostGatewayIP = v4Info[0].Gateway.IP
	case len(v6Info) > 0:
		config.HostGatewayIP = v6Info[0].Gateway.IP
	}
}
// driverOptions translates the daemon's bridge settings into the generic
// driver configuration libnetwork expects for the "bridge" driver.
func driverOptions(config *config.Config) nwconfig.Option {
	bc := config.BridgeConfig
	bridgeSettings := options.Generic{
		"EnableIPForwarding":  bc.EnableIPForward,
		"EnableIPTables":      bc.EnableIPTables,
		"EnableIP6Tables":     bc.EnableIP6Tables,
		"EnableUserlandProxy": bc.EnableUserlandProxy,
		"UserlandProxyPath":   bc.UserlandProxyPath,
	}
	return nwconfig.OptionDriverConfig("bridge", options.Generic{
		netlabel.GenericData: bridgeSettings,
	})
}
// initBridgeDriver creates the default "bridge" network on controller from
// the daemon's bridge settings in cfg.
//
// The IPv4 IPAM configuration is assembled in order of increasing precedence:
// addresses already present on the bridge interface (when it exists), then
// --bip (cfg.IP), then --fixed-cidr (cfg.FixedCIDR) as the sub-pool (and as
// the pool itself when nothing else set one), plus the optional default
// gateway. IPv6 is configured only from --fixed-cidr-v6; enabling IPv6
// without a subnet is rejected as an invalid parameter.
//
// Returns an error if the bridge's addresses cannot be listed, a CIDR does
// not parse, or libnetwork fails to create the network.
func initBridgeDriver(controller *libnetwork.Controller, cfg config.BridgeConfig) error {
	bridgeName := bridge.DefaultBridgeName
	if cfg.Iface != "" {
		bridgeName = cfg.Iface
	}
	// Driver options are handed to the bridge driver as strings.
	netOption := map[string]string{
		bridge.BridgeName:         bridgeName,
		bridge.DefaultBridge:      strconv.FormatBool(true),
		netlabel.DriverMTU:        strconv.Itoa(cfg.MTU),
		bridge.EnableIPMasquerade: strconv.FormatBool(cfg.EnableIPMasq),
		bridge.EnableICC:          strconv.FormatBool(cfg.InterContainerCommunication),
	}
	// --ip processing
	if cfg.DefaultIP != nil {
		netOption[bridge.DefaultBindingIP] = cfg.DefaultIP.String()
	}

	ipamV4Conf := &libnetwork.IpamConf{AuxAddresses: make(map[string]string)}

	// By default, libnetwork will request an arbitrary available address
	// pool for the network from the configured IPAM allocator.
	// Configure it to use the IPv4 network ranges of the existing bridge
	// interface if one exists with IPv4 addresses assigned to it.
	nwList, nw6List, err := ifaceAddrs(bridgeName)
	if err != nil {
		return errors.Wrap(err, "list bridge addresses failed")
	}

	if len(nwList) > 0 {
		nw := nwList[0]
		// With several addresses on the bridge, prefer the one that lies
		// inside --fixed-cidr so the pool and sub-pool agree.
		if len(nwList) > 1 && cfg.FixedCIDR != "" {
			_, fCIDR, err := net.ParseCIDR(cfg.FixedCIDR)
			if err != nil {
				return errors.Wrap(err, "parse CIDR failed")
			}
			// Iterate through in case there are multiple addresses for the bridge
			for _, entry := range nwList {
				if fCIDR.Contains(entry.IP) {
					nw = entry
					break
				}
			}
		}
		ipamV4Conf.PreferredPool = lntypes.GetIPNetCanonical(nw).String()
		// Only a global-unicast host address on the bridge is reused as the
		// gateway.
		hip, _ := lntypes.GetHostPartIP(nw.IP, nw.Mask)
		if hip.IsGlobalUnicast() {
			ipamV4Conf.Gateway = nw.IP.String()
		}
	}

	// --bip takes precedence over whatever the existing interface had.
	if cfg.IP != "" {
		ip, ipNet, err := net.ParseCIDR(cfg.IP)
		if err != nil {
			return err
		}
		ipamV4Conf.PreferredPool = ipNet.String()
		ipamV4Conf.Gateway = ip.String()
	} else if bridgeName == bridge.DefaultBridgeName && ipamV4Conf.PreferredPool != "" {
		log.G(context.TODO()).Infof("Default bridge (%s) is assigned with an IP address %s. Daemon option --bip can be used to set a preferred IP address", bridgeName, ipamV4Conf.PreferredPool)
	}

	if cfg.FixedCIDR != "" {
		// NOTE(review): cfg.FixedCIDR may already have been parsed above when
		// the bridge had several addresses; the second parse is redundant but
		// harmless.
		_, fCIDR, err := net.ParseCIDR(cfg.FixedCIDR)
		if err != nil {
			return err
		}
		ipamV4Conf.SubPool = fCIDR.String()
		if ipamV4Conf.PreferredPool == "" {
			ipamV4Conf.PreferredPool = fCIDR.String()
		}
	}

	if cfg.DefaultGatewayIPv4 != nil {
		ipamV4Conf.AuxAddresses["DefaultGatewayIPv4"] = cfg.DefaultGatewayIPv4.String()
	}

	var (
		deferIPv6Alloc bool
		ipamV6Conf     *libnetwork.IpamConf
	)
	if cfg.EnableIPv6 && cfg.FixedCIDRv6 == "" {
		return errdefs.InvalidParameter(errors.New("IPv6 is enabled for the default bridge, but no subnet is configured. Specify an IPv6 subnet using --fixed-cidr-v6"))
	} else if cfg.FixedCIDRv6 != "" {
		_, fCIDRv6, err := net.ParseCIDR(cfg.FixedCIDRv6)
		if err != nil {
			return err
		}

		// In case user has specified the daemon flag --fixed-cidr-v6 and the passed network has
		// at least 48 host bits, we need to guarantee the current behavior where the containers'
		// IPv6 addresses will be constructed based on the containers' interface MAC address.
		// We do so by telling libnetwork to defer the IPv6 address allocation for the endpoints
		// on this network until after the driver has created the endpoint and returned the
		// constructed address. Libnetwork will then reserve this address with the ipam driver.
		ones, _ := fCIDRv6.Mask.Size()
		deferIPv6Alloc = ones <= 80

		ipamV6Conf = &libnetwork.IpamConf{
			AuxAddresses:  make(map[string]string),
			PreferredPool: fCIDRv6.String(),
		}

		// In case the --fixed-cidr-v6 is specified and the current docker0 bridge IPv6
		// address belongs to the same network, we need to inform libnetwork about it, so
		// that it can be reserved with IPAM and it will not be given away to somebody else
		for _, nw6 := range nw6List {
			if fCIDRv6.Contains(nw6.IP) {
				ipamV6Conf.Gateway = nw6.IP.String()
				break
			}
		}
	}

	if cfg.DefaultGatewayIPv6 != nil {
		// A v6 default gateway given without --fixed-cidr-v6 still needs an
		// IPAM config to carry the aux address.
		if ipamV6Conf == nil {
			ipamV6Conf = &libnetwork.IpamConf{AuxAddresses: make(map[string]string)}
		}
		ipamV6Conf.AuxAddresses["DefaultGatewayIPv6"] = cfg.DefaultGatewayIPv6.String()
	}

	v4Conf := []*libnetwork.IpamConf{ipamV4Conf}
	v6Conf := []*libnetwork.IpamConf{}
	if ipamV6Conf != nil {
		v6Conf = append(v6Conf, ipamV6Conf)
	}
	// Initialize default network on "bridge" with the same name
	_, err = controller.NewNetwork("bridge", network.NetworkBridge, "",
		libnetwork.NetworkOptionEnableIPv6(cfg.EnableIPv6),
		libnetwork.NetworkOptionDriverOpts(netOption),
		libnetwork.NetworkOptionIpam("default", "", v4Conf, v6Conf, nil),
		libnetwork.NetworkOptionDeferIPv6Alloc(deferIPv6Alloc))
	if err != nil {
		return fmt.Errorf(`error creating default %q network: %v`, network.NetworkBridge, err)
	}

	return nil
}
// removeDefaultBridgeInterface deletes the default bridge link if it exists
// (the --bridge=none case, and when a stale bridge network is rebuilt). A
// failed lookup is treated as "nothing to do"; a failed deletion is only
// logged.
func removeDefaultBridgeInterface() {
	link, err := netlink.LinkByName(bridge.DefaultBridgeName)
	if err != nil {
		return
	}
	if delErr := netlink.LinkDel(link); delErr != nil {
		log.G(context.TODO()).Warnf("Failed to remove bridge interface (%s): %v", bridge.DefaultBridgeName, delErr)
	}
}
// setupInitLayer returns the callback used to populate a container's init
// layer: it runs initlayer.Setup on the given path with the root pair of
// idMapping as owner of the created entries.
func setupInitLayer(idMapping idtools.IdentityMapping) func(string) error {
	setup := func(initPath string) error {
		return initlayer.Setup(initPath, idMapping.RootPair())
	}
	return setup
}
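// parseRemappedRoot parses the remapped root (user namespace) option, which
// can be one of:
//
//   - username           - valid username from /etc/passwd
//   - username:groupname - valid username; valid groupname from /etc/group
//   - uid                - 32-bit unsigned int valid Linux UID value
//   - uid:gid            - uid value; 32-bit unsigned int Linux GID value
//
// If no groupname is specified, and a username is specified, an attempt
// will be made to lookup a gid for that username as a groupname.
//
// If names are used, they are verified to exist in passwd/group. The special
// value defaultIDSpecifier selects the defaultRemappedID user, which is
// created (with its sub{uid,gid} ranges) when it does not exist yet; in that
// case any group part of the specifier is ignored.
//
// It returns the resolved user and group names, or an error describing the
// first lookup that failed.
func parseRemappedRoot(usergrp string) (string, string, error) {
	idparts := strings.Split(usergrp, ":")
	if len(idparts) > 2 {
		return "", "", fmt.Errorf("Invalid user/group specification in --userns-remap: %q", usergrp)
	}
	groupSpecified := len(idparts) == 2

	var username, groupname string
	if uid, err := strconv.ParseInt(idparts[0], 10, 32); err == nil {
		// must be a uid; take it as valid
		userID := int(uid)
		luser, err := idtools.LookupUID(userID)
		if err != nil {
			return "", "", fmt.Errorf("Uid %d has no entry in /etc/passwd: %v", userID, err)
		}
		username = luser.Name
		if !groupSpecified {
			// if the uid was numeric and no gid was specified, take the uid as the gid
			if groupname, err = lookupRemappedGID(userID); err != nil {
				return "", "", err
			}
		}
	} else {
		lookupName := idparts[0]
		// special case: if the user specified "default", they want Docker to create or
		// use (after creation) the "dockremap" user/group for root remapping
		if lookupName == defaultIDSpecifier {
			lookupName = defaultRemappedID
		}
		luser, err := idtools.LookupUser(lookupName)
		if err != nil {
			if idparts[0] != defaultIDSpecifier {
				// error if the name requested isn't the special "dockremap" ID
				return "", "", fmt.Errorf("Error during uid lookup for %q: %v", lookupName, err)
			}
			// special case-- if the username == "default", then we have been asked
			// to create a new entry pair in /etc/{passwd,group} for which the /etc/sub{uid,gid}
			// ranges will be used for the user and group mappings in user namespaced containers
			if _, _, err := idtools.AddNamespaceRangesUser(defaultRemappedID); err != nil {
				return "", "", fmt.Errorf("Error during %q user creation: %v", defaultRemappedID, err)
			}
			// The freshly created user and group share the default name; a
			// group part of the specifier is not consulted on this path.
			return defaultRemappedID, defaultRemappedID, nil
		}
		username = luser.Name
		if !groupSpecified {
			// we only have a string username, and no group specified; look up gid from username as group
			group, err := idtools.LookupGroup(lookupName)
			if err != nil {
				return "", "", fmt.Errorf("Error during gid lookup for %q: %v", lookupName, err)
			}
			groupname = group.Name
		}
	}

	if groupSpecified {
		// groupname or gid is separately specified and must be resolved
		// to an unsigned 32-bit gid
		var err error
		if groupname, err = lookupRemappedGroup(idparts[1]); err != nil {
			return "", "", err
		}
	}
	return username, groupname, nil
}

// lookupRemappedGID resolves a numeric gid to its group name via /etc/group.
// Both numeric-gid paths of parseRemappedRoot share it, so they report the
// same (correct) file in their error message.
func lookupRemappedGID(groupID int) (string, error) {
	lgrp, err := idtools.LookupGID(groupID)
	if err != nil {
		return "", fmt.Errorf("Gid %d has no entry in /etc/group: %v", groupID, err)
	}
	return lgrp.Name, nil
}

// lookupRemappedGroup resolves the group half of a "user:group" specifier:
// a decimal value is treated as a gid and mapped to its name, anything else
// is verified to exist as a group name and returned as given.
func lookupRemappedGroup(spec string) (string, error) {
	if gid, err := strconv.ParseInt(spec, 10, 32); err == nil {
		// must be a gid, take it as valid
		return lookupRemappedGID(int(gid))
	}
	// not a number; attempt a lookup
	if _, err := idtools.LookupGroup(spec); err != nil {
		return "", fmt.Errorf("Error during groupname lookup for %q: %v", spec, err)
	}
	return spec, nil
}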
// setupRemappedRoot resolves config.RemappedRoot (the --userns-remap value)
// into the identity mapping the daemon will use. A non-Linux host with the
// option set is rejected. An empty option, or one that resolves to root
// (which would be a 1-to-1, no-op mapping), yields an empty mapping and no
// error; the root case logs a warning. Otherwise config.RemappedRoot is
// rewritten to the resolved "user:group" names and the subuid/subgid ranges
// for that user are loaded.
func setupRemappedRoot(config *config.Config) (idtools.IdentityMapping, error) {
	var none idtools.IdentityMapping

	if config.RemappedRoot == "" {
		return none, nil
	}
	if runtime.GOOS != "linux" {
		return none, fmt.Errorf("User namespaces are only supported on Linux")
	}

	// Resolve the configured specifier to concrete user and group names.
	username, groupname, err := parseRemappedRoot(config.RemappedRoot)
	if err != nil {
		return none, err
	}
	if username == "root" {
		// Cannot setup user namespaces with a 1-to-1 mapping; "--root=0:0" is a no-op
		// effectively
		log.G(context.TODO()).Warn("User namespaces: root cannot be remapped with itself; user namespaces are OFF")
		return none, nil
	}
	log.G(context.TODO()).Infof("User namespaces: ID ranges will be mapped to subuid/subgid ranges of: %s", username)

	// Store the canonical names so later consumers see resolved values.
	config.RemappedRoot = username + ":" + groupname
	mappings, err := idtools.LoadIdentityMapping(username)
	if err != nil {
		return none, errors.Wrap(err, "Can't create ID mappings")
	}
	return mappings, nil
}
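// setupDaemonRoot prepares the daemon's root directory and records it in
// config.Root.
//
// rootDir is created if missing and forced to mode 0711 so that
// unprivileged processes can traverse it; ownership is then set to the
// current uid and the remapped gid (mode 0710). When user namespaces are in
// use (config.RemappedRoot set), config.Root is moved to a "<uid>.<gid>"
// subdirectory owned the same way, and every ancestor of that directory is
// checked for execute access by the remapped identity so a restrictive
// parent fails here with a clear message instead of at container start.
// Finally the root's mount propagation is configured; a failure there is
// only logged.
func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools.Identity) error {
	config.Root = rootDir
	// the docker root metadata directory needs to have execute permissions for all users (g+x,o+x)
	// so that syscalls executing as non-root, operating on subdirectories of the graph root
	// (e.g. mounted layers of a container) can traverse this path.
	// The user namespace support will create subdirectories for the remapped root host uid:gid
	// pair owned by that same uid:gid pair for proper write access to those needed metadata and
	// layer content subtrees.
	if _, err := os.Stat(rootDir); err == nil {
		// root current exists; verify the access bits are correct by setting them
		if err = os.Chmod(rootDir, 0o711); err != nil {
			return err
		}
	} else if os.IsNotExist(err) {
		// no root exists yet, create it 0711 with root:root ownership
		if err := os.MkdirAll(rootDir, 0o711); err != nil {
			return err
		}
	}

	id := idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: remappedRoot.GID}
	// First make sure the current root dir has the correct perms.
	if err := idtools.MkdirAllAndChown(config.Root, 0o710, id); err != nil {
		return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
	}

	// if user namespaces are enabled we will create a subtree underneath the specified root
	// with any/all specified remapped root uid/gid options on the daemon creating
	// a new subdirectory with ownership set to the remapped uid/gid (so as to allow
	// `chdir()` to work for containers namespaced to that uid/gid)
	if config.RemappedRoot != "" {
		config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID))
		log.G(context.TODO()).Debugf("Creating user namespaced daemon root: %s", config.Root)
		// Create the root directory if it doesn't exist
		if err := idtools.MkdirAllAndChown(config.Root, 0o710, id); err != nil {
			return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
		}
		// we also need to verify that any pre-existing directories in the path to
		// the graphroot won't block access to remapped root--if any pre-existing directory
		// has strict permissions that don't allow "x", container start will fail, so
		// better to warn and fail now
		if err := checkRemappedRootAncestors(config.Root, remappedRoot); err != nil {
			return err
		}
	}

	if err := setupDaemonRootPropagation(config); err != nil {
		log.G(context.TODO()).WithError(err).WithField("dir", config.Root).Warn("Error while setting daemon root propagation, this is not generally critical but may cause some functionality to not work or fallback to less desirable behavior")
	}
	return nil
}

// checkRemappedRootAncestors walks from root's parent up to (but excluding)
// the filesystem root and fails if any directory on the way denies execute
// access to pair. The walk also stops as soon as filepath.Dir makes no more
// progress (e.g. "." for a relative root), so it always terminates.
func checkRemappedRootAncestors(root string, pair idtools.Identity) error {
	dirPath := root
	for {
		parent := filepath.Dir(dirPath)
		if parent == "/" || parent == dirPath {
			return nil
		}
		dirPath = parent
		if !canAccess(dirPath, pair) {
			return fmt.Errorf("a subdirectory in your graphroot path (%s) restricts access to the remapped root uid/gid; please fix by allowing 'o+x' permissions on existing directories", root)
		}
	}
}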
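// canAccess takes a valid (existing) directory and a uid, gid pair and determines
// if that uid, gid pair has access (execute bit) to the directory.
//
// The decision uses the classic permission bits only: world execute, then
// owner execute when the owning uid matches, then group execute when the
// owning gid matches. Supplementary groups, ACLs and mandatory access
// controls are not consulted, and a path that cannot be stat'ed (or whose
// stat result is not a *syscall.Stat_t) is reported as not accessible.
//
// Note: this is a very rudimentary check, and may not produce accurate results,
// so should not be used for anything other than the current use, see:
// https://github.com/moby/moby/issues/43724
func canAccess(path string, pair idtools.Identity) bool {
	statInfo, err := os.Stat(path)
	if err != nil {
		return false
	}
	perms := statInfo.Mode().Perm()
	if perms&0o001 != 0 {
		// world access
		return true
	}
	// os.Stat on Linux/FreeBSD backs FileInfo.Sys with a *syscall.Stat_t; the
	// checked assertion turns any surprise into "no access" instead of a panic.
	ssi, ok := statInfo.Sys().(*syscall.Stat_t)
	if !ok {
		return false
	}
	if ssi.Uid == uint32(pair.UID) && perms&0o100 != 0 {
		// owner access.
		return true
	}
	if ssi.Gid == uint32(pair.GID) && perms&0o010 != 0 {
		// group access.
		return true
	}
	return false
}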
// setupDaemonRootPropagation makes the daemon root a shared mount so that
// mounts created beneath it propagate. If the root already sits on a shared
// or slave mount nothing is changed. If the root was already a mount point
// in its own right, MakeShared only remounted it and no unmount is owed.
// Only when a new mount had to be made is a marker file written under
// ExecRoot, telling the daemon to unmount the root on shutdown; in every
// other outcome a stale marker from a previous run is removed.
func setupDaemonRootPropagation(cfg *config.Config) error {
	parentMount, mountOptions, err := getSourceMount(cfg.Root)
	if err != nil {
		return errors.Wrap(err, "error getting daemon root's parent mount")
	}

	markerFile := getUnmountOnShutdownPath(cfg)
	removeStaleMarker := false
	defer func() {
		if !removeStaleMarker {
			return
		}
		if rmErr := os.Remove(markerFile); rmErr != nil && !os.IsNotExist(rmErr) {
			log.G(context.TODO()).WithError(rmErr).WithField("file", markerFile).Warn("could not clean up old root propagation unmount file")
		}
	}()

	// Already shared (or slave): nothing to do, and nothing to unmount later.
	if hasMountInfoOption(mountOptions, sharedPropagationOption, slavePropagationOption) {
		removeStaleMarker = true
		return nil
	}
	if err := mount.MakeShared(cfg.Root); err != nil {
		return errors.Wrap(err, "could not setup daemon root propagation to shared")
	}
	// check the case where this may have already been a mount to itself.
	// If so then the daemon only performed a remount and should not try to unmount this later.
	if parentMount == cfg.Root {
		removeStaleMarker = true
		return nil
	}

	// Record that this run created the mount; the marker is private to the daemon.
	if err := os.MkdirAll(filepath.Dir(markerFile), 0o700); err != nil {
		return errors.Wrap(err, "error creating dir to store mount cleanup file")
	}
	if err := os.WriteFile(markerFile, nil, 0o600); err != nil {
		return errors.Wrap(err, "error writing file to signal mount cleanup on shutdown")
	}
	return nil
}
// getUnmountOnShutdownPath returns the path of the marker file, inside the
// daemon's ExecRoot, whose presence tells the daemon to unmount its root on
// shutdown.
func getUnmountOnShutdownPath(config *config.Config) string {
	const markerName = "unmount-on-shutdown"
	return filepath.Join(config.ExecRoot, markerName)
}
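// registerLinks registers network links between container and other containers
// with the daemon using the specification in hostConfig.
//
// Links are ignored for a nil hostConfig and for user-defined networks. Each
// entry in hostConfig.Links is parsed into a target name and alias; the
// target is resolved, following any chain of "container:<id>" network modes
// to the container that actually owns the network namespace. Linking to a
// container in host network mode is a conflict. A target that does not
// exist is reported as an invalid parameter rather than "not found" (see
// moby/moby#39823).
func (daemon *Daemon) registerLinks(container *container.Container, hostConfig *containertypes.HostConfig) error {
	if hostConfig == nil || hostConfig.NetworkMode.IsUserDefined() {
		return nil
	}
	for _, l := range hostConfig.Links {
		name, alias, err := opts.ParseLink(l)
		if err != nil {
			return err
		}
		child, err := daemon.linkTarget(name)
		if err != nil {
			return err
		}
		// Follow "container:<id>" network modes to the namespace owner.
		for child.HostConfig.NetworkMode.IsContainer() {
			cid := child.HostConfig.NetworkMode.ConnectedContainer()
			if child, err = daemon.linkTarget(cid); err != nil {
				return err
			}
		}
		if child.HostConfig.NetworkMode.IsHost() {
			return runconfig.ErrConflictHostNetworkAndLinks
		}
		if err := daemon.registerLink(container, child, alias); err != nil {
			return err
		}
	}
	return nil
}

// linkTarget looks up the container a link points at. Trying to link to a
// non-existing container is not valid, and should return an "invalid
// parameter" error. Returning a "not found" error here would make the client
// report the container's image could not be found (see moby/moby#39823).
func (daemon *Daemon) linkTarget(nameOrID string) (*container.Container, error) {
	child, err := daemon.GetContainer(nameOrID)
	if err != nil {
		if errdefs.IsNotFound(err) {
			err = errdefs.InvalidParameter(err)
		}
		return nil, errors.Wrapf(err, "could not get container for %s", nameOrID)
	}
	return child, nil
}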
// conditionalMountOnStart is a platform specific helper function during the
// container start to call mount. On Linux/FreeBSD the container is always
// mounted; the result of daemon.Mount is returned unchanged.
func (daemon *Daemon) conditionalMountOnStart(container *container.Container) error {
	err := daemon.Mount(container)
	return err
}
// conditionalUnmountOnCleanup is the Linux/FreeBSD flavour of the platform
// hook that runs during container cleanup. It mirrors conditionalMountOnStart:
// there is nothing to decide here, so it simply delegates to daemon.Unmount
// and reports whatever that returns.
func (daemon *Daemon) conditionalUnmountOnCleanup(container *container.Container) error {
	if err := daemon.Unmount(container); err != nil {
		return err
	}
	return nil
}
// setDefaultIsolation is a no-op on Linux and FreeBSD. A default isolation
// mode is only a concept on Windows, so the daemon configuration is ignored
// here and nil is always returned.
func (daemon *Daemon) setDefaultIsolation(_ *config.Config) error {
	return nil
}
// setMayDetachMounts turns on fs.may_detach_mounts when the running kernel
// exposes that sysctl.
//
// RHEL-based kernels from RHEL 7.4 onwards expose this knob; enabling it
// allows a mountpoint to be removed even when it is still mounted in another
// mount namespace, which otherwise makes removals fail with "device or
// resource busy". Upstream kernels have behaved this way unconditionally
// since 3.15 and do not expose the setting at all, which is why a missing
// file is treated as "nothing to do" rather than as an error.
//
// Security note: this is a host-wide kernel setting rather than something
// scoped to the daemon, and it deliberately relaxes the "busy mount"
// protection for every process on the host. The write is best-effort when
// it is denied: inside a user namespace (rootless mode) the failure is
// expected and silently ignored; outside one it is only logged at debug
// level. Any other write error is returned to the caller.
func setMayDetachMounts() error {
	const sysctlPath = "/proc/sys/fs/may_detach_mounts"

	f, err := os.OpenFile(sysctlPath, os.O_WRONLY, 0)
	switch {
	case os.IsNotExist(err):
		// Kernel does not expose the knob (upstream kernel, or one that
		// already has the behaviour built in): nothing to configure.
		return nil
	case err != nil:
		return errors.Wrap(err, "error opening may_detach_mounts kernel config file")
	}
	defer f.Close()

	if _, err = f.WriteString("1"); err == nil {
		return nil
	}
	if !os.IsPermission(err) {
		return err
	}
	// EACCES/EPERM is the expected outcome in an unprivileged (user
	// namespaced) daemon; only mention it when that does not seem to be
	// the situation we are in.
	if !userns.RunningInUserNS() {
		log.G(context.TODO()).Debugf("Permission denied writing %q to /proc/sys/fs/may_detach_mounts", "1")
	}
	return nil
}
// initCPURtController ensures that the cgroup at path (relative to the cpu
// controller mount mnt) and every one of its ancestors carry the daemon's
// configured CPU real-time period and runtime.
//
// The hierarchy is processed parent-first: the values set on a parent cgroup
// bound what its children may be set to, so each ancestor must already have
// its period/runtime written before the leaf is touched. The recursion
// bottoms out at the root of the hierarchy ("/" or ".").
//
// Only values that are non-zero in cfg are written; a zero value leaves the
// kernel default in place (see maybeCreateCPURealTimeFile).
func (daemon *Daemon) initCPURtController(cfg *config.Config, mnt, path string) error {
	if path == "/" || path == "." {
		return nil
	}

	// Parents first, so that by the time this cgroup is written its
	// ancestors already permit the requested values.
	if err := daemon.initCPURtController(cfg, mnt, filepath.Dir(path)); err != nil {
		return err
	}

	cgroupDir := filepath.Join(mnt, path)
	if err := os.MkdirAll(cgroupDir, 0o755); err != nil {
		return err
	}

	rtFiles := []struct {
		value int64
		name  string
	}{
		{cfg.CPURealtimePeriod, "cpu.rt_period_us"},
		{cfg.CPURealtimeRuntime, "cpu.rt_runtime_us"},
	}
	for _, rt := range rtFiles {
		if err := maybeCreateCPURealTimeFile(rt.value, rt.name, cgroupDir); err != nil {
			return err
		}
	}
	return nil
}
// maybeCreateCPURealTimeFile writes configValue, formatted as a decimal
// string, to path/file. A configValue of 0 means "not configured" and
// results in no write at all, leaving the kernel default untouched.
//
// It is used for the cpu.rt_period_us / cpu.rt_runtime_us cgroup files. The
// 0o700 mode only takes effect if the file has to be created, which does not
// happen on a real cgroup filesystem where these files already exist.
func maybeCreateCPURealTimeFile(configValue int64, file string, path string) error {
	if configValue == 0 {
		return nil
	}
	target := filepath.Join(path, file)
	payload := strconv.FormatInt(configValue, 10)
	return os.WriteFile(target, []byte(payload), 0o700)
}
2016-06-07 19:05:43 +00:00
2022-08-17 21:13:49 +00:00
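// setupSeccompProfile resolves the daemon-wide seccomp profile selected by
// cfg.SeccompProfile and records the choice on the daemon:
//
//   - "" or config.SeccompProfileDefault: the built-in default profile is
//     selected (daemon.seccompProfilePath is set to the default name and
//     daemon.seccompProfile is not touched);
//   - config.SeccompProfileUnconfined: the unconfined choice is recorded in
//     daemon.seccompProfilePath;
//   - anything else is treated as a path on the daemon host; the file is read
//     now and its raw bytes cached in daemon.seccompProfile.
//
// Reading the file at startup means a missing or unreadable custom profile
// fails fast, before any container is created. The returned error keeps the
// original cause in the chain (%w) so callers can inspect it, e.g. with
// errors.Is(err, fs.ErrNotExist).
//
// NOTE(review): the custom profile's contents are not parsed or validated
// here, so a syntactically broken profile is only detected wherever the
// cached bytes are consumed — confirm that consumer validates it. The path
// comes from the daemon's own configuration (operator-controlled) and is read
// with the daemon's privileges; no path sanitisation is done here.
func (daemon *Daemon) setupSeccompProfile(cfg *config.Config) error {
	switch profile := cfg.SeccompProfile; profile {
	case "", config.SeccompProfileDefault:
		daemon.seccompProfilePath = config.SeccompProfileDefault
	case config.SeccompProfileUnconfined:
		daemon.seccompProfilePath = config.SeccompProfileUnconfined
	default:
		daemon.seccompProfilePath = profile
		b, err := os.ReadFile(profile)
		if err != nil {
			// Wrap with %w (not %v) so the underlying *PathError survives
			// for errors.Is / errors.As at the call site.
			return fmt.Errorf("opening seccomp profile (%s) failed: %w", profile, err)
		}
		daemon.seccompProfile = b
	}
	return nil
}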
// getSysInfo builds the host capability information via sysinfo.New.
//
// When the systemd cgroup driver is in use and ROOTLESSKIT_PARENT_EUID is set
// in the environment (presumably by the RootlessKit parent process in rootless
// mode), the value is used to derive the user slice
// /user.slice/user-<euid>.slice and passed as the cgroup v2 group path, so
// that cgroup information is looked up at the daemon's own location in the
// hierarchy rather than at its root.
//
// NOTE(review): the env value is spliced into the cgroup path without being
// checked to be numeric. It comes from the daemon's own environment, i.e.
// the same trust domain as the daemon itself, so this is not user-controlled
// input; it would nonetheless be cheap to reject a non-numeric value here.
func getSysInfo(cfg *config.Config) *sysinfo.SysInfo {
	var opts []sysinfo.Opt
	if cgroupDriver(cfg) != cgroupSystemdDriver {
		return sysinfo.New(opts...)
	}
	if parentEUID := os.Getenv("ROOTLESSKIT_PARENT_EUID"); parentEUID != "" {
		userSlice := "/user.slice/user-" + parentEUID + ".slice"
		opts = append(opts, sysinfo.WithCgroup2GroupPath(userSlice))
	}
	return sysinfo.New(opts...)
}
// initLibcontainerd connects the daemon to containerd through the
// libcontainerd remote client. The client is built from the daemon's shared
// containerd connection, a state directory named "containerd" under the
// configured exec root, the configured containerd namespace, and the daemon
// itself as the final argument. The result is stored in daemon.containerd
// regardless of the outcome, and the constructor's error is returned.
func (daemon *Daemon) initLibcontainerd(ctx context.Context, cfg *config.Config) error {
	stateDir := filepath.Join(cfg.ExecRoot, "containerd")

	var err error
	daemon.containerd, err = remote.NewClient(ctx, daemon.containerdClient, stateDir, cfg.ContainerdNamespace, daemon)
	return err
}
daemon: load and cache sysInfo on initialization
The `daemon.RawSysInfo()` function can be a heavy operation, as it collects
information about all cgroups on the host, networking, AppArmor, Seccomp, etc.
While looking at our code, I noticed that various parts in the code call this
function, potentially even _multiple times_ per container, for example, it is
called from:
- `verifyPlatformContainerSettings()`
- `oci.WithCgroups()` if the daemon has `cpu-rt-period` or `cpu-rt-runtime` configured
- `in `ContainerDecoder.DecodeConfig()`, which is called on both `container create` and `container commit`
Given that this information is not expected to change during the daemon's
lifecycle, and various information coming from this (such as seccomp and
apparmor status) was already cached, we may as well load it once, and cache
the results in the daemon instance.
This patch updates `daemon.RawSysInfo()` to use a `sync.Once()` so that
it's only executed once for the daemon's lifecycle.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
// recursiveUnmount unmounts target together with everything mounted beneath
// it, delegating entirely to mount.RecursiveUnmount and returning its error.
func recursiveUnmount(target string) error {
	err := mount.RecursiveUnmount(target)
	return err
}