2015-08-07 16:33:29 +00:00
// +build linux freebsd
2015-05-15 23:34:26 +00:00
package daemon
import (
"fmt"
"net"
"os"
"path/filepath"
2015-10-10 16:43:03 +00:00
"strconv"
2015-05-15 23:34:26 +00:00
"strings"
2015-06-16 18:06:53 +00:00
"syscall"
2015-05-15 23:34:26 +00:00
"github.com/Sirupsen/logrus"
2015-12-18 17:44:39 +00:00
pblkiodev "github.com/docker/docker/api/types/blkiodev"
2015-12-18 18:36:17 +00:00
containertypes "github.com/docker/docker/api/types/container"
2015-11-12 19:55:17 +00:00
"github.com/docker/docker/container"
2015-09-08 18:40:55 +00:00
derr "github.com/docker/docker/errors"
2015-11-18 22:20:54 +00:00
"github.com/docker/docker/image"
"github.com/docker/docker/layer"
2015-10-08 15:51:41 +00:00
"github.com/docker/docker/pkg/idtools"
2015-05-15 23:34:26 +00:00
"github.com/docker/docker/pkg/parsers/kernel"
2015-08-06 11:54:48 +00:00
"github.com/docker/docker/pkg/sysinfo"
2015-12-04 21:55:15 +00:00
"github.com/docker/docker/reference"
2015-05-15 23:34:26 +00:00
"github.com/docker/docker/runconfig"
2015-12-22 01:05:55 +00:00
runconfigopts "github.com/docker/docker/runconfig/opts"
2015-05-15 23:34:26 +00:00
"github.com/docker/libnetwork"
2015-05-20 12:20:19 +00:00
nwconfig "github.com/docker/libnetwork/config"
2015-10-10 16:43:03 +00:00
"github.com/docker/libnetwork/drivers/bridge"
"github.com/docker/libnetwork/ipamutils"
2015-05-15 23:34:26 +00:00
"github.com/docker/libnetwork/netlabel"
"github.com/docker/libnetwork/options"
2015-10-10 16:43:03 +00:00
"github.com/docker/libnetwork/types"
2015-06-12 00:34:20 +00:00
blkiodev "github.com/opencontainers/runc/libcontainer/configs"
2015-07-16 23:00:55 +00:00
"github.com/opencontainers/runc/libcontainer/label"
2015-05-15 23:34:26 +00:00
)
2015-08-06 00:15:14 +00:00
const (
// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
linuxMinCPUShares = 2
linuxMaxCPUShares = 262144
2015-08-07 16:33:29 +00:00
platformSupported = true
2015-12-09 06:26:41 +00:00
// It's not kernel limit, we want this 4M limit to supply a reasonable functional container
linuxMinMemory = 4194304
2015-08-06 00:15:14 +00:00
)
2015-12-18 18:36:17 +00:00
func getBlkioWeightDevices ( config * containertypes . HostConfig ) ( [ ] * blkiodev . WeightDevice , error ) {
2015-06-12 00:34:20 +00:00
var stat syscall . Stat_t
2015-12-15 01:50:16 +00:00
var blkioWeightDevices [ ] * blkiodev . WeightDevice
2015-06-12 00:34:20 +00:00
for _ , weightDevice := range config . BlkioWeightDevice {
if err := syscall . Stat ( weightDevice . Path , & stat ) ; err != nil {
return nil , err
}
2015-12-15 01:50:16 +00:00
weightDevice := blkiodev . NewWeightDevice ( int64 ( stat . Rdev / 256 ) , int64 ( stat . Rdev % 256 ) , weightDevice . Weight , 0 )
blkioWeightDevices = append ( blkioWeightDevices , weightDevice )
2015-06-12 00:34:20 +00:00
}
2015-12-15 01:50:16 +00:00
return blkioWeightDevices , nil
2015-06-12 00:34:20 +00:00
}
2015-12-18 18:36:17 +00:00
func parseSecurityOpt ( container * container . Container , config * containertypes . HostConfig ) error {
2015-05-15 23:34:26 +00:00
var (
labelOpts [ ] string
err error
)
for _ , opt := range config . SecurityOpt {
con := strings . SplitN ( opt , ":" , 2 )
if len ( con ) == 1 {
return fmt . Errorf ( "Invalid --security-opt: %q" , opt )
}
switch con [ 0 ] {
case "label" :
labelOpts = append ( labelOpts , con [ 1 ] )
case "apparmor" :
container . AppArmorProfile = con [ 1 ]
2015-11-15 02:02:26 +00:00
case "seccomp" :
container . SeccompProfile = con [ 1 ]
2015-05-15 23:34:26 +00:00
default :
return fmt . Errorf ( "Invalid --security-opt: %q" , opt )
}
}
container . ProcessLabel , container . MountLabel , err = label . InitLabels ( labelOpts )
return err
}
2015-12-18 18:36:17 +00:00
func getBlkioReadIOpsDevices ( config * containertypes . HostConfig ) ( [ ] * blkiodev . ThrottleDevice , error ) {
2015-07-08 11:06:48 +00:00
var blkioReadIOpsDevice [ ] * blkiodev . ThrottleDevice
var stat syscall . Stat_t
for _ , iopsDevice := range config . BlkioDeviceReadIOps {
if err := syscall . Stat ( iopsDevice . Path , & stat ) ; err != nil {
return nil , err
}
readIOpsDevice := blkiodev . NewThrottleDevice ( int64 ( stat . Rdev / 256 ) , int64 ( stat . Rdev % 256 ) , iopsDevice . Rate )
blkioReadIOpsDevice = append ( blkioReadIOpsDevice , readIOpsDevice )
}
return blkioReadIOpsDevice , nil
}
2015-12-18 18:36:17 +00:00
func getBlkioWriteIOpsDevices ( config * containertypes . HostConfig ) ( [ ] * blkiodev . ThrottleDevice , error ) {
2015-07-08 11:06:48 +00:00
var blkioWriteIOpsDevice [ ] * blkiodev . ThrottleDevice
var stat syscall . Stat_t
for _ , iopsDevice := range config . BlkioDeviceWriteIOps {
if err := syscall . Stat ( iopsDevice . Path , & stat ) ; err != nil {
return nil , err
}
writeIOpsDevice := blkiodev . NewThrottleDevice ( int64 ( stat . Rdev / 256 ) , int64 ( stat . Rdev % 256 ) , iopsDevice . Rate )
blkioWriteIOpsDevice = append ( blkioWriteIOpsDevice , writeIOpsDevice )
}
return blkioWriteIOpsDevice , nil
}
2015-12-18 18:36:17 +00:00
func getBlkioReadBpsDevices ( config * containertypes . HostConfig ) ( [ ] * blkiodev . ThrottleDevice , error ) {
2015-12-15 01:50:16 +00:00
var blkioReadBpsDevice [ ] * blkiodev . ThrottleDevice
2015-07-08 11:06:48 +00:00
var stat syscall . Stat_t
for _ , bpsDevice := range config . BlkioDeviceReadBps {
if err := syscall . Stat ( bpsDevice . Path , & stat ) ; err != nil {
return nil , err
}
2015-12-15 01:50:16 +00:00
readBpsDevice := blkiodev . NewThrottleDevice ( int64 ( stat . Rdev / 256 ) , int64 ( stat . Rdev % 256 ) , bpsDevice . Rate )
blkioReadBpsDevice = append ( blkioReadBpsDevice , readBpsDevice )
2015-07-08 11:06:48 +00:00
}
2015-12-15 01:50:16 +00:00
return blkioReadBpsDevice , nil
2015-07-08 11:06:48 +00:00
}
2015-12-18 18:36:17 +00:00
func getBlkioWriteBpsDevices ( config * containertypes . HostConfig ) ( [ ] * blkiodev . ThrottleDevice , error ) {
2015-12-15 01:50:16 +00:00
var blkioWriteBpsDevice [ ] * blkiodev . ThrottleDevice
2015-07-08 11:06:48 +00:00
var stat syscall . Stat_t
for _ , bpsDevice := range config . BlkioDeviceWriteBps {
if err := syscall . Stat ( bpsDevice . Path , & stat ) ; err != nil {
return nil , err
}
2015-12-15 01:50:16 +00:00
writeBpsDevice := blkiodev . NewThrottleDevice ( int64 ( stat . Rdev / 256 ) , int64 ( stat . Rdev % 256 ) , bpsDevice . Rate )
blkioWriteBpsDevice = append ( blkioWriteBpsDevice , writeBpsDevice )
2015-07-08 11:06:48 +00:00
}
2015-12-15 01:50:16 +00:00
return blkioWriteBpsDevice , nil
2015-07-08 11:06:48 +00:00
}
2015-07-30 21:01:53 +00:00
func checkKernelVersion ( k , major , minor int ) bool {
2015-08-19 02:40:22 +00:00
if v , err := kernel . GetKernelVersion ( ) ; err != nil {
logrus . Warnf ( "%s" , err )
} else {
if kernel . CompareKernelVersion ( * v , kernel . VersionInfo { Kernel : k , Major : major , Minor : minor } ) < 0 {
return false
}
}
return true
}
2015-05-15 23:34:26 +00:00
func checkKernel ( ) error {
// Check for unsupported kernel versions
// FIXME: it would be cleaner to not test for specific versions, but rather
// test for specific functionalities.
// Unfortunately we can't test for the feature "does not cause a kernel panic"
// without actually causing a kernel panic, so we need this workaround until
// the circumstances of pre-3.10 crashes are clearer.
// For details see https://github.com/docker/docker/issues/407
2015-07-30 21:01:53 +00:00
if ! checkKernelVersion ( 3 , 10 , 0 ) {
2015-08-19 02:40:22 +00:00
v , _ := kernel . GetKernelVersion ( )
if os . Getenv ( "DOCKER_NOWARN_KERNEL_VERSION" ) == "" {
logrus . Warnf ( "Your Linux kernel version %s can be unstable running docker. Please upgrade your kernel to 3.10.0." , v . String ( ) )
2015-05-15 23:34:26 +00:00
}
}
return nil
}
2015-07-30 22:28:11 +00:00
// adaptContainerSettings is called during container creation to modify any
// settings necessary in the HostConfig structure.
2015-12-18 18:36:17 +00:00
func ( daemon * Daemon ) adaptContainerSettings ( hostConfig * containertypes . HostConfig , adjustCPUShares bool ) error {
2015-08-06 00:15:14 +00:00
if adjustCPUShares && hostConfig . CPUShares > 0 {
// Handle unsupported CPUShares
if hostConfig . CPUShares < linuxMinCPUShares {
logrus . Warnf ( "Changing requested CPUShares of %d to minimum allowed of %d" , hostConfig . CPUShares , linuxMinCPUShares )
hostConfig . CPUShares = linuxMinCPUShares
} else if hostConfig . CPUShares > linuxMaxCPUShares {
logrus . Warnf ( "Changing requested CPUShares of %d to maximum allowed of %d" , hostConfig . CPUShares , linuxMaxCPUShares )
hostConfig . CPUShares = linuxMaxCPUShares
}
}
2015-07-13 07:17:43 +00:00
if hostConfig . Memory > 0 && hostConfig . MemorySwap == 0 {
// By default, MemorySwap is set to twice the size of Memory.
hostConfig . MemorySwap = hostConfig . Memory * 2
}
2015-11-26 12:14:09 +00:00
if hostConfig . ShmSize == nil {
2015-11-12 19:55:17 +00:00
shmSize := container . DefaultSHMSize
2015-11-26 12:14:09 +00:00
hostConfig . ShmSize = & shmSize
}
2015-11-30 05:10:18 +00:00
var err error
if hostConfig . SecurityOpt == nil {
hostConfig . SecurityOpt , err = daemon . generateSecurityOpt ( hostConfig . IpcMode , hostConfig . PidMode )
if err != nil {
return err
}
}
2015-12-02 02:53:52 +00:00
if hostConfig . MemorySwappiness == nil {
defaultSwappiness := int64 ( - 1 )
hostConfig . MemorySwappiness = & defaultSwappiness
}
2015-11-30 05:10:18 +00:00
return nil
2015-07-13 07:17:43 +00:00
}
2015-12-18 18:36:17 +00:00
func verifyContainerResources ( resources * containertypes . Resources ) ( [ ] string , error ) {
2015-08-06 11:54:48 +00:00
warnings := [ ] string { }
2015-08-18 14:01:52 +00:00
sysInfo := sysinfo . New ( true )
2015-05-15 23:34:26 +00:00
2015-08-06 11:55:56 +00:00
// memory subsystem checks and adjustments
2015-12-11 02:59:29 +00:00
if resources . Memory != 0 && resources . Memory < linuxMinMemory {
2015-05-15 23:34:26 +00:00
return warnings , fmt . Errorf ( "Minimum memory limit allowed is 4MB" )
}
2015-12-11 02:59:29 +00:00
if resources . Memory > 0 && ! sysInfo . MemoryLimit {
2015-05-15 23:34:26 +00:00
warnings = append ( warnings , "Your kernel does not support memory limit capabilities. Limitation discarded." )
logrus . Warnf ( "Your kernel does not support memory limit capabilities. Limitation discarded." )
2015-12-11 02:59:29 +00:00
resources . Memory = 0
resources . MemorySwap = - 1
2015-05-15 23:34:26 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . Memory > 0 && resources . MemorySwap != - 1 && ! sysInfo . SwapLimit {
2015-05-15 23:34:26 +00:00
warnings = append ( warnings , "Your kernel does not support swap limit capabilities, memory limited without swap." )
logrus . Warnf ( "Your kernel does not support swap limit capabilities, memory limited without swap." )
2015-12-11 02:59:29 +00:00
resources . MemorySwap = - 1
2015-05-15 23:34:26 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . Memory > 0 && resources . MemorySwap > 0 && resources . MemorySwap < resources . Memory {
2015-05-15 23:34:26 +00:00
return warnings , fmt . Errorf ( "Minimum memoryswap limit should be larger than memory limit, see usage." )
}
2015-12-11 02:59:29 +00:00
if resources . Memory == 0 && resources . MemorySwap > 0 {
2015-05-15 23:34:26 +00:00
return warnings , fmt . Errorf ( "You should always set the Memory limit when using Memoryswap limit, see usage." )
}
2015-12-11 02:59:29 +00:00
if resources . MemorySwappiness != nil && * resources . MemorySwappiness != - 1 && ! sysInfo . MemorySwappiness {
2015-07-14 05:52:57 +00:00
warnings = append ( warnings , "Your kernel does not support memory swappiness capabilities, memory swappiness discarded." )
logrus . Warnf ( "Your kernel does not support memory swappiness capabilities, memory swappiness discarded." )
2015-12-11 02:59:29 +00:00
resources . MemorySwappiness = nil
2015-07-14 05:52:57 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . MemorySwappiness != nil {
swappiness := * resources . MemorySwappiness
2015-07-29 20:04:12 +00:00
if swappiness < - 1 || swappiness > 100 {
return warnings , fmt . Errorf ( "Invalid value: %v, valid memory swappiness range is 0-100." , swappiness )
}
2015-07-14 05:52:57 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . MemoryReservation > 0 && ! sysInfo . MemoryReservation {
2015-09-23 06:02:45 +00:00
warnings = append ( warnings , "Your kernel does not support memory soft limit capabilities. Limitation discarded." )
logrus . Warnf ( "Your kernel does not support memory soft limit capabilities. Limitation discarded." )
2015-12-11 02:59:29 +00:00
resources . MemoryReservation = 0
2015-09-23 06:02:45 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . Memory > 0 && resources . MemoryReservation > 0 && resources . Memory < resources . MemoryReservation {
2015-09-23 06:02:45 +00:00
return warnings , fmt . Errorf ( "Minimum memory limit should be larger than memory reservation limit, see usage." )
}
2015-12-11 02:59:29 +00:00
if resources . KernelMemory > 0 && ! sysInfo . KernelMemory {
2015-08-19 15:56:55 +00:00
warnings = append ( warnings , "Your kernel does not support kernel memory limit capabilities. Limitation discarded." )
logrus . Warnf ( "Your kernel does not support kernel memory limit capabilities. Limitation discarded." )
2015-12-11 02:59:29 +00:00
resources . KernelMemory = 0
2015-08-19 15:56:55 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . KernelMemory > 0 && resources . KernelMemory < linuxMinMemory {
2015-12-09 06:26:41 +00:00
return warnings , fmt . Errorf ( "Minimum kernel memory limit allowed is 4MB" )
}
2015-12-11 02:59:29 +00:00
if resources . KernelMemory > 0 && ! checkKernelVersion ( 4 , 0 , 0 ) {
2015-08-19 15:56:55 +00:00
warnings = append ( warnings , "You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable." )
logrus . Warnf ( "You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable." )
}
2015-12-22 08:08:04 +00:00
if resources . OomKillDisable && ! sysInfo . OomKillDisable {
resources . OomKillDisable = false
return warnings , fmt . Errorf ( "Your kernel does not support oom kill disable." )
}
2015-12-11 02:59:29 +00:00
// cpu subsystem checks and adjustments
if resources . CPUShares > 0 && ! sysInfo . CPUShares {
2015-08-05 14:35:18 +00:00
warnings = append ( warnings , "Your kernel does not support CPU shares. Shares discarded." )
logrus . Warnf ( "Your kernel does not support CPU shares. Shares discarded." )
2015-12-11 02:59:29 +00:00
resources . CPUShares = 0
2015-08-05 14:35:18 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . CPUPeriod > 0 && ! sysInfo . CPUCfsPeriod {
2015-05-15 23:34:26 +00:00
warnings = append ( warnings , "Your kernel does not support CPU cfs period. Period discarded." )
logrus . Warnf ( "Your kernel does not support CPU cfs period. Period discarded." )
2015-12-11 02:59:29 +00:00
resources . CPUPeriod = 0
2015-05-15 23:34:26 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . CPUQuota > 0 && ! sysInfo . CPUCfsQuota {
2015-05-15 23:34:26 +00:00
warnings = append ( warnings , "Your kernel does not support CPU cfs quota. Quota discarded." )
logrus . Warnf ( "Your kernel does not support CPU cfs quota. Quota discarded." )
2015-12-11 02:59:29 +00:00
resources . CPUQuota = 0
2015-05-15 23:34:26 +00:00
}
2015-12-11 02:59:29 +00:00
// cpuset subsystem checks and adjustments
if ( resources . CpusetCpus != "" || resources . CpusetMems != "" ) && ! sysInfo . Cpuset {
2015-08-05 14:35:18 +00:00
warnings = append ( warnings , "Your kernel does not support cpuset. Cpuset discarded." )
logrus . Warnf ( "Your kernel does not support cpuset. Cpuset discarded." )
2015-12-11 02:59:29 +00:00
resources . CpusetCpus = ""
resources . CpusetMems = ""
2015-08-05 14:35:18 +00:00
}
2015-12-11 02:59:29 +00:00
cpusAvailable , err := sysInfo . IsCpusetCpusAvailable ( resources . CpusetCpus )
2015-09-08 18:40:55 +00:00
if err != nil {
2015-12-11 02:59:29 +00:00
return warnings , derr . ErrorCodeInvalidCpusetCpus . WithArgs ( resources . CpusetCpus )
2015-09-08 18:40:55 +00:00
}
if ! cpusAvailable {
2015-12-11 02:59:29 +00:00
return warnings , derr . ErrorCodeNotAvailableCpusetCpus . WithArgs ( resources . CpusetCpus , sysInfo . Cpus )
2015-09-08 18:40:55 +00:00
}
2015-12-11 02:59:29 +00:00
memsAvailable , err := sysInfo . IsCpusetMemsAvailable ( resources . CpusetMems )
2015-09-08 18:40:55 +00:00
if err != nil {
2015-12-11 02:59:29 +00:00
return warnings , derr . ErrorCodeInvalidCpusetMems . WithArgs ( resources . CpusetMems )
2015-09-08 18:40:55 +00:00
}
if ! memsAvailable {
2015-12-11 02:59:29 +00:00
return warnings , derr . ErrorCodeNotAvailableCpusetMems . WithArgs ( resources . CpusetMems , sysInfo . Mems )
2015-09-08 18:40:55 +00:00
}
2015-12-11 02:59:29 +00:00
// blkio subsystem checks and adjustments
if resources . BlkioWeight > 0 && ! sysInfo . BlkioWeight {
2015-08-05 14:35:18 +00:00
warnings = append ( warnings , "Your kernel does not support Block I/O weight. Weight discarded." )
logrus . Warnf ( "Your kernel does not support Block I/O weight. Weight discarded." )
2015-12-11 02:59:29 +00:00
resources . BlkioWeight = 0
2015-08-05 14:35:18 +00:00
}
2015-12-11 02:59:29 +00:00
if resources . BlkioWeight > 0 && ( resources . BlkioWeight < 10 || resources . BlkioWeight > 1000 ) {
2015-05-15 23:34:26 +00:00
return warnings , fmt . Errorf ( "Range of blkio weight is from 10 to 1000." )
}
2015-12-11 02:59:29 +00:00
if len ( resources . BlkioWeightDevice ) > 0 && ! sysInfo . BlkioWeightDevice {
2015-06-12 00:34:20 +00:00
warnings = append ( warnings , "Your kernel does not support Block I/O weight_device." )
logrus . Warnf ( "Your kernel does not support Block I/O weight_device. Weight-device discarded." )
2015-12-11 02:59:29 +00:00
resources . BlkioWeightDevice = [ ] * pblkiodev . WeightDevice { }
2015-06-12 00:34:20 +00:00
}
2015-12-11 02:59:29 +00:00
if len ( resources . BlkioDeviceReadBps ) > 0 && ! sysInfo . BlkioReadBpsDevice {
2015-07-08 11:06:48 +00:00
warnings = append ( warnings , "Your kernel does not support Block read limit in bytes per second." )
logrus . Warnf ( "Your kernel does not support Block I/O read limit in bytes per second. --device-read-bps discarded." )
2015-12-11 02:59:29 +00:00
resources . BlkioDeviceReadBps = [ ] * pblkiodev . ThrottleDevice { }
2015-07-08 11:06:48 +00:00
}
2015-12-11 02:59:29 +00:00
if len ( resources . BlkioDeviceWriteBps ) > 0 && ! sysInfo . BlkioWriteBpsDevice {
2015-07-08 11:06:48 +00:00
warnings = append ( warnings , "Your kernel does not support Block write limit in bytes per second." )
logrus . Warnf ( "Your kernel does not support Block I/O write limit in bytes per second. --device-write-bps discarded." )
2015-12-11 02:59:29 +00:00
resources . BlkioDeviceWriteBps = [ ] * pblkiodev . ThrottleDevice { }
2015-07-08 11:06:48 +00:00
}
2015-07-08 11:06:48 +00:00
if len ( resources . BlkioDeviceReadIOps ) > 0 && ! sysInfo . BlkioReadIOpsDevice {
warnings = append ( warnings , "Your kernel does not support Block read limit in IO per second." )
logrus . Warnf ( "Your kernel does not support Block I/O read limit in IO per second. -device-read-iops discarded." )
resources . BlkioDeviceReadIOps = [ ] * pblkiodev . ThrottleDevice { }
}
if len ( resources . BlkioDeviceWriteIOps ) > 0 && ! sysInfo . BlkioWriteIOpsDevice {
warnings = append ( warnings , "Your kernel does not support Block write limit in IO per second." )
logrus . Warnf ( "Your kernel does not support Block I/O write limit in IO per second. --device-write-iops discarded." )
resources . BlkioDeviceWriteIOps = [ ] * pblkiodev . ThrottleDevice { }
}
2015-12-11 02:59:29 +00:00
return warnings , nil
}
// verifyPlatformContainerSettings performs platform-specific validation of the
// hostconfig and config structures.
2015-12-18 18:36:17 +00:00
func verifyPlatformContainerSettings ( daemon * Daemon , hostConfig * containertypes . HostConfig , config * containertypes . Config ) ( [ ] string , error ) {
2015-12-11 02:59:29 +00:00
warnings := [ ] string { }
sysInfo := sysinfo . New ( true )
warnings , err := daemon . verifyExperimentalContainerSettings ( hostConfig , config )
if err != nil {
return warnings , err
}
w , err := verifyContainerResources ( & hostConfig . Resources )
if err != nil {
return warnings , err
}
warnings = append ( warnings , w ... )
if hostConfig . ShmSize != nil && * hostConfig . ShmSize <= 0 {
return warnings , fmt . Errorf ( "SHM size must be greater then 0" )
}
2015-10-13 09:26:27 +00:00
if hostConfig . OomScoreAdj < - 1000 || hostConfig . OomScoreAdj > 1000 {
return warnings , fmt . Errorf ( "Invalid value %d, range for oom score adj is [-1000, 1000]." , hostConfig . OomScoreAdj )
}
2015-08-06 11:54:48 +00:00
if sysInfo . IPv4ForwardingDisabled {
2015-05-15 23:34:26 +00:00
warnings = append ( warnings , "IPv4 forwarding is disabled. Networking will not work." )
logrus . Warnf ( "IPv4 forwarding is disabled. Networking will not work" )
}
return warnings , nil
}
// checkConfigOptions checks for mutually incompatible config options
func checkConfigOptions ( config * Config ) error {
// Check for mutually incompatible config options
if config . Bridge . Iface != "" && config . Bridge . IP != "" {
return fmt . Errorf ( "You specified -b & --bip, mutually exclusive options. Please specify only one." )
}
if ! config . Bridge . EnableIPTables && ! config . Bridge . InterContainerCommunication {
2015-10-19 21:19:21 +00:00
return fmt . Errorf ( "You specified --iptables=false with --icc=false. ICC=false uses iptables to function. Please set --icc or --iptables to true." )
2015-05-15 23:34:26 +00:00
}
if ! config . Bridge . EnableIPTables && config . Bridge . EnableIPMasq {
config . Bridge . EnableIPMasq = false
}
return nil
}
2015-07-11 19:32:08 +00:00
// checkSystem validates platform-specific requirements
2015-05-15 23:34:26 +00:00
func checkSystem ( ) error {
if os . Geteuid ( ) != 0 {
return fmt . Errorf ( "The Docker daemon needs to be run as root" )
}
2015-09-08 18:40:55 +00:00
return checkKernel ( )
2015-05-15 23:34:26 +00:00
}
// configureKernelSecuritySupport configures and validate security support for the kernel
func configureKernelSecuritySupport ( config * Config , driverName string ) error {
if config . EnableSelinuxSupport {
if selinuxEnabled ( ) {
2015-10-28 13:19:51 +00:00
// As Docker on overlayFS and SELinux are incompatible at present, error on overlayfs being enabled
if driverName == "overlay" {
2015-09-02 19:09:53 +00:00
return fmt . Errorf ( "SELinux is not supported with the %s graph driver" , driverName )
2015-05-15 23:34:26 +00:00
}
logrus . Debug ( "SELinux enabled successfully" )
} else {
logrus . Warn ( "Docker could not enable SELinux on the host system" )
}
} else {
selinuxSetDisabled ( )
}
return nil
}
2015-06-30 17:34:15 +00:00
func isBridgeNetworkDisabled ( config * Config ) bool {
2015-05-15 23:34:26 +00:00
return config . Bridge . Iface == disableNetworkBridge
}
2015-09-21 12:04:36 +00:00
func ( daemon * Daemon ) networkOptions ( dconfig * Config ) ( [ ] nwconfig . Option , error ) {
2015-05-20 12:20:19 +00:00
options := [ ] nwconfig . Option { }
if dconfig == nil {
return options , nil
}
2015-10-10 16:43:03 +00:00
options = append ( options , nwconfig . OptionDataDir ( dconfig . Root ) )
2015-10-22 10:16:53 +00:00
dd := runconfig . DefaultDaemonNetworkMode ( )
dn := runconfig . DefaultDaemonNetworkMode ( ) . NetworkName ( )
options = append ( options , nwconfig . OptionDefaultDriver ( string ( dd ) ) )
options = append ( options , nwconfig . OptionDefaultNetwork ( dn ) )
2015-06-21 00:08:36 +00:00
2015-09-10 23:12:00 +00:00
if strings . TrimSpace ( dconfig . ClusterStore ) != "" {
kv := strings . Split ( dconfig . ClusterStore , "://" )
2015-11-04 14:27:23 +00:00
if len ( kv ) != 2 {
2015-09-25 03:00:05 +00:00
return nil , fmt . Errorf ( "kv store daemon config must be of the form KV-PROVIDER://KV-URL" )
2015-06-21 00:08:36 +00:00
}
options = append ( options , nwconfig . OptionKVProvider ( kv [ 0 ] ) )
2015-11-04 14:27:23 +00:00
options = append ( options , nwconfig . OptionKVProviderURL ( kv [ 1 ] ) )
2015-06-21 00:08:36 +00:00
}
2015-10-21 16:31:09 +00:00
if len ( dconfig . ClusterOpts ) > 0 {
options = append ( options , nwconfig . OptionKVOpts ( dconfig . ClusterOpts ) )
}
2015-06-21 00:08:36 +00:00
2015-09-21 12:04:36 +00:00
if daemon . discoveryWatcher != nil {
options = append ( options , nwconfig . OptionDiscoveryWatcher ( daemon . discoveryWatcher ) )
}
if dconfig . ClusterAdvertise != "" {
options = append ( options , nwconfig . OptionDiscoveryAddress ( dconfig . ClusterAdvertise ) )
}
2015-05-20 12:20:19 +00:00
options = append ( options , nwconfig . OptionLabels ( dconfig . Labels ) )
2015-09-25 03:00:05 +00:00
options = append ( options , driverOptions ( dconfig ) ... )
2015-05-20 12:20:19 +00:00
return options , nil
}
2015-09-21 12:04:36 +00:00
func ( daemon * Daemon ) initNetworkController ( config * Config ) ( libnetwork . NetworkController , error ) {
netOptions , err := daemon . networkOptions ( config )
2015-05-20 12:20:19 +00:00
if err != nil {
return nil , err
}
controller , err := libnetwork . New ( netOptions ... )
2015-05-15 23:34:26 +00:00
if err != nil {
return nil , fmt . Errorf ( "error obtaining controller instance: %v" , err )
}
// Initialize default network on "null"
2015-09-25 03:00:05 +00:00
if _ , err := controller . NewNetwork ( "null" , "none" , libnetwork . NetworkOptionPersist ( false ) ) ; err != nil {
2015-05-15 23:34:26 +00:00
return nil , fmt . Errorf ( "Error creating default \"null\" network: %v" , err )
}
// Initialize default network on "host"
2015-09-25 03:00:05 +00:00
if _ , err := controller . NewNetwork ( "host" , "host" , libnetwork . NetworkOptionPersist ( false ) ) ; err != nil {
2015-05-15 23:34:26 +00:00
return nil , fmt . Errorf ( "Error creating default \"host\" network: %v" , err )
}
2015-06-30 17:34:15 +00:00
if ! config . DisableBridge {
// Initialize default driver "bridge"
if err := initBridgeDriver ( controller , config ) ; err != nil {
return nil , err
}
}
return controller , nil
}
2015-09-25 03:00:05 +00:00
func driverOptions ( config * Config ) [ ] nwconfig . Option {
bridgeConfig := options . Generic {
2015-08-06 11:53:44 +00:00
"EnableIPForwarding" : config . Bridge . EnableIPForward ,
"EnableIPTables" : config . Bridge . EnableIPTables ,
"EnableUserlandProxy" : config . Bridge . EnableUserlandProxy }
2015-09-25 03:00:05 +00:00
bridgeOption := options . Generic { netlabel . GenericData : bridgeConfig }
2015-05-15 23:34:26 +00:00
2015-09-25 03:00:05 +00:00
dOptions := [ ] nwconfig . Option { }
dOptions = append ( dOptions , nwconfig . OptionDriverConfig ( "bridge" , bridgeOption ) )
return dOptions
}
2015-05-15 23:34:26 +00:00
2015-09-25 03:00:05 +00:00
func initBridgeDriver ( controller libnetwork . NetworkController , config * Config ) error {
2015-10-10 16:43:03 +00:00
if n , err := controller . NetworkByName ( "bridge" ) ; err == nil {
if err = n . Delete ( ) ; err != nil {
return fmt . Errorf ( "could not delete the default bridge network: %v" , err )
}
}
bridgeName := bridge . DefaultBridgeName
if config . Bridge . Iface != "" {
bridgeName = config . Bridge . Iface
}
netOption := map [ string ] string {
bridge . BridgeName : bridgeName ,
bridge . DefaultBridge : strconv . FormatBool ( true ) ,
netlabel . DriverMTU : strconv . Itoa ( config . Mtu ) ,
bridge . EnableIPMasquerade : strconv . FormatBool ( config . Bridge . EnableIPMasq ) ,
bridge . EnableICC : strconv . FormatBool ( config . Bridge . InterContainerCommunication ) ,
}
// --ip processing
if config . Bridge . DefaultIP != nil {
netOption [ bridge . DefaultBindingIP ] = config . Bridge . DefaultIP . String ( )
}
ipamV4Conf := libnetwork . IpamConf { }
ipamV4Conf . AuxAddresses = make ( map [ string ] string )
if nw , _ , err := ipamutils . ElectInterfaceAddresses ( bridgeName ) ; err == nil {
ipamV4Conf . PreferredPool = nw . String ( )
hip , _ := types . GetHostPartIP ( nw . IP , nw . Mask )
if hip . IsGlobalUnicast ( ) {
ipamV4Conf . Gateway = nw . IP . String ( )
}
2015-05-15 23:34:26 +00:00
}
if config . Bridge . IP != "" {
2015-10-10 16:43:03 +00:00
ipamV4Conf . PreferredPool = config . Bridge . IP
ip , _ , err := net . ParseCIDR ( config . Bridge . IP )
2015-05-15 23:34:26 +00:00
if err != nil {
2015-06-30 17:34:15 +00:00
return err
2015-05-15 23:34:26 +00:00
}
2015-10-10 16:43:03 +00:00
ipamV4Conf . Gateway = ip . String ( )
2015-10-26 18:46:20 +00:00
} else if bridgeName == bridge . DefaultBridgeName && ipamV4Conf . PreferredPool != "" {
logrus . Infof ( "Default bridge (%s) is assigned with an IP address %s. Daemon option --bip can be used to set a preferred IP address" , bridgeName , ipamV4Conf . PreferredPool )
2015-05-15 23:34:26 +00:00
}
if config . Bridge . FixedCIDR != "" {
_ , fCIDR , err := net . ParseCIDR ( config . Bridge . FixedCIDR )
if err != nil {
2015-06-30 17:34:15 +00:00
return err
2015-05-15 23:34:26 +00:00
}
2015-10-10 16:43:03 +00:00
ipamV4Conf . SubPool = fCIDR . String ( )
2015-05-15 23:34:26 +00:00
}
2015-10-10 16:43:03 +00:00
if config . Bridge . DefaultGatewayIPv4 != nil {
ipamV4Conf . AuxAddresses [ "DefaultGatewayIPv4" ] = config . Bridge . DefaultGatewayIPv4 . String ( )
}
2015-11-11 05:14:05 +00:00
var (
ipamV6Conf * libnetwork . IpamConf
deferIPv6Alloc bool
)
2015-05-15 23:34:26 +00:00
if config . Bridge . FixedCIDRv6 != "" {
_ , fCIDRv6 , err := net . ParseCIDR ( config . Bridge . FixedCIDRv6 )
if err != nil {
2015-06-30 17:34:15 +00:00
return err
2015-05-15 23:34:26 +00:00
}
2015-11-11 05:14:05 +00:00
// In case user has specified the daemon flag --fixed-cidr-v6 and the passed network has
// at least 48 host bits, we need to guarantee the current behavior where the containers'
// IPv6 addresses will be constructed based on the containers' interface MAC address.
// We do so by telling libnetwork to defer the IPv6 address allocation for the endpoints
// on this network until after the driver has created the endpoint and returned the
// constructed address. Libnetwork will then reserve this address with the ipam driver.
ones , _ := fCIDRv6 . Mask . Size ( )
deferIPv6Alloc = ones <= 80
2015-10-10 16:43:03 +00:00
if ipamV6Conf == nil {
2015-12-30 22:51:51 +00:00
ipamV6Conf = & libnetwork . IpamConf { AuxAddresses : make ( map [ string ] string ) }
2015-10-10 16:43:03 +00:00
}
ipamV6Conf . PreferredPool = fCIDRv6 . String ( )
2015-05-15 23:34:26 +00:00
}
if config . Bridge . DefaultGatewayIPv6 != nil {
2015-10-10 16:43:03 +00:00
if ipamV6Conf == nil {
2015-12-30 22:51:51 +00:00
ipamV6Conf = & libnetwork . IpamConf { AuxAddresses : make ( map [ string ] string ) }
2015-10-10 16:43:03 +00:00
}
ipamV6Conf . AuxAddresses [ "DefaultGatewayIPv6" ] = config . Bridge . DefaultGatewayIPv6 . String ( )
2015-05-15 23:34:26 +00:00
}
2015-10-10 16:43:03 +00:00
v4Conf := [ ] * libnetwork . IpamConf { & ipamV4Conf }
v6Conf := [ ] * libnetwork . IpamConf { }
if ipamV6Conf != nil {
v6Conf = append ( v6Conf , ipamV6Conf )
2015-05-15 23:34:26 +00:00
}
// Initialize default network on "bridge" with the same name
2015-06-30 17:34:15 +00:00
_ , err := controller . NewNetwork ( "bridge" , "bridge" ,
2015-05-15 23:34:26 +00:00
libnetwork . NetworkOptionGeneric ( options . Generic {
netlabel . GenericData : netOption ,
netlabel . EnableIPv6 : config . Bridge . EnableIPv6 ,
2015-09-25 03:00:05 +00:00
} ) ,
2015-11-11 05:14:05 +00:00
libnetwork . NetworkOptionIpam ( "default" , "" , v4Conf , v6Conf ) ,
libnetwork . NetworkOptionDeferIPv6Alloc ( deferIPv6Alloc ) )
2015-05-15 23:34:26 +00:00
if err != nil {
2015-06-30 17:34:15 +00:00
return fmt . Errorf ( "Error creating default \"bridge\" network: %v" , err )
2015-05-15 23:34:26 +00:00
}
2015-06-30 17:34:15 +00:00
return nil
2015-05-15 23:34:26 +00:00
}
2015-06-16 18:06:53 +00:00
// setupInitLayer populates a directory with mountpoints suitable
// for bind-mounting dockerinit into the container. The mountpoint is simply an
// empty file at /.dockerinit
//
// This extra layer is used by all containers as the top-most ro layer. It protects
// the container from unwanted side-effects on the rw layer.
2015-10-08 15:51:41 +00:00
func setupInitLayer ( initLayer string , rootUID , rootGID int ) error {
2015-06-16 18:06:53 +00:00
for pth , typ := range map [ string ] string {
"/dev/pts" : "dir" ,
"/dev/shm" : "dir" ,
"/proc" : "dir" ,
"/sys" : "dir" ,
"/.dockerinit" : "file" ,
"/.dockerenv" : "file" ,
"/etc/resolv.conf" : "file" ,
"/etc/hosts" : "file" ,
"/etc/hostname" : "file" ,
"/dev/console" : "file" ,
"/etc/mtab" : "/proc/mounts" ,
} {
parts := strings . Split ( pth , "/" )
prev := "/"
for _ , p := range parts [ 1 : ] {
prev = filepath . Join ( prev , p )
syscall . Unlink ( filepath . Join ( initLayer , prev ) )
}
if _ , err := os . Stat ( filepath . Join ( initLayer , pth ) ) ; err != nil {
if os . IsNotExist ( err ) {
2015-12-04 17:18:05 +00:00
if err := idtools . MkdirAllNewAs ( filepath . Join ( initLayer , filepath . Dir ( pth ) ) , 0755 , rootUID , rootGID ) ; err != nil {
2015-06-16 18:06:53 +00:00
return err
}
switch typ {
case "dir" :
2015-12-04 17:18:05 +00:00
if err := idtools . MkdirAllNewAs ( filepath . Join ( initLayer , pth ) , 0755 , rootUID , rootGID ) ; err != nil {
2015-06-16 18:06:53 +00:00
return err
}
case "file" :
f , err := os . OpenFile ( filepath . Join ( initLayer , pth ) , os . O_CREATE , 0755 )
if err != nil {
return err
}
2015-10-08 15:51:41 +00:00
f . Chown ( rootUID , rootGID )
2015-12-04 17:18:05 +00:00
f . Close ( )
2015-06-16 18:06:53 +00:00
default :
if err := os . Symlink ( typ , filepath . Join ( initLayer , pth ) ) ; err != nil {
return err
}
}
} else {
return err
}
}
}
// Layer is ready to use, if it wasn't before.
return nil
}
2015-05-20 12:20:19 +00:00
2015-07-30 21:01:53 +00:00
// registerLinks writes the links to a file.
2015-12-18 18:36:17 +00:00
func ( daemon * Daemon ) registerLinks ( container * container . Container , hostConfig * containertypes . HostConfig ) error {
2015-06-23 17:13:42 +00:00
if hostConfig == nil || hostConfig . Links == nil {
return nil
}
for _ , l := range hostConfig . Links {
2015-12-22 01:05:55 +00:00
name , alias , err := runconfigopts . ParseLink ( l )
2015-06-23 17:13:42 +00:00
if err != nil {
return err
}
2015-12-11 17:39:28 +00:00
child , err := daemon . GetContainer ( name )
2015-06-23 17:13:42 +00:00
if err != nil {
2015-12-11 17:39:28 +00:00
//An error from daemon.GetContainer() means this name could not be found
2015-06-23 17:13:42 +00:00
return fmt . Errorf ( "Could not get container for %s" , name )
}
2015-11-12 19:55:17 +00:00
for child . HostConfig . NetworkMode . IsContainer ( ) {
parts := strings . SplitN ( string ( child . HostConfig . NetworkMode ) , ":" , 2 )
2015-12-11 17:39:28 +00:00
child , err = daemon . GetContainer ( parts [ 1 ] )
2015-06-23 17:13:42 +00:00
if err != nil {
return fmt . Errorf ( "Could not get container for %s" , parts [ 1 ] )
}
}
2015-11-12 19:55:17 +00:00
if child . HostConfig . NetworkMode . IsHost ( ) {
2015-06-23 17:13:42 +00:00
return runconfig . ErrConflictHostNetworkAndLinks
}
2015-07-30 21:01:53 +00:00
if err := daemon . registerLink ( container , child , alias ) ; err != nil {
2015-06-23 17:13:42 +00:00
return err
}
}
// After we load all the links into the daemon
// set them to nil on the hostconfig
hostConfig . Links = nil
2015-11-12 19:55:17 +00:00
if err := container . WriteHostConfig ( ) ; err != nil {
2015-06-23 17:13:42 +00:00
return err
}
return nil
}
2015-07-16 21:14:58 +00:00
2015-11-03 01:06:09 +00:00
// conditionalMountOnStart is a platform specific helper function during the
// container start to call mount.
2015-11-12 19:55:17 +00:00
func ( daemon * Daemon ) conditionalMountOnStart ( container * container . Container ) error {
2015-11-03 01:06:09 +00:00
return daemon . Mount ( container )
}
// conditionalUnmountOnCleanup is a platform specific helper function called
// during the cleanup of a container to unmount.
2015-11-12 19:55:17 +00:00
func ( daemon * Daemon ) conditionalUnmountOnCleanup ( container * container . Container ) {
2015-11-18 22:20:54 +00:00
daemon . Unmount ( container )
2015-11-03 01:06:09 +00:00
}
2015-12-16 20:32:16 +00:00
func restoreCustomImage ( is image . Store , ls layer . Store , rs reference . Store ) error {
2015-11-18 22:20:54 +00:00
// Unix has no custom images to register
return nil
}