2018-02-05 16:05:59 -05:00
|
|
|
package config // import "github.com/docker/docker/daemon/config"
|
2013-10-04 22:25:15 -04:00
|
|
|
|
|
|
|
import (
|
2015-12-10 18:35:10 -05:00
|
|
|
"bytes"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2019-11-01 20:09:40 -04:00
|
|
|
"net"
|
2021-08-31 08:05:49 -04:00
|
|
|
"net/url"
|
2017-10-07 17:26:50 -04:00
|
|
|
"os"
|
2022-08-17 14:50:19 -04:00
|
|
|
"path/filepath"
|
2015-12-10 18:35:10 -05:00
|
|
|
"strings"
|
|
|
|
"sync"
|
|
|
|
|
2022-08-17 14:50:19 -04:00
|
|
|
"github.com/containerd/containerd/runtime/v2/shim"
|
2014-08-09 21:18:32 -04:00
|
|
|
"github.com/docker/docker/opts"
|
2017-03-17 17:57:23 -04:00
|
|
|
"github.com/docker/docker/pkg/authorization"
|
2016-03-08 16:03:37 -05:00
|
|
|
"github.com/docker/docker/registry"
|
2015-12-10 18:35:10 -05:00
|
|
|
"github.com/imdario/mergo"
|
2018-11-24 08:47:40 -05:00
|
|
|
"github.com/pkg/errors"
|
2017-07-26 17:42:13 -04:00
|
|
|
"github.com/sirupsen/logrus"
|
2016-06-21 16:42:47 -04:00
|
|
|
"github.com/spf13/pflag"
|
2013-10-04 22:25:15 -04:00
|
|
|
)
|
|
|
|
|
2016-05-06 00:45:55 -04:00
|
|
|
const (
|
2017-01-23 06:23:07 -05:00
|
|
|
// DefaultMaxConcurrentDownloads is the default value for
|
2016-05-06 00:45:55 -04:00
|
|
|
// maximum number of downloads that
|
2022-10-28 15:52:57 -04:00
|
|
|
// may take place at a time.
|
2017-01-23 06:23:07 -05:00
|
|
|
DefaultMaxConcurrentDownloads = 3
|
|
|
|
// DefaultMaxConcurrentUploads is the default value for
|
2016-05-06 00:45:55 -04:00
|
|
|
// maximum number of uploads that
|
2022-10-28 15:52:57 -04:00
|
|
|
// may take place at a time.
|
2017-01-23 06:23:07 -05:00
|
|
|
DefaultMaxConcurrentUploads = 5
|
2019-06-25 09:26:36 -04:00
|
|
|
// DefaultDownloadAttempts is the default value for
|
|
|
|
// maximum number of attempts that
|
|
|
|
// may take place at a time for each pull when the connection is lost.
|
|
|
|
DefaultDownloadAttempts = 5
|
2022-02-18 12:07:40 -05:00
|
|
|
// DefaultShmSize is the default value for container's shm size (64 MiB)
|
|
|
|
DefaultShmSize int64 = 64 * 1024 * 1024
|
2017-01-23 06:23:07 -05:00
|
|
|
// DefaultNetworkMtu is the default value for network MTU
|
|
|
|
DefaultNetworkMtu = 1500
|
|
|
|
// DisableNetworkBridge is the default value of the option to disable network bridge
|
|
|
|
DisableNetworkBridge = "none"
|
2022-04-02 12:40:09 -04:00
|
|
|
// DefaultShutdownTimeout is the default shutdown timeout (in seconds) for
|
|
|
|
// the daemon for containers to stop when it is shutting down.
|
|
|
|
DefaultShutdownTimeout = 15
|
2017-04-10 05:25:15 -04:00
|
|
|
// DefaultInitBinary is the name of the default init binary
|
|
|
|
DefaultInitBinary = "docker-init"
|
2020-11-09 10:24:14 -05:00
|
|
|
// DefaultRuntimeBinary is the default runtime to be used by
|
|
|
|
// containerd if none is specified
|
|
|
|
DefaultRuntimeBinary = "runc"
|
2022-04-02 11:43:50 -04:00
|
|
|
// DefaultContainersNamespace is the name of the default containerd namespace used for users containers.
|
|
|
|
DefaultContainersNamespace = "moby"
|
|
|
|
// DefaultPluginNamespace is the name of the default containerd namespace used for plugins.
|
|
|
|
DefaultPluginNamespace = "plugins.moby"
|
2021-02-26 18:23:55 -05:00
|
|
|
|
2020-07-07 16:33:46 -04:00
|
|
|
// LinuxV2RuntimeName is the runtime used to specify the containerd v2 runc shim
|
|
|
|
LinuxV2RuntimeName = "io.containerd.runc.v2"
|
2021-06-07 07:44:32 -04:00
|
|
|
|
|
|
|
// SeccompProfileDefault is the built-in default seccomp profile.
|
2021-08-07 09:37:03 -04:00
|
|
|
SeccompProfileDefault = "builtin"
|
2021-06-07 07:44:32 -04:00
|
|
|
// SeccompProfileUnconfined is a special profile name for seccomp to use an
|
|
|
|
// "unconfined" seccomp profile.
|
|
|
|
SeccompProfileUnconfined = "unconfined"
|
2016-05-26 17:07:30 -04:00
|
|
|
)
|
|
|
|
|
2020-07-07 16:33:46 -04:00
|
|
|
var builtinRuntimes = map[string]bool{
|
|
|
|
StockRuntimeName: true,
|
|
|
|
LinuxV2RuntimeName: true,
|
|
|
|
}
|
|
|
|
|
2016-02-02 14:33:41 -05:00
|
|
|
// flatOptions contains configuration keys
|
|
|
|
// that MUST NOT be parsed as deep structures.
|
|
|
|
// Use this to differentiate these options
|
|
|
|
// with others like the ones in CommonTLSOptions.
|
|
|
|
var flatOptions = map[string]bool{
|
|
|
|
"cluster-store-opts": true,
|
|
|
|
"log-opts": true,
|
2016-05-23 17:49:50 -04:00
|
|
|
"runtimes": true,
|
2016-08-10 06:52:06 -04:00
|
|
|
"default-ulimits": true,
|
2018-08-21 19:20:19 -04:00
|
|
|
"features": true,
|
2018-09-04 22:12:44 -04:00
|
|
|
"builder": true,
|
2016-02-02 14:33:41 -05:00
|
|
|
}
|
|
|
|
|
2018-08-05 21:52:35 -04:00
|
|
|
// skipValidateOptions contains configuration keys
|
|
|
|
// that will be skipped from findConfigurationConflicts
|
|
|
|
// for unknown flag validation.
|
|
|
|
var skipValidateOptions = map[string]bool{
|
|
|
|
"features": true,
|
2018-09-04 22:12:44 -04:00
|
|
|
"builder": true,
|
2019-06-15 00:59:07 -04:00
|
|
|
// Corresponding flag has been removed because it was already unusable
|
|
|
|
"deprecated-key-path": true,
|
2018-08-05 21:52:35 -04:00
|
|
|
}
|
|
|
|
|
2018-09-17 18:28:26 -04:00
|
|
|
// skipDuplicates contains configuration keys that
|
|
|
|
// will be skipped when checking duplicated
|
|
|
|
// configuration field defined in both daemon
|
|
|
|
// config file and from dockerd cli flags.
|
|
|
|
// This allows some configurations to be merged
|
|
|
|
// during the parsing.
|
|
|
|
var skipDuplicates = map[string]bool{
|
|
|
|
"runtimes": true,
|
|
|
|
}
|
|
|
|
|
2015-12-10 18:35:10 -05:00
|
|
|
// LogConfig represents the default log configuration.
|
|
|
|
// It includes json tags to deserialize configuration from a file
|
2016-03-28 06:57:55 -04:00
|
|
|
// using the same names that the flags in the command line use.
|
2015-12-10 18:35:10 -05:00
|
|
|
type LogConfig struct {
|
|
|
|
Type string `json:"log-driver,omitempty"`
|
|
|
|
Config map[string]string `json:"log-opts,omitempty"`
|
|
|
|
}
|
|
|
|
|
2016-03-28 14:55:20 -04:00
|
|
|
// commonBridgeConfig stores all the platform-common bridge driver specific
|
|
|
|
// configuration.
|
|
|
|
type commonBridgeConfig struct {
|
|
|
|
Iface string `json:"bridge,omitempty"`
|
|
|
|
FixedCIDR string `json:"fixed-cidr,omitempty"`
|
|
|
|
}
|
|
|
|
|
2016-12-13 18:04:59 -05:00
|
|
|
// NetworkConfig stores the daemon-wide networking configurations
|
|
|
|
type NetworkConfig struct {
|
|
|
|
// Default address pools for docker networks
|
|
|
|
DefaultAddressPools opts.PoolsOpt `json:"default-address-pools,omitempty"`
|
2018-07-17 15:11:38 -04:00
|
|
|
// NetworkControlPlaneMTU allows to specify the control plane MTU, this will allow to optimize the network use in some components
|
|
|
|
NetworkControlPlaneMTU int `json:"network-control-plane-mtu,omitempty"`
|
2016-12-13 18:04:59 -05:00
|
|
|
}
|
|
|
|
|
2015-12-10 18:35:10 -05:00
|
|
|
// CommonTLSOptions defines TLS configuration for the daemon server.
|
|
|
|
// It includes json tags to deserialize configuration from a file
|
2016-03-28 06:57:55 -04:00
|
|
|
// using the same names that the flags in the command line use.
|
2015-12-10 18:35:10 -05:00
|
|
|
type CommonTLSOptions struct {
|
|
|
|
CAFile string `json:"tlscacert,omitempty"`
|
|
|
|
CertFile string `json:"tlscert,omitempty"`
|
|
|
|
KeyFile string `json:"tlskey,omitempty"`
|
|
|
|
}
|
|
|
|
|
2019-06-05 21:36:33 -04:00
|
|
|
// DNSConfig defines the DNS configurations.
|
|
|
|
type DNSConfig struct {
|
2019-11-01 20:09:40 -04:00
|
|
|
DNS []string `json:"dns,omitempty"`
|
|
|
|
DNSOptions []string `json:"dns-opts,omitempty"`
|
|
|
|
DNSSearch []string `json:"dns-search,omitempty"`
|
|
|
|
HostGatewayIP net.IP `json:"host-gateway-ip,omitempty"`
|
2019-06-05 21:36:33 -04:00
|
|
|
}
|
|
|
|
|
2016-03-28 06:57:55 -04:00
|
|
|
// CommonConfig defines the configuration of a docker daemon which is
|
2015-04-24 18:36:11 -04:00
|
|
|
// common across platforms.
|
2015-12-10 18:35:10 -05:00
|
|
|
// It includes json tags to deserialize configuration from a file
|
2016-03-28 06:57:55 -04:00
|
|
|
// using the same names that the flags in the command line use.
|
2015-04-24 18:36:11 -04:00
|
|
|
type CommonConfig struct {
|
2017-12-01 14:24:14 -05:00
|
|
|
AuthzMiddleware *authorization.Middleware `json:"-"`
|
|
|
|
AuthorizationPlugins []string `json:"authorization-plugins,omitempty"` // AuthorizationPlugins holds list of authorization plugins
|
|
|
|
AutoRestart bool `json:"-"`
|
|
|
|
Context map[string][]string `json:"-"`
|
|
|
|
DisableBridge bool `json:"-"`
|
|
|
|
ExecOptions []string `json:"exec-opts,omitempty"`
|
|
|
|
GraphDriver string `json:"storage-driver,omitempty"`
|
|
|
|
GraphOptions []string `json:"storage-opts,omitempty"`
|
|
|
|
Labels []string `json:"labels,omitempty"`
|
|
|
|
Mtu int `json:"mtu,omitempty"`
|
|
|
|
NetworkDiagnosticPort int `json:"network-diagnostic-port,omitempty"`
|
|
|
|
Pidfile string `json:"pidfile,omitempty"`
|
|
|
|
RawLogs bool `json:"raw-logs,omitempty"`
|
2022-08-18 06:51:23 -04:00
|
|
|
RootDeprecated string `json:"graph,omitempty"` // Deprecated: use Root instead. TODO(thaJeztah): remove in next release.
|
2017-12-01 14:24:14 -05:00
|
|
|
Root string `json:"data-root,omitempty"`
|
|
|
|
ExecRoot string `json:"exec-root,omitempty"`
|
|
|
|
SocketGroup string `json:"group,omitempty"`
|
|
|
|
CorsHeaders string `json:"api-cors-header,omitempty"`
|
daemon/config: move proxy settings to "proxies" struct within daemon.json
This is a follow-up to 427c7cc5f86364466c7173e8ca59b97c3876471d, which added
proxy-configuration options ("http-proxy", "https-proxy", "no-proxy") to the
dockerd cli and in `daemon.json`.
While working on documentation changes for this feature, I realised that those
options won't be "next" to each-other when formatting the daemon.json JSON, for
example using `jq` (which sorts the fields alphabetically). As it's possible that
additional proxy configuration options are added in future, I considered that
grouping these options in a struct within the JSON may help setting these options,
as well as discovering related options.
This patch introduces a "proxies" field in the JSON, which includes the
"http-proxy", "https-proxy", "no-proxy" options.
Conflict detection continues to work as before; with this patch applied:
mkdir -p /etc/docker/
echo '{"proxies":{"http-proxy":"http-config", "https-proxy":"https-config", "no-proxy": "no-proxy-config"}}' > /etc/docker/daemon.json
dockerd --http-proxy=http-flag --https-proxy=https-flag --no-proxy=no-proxy-flag --validate
unable to configure the Docker daemon with file /etc/docker/daemon.json:
the following directives are specified both as a flag and in the configuration file:
http-proxy: (from flag: http-flag, from file: http-config),
https-proxy: (from flag: https-flag, from file: https-config),
no-proxy: (from flag: no-proxy-flag, from file: no-proxy-config)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-02 10:03:39 -04:00
|
|
|
|
|
|
|
// Proxies holds the proxies that are configured for the daemon.
|
|
|
|
Proxies `json:"proxies"`
|
2016-07-27 11:30:15 -04:00
|
|
|
|
2019-06-17 20:23:44 -04:00
|
|
|
// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests
|
|
|
|
// when pushing to a registry which does not support schema 2. This field is marked as
|
|
|
|
// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the
|
|
|
|
// daemon ID will use a dedicated identifier not shared with exported signatures.
|
|
|
|
TrustKeyPath string `json:"deprecated-key-path,omitempty"`
|
|
|
|
|
2016-07-27 11:30:15 -04:00
|
|
|
// LiveRestoreEnabled determines whether we should keep containers
|
|
|
|
// alive upon daemon shutdown/start
|
|
|
|
LiveRestoreEnabled bool `json:"live-restore,omitempty"`
|
2015-09-10 19:12:00 -04:00
|
|
|
|
|
|
|
// ClusterStore is the storage backend used for the cluster information. It is used by both
|
|
|
|
// multihost networking (to store networks and endpoints information) and by the node discovery
|
|
|
|
// mechanism.
|
2020-03-03 12:00:56 -05:00
|
|
|
// Deprecated: host-discovery and overlay networks with external k/v stores are deprecated
|
2015-12-10 18:35:10 -05:00
|
|
|
ClusterStore string `json:"cluster-store,omitempty"`
|
2015-09-10 19:12:00 -04:00
|
|
|
|
2015-09-28 19:22:57 -04:00
|
|
|
// ClusterOpts is used to pass options to the discovery package for tuning libkv settings, such
|
|
|
|
// as TLS configuration settings.
|
2020-03-03 12:00:56 -05:00
|
|
|
// Deprecated: host-discovery and overlay networks with external k/v stores are deprecated
|
2015-12-10 18:35:10 -05:00
|
|
|
ClusterOpts map[string]string `json:"cluster-store-opts,omitempty"`
|
2015-09-28 19:22:57 -04:00
|
|
|
|
2015-09-10 19:12:00 -04:00
|
|
|
// ClusterAdvertise is the network endpoint that the Engine advertises for the purpose of node
|
|
|
|
// discovery. This should be a 'host:port' combination on which that daemon instance is
|
|
|
|
// reachable by other hosts.
|
2020-03-03 12:00:56 -05:00
|
|
|
// Deprecated: host-discovery and overlay networks with external k/v stores are deprecated
|
2015-12-10 18:35:10 -05:00
|
|
|
ClusterAdvertise string `json:"cluster-advertise,omitempty"`
|
|
|
|
|
2016-05-06 00:45:55 -04:00
|
|
|
// MaxConcurrentDownloads is the maximum number of downloads that
|
|
|
|
// may take place at a time for each pull.
|
2022-04-24 16:59:54 -04:00
|
|
|
MaxConcurrentDownloads int `json:"max-concurrent-downloads,omitempty"`
|
2016-05-06 00:45:55 -04:00
|
|
|
|
|
|
|
// MaxConcurrentUploads is the maximum number of uploads that
|
|
|
|
// may take place at a time for each push.
|
2022-04-24 16:59:54 -04:00
|
|
|
MaxConcurrentUploads int `json:"max-concurrent-uploads,omitempty"`
|
2016-05-06 00:45:55 -04:00
|
|
|
|
2019-06-25 09:26:36 -04:00
|
|
|
// MaxDownloadAttempts is the maximum number of attempts that
|
|
|
|
// may take place at a time for each push.
|
2022-04-24 16:59:54 -04:00
|
|
|
MaxDownloadAttempts int `json:"max-download-attempts,omitempty"`
|
2019-06-25 09:26:36 -04:00
|
|
|
|
2016-05-26 17:07:30 -04:00
|
|
|
// ShutdownTimeout is the timeout value (in seconds) the daemon will wait for the container
|
|
|
|
// to stop when daemon is being shutdown
|
|
|
|
ShutdownTimeout int `json:"shutdown-timeout,omitempty"`
|
|
|
|
|
2016-01-22 13:14:48 -05:00
|
|
|
Debug bool `json:"debug,omitempty"`
|
|
|
|
Hosts []string `json:"hosts,omitempty"`
|
|
|
|
LogLevel string `json:"log-level,omitempty"`
|
2020-07-28 19:01:08 -04:00
|
|
|
TLS *bool `json:"tls,omitempty"`
|
|
|
|
TLSVerify *bool `json:"tlsverify,omitempty"`
|
2016-01-22 13:14:48 -05:00
|
|
|
|
|
|
|
// Embedded structs that allow config
|
|
|
|
// deserialization without the full struct.
|
|
|
|
CommonTLSOptions
|
2016-06-30 21:07:35 -04:00
|
|
|
|
|
|
|
// SwarmDefaultAdvertiseAddr is the default host/IP or network interface
|
|
|
|
// to use if a wildcard address is specified in the ListenAddr value
|
|
|
|
// given to the /swarm/init endpoint and no advertise address is
|
|
|
|
// specified.
|
|
|
|
SwarmDefaultAdvertiseAddr string `json:"swarm-default-advertise-addr"`
|
2018-03-28 19:54:43 -04:00
|
|
|
|
|
|
|
// SwarmRaftHeartbeatTick is the number of ticks in time for swarm mode raft quorum heartbeat
|
|
|
|
// Typical value is 1
|
|
|
|
SwarmRaftHeartbeatTick uint32 `json:"swarm-raft-heartbeat-tick"`
|
|
|
|
|
|
|
|
// SwarmRaftElectionTick is the number of ticks to elapse before followers in the quorum can propose
|
|
|
|
// a new round of leader election. Default, recommended value is at least 10X that of Heartbeat tick.
|
|
|
|
// Higher values can make the quorum less sensitive to transient faults in the environment, but this also
|
|
|
|
// means it takes longer for the managers to detect a down leader.
|
|
|
|
SwarmRaftElectionTick uint32 `json:"swarm-raft-election-tick"`
|
|
|
|
|
|
|
|
MetricsAddress string `json:"metrics-addr"`
|
2016-06-30 21:07:35 -04:00
|
|
|
|
2019-06-05 21:36:33 -04:00
|
|
|
DNSConfig
|
2016-01-22 13:14:48 -05:00
|
|
|
LogConfig
|
2017-01-23 06:23:07 -05:00
|
|
|
BridgeConfig // bridgeConfig holds bridge network specific configuration.
|
2016-12-13 18:04:59 -05:00
|
|
|
NetworkConfig
|
2016-03-08 16:03:37 -05:00
|
|
|
registry.ServiceOptions
|
2015-12-10 18:35:10 -05:00
|
|
|
|
2017-01-23 06:23:07 -05:00
|
|
|
sync.Mutex
|
|
|
|
// FIXME(vdemeester) This part is not that clear and is mainly dependent on cli flags
|
|
|
|
// It should probably be handled outside this package.
|
Log active configuration when reloading
When succesfully reloading the daemon configuration, print a message
in the logs with the active configuration:
INFO[2018-01-15T15:36:20.901688317Z] Got signal to reload configuration, reloading from: /etc/docker/daemon.json
INFO[2018-01-14T02:23:48.782769942Z] Reloaded configuration: {"mtu":1500,"pidfile":"/var/run/docker.pid","data-root":"/var/lib/docker","exec-root":"/var/run/docker","group":"docker","deprecated-key-path":"/etc/docker/key.json","max-concurrent-downloads":3,"max-concurrent-uploads":5,"shutdown-timeout":15,"debug":true,"hosts":["unix:///var/run/docker.sock"],"log-level":"info","swarm-default-advertise-addr":"","metrics-addr":"","log-driver":"json-file","ip":"0.0.0.0","icc":true,"iptables":true,"ip-forward":true,"ip-masq":true,"userland-proxy":true,"disable-legacy-registry":true,"experimental":false,"network-control-plane-mtu":1500,"runtimes":{"runc":{"path":"docker-runc"}},"default-runtime":"runc","oom-score-adjust":-500,"default-shm-size":67108864,"default-ipc-mode":"shareable"}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-01-15 11:11:05 -05:00
|
|
|
ValuesSet map[string]interface{} `json:"-"`
|
2016-10-06 10:09:54 -04:00
|
|
|
|
|
|
|
Experimental bool `json:"experimental"` // Experimental indicates whether experimental features should be exposed or not
|
2017-05-30 20:02:11 -04:00
|
|
|
|
|
|
|
// Exposed node Generic Resources
|
2017-10-29 15:30:31 -04:00
|
|
|
// e.g: ["orange=red", "orange=green", "orange=blue", "apple=3"]
|
|
|
|
NodeGenericResources []string `json:"node-generic-resources,omitempty"`
|
2017-09-22 09:52:41 -04:00
|
|
|
|
|
|
|
// ContainerAddr is the address used to connect to containerd if we're
|
|
|
|
// not starting it ourselves
|
|
|
|
ContainerdAddr string `json:"containerd,omitempty"`
|
2018-06-19 18:53:40 -04:00
|
|
|
|
|
|
|
// CriContainerd determines whether a supervised containerd instance
|
|
|
|
// should be configured with the CRI plugin enabled. This allows using
|
|
|
|
// Docker's containerd instance directly with a Kubernetes kubelet.
|
|
|
|
CriContainerd bool `json:"cri-containerd,omitempty"`
|
2018-08-05 21:52:35 -04:00
|
|
|
|
|
|
|
// Features contains a list of feature key value pairs indicating what features are enabled or disabled.
|
|
|
|
// If a certain feature doesn't appear in this list then it's unset (i.e. neither true nor false).
|
|
|
|
Features map[string]bool `json:"features,omitempty"`
|
2018-09-04 22:12:44 -04:00
|
|
|
|
|
|
|
Builder BuilderConfig `json:"builder,omitempty"`
|
2019-07-11 19:42:16 -04:00
|
|
|
|
|
|
|
ContainerdNamespace string `json:"containerd-namespace,omitempty"`
|
|
|
|
ContainerdPluginNamespace string `json:"containerd-plugin-namespace,omitempty"`
|
2021-02-26 18:23:55 -05:00
|
|
|
|
|
|
|
DefaultRuntime string `json:"default-runtime,omitempty"`
|
2013-10-04 22:25:15 -04:00
|
|
|
}
|
2013-10-21 12:04:42 -04:00
|
|
|
|
daemon/config: move proxy settings to "proxies" struct within daemon.json
This is a follow-up to 427c7cc5f86364466c7173e8ca59b97c3876471d, which added
proxy-configuration options ("http-proxy", "https-proxy", "no-proxy") to the
dockerd cli and in `daemon.json`.
While working on documentation changes for this feature, I realised that those
options won't be "next" to each-other when formatting the daemon.json JSON, for
example using `jq` (which sorts the fields alphabetically). As it's possible that
additional proxy configuration options are added in future, I considered that
grouping these options in a struct within the JSON may help setting these options,
as well as discovering related options.
This patch introduces a "proxies" field in the JSON, which includes the
"http-proxy", "https-proxy", "no-proxy" options.
Conflict detection continues to work as before; with this patch applied:
mkdir -p /etc/docker/
echo '{"proxies":{"http-proxy":"http-config", "https-proxy":"https-config", "no-proxy": "no-proxy-config"}}' > /etc/docker/daemon.json
dockerd --http-proxy=http-flag --https-proxy=https-flag --no-proxy=no-proxy-flag --validate
unable to configure the Docker daemon with file /etc/docker/daemon.json:
the following directives are specified both as a flag and in the configuration file:
http-proxy: (from flag: http-flag, from file: http-config),
https-proxy: (from flag: https-flag, from file: https-config),
no-proxy: (from flag: no-proxy-flag, from file: no-proxy-config)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-02 10:03:39 -04:00
|
|
|
// Proxies holds the proxies that are configured for the daemon.
|
|
|
|
type Proxies struct {
|
2021-07-16 03:33:00 -04:00
|
|
|
HTTPProxy string `json:"http-proxy,omitempty"`
|
|
|
|
HTTPSProxy string `json:"https-proxy,omitempty"`
|
|
|
|
NoProxy string `json:"no-proxy,omitempty"`
|
|
|
|
}
|
|
|
|
|
2016-01-19 14:16:07 -05:00
|
|
|
// IsValueSet returns true if a configuration value
|
|
|
|
// was explicitly set in the configuration file.
|
2017-01-23 06:23:07 -05:00
|
|
|
func (conf *Config) IsValueSet(name string) bool {
|
|
|
|
if conf.ValuesSet == nil {
|
2016-01-19 14:16:07 -05:00
|
|
|
return false
|
|
|
|
}
|
2017-01-23 06:23:07 -05:00
|
|
|
_, ok := conf.ValuesSet[name]
|
2016-01-19 14:16:07 -05:00
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
2017-01-23 06:23:07 -05:00
|
|
|
// New returns a new fully initialized Config struct
|
|
|
|
func New() *Config {
|
2021-07-10 08:55:23 -04:00
|
|
|
return &Config{
|
|
|
|
CommonConfig: CommonConfig{
|
2022-06-06 13:38:32 -04:00
|
|
|
ShutdownTimeout: DefaultShutdownTimeout,
|
2021-07-10 08:55:23 -04:00
|
|
|
LogConfig: LogConfig{
|
|
|
|
Config: make(map[string]string),
|
|
|
|
},
|
2022-06-06 13:38:32 -04:00
|
|
|
MaxConcurrentDownloads: DefaultMaxConcurrentDownloads,
|
|
|
|
MaxConcurrentUploads: DefaultMaxConcurrentUploads,
|
|
|
|
MaxDownloadAttempts: DefaultDownloadAttempts,
|
|
|
|
Mtu: DefaultNetworkMtu,
|
|
|
|
NetworkConfig: NetworkConfig{
|
|
|
|
NetworkControlPlaneMTU: DefaultNetworkMtu,
|
|
|
|
},
|
|
|
|
ContainerdNamespace: DefaultContainersNamespace,
|
|
|
|
ContainerdPluginNamespace: DefaultPluginNamespace,
|
|
|
|
DefaultRuntime: StockRuntimeName,
|
2021-07-10 08:55:23 -04:00
|
|
|
},
|
|
|
|
}
|
2016-06-21 16:42:47 -04:00
|
|
|
}
|
|
|
|
|
2016-12-23 07:48:25 -05:00
|
|
|
// GetConflictFreeLabels validates Labels for conflict
|
2016-07-12 08:08:05 -04:00
|
|
|
// In swarm the duplicates for labels are removed
|
|
|
|
// so we only take same values here, no conflict values
|
|
|
|
// If the key-value is the same we will only take the last label
|
|
|
|
func GetConflictFreeLabels(labels []string) ([]string, error) {
|
|
|
|
labelMap := map[string]string{}
|
|
|
|
for _, label := range labels {
|
|
|
|
stringSlice := strings.SplitN(label, "=", 2)
|
|
|
|
if len(stringSlice) > 1 {
|
|
|
|
// If there is a conflict we will return an error
|
|
|
|
if v, ok := labelMap[stringSlice[0]]; ok && v != stringSlice[1] {
|
|
|
|
return nil, fmt.Errorf("conflict labels for %s=%s and %s=%s", stringSlice[0], stringSlice[1], stringSlice[0], v)
|
|
|
|
}
|
|
|
|
labelMap[stringSlice[0]] = stringSlice[1]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
newLabels := []string{}
|
|
|
|
for k, v := range labelMap {
|
|
|
|
newLabels = append(newLabels, fmt.Sprintf("%s=%s", k, v))
|
|
|
|
}
|
|
|
|
return newLabels, nil
|
|
|
|
}
|
|
|
|
|
2017-01-23 06:23:07 -05:00
|
|
|
// Reload reads the configuration in the host and reloads the daemon and server.
|
|
|
|
func Reload(configFile string, flags *pflag.FlagSet, reload func(*Config)) error {
|
2015-12-10 18:35:10 -05:00
|
|
|
logrus.Infof("Got signal to reload configuration, reloading from: %s", configFile)
|
|
|
|
newConfig, err := getConflictFreeConfiguration(configFile, flags)
|
|
|
|
if err != nil {
|
2017-10-07 17:26:50 -04:00
|
|
|
if flags.Changed("config-file") || !os.IsNotExist(err) {
|
2018-11-24 08:47:40 -05:00
|
|
|
return errors.Wrapf(err, "unable to configure the Docker daemon with file %s", configFile)
|
2017-10-07 17:26:50 -04:00
|
|
|
}
|
|
|
|
newConfig = New()
|
2015-12-10 18:35:10 -05:00
|
|
|
}
|
2016-03-11 03:50:49 -05:00
|
|
|
|
2017-11-11 21:09:28 -05:00
|
|
|
// Check if duplicate label-keys with different values are found
|
|
|
|
newLabels, err := GetConflictFreeLabels(newConfig.Labels)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2016-07-12 08:08:05 -04:00
|
|
|
}
|
2017-11-11 21:09:28 -05:00
|
|
|
newConfig.Labels = newLabels
|
2016-07-12 08:08:05 -04:00
|
|
|
|
daemon/config: Reload(): add TODO for config reload logic
The Reload logic is problematic and needs a rewrite.
Currently, config.Reload() is validating newConfig before the reload callback
is executed. At that point, newConfig may be a partial configuration, yet to be
merged with the existing configuration (in the "reload()" callback). Validating
this config before it's merged can result in incorrect validation errors.
However, the current "reload()" callback we use is DaemonCli.reloadConfig(),
which includes a call to Daemon.Reload(), which both performs "merging" and
validation, as well as actually updating the daemon configuration. Calling
DaemonCli.reloadConfig() *before* validation, could thus lead to a failure in
that function (making the reload non-atomic).
While *some* errors could always occur when applying/updating the config, we
should make it more atomic, and;
1. get (a copy of) the active configuration
2. get the new configuration
3. apply the (reloadable) options from the new configuration
4. validate the merged results
5. apply the new configuration.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-24 10:18:20 -04:00
|
|
|
// TODO(thaJeztah) This logic is problematic and needs a rewrite;
|
|
|
|
// This is validating newConfig before the "reload()" callback is executed.
|
|
|
|
// At this point, newConfig may be a partial configuration, to be merged
|
|
|
|
// with the existing configuration in the "reload()" callback. Validating
|
|
|
|
// this config before it's merged can result in incorrect validation errors.
|
|
|
|
//
|
|
|
|
// However, the current "reload()" callback we use is DaemonCli.reloadConfig(),
|
|
|
|
// which includes a call to Daemon.Reload(), which both performs "merging"
|
|
|
|
// and validation, as well as actually updating the daemon configuration.
|
|
|
|
// Calling DaemonCli.reloadConfig() *before* validation, could thus lead to
|
|
|
|
// a failure in that function (making the reload non-atomic).
|
|
|
|
//
|
|
|
|
// While *some* errors could always occur when applying/updating the config,
|
|
|
|
// we should make it more atomic, and;
|
|
|
|
//
|
|
|
|
// 1. get (a copy of) the active configuration
|
|
|
|
// 2. get the new configuration
|
|
|
|
// 3. apply the (reloadable) options from the new configuration
|
|
|
|
// 4. validate the merged results
|
|
|
|
// 5. apply the new configuration.
|
2022-04-24 10:14:44 -04:00
|
|
|
if err := Validate(newConfig); err != nil {
|
|
|
|
return errors.Wrap(err, "file configuration validation failed")
|
|
|
|
}
|
|
|
|
|
2016-02-18 16:55:03 -05:00
|
|
|
reload(newConfig)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// boolValue is an interface that boolean value flags implement
|
|
|
|
// to tell the command line how to make -name equivalent to -name=true.
|
|
|
|
type boolValue interface {
|
|
|
|
IsBoolFlag() bool
|
2015-12-10 18:35:10 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// MergeDaemonConfigurations reads a configuration file,
|
|
|
|
// loads the file configuration in an isolated structure,
|
|
|
|
// and merges the configuration provided from flags on top
|
|
|
|
// if there are no conflicts.
|
2016-06-21 16:42:47 -04:00
|
|
|
func MergeDaemonConfigurations(flagsConfig *Config, flags *pflag.FlagSet, configFile string) (*Config, error) {
|
2015-12-10 18:35:10 -05:00
|
|
|
fileConfig, err := getConflictFreeConfiguration(configFile, flags)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// merge flags configuration on top of the file configuration
|
|
|
|
if err := mergo.Merge(fileConfig, flagsConfig); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2022-04-24 16:26:09 -04:00
|
|
|
// validate the merged fileConfig and flagsConfig
|
2017-01-23 06:23:07 -05:00
|
|
|
if err := Validate(fileConfig); err != nil {
|
2018-11-24 08:47:40 -05:00
|
|
|
return nil, errors.Wrap(err, "merged configuration validation from file and command line flags failed")
|
2016-05-23 17:49:50 -04:00
|
|
|
}
|
|
|
|
|
2015-12-10 18:35:10 -05:00
|
|
|
return fileConfig, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// getConflictFreeConfiguration loads the configuration from a JSON file.
|
|
|
|
// It compares that configuration with the one provided by the flags,
|
|
|
|
// and returns an error if there are conflicts.
|
2016-06-21 16:42:47 -04:00
|
|
|
func getConflictFreeConfiguration(configFile string, flags *pflag.FlagSet) (*Config, error) {
|
2021-08-24 06:10:50 -04:00
|
|
|
b, err := os.ReadFile(configFile)
|
2015-12-10 18:35:10 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2016-01-19 14:16:07 -05:00
|
|
|
var config Config
|
2018-11-04 19:52:26 -05:00
|
|
|
|
|
|
|
b = bytes.TrimSpace(b)
|
|
|
|
if len(b) == 0 {
|
|
|
|
// empty config file
|
|
|
|
return &config, nil
|
|
|
|
}
|
|
|
|
|
2015-12-10 18:35:10 -05:00
|
|
|
if flags != nil {
|
|
|
|
var jsonConfig map[string]interface{}
|
2018-11-04 19:52:26 -05:00
|
|
|
if err := json.Unmarshal(b, &jsonConfig); err != nil {
|
2015-12-10 18:35:10 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2016-01-19 14:16:07 -05:00
|
|
|
configSet := configValuesSet(jsonConfig)
|
|
|
|
|
|
|
|
if err := findConfigurationConflicts(configSet, flags); err != nil {
|
2015-12-10 18:35:10 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
2016-01-19 14:16:07 -05:00
|
|
|
|
2016-02-18 16:55:03 -05:00
|
|
|
// Override flag values to make sure the values set in the config file with nullable values, like `false`,
|
2016-07-03 13:58:11 -04:00
|
|
|
// are not overridden by default truthy values from the flags that were not explicitly set.
|
2016-02-18 16:55:03 -05:00
|
|
|
// See https://github.com/docker/docker/issues/20289 for an example.
|
|
|
|
//
|
|
|
|
// TODO: Rewrite configuration logic to avoid same issue with other nullable values, like numbers.
|
|
|
|
namedOptions := make(map[string]interface{})
|
|
|
|
for key, value := range configSet {
|
2016-06-22 18:36:51 -04:00
|
|
|
f := flags.Lookup(key)
|
2016-02-18 16:55:03 -05:00
|
|
|
if f == nil { // ignore named flags that don't match
|
|
|
|
namedOptions[key] = value
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, ok := f.Value.(boolValue); ok {
|
|
|
|
f.Value.Set(fmt.Sprintf("%v", value))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(namedOptions) > 0 {
|
|
|
|
// set also default for mergeVal flags that are boolValue at the same time.
|
2016-06-21 16:42:47 -04:00
|
|
|
flags.VisitAll(func(f *pflag.Flag) {
|
2016-02-18 16:55:03 -05:00
|
|
|
if opt, named := f.Value.(opts.NamedOption); named {
|
|
|
|
v, set := namedOptions[opt.Name()]
|
|
|
|
_, boolean := f.Value.(boolValue)
|
|
|
|
if set && boolean {
|
|
|
|
f.Value.Set(fmt.Sprintf("%v", v))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2017-01-23 06:23:07 -05:00
|
|
|
config.ValuesSet = configSet
|
2015-12-10 18:35:10 -05:00
|
|
|
}
|
|
|
|
|
2018-11-04 19:52:26 -05:00
|
|
|
if err := json.Unmarshal(b, &config); err != nil {
|
2016-11-22 01:17:24 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return &config, nil
|
2015-12-10 18:35:10 -05:00
|
|
|
}
|
|
|
|
|
2016-01-19 14:16:07 -05:00
|
|
|
// configValuesSet returns the configuration values explicitly set in the file.
|
|
|
|
func configValuesSet(config map[string]interface{}) map[string]interface{} {
|
2015-12-10 18:35:10 -05:00
|
|
|
flatten := make(map[string]interface{})
|
|
|
|
for k, v := range config {
|
2016-02-02 14:33:41 -05:00
|
|
|
if m, isMap := v.(map[string]interface{}); isMap && !flatOptions[k] {
|
2015-12-10 18:35:10 -05:00
|
|
|
for km, vm := range m {
|
|
|
|
flatten[km] = vm
|
|
|
|
}
|
2016-02-02 14:33:41 -05:00
|
|
|
continue
|
2015-12-10 18:35:10 -05:00
|
|
|
}
|
2016-02-02 14:33:41 -05:00
|
|
|
|
|
|
|
flatten[k] = v
|
2015-12-10 18:35:10 -05:00
|
|
|
}
|
2016-01-19 14:16:07 -05:00
|
|
|
return flatten
|
|
|
|
}
|
|
|
|
|
|
|
|
// findConfigurationConflicts iterates over the provided flags searching for
|
2016-01-20 17:16:49 -05:00
|
|
|
// duplicated configurations and unknown keys. It returns an error with all the conflicts if
|
2016-01-19 14:16:07 -05:00
|
|
|
// it finds any.
|
2016-06-21 16:42:47 -04:00
|
|
|
func findConfigurationConflicts(config map[string]interface{}, flags *pflag.FlagSet) error {
|
2016-01-20 17:16:49 -05:00
|
|
|
// 1. Search keys from the file that we don't recognize as flags.
|
|
|
|
unknownKeys := make(map[string]interface{})
|
|
|
|
for key, value := range config {
|
2018-08-05 21:52:35 -04:00
|
|
|
if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
|
2016-01-20 17:16:49 -05:00
|
|
|
unknownKeys[key] = value
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-22 13:14:48 -05:00
|
|
|
// 2. Discard values that implement NamedOption.
|
|
|
|
// Their configuration name differs from their flag name, like `labels` and `label`.
|
2016-02-18 16:55:03 -05:00
|
|
|
if len(unknownKeys) > 0 {
|
2016-06-21 16:42:47 -04:00
|
|
|
unknownNamedConflicts := func(f *pflag.Flag) {
|
2016-02-18 16:55:03 -05:00
|
|
|
if namedOption, ok := f.Value.(opts.NamedOption); ok {
|
2019-10-13 16:10:24 -04:00
|
|
|
delete(unknownKeys, namedOption.Name())
|
2016-01-20 17:16:49 -05:00
|
|
|
}
|
|
|
|
}
|
2016-02-18 16:55:03 -05:00
|
|
|
flags.VisitAll(unknownNamedConflicts)
|
2016-01-20 17:16:49 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
if len(unknownKeys) > 0 {
|
|
|
|
var unknown []string
|
|
|
|
for key := range unknownKeys {
|
|
|
|
unknown = append(unknown, key)
|
|
|
|
}
|
|
|
|
return fmt.Errorf("the following directives don't match any configuration option: %s", strings.Join(unknown, ", "))
|
|
|
|
}
|
2015-12-10 18:35:10 -05:00
|
|
|
|
2016-01-20 17:16:49 -05:00
|
|
|
var conflicts []string
|
2015-12-10 18:35:10 -05:00
|
|
|
printConflict := func(name string, flagValue, fileValue interface{}) string {
|
2021-08-31 08:13:30 -04:00
|
|
|
switch name {
|
|
|
|
case "http-proxy", "https-proxy":
|
|
|
|
flagValue = MaskCredentials(flagValue.(string))
|
|
|
|
fileValue = MaskCredentials(fileValue.(string))
|
|
|
|
}
|
2015-12-10 18:35:10 -05:00
|
|
|
return fmt.Sprintf("%s: (from flag: %v, from file: %v)", name, flagValue, fileValue)
|
|
|
|
}
|
|
|
|
|
2016-01-20 17:16:49 -05:00
|
|
|
// 3. Search keys that are present as a flag and as a file option.
|
2016-06-21 16:42:47 -04:00
|
|
|
duplicatedConflicts := func(f *pflag.Flag) {
|
2015-12-10 18:35:10 -05:00
|
|
|
// search option name in the json configuration payload if the value is a named option
|
|
|
|
if namedOption, ok := f.Value.(opts.NamedOption); ok {
|
2018-09-17 18:28:26 -04:00
|
|
|
if optsValue, ok := config[namedOption.Name()]; ok && !skipDuplicates[namedOption.Name()] {
|
2015-12-10 18:35:10 -05:00
|
|
|
conflicts = append(conflicts, printConflict(namedOption.Name(), f.Value.String(), optsValue))
|
|
|
|
}
|
|
|
|
} else {
|
2016-06-21 16:42:47 -04:00
|
|
|
// search flag name in the json configuration payload
|
|
|
|
for _, name := range []string{f.Name, f.Shorthand} {
|
2018-09-17 18:28:26 -04:00
|
|
|
if value, ok := config[name]; ok && !skipDuplicates[name] {
|
2015-12-10 18:35:10 -05:00
|
|
|
conflicts = append(conflicts, printConflict(name, f.Value.String(), value))
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-20 17:16:49 -05:00
|
|
|
flags.Visit(duplicatedConflicts)
|
2015-12-10 18:35:10 -05:00
|
|
|
|
|
|
|
if len(conflicts) > 0 {
|
|
|
|
return fmt.Errorf("the following directives are specified both as a flag and in the configuration file: %s", strings.Join(conflicts, ", "))
|
|
|
|
}
|
|
|
|
return nil
|
2014-08-09 21:18:32 -04:00
|
|
|
}
|
2016-03-11 03:50:49 -05:00
|
|
|
|
2017-01-23 06:23:07 -05:00
|
|
|
// Validate validates some specific configs.
|
2016-05-06 00:45:55 -04:00
|
|
|
// such as config.DNS, config.Labels, config.DNSSearch,
|
2019-06-25 09:26:36 -04:00
|
|
|
// as well as config.MaxConcurrentDownloads, config.MaxConcurrentUploads and config.MaxDownloadAttempts.
|
2017-01-23 06:23:07 -05:00
|
|
|
func Validate(config *Config) error {
|
2022-08-18 06:51:23 -04:00
|
|
|
//nolint:staticcheck // TODO(thaJeztah): remove in next release.
|
|
|
|
if config.RootDeprecated != "" {
|
|
|
|
return errors.New(`the "graph" config file option is deprecated; use "data-root" instead`)
|
|
|
|
}
|
|
|
|
|
2022-04-22 09:59:23 -04:00
|
|
|
// validate log-level
|
|
|
|
if config.LogLevel != "" {
|
|
|
|
if _, err := logrus.ParseLevel(config.LogLevel); err != nil {
|
|
|
|
return fmt.Errorf("invalid logging level: %s", config.LogLevel)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-03-11 03:50:49 -05:00
|
|
|
// validate DNS
|
|
|
|
for _, dns := range config.DNS {
|
|
|
|
if _, err := opts.ValidateIPAddress(dns); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// validate DNSSearch
|
|
|
|
for _, dnsSearch := range config.DNSSearch {
|
|
|
|
if _, err := opts.ValidateDNSSearch(dnsSearch); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// validate Labels
|
|
|
|
for _, label := range config.Labels {
|
|
|
|
if _, err := opts.ValidateLabel(label); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2022-04-24 16:42:05 -04:00
|
|
|
|
|
|
|
// TODO(thaJeztah) Validations below should not accept "0" to be valid; see Validate() for a more in-depth description of this problem
|
2022-06-06 10:53:25 -04:00
|
|
|
if config.Mtu < 0 {
|
|
|
|
return fmt.Errorf("invalid default MTU: %d", config.Mtu)
|
|
|
|
}
|
2022-04-24 16:59:54 -04:00
|
|
|
if config.MaxConcurrentDownloads < 0 {
|
|
|
|
return fmt.Errorf("invalid max concurrent downloads: %d", config.MaxConcurrentDownloads)
|
2016-05-06 00:45:55 -04:00
|
|
|
}
|
2022-04-24 16:59:54 -04:00
|
|
|
if config.MaxConcurrentUploads < 0 {
|
|
|
|
return fmt.Errorf("invalid max concurrent uploads: %d", config.MaxConcurrentUploads)
|
2016-05-06 00:45:55 -04:00
|
|
|
}
|
2022-04-24 16:59:54 -04:00
|
|
|
if config.MaxDownloadAttempts < 0 {
|
|
|
|
return fmt.Errorf("invalid max download attempts: %d", config.MaxDownloadAttempts)
|
2019-06-25 09:26:36 -04:00
|
|
|
}
|
2016-05-23 17:49:50 -04:00
|
|
|
|
|
|
|
// validate that "default" runtime is not reset
|
|
|
|
if runtimes := config.GetAllRuntimes(); len(runtimes) > 0 {
|
2017-01-23 06:23:07 -05:00
|
|
|
if _, ok := runtimes[StockRuntimeName]; ok {
|
|
|
|
return fmt.Errorf("runtime name '%s' is reserved", StockRuntimeName)
|
2016-05-23 17:49:50 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-29 15:28:33 -04:00
|
|
|
if _, err := ParseGenericResources(config.NodeGenericResources); err != nil {
|
2017-05-30 20:02:11 -04:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-07-07 16:33:46 -04:00
|
|
|
if defaultRuntime := config.GetDefaultRuntimeName(); defaultRuntime != "" {
|
|
|
|
if !builtinRuntimes[defaultRuntime] {
|
|
|
|
runtimes := config.GetAllRuntimes()
|
2022-08-17 14:50:19 -04:00
|
|
|
if _, ok := runtimes[defaultRuntime]; !ok && !IsPermissibleC8dRuntimeName(defaultRuntime) {
|
2020-07-07 16:33:46 -04:00
|
|
|
return fmt.Errorf("specified default runtime '%s' does not exist", defaultRuntime)
|
|
|
|
}
|
2016-05-23 17:49:50 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-04 09:18:01 -04:00
|
|
|
for _, h := range config.Hosts {
|
|
|
|
if _, err := opts.ValidateHost(h); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Implement none, private, and shareable ipc modes
Since the commit d88fe447df0e8 ("Add support for sharing /dev/shm/ and
/dev/mqueue between containers") container's /dev/shm is mounted on the
host first, then bind-mounted inside the container. This is done that
way in order to be able to share this container's IPC namespace
(and the /dev/shm mount point) with another container.
Unfortunately, this functionality breaks container checkpoint/restore
(even if IPC is not shared). Since /dev/shm is an external mount, its
contents is not saved by `criu checkpoint`, and so upon restore any
application that tries to access data under /dev/shm is severily
disappointed (which usually results in a fatal crash).
This commit solves the issue by introducing new IPC modes for containers
(in addition to 'host' and 'container:ID'). The new modes are:
- 'shareable': enables sharing this container's IPC with others
(this used to be the implicit default);
- 'private': disables sharing this container's IPC.
In 'private' mode, container's /dev/shm is truly mounted inside the
container, without any bind-mounting from the host, which solves the
issue.
While at it, let's also implement 'none' mode. The motivation, as
eloquently put by Justin Cormack, is:
> I wondered a while back about having a none shm mode, as currently it is
> not possible to have a totally unwriteable container as there is always
> a /dev/shm writeable mount. It is a bit of a niche case (and clearly
> should never be allowed to be daemon default) but it would be trivial to
> add now so maybe we should...
...so here's yet yet another mode:
- 'none': no /dev/shm mount inside the container (though it still
has its own private IPC namespace).
Now, to ultimately solve the abovementioned checkpoint/restore issue, we'd
need to make 'private' the default mode, but unfortunately it breaks the
backward compatibility. So, let's make the default container IPC mode
per-daemon configurable (with the built-in default set to 'shareable'
for now). The default can be changed either via a daemon CLI option
(--default-shm-mode) or a daemon.json configuration file parameter
of the same name.
Note one can only set either 'shareable' or 'private' IPC modes as a
daemon default (i.e. in this context 'host', 'container', or 'none'
do not make much sense).
Some other changes this patch introduces are:
1. A mount for /dev/shm is added to default OCI Linux spec.
2. IpcMode.Valid() is simplified to remove duplicated code that parsed
'container:ID' form. Note the old version used to check that ID does
not contain a semicolon -- this is no longer the case (tests are
modified accordingly). The motivation is we should either do a
proper check for container ID validity, or don't check it at all
(since it is checked in other places anyway). I chose the latter.
3. IpcMode.Container() is modified to not return container ID if the
mode value does not start with "container:", unifying the check to
be the same as in IpcMode.IsContainer().
3. IPC mode unit tests (runconfig/hostconfig_test.go) are modified
to add checks for newly added values.
[v2: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-51345997]
[v3: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-53902833]
[v4: addressed the case of upgrading from older daemon, in this case
container.HostConfig.IpcMode is unset and this is valid]
[v5: document old and new IpcMode values in api/swagger.yaml]
[v6: add the 'none' mode, changelog entry to docs/api/version-history.md]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-06-27 17:58:50 -04:00
|
|
|
// validate platform-specific settings
|
2018-01-14 18:42:25 -05:00
|
|
|
return config.ValidatePlatformConfig()
|
2016-03-11 03:50:49 -05:00
|
|
|
}
|
2017-01-22 01:59:29 -05:00
|
|
|
|
2021-02-26 18:23:55 -05:00
|
|
|
// GetDefaultRuntimeName returns the current default runtime
|
|
|
|
func (conf *Config) GetDefaultRuntimeName() string {
|
|
|
|
conf.Lock()
|
|
|
|
rt := conf.DefaultRuntime
|
|
|
|
conf.Unlock()
|
|
|
|
|
|
|
|
return rt
|
|
|
|
}
|
2021-08-31 08:05:49 -04:00
|
|
|
|
|
|
|
// MaskCredentials masks credentials that are in an URL.
|
|
|
|
func MaskCredentials(rawURL string) string {
|
|
|
|
parsedURL, err := url.Parse(rawURL)
|
|
|
|
if err != nil || parsedURL.User == nil {
|
|
|
|
return rawURL
|
|
|
|
}
|
|
|
|
parsedURL.User = url.UserPassword("xxxxx", "xxxxx")
|
|
|
|
return parsedURL.String()
|
|
|
|
}
|
2022-08-17 14:50:19 -04:00
|
|
|
|
|
|
|
// IsPermissibleC8dRuntimeName tests whether name is safe to pass into
|
|
|
|
// containerd as a runtime name, and whether the name is well-formed.
|
|
|
|
// It does not check if the runtime is installed.
|
|
|
|
//
|
|
|
|
// A runtime name containing slash characters is interpreted by containerd as
|
|
|
|
// the path to a runtime binary. If we allowed this, anyone with Engine API
|
|
|
|
// access could get containerd to execute an arbitrary binary as root. Although
|
|
|
|
// Engine API access is already equivalent to root on the host, the runtime name
|
|
|
|
// has not historically been a vector to run arbitrary code as root so users are
|
|
|
|
// not expecting it to become one.
|
|
|
|
//
|
|
|
|
// This restriction is not configurable. There are viable workarounds for
|
|
|
|
// legitimate use cases: administrators and runtime developers can make runtimes
|
|
|
|
// available for use with Docker by installing them onto PATH following the
|
|
|
|
// [binary naming convention] for containerd Runtime v2.
|
|
|
|
//
|
|
|
|
// [binary naming convention]: https://github.com/containerd/containerd/blob/main/runtime/v2/README.md#binary-naming
|
|
|
|
func IsPermissibleC8dRuntimeName(name string) bool {
|
|
|
|
// containerd uses a rather permissive test to validate runtime names:
|
|
|
|
//
|
|
|
|
// - Any name for which filepath.IsAbs(name) is interpreted as the absolute
|
|
|
|
// path to a shim binary. We want to block this behaviour.
|
|
|
|
// - Any name which contains at least one '.' character and no '/' characters
|
|
|
|
// and does not begin with a '.' character is a valid runtime name. The shim
|
|
|
|
// binary name is derived from the final two components of the name and
|
|
|
|
// searched for on the PATH. The name "a.." is technically valid per
|
|
|
|
// containerd's implementation: it would resolve to a binary named
|
|
|
|
// "containerd-shim---".
|
|
|
|
//
|
|
|
|
// https://github.com/containerd/containerd/blob/11ded166c15f92450958078cd13c6d87131ec563/runtime/v2/manager.go#L297-L317
|
|
|
|
// https://github.com/containerd/containerd/blob/11ded166c15f92450958078cd13c6d87131ec563/runtime/v2/shim/util.go#L83-L93
|
|
|
|
return !filepath.IsAbs(name) && !strings.ContainsRune(name, '/') && shim.BinaryName(name) != ""
|
|
|
|
}
|