moby/libnetwork/sandbox_externalkey_unix.go
Sebastiaan van Stijn cff4f20c44
migrate to github.com/containerd/log v0.1.0
The github.com/containerd/containerd/log package was moved to a separate
module, which will also be used by upcoming (patch) releases of containerd.

This patch moves our own uses of the package to use the new module.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 17:52:23 +02:00

176 lines
4.4 KiB
Go

//go:build linux || freebsd
package libnetwork
import (
"context"
"encoding/json"
"flag"
"fmt"
"io"
"net"
"os"
"path/filepath"
"github.com/containerd/log"
"github.com/docker/docker/libnetwork/types"
"github.com/docker/docker/pkg/reexec"
"github.com/docker/docker/pkg/stringid"
"github.com/opencontainers/runtime-spec/specs-go"
)
const (
execSubdir = "libnetwork"
defaultExecRoot = "/run/docker"
success = "success"
)
func init() {
// TODO(thaJeztah): should this actually be registered on FreeBSD, or only on Linux?
reexec.Register("libnetwork-setkey", processSetKeyReexec)
}
type setKeyData struct {
ContainerID string
Key string
}
// processSetKeyReexec is a private function that must be called only on an reexec path
// It expects 3 args { [0] = "libnetwork-setkey", [1] = <container-id>, [2] = <short-controller-id> }
// It also expects specs.State as a json string in <stdin>
// Refer to https://github.com/opencontainers/runc/pull/160/ for more information
// The docker exec-root can be specified as "-exec-root" flag. The default value is "/run/docker".
func processSetKeyReexec() {
if err := setKey(); err != nil {
_, _ = fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
func setKey() error {
execRoot := flag.String("exec-root", defaultExecRoot, "docker exec root")
flag.Parse()
// expecting 3 os.Args {[0]="libnetwork-setkey", [1]=<container-id>, [2]=<short-controller-id> }
// (i.e. expecting 2 flag.Args())
args := flag.Args()
if len(args) < 2 {
return fmt.Errorf("re-exec expects 2 args (after parsing flags), received : %d", len(args))
}
containerID, shortCtlrID := args[0], args[1]
// We expect specs.State as a json string in <stdin>
var state specs.State
if err := json.NewDecoder(os.Stdin).Decode(&state); err != nil {
return err
}
return setExternalKey(shortCtlrID, containerID, fmt.Sprintf("/proc/%d/ns/net", state.Pid), *execRoot)
}
// setExternalKey provides a convenient way to set an External key to a sandbox
func setExternalKey(shortCtlrID string, containerID string, key string, execRoot string) error {
uds := filepath.Join(execRoot, execSubdir, shortCtlrID+".sock")
c, err := net.Dial("unix", uds)
if err != nil {
return err
}
defer c.Close()
err = json.NewEncoder(c).Encode(setKeyData{
ContainerID: containerID,
Key: key,
})
if err != nil {
return fmt.Errorf("sendKey failed with : %v", err)
}
return processReturn(c)
}
func processReturn(r io.Reader) error {
buf := make([]byte, 1024)
n, err := r.Read(buf[:])
if err != nil {
return fmt.Errorf("failed to read buf in processReturn : %v", err)
}
if string(buf[0:n]) != success {
return fmt.Errorf(string(buf[0:n]))
}
return nil
}
func (c *Controller) startExternalKeyListener() error {
execRoot := defaultExecRoot
if v := c.Config().ExecRoot; v != "" {
execRoot = v
}
udsBase := filepath.Join(execRoot, execSubdir)
if err := os.MkdirAll(udsBase, 0o600); err != nil {
return err
}
shortCtlrID := stringid.TruncateID(c.id)
uds := filepath.Join(udsBase, shortCtlrID+".sock")
l, err := net.Listen("unix", uds)
if err != nil {
return err
}
if err := os.Chmod(uds, 0o600); err != nil {
l.Close()
return err
}
c.mu.Lock()
c.extKeyListener = l
c.mu.Unlock()
go c.acceptClientConnections(uds, l)
return nil
}
func (c *Controller) acceptClientConnections(sock string, l net.Listener) {
for {
conn, err := l.Accept()
if err != nil {
if _, err1 := os.Stat(sock); os.IsNotExist(err1) {
log.G(context.TODO()).Debugf("Unix socket %s doesn't exist. cannot accept client connections", sock)
return
}
log.G(context.TODO()).Errorf("Error accepting connection %v", err)
continue
}
go func() {
defer conn.Close()
err := c.processExternalKey(conn)
ret := success
if err != nil {
ret = err.Error()
}
_, err = conn.Write([]byte(ret))
if err != nil {
log.G(context.TODO()).Errorf("Error returning to the client %v", err)
}
}()
}
}
func (c *Controller) processExternalKey(conn net.Conn) error {
buf := make([]byte, 1280)
nr, err := conn.Read(buf)
if err != nil {
return err
}
var s setKeyData
if err = json.Unmarshal(buf[0:nr], &s); err != nil {
return err
}
sb, err := c.GetSandbox(s.ContainerID)
if err != nil {
return types.InvalidParameterErrorf("failed to get sandbox for %s", s.ContainerID)
}
return sb.SetKey(s.Key)
}
func (c *Controller) stopExternalKeyListener() {
c.extKeyListener.Close()
}