moby/daemon/metrics_unix.go
Sebastiaan van Stijn 997ec12ec8
set ReadHeaderTimeout to address G112: Potential Slowloris Attack (gosec)
After discussing in the maintainers meeting, we concluded that Slowloris attacks
are not a real risk other than potentially having some additional goroutines
lingering around, so setting a long timeout to satisfy the linter, and to at
least have "some" timeout.

    libnetwork/diagnostic/server.go:96:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        srv := &http.Server{
            Addr:    net.JoinHostPort(ip, strconv.Itoa(port)),
            Handler: s,
        }
    api/server/server.go:60:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
                srv: &http.Server{
                    Addr: addr,
                },
    daemon/metrics_unix.go:34:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^
    cmd/dockerd/metrics.go:27:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 55fd77f724)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-22 12:27:32 +02:00

70 lines
2.2 KiB
Go

//go:build !windows
// +build !windows
package daemon // import "github.com/docker/docker/daemon"
import (
"net"
"net/http"
"path/filepath"
"strings"
"time"
"github.com/docker/docker/pkg/plugingetter"
"github.com/docker/docker/pkg/plugins"
"github.com/docker/docker/plugin"
metrics "github.com/docker/go-metrics"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
func (daemon *Daemon) listenMetricsSock() (string, error) {
path := filepath.Join(daemon.configStore.ExecRoot, "metrics.sock")
unix.Unlink(path)
l, err := net.Listen("unix", path)
if err != nil {
return "", errors.Wrap(err, "error setting up metrics plugin listener")
}
mux := http.NewServeMux()
mux.Handle("/metrics", metrics.Handler())
go func() {
logrus.Debugf("metrics API listening on %s", l.Addr())
srv := &http.Server{
Handler: mux,
ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
}
if err := srv.Serve(l); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
logrus.WithError(err).Error("error serving metrics API")
}
}()
daemon.metricsPluginListener = l
return path, nil
}
func registerMetricsPluginCallback(store *plugin.Store, sockPath string) {
store.RegisterRuntimeOpt(metricsPluginType, func(s *specs.Spec) {
f := plugin.WithSpecMounts([]specs.Mount{
{Type: "bind", Source: sockPath, Destination: "/run/docker/metrics.sock", Options: []string{"bind", "ro"}},
})
f(s)
})
store.Handle(metricsPluginType, func(name string, client *plugins.Client) {
// Use lookup since nothing in the system can really reference it, no need
// to protect against removal
p, err := store.Get(name, metricsPluginType, plugingetter.Lookup)
if err != nil {
return
}
adapter, err := makePluginAdapter(p)
if err != nil {
logrus.WithError(err).WithField("plugin", p.Name()).Error("Error creating plugin adapter")
}
if err := adapter.StartMetrics(); err != nil {
logrus.WithError(err).WithField("plugin", p.Name()).Error("Error starting metrics collector plugin")
}
})
}