package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"time"
"github.com/containerd/log"
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/api/types/events"
"github.com/docker/docker/container"
"github.com/docker/docker/errdefs"
"github.com/docker/docker/internal/compatcontext"
"github.com/docker/docker/libcontainerd"
"github.com/pkg/errors"
)
// validateState verifies if the container is in a non-conflicting state.
func validateState(ctr *container.Container) error {
	// Read every state flag under the container lock so they form one
	// consistent snapshot. The lock is released on return, so this result
	// does not cover anything the caller does afterwards.
	ctr.Lock()
	defer ctr.Unlock()

	switch {
	case ctr.Paused:
		// Paused is deliberately tested ahead of Running: a container can be
		// BOTH running AND paused, and a paused (but running) container has
		// to be thawed ("un-paused") rather than started.
		return errdefs.Conflict(errors.New("cannot start a paused container, try unpause instead"))
	case ctr.Running:
		// Not a real failure. Returned through the API this yields a 304
		// "not modified", telling the client the container is already in the
		// desired state. It is modelled as an error only so the caller stops
		// early, since nothing more needs to be done.
		return errdefs.NotModified(errors.New("container is already running"))
	case ctr.RemovalInProgress || ctr.Dead:
		return errdefs.Conflict(errors.New("container is marked for removal and cannot be started"))
	}
	return nil
}
// ContainerStart starts a container.
func (daemon *Daemon) ContainerStart(ctx context.Context, name string, checkpoint string, checkpointDir string) error {
	cfg := daemon.config()

	// Starting from a checkpoint is only accepted when the daemon runs in
	// experimental mode; the request is rejected before any container lookup.
	if wantsCheckpoint := checkpoint != ""; wantsCheckpoint && !cfg.Experimental {
		return errdefs.InvalidParameter(errors.New("checkpoint is only supported in experimental mode"))
	}

	target, err := daemon.GetContainer(name)
	if err != nil {
		return err
	}

	// validateState takes and releases the container lock on its own, so the
	// state can change before containerStart locks the container again;
	// containerStart repeats the running and removal checks under its lock.
	if stateErr := validateState(target); stateErr != nil {
		return stateErr
	}

	// Check that the stored hostConfig still agrees with the current system
	// settings. It may happen cgroups are unmounted or the like.
	if _, verifyErr := daemon.verifyContainerSettings(cfg, target.HostConfig, nil, false); verifyErr != nil {
		return errdefs.InvalidParameter(verifyErr)
	}

	return daemon.containerStart(ctx, cfg, target, checkpoint, checkpointDir, true)
}
// containerStart prepares the container to run by setting up everything the
// container needs, such as storage and networking, as well as links
// between containers. The container is left waiting for a signal to
// begin running.
func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore, container *container.Container, checkpoint string, checkpointDir string, resetRestartManager bool) (retErr error) {
	begin := time.Now()
	container.Lock()
	defer container.Unlock()

	// State is checked here, under this function's own lock, before any
	// resource is set up.
	switch {
	case resetRestartManager && container.Running:
		// skip this check if already in restarting step and resetRestartManager==false
		return nil
	case container.RemovalInProgress || container.Dead:
		return errdefs.Conflict(errors.New("container is marked for removal and cannot be started"))
	case checkpointDir != "":
		// TODO(mlaventure): how would we support that?
		return errdefs.Forbidden(errors.New("custom checkpointdir is not supported"))
	}

	// If anything below fails, record the failure on the container and undo
	// whatever setup has already been done.
	defer func() {
		if retErr == nil {
			return
		}
		container.SetError(retErr)
		// if no one else has set it, make sure we don't leave it at zero
		if container.ExitCode() == 0 {
			container.SetExitCode(exitUnknown)
		}
		if saveErr := container.CheckpointTo(daemon.containersReplica); saveErr != nil {
			log.G(ctx).Errorf("%s: failed saving state on start failure: %v", container.ID, saveErr)
		}
		container.Reset(false)

		// Cleanup gets a context detached from the request's cancellation, so
		// a cancelled start request does not also cut the teardown short.
		daemon.Cleanup(compatcontext.WithoutCancel(ctx), container)

		// if containers AutoRemove flag is set, remove it after clean up
		if !container.HostConfig.AutoRemove {
			return
		}
		// The lock is dropped around containerRm and taken again afterwards,
		// which keeps the outer deferred Unlock balanced.
		// NOTE(review): presumably containerRm locks the container itself; confirm.
		container.Unlock()
		rmOpts := &backend.ContainerRmConfig{ForceRemove: true, RemoveVolume: true}
		if rmErr := daemon.containerRm(&daemonCfg.Config, container.ID, rmOpts); rmErr != nil {
			log.G(ctx).Errorf("can't remove container %s: %v", container.ID, rmErr)
		}
		container.Lock()
	}()

	if err := daemon.conditionalMountOnStart(container); err != nil {
		return err
	}

	if err := daemon.initializeNetworking(&daemonCfg.Config, container); err != nil {
		return err
	}

	mounts, err := daemon.setupContainerDirs(container)
	if err != nil {
		return err
	}

	extraMounts, cleanup, err := daemon.setupMounts(ctx, container)
	if err != nil {
		return err
	}
	mounts = append(mounts, extraMounts...)
	// Runs on every return path, success included, with a context that is
	// detached from the request's cancellation.
	defer cleanup(compatcontext.WithoutCancel(ctx))

	spec, err := daemon.createSpec(ctx, daemonCfg, container, mounts)
	if err != nil {
		// Any error that occurs while creating the spec, even if it's the
		// result of an invalid container config, must be considered a System
		// error (internal server error), as it's not an error with the request
		// to start the container.
		//
		// Invalid configuration in the config itself must be validated when
		// creating the container (creating its config), but some errors are
		// dependent on the current state, for example when starting a container
		// that shares a namespace with another container, and that container
		// is not running (or missing).
		return errdefs.System(err)
	}

	if resetRestartManager {
		container.ResetRestartManager(true)
		container.HasBeenManuallyStopped = false
	}

	if err := daemon.saveAppArmorConfig(container); err != nil {
		return err
	}

	if checkpoint != "" {
		// checkpointDir is always empty at this point (a non-empty value was
		// rejected above); getCheckpointDir supplies the directory to use.
		checkpointDir, err = getCheckpointDir(checkpointDir, checkpoint, container.Name, container.ID, container.CheckpointDir(), false)
		if err != nil {
			return err
		}
	}

	shim, createOptions, err := daemon.getLibcontainerdCreateOptions(daemonCfg, container)
	if err != nil {
		return err
	}

	c8dCtr, err := libcontainerd.ReplaceContainer(ctx, daemon.containerd, container.ID, spec, shim, createOptions)
	if err != nil {
		return setExitCodeFromError(container.SetExitCode, err)
	}
	// Delete the container object again if a later step fails.
	defer func() {
		if retErr == nil {
			return
		}
		if delErr := c8dCtr.Delete(compatcontext.WithoutCancel(ctx)); delErr != nil {
			log.G(ctx).WithError(delErr).WithField("container", container.ID).
				Error("failed to delete failed start container")
		}
	}()

	// TODO(mlaventure): we need to specify checkpoint options here
	stdinOrTTY := container.StreamConfig.Stdin() != nil || container.Config.Tty
	// context.TODO() is used instead of ctx: passing ctx caused integration
	// tests to be stuck in the cleanup phase. As a consequence, cancelling
	// the request context does not interrupt task creation.
	task, err := c8dCtr.NewTask(context.TODO(), checkpointDir, stdinOrTTY, container.InitializeStdio)
	if err != nil {
		return setExitCodeFromError(container.SetExitCode, err)
	}
	// Force-delete the task again if a later step fails.
	defer func() {
		if retErr == nil {
			return
		}
		if delErr := task.ForceDelete(compatcontext.WithoutCancel(ctx)); delErr != nil {
			log.G(ctx).WithError(delErr).WithField("container", container.ID).
				Error("failed to delete task after fail start")
		}
	}()

	if err := daemon.initializeCreatedTask(ctx, task, container, spec); err != nil {
		return err
	}

	// passing ctx caused integration tests to be stuck in the cleanup phase
	if err := task.Start(context.TODO()); err != nil {
		return setExitCodeFromError(container.SetExitCode, err)
	}

	container.HasBeenManuallyRestarted = false
	container.SetRunning(c8dCtr, task, true)
	container.HasBeenStartedBefore = true
	daemon.setStateCounter(container)

	daemon.initHealthMonitor(container)

	// A failure to persist the running state is logged only; the start
	// itself is still reported as successful.
	if saveErr := container.CheckpointTo(daemon.containersReplica); saveErr != nil {
		log.G(ctx).WithError(saveErr).WithField("container", container.ID).
			Errorf("failed to store container")
	}

	daemon.LogContainerEvent(container, events.ActionStart)
	containerActions.WithValues("start").UpdateSince(begin)

	return nil
}
// Cleanup releases any network resources allocated to the container along with any rules
// around how containers are linked together. It also unmounts the container's root filesystem.
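func (daemon *Daemon) Cleanup(ctx context.Context, container *container.Container) {
	// Cleanup is best-effort: it returns nothing, so every failure below is
	// logged and the remaining teardown steps still run.

	// Microsoft HCS containers get in a bad state if host resources are
	// released while the container still exists.
	if ctr, ok := container.C8dContainer(); ok {
		// The delete runs on context.Background(), so it is not tied to the
		// lifetime of the ctx passed in.
		if err := ctr.Delete(context.Background()); err != nil {
			log.G(ctx).Errorf("%s cleanup: failed to delete container from containerd: %v", container.ID, err)
		}
	}

	daemon.releaseNetwork(container)

	// The change history shown for this line ("Implement none, private, and
	// shareable ipc modes") says a shareable-IPC container's /dev/shm is
	// mounted on the host and then bind-mounted into the container.
	// NOTE(review): presumably that host-side mount is what is released
	// here; confirm against UnmountIpcMount.
	if err := container.UnmountIpcMount(); err != nil {
		log.G(ctx).Warnf("%s cleanup: failed to unmount IPC: %s", container.ID, err)
	}

	if err := daemon.conditionalUnmountOnCleanup(container); err != nil {
		// Record the failure before falling back. Without this line a mount
		// left behind after cleanup leaves no trace in the daemon log.
		log.G(ctx).Warnf("%s cleanup: conditional unmount failed, falling back to cleanup by mount ID: %v", container.ID, err)

		// FIXME: remove once reference counting for graphdrivers has been refactored
		// Ensure that all the mounts are gone
		if mountid, err := daemon.imageService.GetLayerMountID(container.ID); err == nil {
			daemon.cleanupMountsByID(mountid)
		} else {
			log.G(ctx).Warnf("%s cleanup: failed to look up layer mount ID: %v", container.ID, err)
		}
	}

	if err := container.UnmountSecrets(); err != nil {
		log.G(ctx).Warnf("%s cleanup: failed to unmount secrets: %s", container.ID, err)
	}

	if err := recursiveUnmount(container.Root); err != nil {
		log.G(ctx).WithError(err).WithField("container", container.ID).Warn("Error while cleaning up container resource mounts.")
	}

	for _, eConfig := range container.ExecCommands.Commands() {
		daemon.unregisterExecCommand(container, eConfig)
	}

	// Volumes are only unmounted when BaseFS is set.
	if container.BaseFS != "" {
		if err := container.UnmountVolumes(ctx, daemon.LogVolumeEvent); err != nil {
			log.G(ctx).Warnf("%s cleanup: Failed to umount volumes: %v", container.ID, err)
		}
	}

	container.CancelAttachContext()
}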