moby--moby/plugin/v2/plugin_linux.go

// +build linux

package v2

import (
	"os"
	"path/filepath"
	"strings"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/oci"
	"github.com/docker/docker/pkg/system"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	"github.com/pkg/errors"
)

// InitSpec creates an OCI spec from the plugin's config.
func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
	s := oci.DefaultSpec()
	s.Root = specs.Root{
		Path:     p.Rootfs,
		Readonly: false, // TODO: all plugins should be readonly? settable in config?
	}

	userMounts := make(map[string]struct{}, len(p.PluginObj.Settings.Mounts))
	for _, m := range p.PluginObj.Settings.Mounts {
		userMounts[m.Destination] = struct{}{}
	}

	execRoot = filepath.Join(execRoot, p.PluginObj.ID)
	if err := os.MkdirAll(execRoot, 0700); err != nil {
		return nil, errors.WithStack(err)
	}

	mounts := append(p.PluginObj.Config.Mounts, types.PluginMount{
		Source:      &execRoot,
		Destination: defaultPluginRuntimeDestination,
		Type:        "bind",
		Options:     []string{"rbind", "rshared"},
	})

	if p.PluginObj.Config.Network.Type != "" {
		// TODO: if net == bridge, use libnetwork controller to create a new plugin-specific bridge, bind mount /etc/hosts and /etc/resolv.conf look at the docker code (allocateNetwork, initialize)
		if p.PluginObj.Config.Network.Type == "host" {
			oci.RemoveNamespace(&s, specs.NamespaceType("network"))
		}
		etcHosts := "/etc/hosts"
		resolvConf := "/etc/resolv.conf"
		mounts = append(mounts,
			types.PluginMount{
				Source:      &etcHosts,
				Destination: etcHosts,
				Type:        "bind",
				Options:     []string{"rbind", "ro"},
			},
			types.PluginMount{
				Source:      &resolvConf,
				Destination: resolvConf,
				Type:        "bind",
				Options:     []string{"rbind", "ro"},
			})
	}
	if p.PluginObj.Config.PidHost {
		oci.RemoveNamespace(&s, specs.NamespaceType("pid"))
	}

	if p.PluginObj.Config.IpcHost {
		oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))
	}

	for _, mnt := range mounts {
		m := specs.Mount{
			Destination: mnt.Destination,
			Type:        mnt.Type,
			Options:     mnt.Options,
		}
		if mnt.Source == nil {
			return nil, errors.New("mount source is not specified")
		}
		m.Source = *mnt.Source
		s.Mounts = append(s.Mounts, m)
	}

	for i, m := range s.Mounts {
		if strings.HasPrefix(m.Destination, "/dev/") {
			if _, ok := userMounts[m.Destination]; ok {
				s.Mounts = append(s.Mounts[:i], s.Mounts[i+1:]...)
			}
		}
	}

	if p.PluginObj.Config.PropagatedMount != "" {
		p.PropagatedMount = filepath.Join(p.Rootfs, p.PluginObj.Config.PropagatedMount)
		s.Linux.RootfsPropagation = "rshared"
	}

	if p.PluginObj.Config.Linux.AllowAllDevices {
		rwm := "rwm"
		s.Linux.Resources.Devices = []specs.DeviceCgroup{{Allow: true, Access: &rwm}}
	}
	for _, dev := range p.PluginObj.Settings.Devices {
		path := *dev.Path
		d, dPermissions, err := oci.DevicesFromPath(path, path, "rwm")
		if err != nil {
			return nil, errors.WithStack(err)
		}
		s.Linux.Devices = append(s.Linux.Devices, d...)
		s.Linux.Resources.Devices = append(s.Linux.Resources.Devices, dPermissions...)
	}

	envs := make([]string, 1, len(p.PluginObj.Settings.Env)+1)
	envs[0] = "PATH=" + system.DefaultPathEnv
	envs = append(envs, p.PluginObj.Settings.Env...)

	args := append(p.PluginObj.Config.Entrypoint, p.PluginObj.Settings.Args...)
	cwd := p.PluginObj.Config.WorkDir
	if len(cwd) == 0 {
		cwd = "/"
	}
	s.Process.Terminal = false
	s.Process.Args = args
	s.Process.Cwd = cwd
	s.Process.Env = envs

	s.Process.Capabilities = append(s.Process.Capabilities, p.PluginObj.Config.Linux.Capabilities...)

	return &s, nil
}
Implement content addressability for plugins Move plugins to shared distribution stack with images. Create immutable plugin config that matches schema2 requirements. Ensure data being pushed is same as pulled/created. Store distribution artifacts in a blobstore. Run init layer setup for every plugin start. Fix breakouts from unsafe file accesses. Add support for `docker plugin install --alias` Uses normalized references for default names to avoid collisions when using default hosts/tags. Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-12-12 18:05:53 -05:00			`// +build linux`

			`package v2`

			`import (`
			`"os"`
			`"path/filepath"`
			`"strings"`

			`"github.com/docker/docker/api/types"`
			`"github.com/docker/docker/oci"`
			`"github.com/docker/docker/pkg/system"`
			`specs "github.com/opencontainers/runtime-spec/specs-go"`
plugin: use pkg/errors in more places Also provide stack trace output in daemon logs. Signed-off-by: Tibor Vass <tibor@docker.com> 2017-01-17 13:27:01 -05:00			`"github.com/pkg/errors"`
Implement content addressability for plugins Move plugins to shared distribution stack with images. Create immutable plugin config that matches schema2 requirements. Ensure data being pushed is same as pulled/created. Store distribution artifacts in a blobstore. Run init layer setup for every plugin start. Fix breakouts from unsafe file accesses. Add support for `docker plugin install --alias` Uses normalized references for default names to avoid collisions when using default hosts/tags. Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-12-12 18:05:53 -05:00			`)`

			`// InitSpec creates an OCI spec from the plugin's config.`
			`func (p Plugin) InitSpec(execRoot string) (specs.Spec, error) {`
			`s := oci.DefaultSpec()`
			`s.Root = specs.Root{`
			`Path: p.Rootfs,`
			`Readonly: false, // TODO: all plugins should be readonly? settable in config?`
			`}`

			`userMounts := make(map[string]struct{}, len(p.PluginObj.Settings.Mounts))`
			`for _, m := range p.PluginObj.Settings.Mounts {`
			`userMounts[m.Destination] = struct{}{}`
			`}`

			`execRoot = filepath.Join(execRoot, p.PluginObj.ID)`
			`if err := os.MkdirAll(execRoot, 0700); err != nil {`
plugin: use pkg/errors in more places Also provide stack trace output in daemon logs. Signed-off-by: Tibor Vass <tibor@docker.com> 2017-01-17 13:27:01 -05:00			`return nil, errors.WithStack(err)`
Implement content addressability for plugins Move plugins to shared distribution stack with images. Create immutable plugin config that matches schema2 requirements. Ensure data being pushed is same as pulled/created. Store distribution artifacts in a blobstore. Run init layer setup for every plugin start. Fix breakouts from unsafe file accesses. Add support for `docker plugin install --alias` Uses normalized references for default names to avoid collisions when using default hosts/tags. Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-12-12 18:05:53 -05:00			`}`

			`mounts := append(p.PluginObj.Config.Mounts, types.PluginMount{`
			`Source: &execRoot,`
			`Destination: defaultPluginRuntimeDestination,`
			`Type: "bind",`
			`Options: []string{"rbind", "rshared"},`
			`})`

			`if p.PluginObj.Config.Network.Type != "" {`
			`// TODO: if net == bridge, use libnetwork controller to create a new plugin-specific bridge, bind mount /etc/hosts and /etc/resolv.conf look at the docker code (allocateNetwork, initialize)`
			`if p.PluginObj.Config.Network.Type == "host" {`
			`oci.RemoveNamespace(&s, specs.NamespaceType("network"))`
			`}`
			`etcHosts := "/etc/hosts"`
			`resolvConf := "/etc/resolv.conf"`
			`mounts = append(mounts,`
			`types.PluginMount{`
			`Source: &etcHosts,`
			`Destination: etcHosts,`
			`Type: "bind",`
			`Options: []string{"rbind", "ro"},`
			`},`
			`types.PluginMount{`
			`Source: &resolvConf,`
			`Destination: resolvConf,`
			`Type: "bind",`
			`Options: []string{"rbind", "ro"},`
			`})`
			`}`
Add pid host support Tested using global-net-plugin-ipc which sets PidHost in config.json. Plugins might need access to host pid namespace. Add support for that. Tested using aragunathan/global-net-plugin-ipc which sets "pidhost" in config.json. Observed using `readlink /proc/self/ns/pid` that plugin and host have the same ns. Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com> 2017-03-10 17:17:24 -05:00			`if p.PluginObj.Config.PidHost {`
			`oci.RemoveNamespace(&s, specs.NamespaceType("pid"))`
			`}`
Implement content addressability for plugins Move plugins to shared distribution stack with images. Create immutable plugin config that matches schema2 requirements. Ensure data being pushed is same as pulled/created. Store distribution artifacts in a blobstore. Run init layer setup for every plugin start. Fix breakouts from unsafe file accesses. Add support for `docker plugin install --alias` Uses normalized references for default names to avoid collisions when using default hosts/tags. Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-12-12 18:05:53 -05:00
Add support in plugin config for accessing host ipc namespace. Plugins might need access to host ipc namespace. A good usecase is a volume plugin running iscsi multipath commands that need access to host kernel locks. Tested with a custom plugin (aragunathan/global-net-plugin-full) that's built with `"ipchost" : true` in config.json. Observed using `readlink /proc/self/ns/ipc` that plugin and host have the same ns. Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com> 2017-03-07 21:26:09 -05:00			`if p.PluginObj.Config.IpcHost {`
			`oci.RemoveNamespace(&s, specs.NamespaceType("ipc"))`
			`}`

Implement content addressability for plugins Move plugins to shared distribution stack with images. Create immutable plugin config that matches schema2 requirements. Ensure data being pushed is same as pulled/created. Store distribution artifacts in a blobstore. Run init layer setup for every plugin start. Fix breakouts from unsafe file accesses. Add support for `docker plugin install --alias` Uses normalized references for default names to avoid collisions when using default hosts/tags. Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-12-12 18:05:53 -05:00			`for _, mnt := range mounts {`
			`m := specs.Mount{`
			`Destination: mnt.Destination,`
			`Type: mnt.Type,`
			`Options: mnt.Options,`
			`}`
			`if mnt.Source == nil {`
			`return nil, errors.New("mount source is not specified")`
			`}`
			`m.Source = *mnt.Source`
			`s.Mounts = append(s.Mounts, m)`
			`}`

			`for i, m := range s.Mounts {`
			`if strings.HasPrefix(m.Destination, "/dev/") {`
			`if _, ok := userMounts[m.Destination]; ok {`
			`s.Mounts = append(s.Mounts[:i], s.Mounts[i+1:]...)`
			`}`
			`}`
			`}`

			`if p.PluginObj.Config.PropagatedMount != "" {`
			`p.PropagatedMount = filepath.Join(p.Rootfs, p.PluginObj.Config.PropagatedMount)`
			`s.Linux.RootfsPropagation = "rshared"`
			`}`

plugins: rename DeviceCreation to AllowAllDevices Signed-off-by: Tibor Vass <tibor@docker.com> 2017-01-10 14:00:57 -05:00			`if p.PluginObj.Config.Linux.AllowAllDevices {`
Implement content addressability for plugins Move plugins to shared distribution stack with images. Create immutable plugin config that matches schema2 requirements. Ensure data being pushed is same as pulled/created. Store distribution artifacts in a blobstore. Run init layer setup for every plugin start. Fix breakouts from unsafe file accesses. Add support for `docker plugin install --alias` Uses normalized references for default names to avoid collisions when using default hosts/tags. Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-12-12 18:05:53 -05:00			`rwm := "rwm"`
			`s.Linux.Resources.Devices = []specs.DeviceCgroup{{Allow: true, Access: &rwm}}`
			`}`
			`for _, dev := range p.PluginObj.Settings.Devices {`
			`path := *dev.Path`
			`d, dPermissions, err := oci.DevicesFromPath(path, path, "rwm")`
			`if err != nil {`
plugin: use pkg/errors in more places Also provide stack trace output in daemon logs. Signed-off-by: Tibor Vass <tibor@docker.com> 2017-01-17 13:27:01 -05:00			`return nil, errors.WithStack(err)`
Implement content addressability for plugins Move plugins to shared distribution stack with images. Create immutable plugin config that matches schema2 requirements. Ensure data being pushed is same as pulled/created. Store distribution artifacts in a blobstore. Run init layer setup for every plugin start. Fix breakouts from unsafe file accesses. Add support for `docker plugin install --alias` Uses normalized references for default names to avoid collisions when using default hosts/tags. Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-12-12 18:05:53 -05:00			`}`
			`s.Linux.Devices = append(s.Linux.Devices, d...)`
			`s.Linux.Resources.Devices = append(s.Linux.Resources.Devices, dPermissions...)`
			`}`

			`envs := make([]string, 1, len(p.PluginObj.Settings.Env)+1)`
			`envs[0] = "PATH=" + system.DefaultPathEnv`
			`envs = append(envs, p.PluginObj.Settings.Env...)`

			`args := append(p.PluginObj.Config.Entrypoint, p.PluginObj.Settings.Args...)`
			`cwd := p.PluginObj.Config.WorkDir`
			`if len(cwd) == 0 {`
			`cwd = "/"`
			`}`
			`s.Process.Terminal = false`
			`s.Process.Args = args`
			`s.Process.Cwd = cwd`
			`s.Process.Env = envs`

			`s.Process.Capabilities = append(s.Process.Capabilities, p.PluginObj.Config.Linux.Capabilities...)`

			`return &s, nil`
			`}`