2021-08-23 13:14:53 +00:00
|
|
|
//go:build linux || freebsd
|
2015-11-23 22:02:42 +00:00
|
|
|
|
|
|
|
package libnetwork
|
|
|
|
|
|
|
|
import (
|
2023-06-23 00:33:17 +00:00
|
|
|
"context"
|
2015-11-23 22:02:42 +00:00
|
|
|
"encoding/json"
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
"flag"
|
2015-11-23 22:02:42 +00:00
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
"net"
|
|
|
|
"os"
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
"path/filepath"
|
2015-11-23 22:02:42 +00:00
|
|
|
|
2023-06-23 00:33:17 +00:00
|
|
|
"github.com/containerd/containerd/log"
|
2021-04-06 00:24:47 +00:00
|
|
|
"github.com/docker/docker/libnetwork/types"
|
2023-04-28 08:56:38 +00:00
|
|
|
"github.com/docker/docker/pkg/reexec"
|
2021-05-28 00:15:56 +00:00
|
|
|
"github.com/docker/docker/pkg/stringid"
|
2018-12-07 01:47:05 +00:00
|
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
2015-11-23 22:02:42 +00:00
|
|
|
)
|
|
|
|
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
const (
|
|
|
|
execSubdir = "libnetwork"
|
|
|
|
defaultExecRoot = "/run/docker"
|
|
|
|
success = "success"
|
|
|
|
)
|
2015-11-23 22:02:42 +00:00
|
|
|
|
2023-04-28 08:56:38 +00:00
|
|
|
func init() {
|
|
|
|
// TODO(thaJeztah): should this actually be registered on FreeBSD, or only on Linux?
|
|
|
|
reexec.Register("libnetwork-setkey", processSetKeyReexec)
|
|
|
|
}
|
|
|
|
|
|
|
|
type setKeyData struct {
|
|
|
|
ContainerID string
|
|
|
|
Key string
|
|
|
|
}
|
|
|
|
|
2015-11-23 22:02:42 +00:00
|
|
|
// processSetKeyReexec is a private function that must be called only on an reexec path
|
2019-08-28 17:59:49 +00:00
|
|
|
// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <short-controller-id> }
|
2018-12-07 01:47:05 +00:00
|
|
|
// It also expects specs.State as a json string in <stdin>
|
2015-11-23 22:02:42 +00:00
|
|
|
// Refer to https://github.com/opencontainers/runc/pull/160/ for more information
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
// The docker exec-root can be specified as "-exec-root" flag. The default value is "/run/docker".
|
2015-11-23 22:02:42 +00:00
|
|
|
func processSetKeyReexec() {
|
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.
This was part of a larger change accross multiple re-exec functions (now removed).
For history's sake; here's the description for that;
The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.
I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.
While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.
This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).
To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).
A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 15:34:56 +00:00
|
|
|
if err := setKey(); err != nil {
|
2022-10-01 23:58:09 +00:00
|
|
|
_, _ = fmt.Fprintln(os.Stderr, err)
|
|
|
|
os.Exit(1)
|
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.
This was part of a larger change accross multiple re-exec functions (now removed).
For history's sake; here's the description for that;
The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.
I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.
While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.
This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).
To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).
A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 15:34:56 +00:00
|
|
|
}
|
|
|
|
}
|
2015-11-23 22:02:42 +00:00
|
|
|
|
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.
This was part of a larger change accross multiple re-exec functions (now removed).
For history's sake; here's the description for that;
The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.
I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.
While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.
This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).
To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).
A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 15:34:56 +00:00
|
|
|
func setKey() error {
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
execRoot := flag.String("exec-root", defaultExecRoot, "docker exec root")
|
|
|
|
flag.Parse()
|
|
|
|
|
2019-08-28 17:59:49 +00:00
|
|
|
// expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<short-controller-id> }
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
// (i.e. expecting 2 flag.Args())
|
|
|
|
args := flag.Args()
|
|
|
|
if len(args) < 2 {
|
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.
This was part of a larger change accross multiple re-exec functions (now removed).
For history's sake; here's the description for that;
The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.
I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.
While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.
This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).
To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).
A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 15:34:56 +00:00
|
|
|
return fmt.Errorf("re-exec expects 2 args (after parsing flags), received : %d", len(args))
|
2015-11-23 22:02:42 +00:00
|
|
|
}
|
2019-08-28 17:59:49 +00:00
|
|
|
containerID, shortCtlrID := args[0], args[1]
|
2015-11-23 22:02:42 +00:00
|
|
|
|
2018-12-07 01:47:05 +00:00
|
|
|
// We expect specs.State as a json string in <stdin>
|
|
|
|
var state specs.State
|
2023-04-28 10:33:57 +00:00
|
|
|
if err := json.NewDecoder(os.Stdin).Decode(&state); err != nil {
|
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.
This was part of a larger change accross multiple re-exec functions (now removed).
For history's sake; here's the description for that;
The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.
I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.
While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.
This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).
To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).
A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 15:34:56 +00:00
|
|
|
return err
|
2015-11-23 22:02:42 +00:00
|
|
|
}
|
|
|
|
|
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.
This was part of a larger change accross multiple re-exec functions (now removed).
For history's sake; here's the description for that;
The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.
I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.
While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.
This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).
To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).
A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-20 15:34:56 +00:00
|
|
|
return SetExternalKey(shortCtlrID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
|
2015-11-23 22:02:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// SetExternalKey provides a convenient way to set an External key to a sandbox
|
2019-08-28 17:59:49 +00:00
|
|
|
func SetExternalKey(shortCtlrID string, containerID string, key string, execRoot string) error {
|
|
|
|
uds := filepath.Join(execRoot, execSubdir, shortCtlrID+".sock")
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
c, err := net.Dial("unix", uds)
|
2015-11-23 22:02:42 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer c.Close()
|
|
|
|
|
2023-04-28 10:38:08 +00:00
|
|
|
err = json.NewEncoder(c).Encode(setKeyData{
|
|
|
|
ContainerID: containerID,
|
|
|
|
Key: key,
|
|
|
|
})
|
|
|
|
if err != nil {
|
2015-11-23 22:02:42 +00:00
|
|
|
return fmt.Errorf("sendKey failed with : %v", err)
|
|
|
|
}
|
|
|
|
return processReturn(c)
|
|
|
|
}
|
|
|
|
|
|
|
|
func processReturn(r io.Reader) error {
|
|
|
|
buf := make([]byte, 1024)
|
|
|
|
n, err := r.Read(buf[:])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to read buf in processReturn : %v", err)
|
|
|
|
}
|
|
|
|
if string(buf[0:n]) != success {
|
|
|
|
return fmt.Errorf(string(buf[0:n]))
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-01-11 22:43:32 +00:00
|
|
|
func (c *Controller) startExternalKeyListener() error {
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
execRoot := defaultExecRoot
|
2022-09-23 17:40:11 +00:00
|
|
|
if v := c.Config().ExecRoot; v != "" {
|
allow propagating custom exec-root (e.g. "/run/docker") to libnetwork-setkey
The docker daemon needs to be modified as follows:
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 00ace320df..ea7daa72df 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -809,7 +809,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
s.Hooks = &specs.Hooks{
Prestart: []specs.Hook{{
Path: target,
- Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+ Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID(), "-exec-root="+daemon.configStore.GetExecRoot()},
}},
}
}
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-11 12:26:40 +00:00
|
|
|
execRoot = v
|
|
|
|
}
|
|
|
|
udsBase := filepath.Join(execRoot, execSubdir)
|
2022-01-20 13:10:24 +00:00
|
|
|
if err := os.MkdirAll(udsBase, 0o600); err != nil {
|
2015-11-23 22:02:42 +00:00
|
|
|
return err
|
|
|
|
}
|
2019-08-28 17:59:49 +00:00
|
|
|
shortCtlrID := stringid.TruncateID(c.id)
|
|
|
|
uds := filepath.Join(udsBase, shortCtlrID+".sock")
|
2015-11-23 22:02:42 +00:00
|
|
|
l, err := net.Listen("unix", uds)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-01-20 13:10:24 +00:00
|
|
|
if err := os.Chmod(uds, 0o600); err != nil {
|
2015-11-23 22:02:42 +00:00
|
|
|
l.Close()
|
|
|
|
return err
|
|
|
|
}
|
2023-01-11 20:56:50 +00:00
|
|
|
c.mu.Lock()
|
2015-11-23 22:02:42 +00:00
|
|
|
c.extKeyListener = l
|
2023-01-11 20:56:50 +00:00
|
|
|
c.mu.Unlock()
|
2015-11-23 22:02:42 +00:00
|
|
|
|
|
|
|
go c.acceptClientConnections(uds, l)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-01-11 22:43:32 +00:00
|
|
|
func (c *Controller) acceptClientConnections(sock string, l net.Listener) {
|
2015-11-23 22:02:42 +00:00
|
|
|
for {
|
|
|
|
conn, err := l.Accept()
|
|
|
|
if err != nil {
|
|
|
|
if _, err1 := os.Stat(sock); os.IsNotExist(err1) {
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(context.TODO()).Debugf("Unix socket %s doesn't exist. cannot accept client connections", sock)
|
2015-11-23 22:02:42 +00:00
|
|
|
return
|
|
|
|
}
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(context.TODO()).Errorf("Error accepting connection %v", err)
|
2015-11-23 22:02:42 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
go func() {
|
2016-07-01 23:29:51 +00:00
|
|
|
defer conn.Close()
|
|
|
|
|
2015-11-23 22:02:42 +00:00
|
|
|
err := c.processExternalKey(conn)
|
|
|
|
ret := success
|
|
|
|
if err != nil {
|
|
|
|
ret = err.Error()
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = conn.Write([]byte(ret))
|
|
|
|
if err != nil {
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(context.TODO()).Errorf("Error returning to the client %v", err)
|
2015-11-23 22:02:42 +00:00
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-11 22:43:32 +00:00
|
|
|
func (c *Controller) processExternalKey(conn net.Conn) error {
|
2015-11-23 22:02:42 +00:00
|
|
|
buf := make([]byte, 1280)
|
|
|
|
nr, err := conn.Read(buf)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
var s setKeyData
|
|
|
|
if err = json.Unmarshal(buf[0:nr], &s); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-01-12 01:10:09 +00:00
|
|
|
var sandbox *Sandbox
|
2015-11-23 22:02:42 +00:00
|
|
|
search := SandboxContainerWalker(&sandbox, s.ContainerID)
|
|
|
|
c.WalkSandboxes(search)
|
|
|
|
if sandbox == nil {
|
|
|
|
return types.BadRequestErrorf("no sandbox present for %s", s.ContainerID)
|
|
|
|
}
|
|
|
|
|
|
|
|
return sandbox.SetKey(s.Key)
|
|
|
|
}
|
|
|
|
|
2023-01-11 22:43:32 +00:00
|
|
|
func (c *Controller) stopExternalKeyListener() {
|
2015-11-23 22:02:42 +00:00
|
|
|
c.extKeyListener.Close()
|
|
|
|
}
|