2018-02-05 21:05:59 +00:00
|
|
|
package config // import "github.com/docker/docker/daemon/config"
|
2013-10-05 02:25:15 +00:00
|
|
|
|
|
|
|
|
import (
|
2015-12-10 23:35:10 +00:00
|
|
|
"bytes"
|
|
|
|
|
"encoding/json"
|
2016-06-07 07:45:21 +00:00
|
|
|
"errors"
|
2015-12-10 23:35:10 +00:00
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"io/ioutil"
|
2017-10-07 21:26:50 +00:00
|
|
|
"os"
|
2017-01-23 11:23:07 +00:00
|
|
|
"reflect"
|
2016-06-21 20:42:47 +00:00
|
|
|
"runtime"
|
2015-12-10 23:35:10 +00:00
|
|
|
"strings"
|
|
|
|
|
"sync"
|
|
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
daemondiscovery "github.com/docker/docker/daemon/discovery"
|
2014-08-10 01:18:32 +00:00
|
|
|
"github.com/docker/docker/opts"
|
2017-03-17 21:57:23 +00:00
|
|
|
"github.com/docker/docker/pkg/authorization"
|
2015-12-10 23:35:10 +00:00
|
|
|
"github.com/docker/docker/pkg/discovery"
|
2016-03-08 21:03:37 +00:00
|
|
|
"github.com/docker/docker/registry"
|
2015-12-10 23:35:10 +00:00
|
|
|
"github.com/imdario/mergo"
|
2017-07-26 21:42:13 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2016-06-21 20:42:47 +00:00
|
|
|
"github.com/spf13/pflag"
|
2013-10-05 02:25:15 +00:00
|
|
|
)
|
|
|
|
|
|
2016-05-06 04:45:55 +00:00
|
|
|
const (
|
2017-01-23 11:23:07 +00:00
|
|
|
// DefaultMaxConcurrentDownloads is the default value for
|
2016-05-06 04:45:55 +00:00
|
|
|
// maximum number of downloads that
|
|
|
|
|
// may take place at a time for each pull.
|
2017-01-23 11:23:07 +00:00
|
|
|
DefaultMaxConcurrentDownloads = 3
|
|
|
|
|
// DefaultMaxConcurrentUploads is the default value for
|
2016-05-06 04:45:55 +00:00
|
|
|
// maximum number of uploads that
|
|
|
|
|
// may take place at a time for each push.
|
2017-01-23 11:23:07 +00:00
|
|
|
DefaultMaxConcurrentUploads = 5
|
|
|
|
|
// StockRuntimeName is the reserved name/alias used to represent the
|
2016-06-20 19:14:27 +00:00
|
|
|
// OCI runtime being shipped with the docker daemon package.
|
2017-01-23 11:23:07 +00:00
|
|
|
StockRuntimeName = "runc"
|
|
|
|
|
// DefaultShmSize is the default value for container's shm size
|
|
|
|
|
DefaultShmSize = int64(67108864)
|
|
|
|
|
// DefaultNetworkMtu is the default value for network MTU
|
|
|
|
|
DefaultNetworkMtu = 1500
|
|
|
|
|
// DisableNetworkBridge is the default value of the option to disable network bridge
|
|
|
|
|
DisableNetworkBridge = "none"
|
2017-04-10 09:25:15 +00:00
|
|
|
// DefaultInitBinary is the name of the default init binary
|
|
|
|
|
DefaultInitBinary = "docker-init"
|
2016-05-26 21:07:30 +00:00
|
|
|
)
|
|
|
|
|
|
2016-02-02 19:33:41 +00:00
|
|
|
// flatOptions contains configuration keys
|
|
|
|
|
// that MUST NOT be parsed as deep structures.
|
|
|
|
|
// Use this to differentiate these options
|
|
|
|
|
// with others like the ones in CommonTLSOptions.
|
|
|
|
|
var flatOptions = map[string]bool{
|
|
|
|
|
"cluster-store-opts": true,
|
|
|
|
|
"log-opts": true,
|
2016-05-23 21:49:50 +00:00
|
|
|
"runtimes": true,
|
2016-08-10 10:52:06 +00:00
|
|
|
"default-ulimits": true,
|
2018-08-21 23:20:19 +00:00
|
|
|
"features": true,
|
2016-02-02 19:33:41 +00:00
|
|
|
}
|
|
|
|
|
|
2018-08-06 01:52:35 +00:00
|
|
|
// skipValidateOptions contains configuration keys
|
|
|
|
|
// that will be skipped from findConfigurationConflicts
|
|
|
|
|
// for unknown flag validation.
|
|
|
|
|
var skipValidateOptions = map[string]bool{
|
|
|
|
|
"features": true,
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-10 23:35:10 +00:00
|
|
|
// LogConfig represents the default log configuration.
|
|
|
|
|
// It includes json tags to deserialize configuration from a file
|
2016-03-28 10:57:55 +00:00
|
|
|
// using the same names that the flags in the command line use.
|
2015-12-10 23:35:10 +00:00
|
|
|
type LogConfig struct {
|
|
|
|
|
Type string `json:"log-driver,omitempty"`
|
|
|
|
|
Config map[string]string `json:"log-opts,omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-28 18:55:20 +00:00
|
|
|
// commonBridgeConfig stores all the platform-common bridge driver specific
|
|
|
|
|
// configuration.
|
|
|
|
|
type commonBridgeConfig struct {
|
|
|
|
|
Iface string `json:"bridge,omitempty"`
|
|
|
|
|
FixedCIDR string `json:"fixed-cidr,omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-13 23:04:59 +00:00
|
|
|
// NetworkConfig stores the daemon-wide networking configurations
|
|
|
|
|
type NetworkConfig struct {
|
|
|
|
|
// Default address pools for docker networks
|
|
|
|
|
DefaultAddressPools opts.PoolsOpt `json:"default-address-pools,omitempty"`
|
2018-07-17 19:11:38 +00:00
|
|
|
// NetworkControlPlaneMTU allows to specify the control plane MTU, this will allow to optimize the network use in some components
|
|
|
|
|
NetworkControlPlaneMTU int `json:"network-control-plane-mtu,omitempty"`
|
2016-12-13 23:04:59 +00:00
|
|
|
}
|
|
|
|
|
|
2015-12-10 23:35:10 +00:00
|
|
|
// CommonTLSOptions defines TLS configuration for the daemon server.
|
|
|
|
|
// It includes json tags to deserialize configuration from a file
|
2016-03-28 10:57:55 +00:00
|
|
|
// using the same names that the flags in the command line use.
|
2015-12-10 23:35:10 +00:00
|
|
|
type CommonTLSOptions struct {
|
|
|
|
|
CAFile string `json:"tlscacert,omitempty"`
|
|
|
|
|
CertFile string `json:"tlscert,omitempty"`
|
|
|
|
|
KeyFile string `json:"tlskey,omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-28 10:57:55 +00:00
|
|
|
// CommonConfig defines the configuration of a docker daemon which is
|
2015-04-24 22:36:11 +00:00
|
|
|
// common across platforms.
|
2015-12-10 23:35:10 +00:00
|
|
|
// It includes json tags to deserialize configuration from a file
|
2016-03-28 10:57:55 +00:00
|
|
|
// using the same names that the flags in the command line use.
|
2015-04-24 22:36:11 +00:00
|
|
|
type CommonConfig struct {
|
2017-12-01 19:24:14 +00:00
|
|
|
AuthzMiddleware *authorization.Middleware `json:"-"`
|
|
|
|
|
AuthorizationPlugins []string `json:"authorization-plugins,omitempty"` // AuthorizationPlugins holds list of authorization plugins
|
|
|
|
|
AutoRestart bool `json:"-"`
|
|
|
|
|
Context map[string][]string `json:"-"`
|
|
|
|
|
DisableBridge bool `json:"-"`
|
|
|
|
|
DNS []string `json:"dns,omitempty"`
|
|
|
|
|
DNSOptions []string `json:"dns-opts,omitempty"`
|
|
|
|
|
DNSSearch []string `json:"dns-search,omitempty"`
|
|
|
|
|
ExecOptions []string `json:"exec-opts,omitempty"`
|
|
|
|
|
GraphDriver string `json:"storage-driver,omitempty"`
|
|
|
|
|
GraphOptions []string `json:"storage-opts,omitempty"`
|
|
|
|
|
Labels []string `json:"labels,omitempty"`
|
|
|
|
|
Mtu int `json:"mtu,omitempty"`
|
|
|
|
|
NetworkDiagnosticPort int `json:"network-diagnostic-port,omitempty"`
|
|
|
|
|
Pidfile string `json:"pidfile,omitempty"`
|
|
|
|
|
RawLogs bool `json:"raw-logs,omitempty"`
|
|
|
|
|
RootDeprecated string `json:"graph,omitempty"`
|
|
|
|
|
Root string `json:"data-root,omitempty"`
|
|
|
|
|
ExecRoot string `json:"exec-root,omitempty"`
|
|
|
|
|
SocketGroup string `json:"group,omitempty"`
|
|
|
|
|
CorsHeaders string `json:"api-cors-header,omitempty"`
|
2016-07-27 15:30:15 +00:00
|
|
|
|
2017-04-26 22:57:58 +00:00
|
|
|
// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests
|
|
|
|
|
// when pushing to a registry which does not support schema 2. This field is marked as
|
|
|
|
|
// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the
|
|
|
|
|
// daemon ID will use a dedicated identifier not shared with exported signatures.
|
|
|
|
|
TrustKeyPath string `json:"deprecated-key-path,omitempty"`
|
|
|
|
|
|
2016-07-27 15:30:15 +00:00
|
|
|
// LiveRestoreEnabled determines whether we should keep containers
|
|
|
|
|
// alive upon daemon shutdown/start
|
|
|
|
|
LiveRestoreEnabled bool `json:"live-restore,omitempty"`
|
2015-09-10 23:12:00 +00:00
|
|
|
|
|
|
|
|
// ClusterStore is the storage backend used for the cluster information. It is used by both
|
|
|
|
|
// multihost networking (to store networks and endpoints information) and by the node discovery
|
|
|
|
|
// mechanism.
|
2015-12-10 23:35:10 +00:00
|
|
|
ClusterStore string `json:"cluster-store,omitempty"`
|
2015-09-10 23:12:00 +00:00
|
|
|
|
2015-09-28 23:22:57 +00:00
|
|
|
// ClusterOpts is used to pass options to the discovery package for tuning libkv settings, such
|
|
|
|
|
// as TLS configuration settings.
|
2015-12-10 23:35:10 +00:00
|
|
|
ClusterOpts map[string]string `json:"cluster-store-opts,omitempty"`
|
2015-09-28 23:22:57 +00:00
|
|
|
|
2015-09-10 23:12:00 +00:00
|
|
|
// ClusterAdvertise is the network endpoint that the Engine advertises for the purpose of node
|
|
|
|
|
// discovery. This should be a 'host:port' combination on which that daemon instance is
|
|
|
|
|
// reachable by other hosts.
|
2015-12-10 23:35:10 +00:00
|
|
|
ClusterAdvertise string `json:"cluster-advertise,omitempty"`
|
|
|
|
|
|
2016-05-06 04:45:55 +00:00
|
|
|
// MaxConcurrentDownloads is the maximum number of downloads that
|
|
|
|
|
// may take place at a time for each pull.
|
|
|
|
|
MaxConcurrentDownloads *int `json:"max-concurrent-downloads,omitempty"`
|
|
|
|
|
|
|
|
|
|
// MaxConcurrentUploads is the maximum number of uploads that
|
|
|
|
|
// may take place at a time for each push.
|
|
|
|
|
MaxConcurrentUploads *int `json:"max-concurrent-uploads,omitempty"`
|
|
|
|
|
|
2016-05-26 21:07:30 +00:00
|
|
|
// ShutdownTimeout is the timeout value (in seconds) the daemon will wait for the container
|
|
|
|
|
// to stop when daemon is being shutdown
|
|
|
|
|
ShutdownTimeout int `json:"shutdown-timeout,omitempty"`
|
|
|
|
|
|
2016-01-22 18:14:48 +00:00
|
|
|
Debug bool `json:"debug,omitempty"`
|
|
|
|
|
Hosts []string `json:"hosts,omitempty"`
|
|
|
|
|
LogLevel string `json:"log-level,omitempty"`
|
|
|
|
|
TLS bool `json:"tls,omitempty"`
|
|
|
|
|
TLSVerify bool `json:"tlsverify,omitempty"`
|
|
|
|
|
|
|
|
|
|
// Embedded structs that allow config
|
|
|
|
|
// deserialization without the full struct.
|
|
|
|
|
CommonTLSOptions
|
2016-07-01 01:07:35 +00:00
|
|
|
|
|
|
|
|
// SwarmDefaultAdvertiseAddr is the default host/IP or network interface
|
|
|
|
|
// to use if a wildcard address is specified in the ListenAddr value
|
|
|
|
|
// given to the /swarm/init endpoint and no advertise address is
|
|
|
|
|
// specified.
|
|
|
|
|
SwarmDefaultAdvertiseAddr string `json:"swarm-default-advertise-addr"`
|
2018-03-28 23:54:43 +00:00
|
|
|
|
|
|
|
|
// SwarmRaftHeartbeatTick is the number of ticks in time for swarm mode raft quorum heartbeat
|
|
|
|
|
// Typical value is 1
|
|
|
|
|
SwarmRaftHeartbeatTick uint32 `json:"swarm-raft-heartbeat-tick"`
|
|
|
|
|
|
|
|
|
|
// SwarmRaftElectionTick is the number of ticks to elapse before followers in the quorum can propose
|
|
|
|
|
// a new round of leader election. Default, recommended value is at least 10X that of Heartbeat tick.
|
|
|
|
|
// Higher values can make the quorum less sensitive to transient faults in the environment, but this also
|
|
|
|
|
// means it takes longer for the managers to detect a down leader.
|
|
|
|
|
SwarmRaftElectionTick uint32 `json:"swarm-raft-election-tick"`
|
|
|
|
|
|
|
|
|
|
MetricsAddress string `json:"metrics-addr"`
|
2016-07-01 01:07:35 +00:00
|
|
|
|
2016-01-22 18:14:48 +00:00
|
|
|
LogConfig
|
2017-01-23 11:23:07 +00:00
|
|
|
BridgeConfig // bridgeConfig holds bridge network specific configuration.
|
2016-12-13 23:04:59 +00:00
|
|
|
NetworkConfig
|
2016-03-08 21:03:37 +00:00
|
|
|
registry.ServiceOptions
|
2015-12-10 23:35:10 +00:00
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
sync.Mutex
|
|
|
|
|
// FIXME(vdemeester) This part is not that clear and is mainly dependent on cli flags
|
|
|
|
|
// It should probably be handled outside this package.
|
Log active configuration when reloading
When succesfully reloading the daemon configuration, print a message
in the logs with the active configuration:
INFO[2018-01-15T15:36:20.901688317Z] Got signal to reload configuration, reloading from: /etc/docker/daemon.json
INFO[2018-01-14T02:23:48.782769942Z] Reloaded configuration: {"mtu":1500,"pidfile":"/var/run/docker.pid","data-root":"/var/lib/docker","exec-root":"/var/run/docker","group":"docker","deprecated-key-path":"/etc/docker/key.json","max-concurrent-downloads":3,"max-concurrent-uploads":5,"shutdown-timeout":15,"debug":true,"hosts":["unix:///var/run/docker.sock"],"log-level":"info","swarm-default-advertise-addr":"","metrics-addr":"","log-driver":"json-file","ip":"0.0.0.0","icc":true,"iptables":true,"ip-forward":true,"ip-masq":true,"userland-proxy":true,"disable-legacy-registry":true,"experimental":false,"network-control-plane-mtu":1500,"runtimes":{"runc":{"path":"docker-runc"}},"default-runtime":"runc","oom-score-adjust":-500,"default-shm-size":67108864,"default-ipc-mode":"shareable"}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-01-15 16:11:05 +00:00
|
|
|
ValuesSet map[string]interface{} `json:"-"`
|
2016-10-06 14:09:54 +00:00
|
|
|
|
|
|
|
|
Experimental bool `json:"experimental"` // Experimental indicates whether experimental features should be exposed or not
|
2017-05-31 00:02:11 +00:00
|
|
|
|
|
|
|
|
// Exposed node Generic Resources
|
2017-10-29 19:30:31 +00:00
|
|
|
// e.g: ["orange=red", "orange=green", "orange=blue", "apple=3"]
|
|
|
|
|
NodeGenericResources []string `json:"node-generic-resources,omitempty"`
|
2017-09-22 13:52:41 +00:00
|
|
|
|
|
|
|
|
// ContainerAddr is the address used to connect to containerd if we're
|
|
|
|
|
// not starting it ourselves
|
|
|
|
|
ContainerdAddr string `json:"containerd,omitempty"`
|
2018-06-19 22:53:40 +00:00
|
|
|
|
|
|
|
|
// CriContainerd determines whether a supervised containerd instance
|
|
|
|
|
// should be configured with the CRI plugin enabled. This allows using
|
|
|
|
|
// Docker's containerd instance directly with a Kubernetes kubelet.
|
|
|
|
|
CriContainerd bool `json:"cri-containerd,omitempty"`
|
2018-08-06 01:52:35 +00:00
|
|
|
|
|
|
|
|
// Features contains a list of feature key value pairs indicating what features are enabled or disabled.
|
|
|
|
|
// If a certain feature doesn't appear in this list then it's unset (i.e. neither true nor false).
|
|
|
|
|
Features map[string]bool `json:"features,omitempty"`
|
2013-10-05 02:25:15 +00:00
|
|
|
}
|
2013-10-21 16:04:42 +00:00
|
|
|
|
2016-01-19 19:16:07 +00:00
|
|
|
// IsValueSet returns true if a configuration value
|
|
|
|
|
// was explicitly set in the configuration file.
|
2017-01-23 11:23:07 +00:00
|
|
|
func (conf *Config) IsValueSet(name string) bool {
|
|
|
|
|
if conf.ValuesSet == nil {
|
2016-01-19 19:16:07 +00:00
|
|
|
return false
|
|
|
|
|
}
|
2017-01-23 11:23:07 +00:00
|
|
|
_, ok := conf.ValuesSet[name]
|
2016-01-19 19:16:07 +00:00
|
|
|
return ok
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
// New returns a new fully initialized Config struct
|
|
|
|
|
func New() *Config {
|
2016-06-21 20:42:47 +00:00
|
|
|
config := Config{}
|
|
|
|
|
config.LogConfig.Config = make(map[string]string)
|
|
|
|
|
config.ClusterOpts = make(map[string]string)
|
|
|
|
|
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
config.V2Only = true
|
|
|
|
|
}
|
|
|
|
|
return &config
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
// ParseClusterAdvertiseSettings parses the specified advertise settings
|
|
|
|
|
func ParseClusterAdvertiseSettings(clusterStore, clusterAdvertise string) (string, error) {
|
2015-12-10 23:35:10 +00:00
|
|
|
if clusterAdvertise == "" {
|
2017-01-23 11:23:07 +00:00
|
|
|
return "", daemondiscovery.ErrDiscoveryDisabled
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
|
|
|
|
if clusterStore == "" {
|
2016-12-25 06:37:31 +00:00
|
|
|
return "", errors.New("invalid cluster configuration. --cluster-advertise must be accompanied by --cluster-store configuration")
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
advertise, err := discovery.ParseAdvertise(clusterAdvertise)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("discovery advertise parsing failed (%v)", err)
|
|
|
|
|
}
|
|
|
|
|
return advertise, nil
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-23 12:48:25 +00:00
|
|
|
// GetConflictFreeLabels validates Labels for conflict
|
2016-07-12 12:08:05 +00:00
|
|
|
// In swarm the duplicates for labels are removed
|
|
|
|
|
// so we only take same values here, no conflict values
|
|
|
|
|
// If the key-value is the same we will only take the last label
|
|
|
|
|
func GetConflictFreeLabels(labels []string) ([]string, error) {
|
|
|
|
|
labelMap := map[string]string{}
|
|
|
|
|
for _, label := range labels {
|
|
|
|
|
stringSlice := strings.SplitN(label, "=", 2)
|
|
|
|
|
if len(stringSlice) > 1 {
|
|
|
|
|
// If there is a conflict we will return an error
|
|
|
|
|
if v, ok := labelMap[stringSlice[0]]; ok && v != stringSlice[1] {
|
|
|
|
|
return nil, fmt.Errorf("conflict labels for %s=%s and %s=%s", stringSlice[0], stringSlice[1], stringSlice[0], v)
|
|
|
|
|
}
|
|
|
|
|
labelMap[stringSlice[0]] = stringSlice[1]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newLabels := []string{}
|
|
|
|
|
for k, v := range labelMap {
|
|
|
|
|
newLabels = append(newLabels, fmt.Sprintf("%s=%s", k, v))
|
|
|
|
|
}
|
|
|
|
|
return newLabels, nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-23 19:24:01 +00:00
|
|
|
// ValidateReservedNamespaceLabels errors if the reserved namespaces com.docker.*,
|
|
|
|
|
// io.docker.*, org.dockerproject.* are used in a configured engine label.
|
|
|
|
|
//
|
|
|
|
|
// TODO: This is a separate function because we need to warn users first of the
|
|
|
|
|
// deprecation. When we return an error, this logic can be added to Validate
|
|
|
|
|
// or GetConflictFreeLabels instead of being here.
|
|
|
|
|
func ValidateReservedNamespaceLabels(labels []string) error {
|
|
|
|
|
for _, label := range labels {
|
|
|
|
|
lowered := strings.ToLower(label)
|
|
|
|
|
if strings.HasPrefix(lowered, "com.docker.") || strings.HasPrefix(lowered, "io.docker.") ||
|
|
|
|
|
strings.HasPrefix(lowered, "org.dockerproject.") {
|
|
|
|
|
return fmt.Errorf(
|
|
|
|
|
"label %s not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
|
|
|
|
|
label)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
// Reload reads the configuration in the host and reloads the daemon and server.
|
|
|
|
|
func Reload(configFile string, flags *pflag.FlagSet, reload func(*Config)) error {
|
2015-12-10 23:35:10 +00:00
|
|
|
logrus.Infof("Got signal to reload configuration, reloading from: %s", configFile)
|
|
|
|
|
newConfig, err := getConflictFreeConfiguration(configFile, flags)
|
|
|
|
|
if err != nil {
|
2017-10-07 21:26:50 +00:00
|
|
|
if flags.Changed("config-file") || !os.IsNotExist(err) {
|
|
|
|
|
return fmt.Errorf("unable to configure the Docker daemon with file %s: %v", configFile, err)
|
|
|
|
|
}
|
|
|
|
|
newConfig = New()
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
2016-03-11 08:50:49 +00:00
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
if err := Validate(newConfig); err != nil {
|
2016-03-11 08:50:49 +00:00
|
|
|
return fmt.Errorf("file configuration validation failed (%v)", err)
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-12 02:09:28 +00:00
|
|
|
// Check if duplicate label-keys with different values are found
|
|
|
|
|
newLabels, err := GetConflictFreeLabels(newConfig.Labels)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2016-07-12 12:08:05 +00:00
|
|
|
}
|
2017-11-12 02:09:28 +00:00
|
|
|
newConfig.Labels = newLabels
|
2016-07-12 12:08:05 +00:00
|
|
|
|
2016-02-18 21:55:03 +00:00
|
|
|
reload(newConfig)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// boolValue is an interface that boolean value flags implement
|
|
|
|
|
// to tell the command line how to make -name equivalent to -name=true.
|
|
|
|
|
type boolValue interface {
|
|
|
|
|
IsBoolFlag() bool
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MergeDaemonConfigurations reads a configuration file,
|
|
|
|
|
// loads the file configuration in an isolated structure,
|
|
|
|
|
// and merges the configuration provided from flags on top
|
|
|
|
|
// if there are no conflicts.
|
2016-06-21 20:42:47 +00:00
|
|
|
func MergeDaemonConfigurations(flagsConfig *Config, flags *pflag.FlagSet, configFile string) (*Config, error) {
|
2015-12-10 23:35:10 +00:00
|
|
|
fileConfig, err := getConflictFreeConfiguration(configFile, flags)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
if err := Validate(fileConfig); err != nil {
|
2017-03-02 00:58:06 +00:00
|
|
|
return nil, fmt.Errorf("configuration validation from file failed (%v)", err)
|
2016-03-11 08:50:49 +00:00
|
|
|
}
|
|
|
|
|
|
2015-12-10 23:35:10 +00:00
|
|
|
// merge flags configuration on top of the file configuration
|
|
|
|
|
if err := mergo.Merge(fileConfig, flagsConfig); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-23 21:49:50 +00:00
|
|
|
// We need to validate again once both fileConfig and flagsConfig
|
|
|
|
|
// have been merged
|
2017-01-23 11:23:07 +00:00
|
|
|
if err := Validate(fileConfig); err != nil {
|
2017-03-02 00:58:06 +00:00
|
|
|
return nil, fmt.Errorf("merged configuration validation from file and command line flags failed (%v)", err)
|
2016-05-23 21:49:50 +00:00
|
|
|
}
|
|
|
|
|
|
2015-12-10 23:35:10 +00:00
|
|
|
return fileConfig, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getConflictFreeConfiguration loads the configuration from a JSON file.
|
|
|
|
|
// It compares that configuration with the one provided by the flags,
|
|
|
|
|
// and returns an error if there are conflicts.
|
2016-06-21 20:42:47 +00:00
|
|
|
func getConflictFreeConfiguration(configFile string, flags *pflag.FlagSet) (*Config, error) {
|
2015-12-10 23:35:10 +00:00
|
|
|
b, err := ioutil.ReadFile(configFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-19 19:16:07 +00:00
|
|
|
var config Config
|
2015-12-10 23:35:10 +00:00
|
|
|
var reader io.Reader
|
|
|
|
|
if flags != nil {
|
|
|
|
|
var jsonConfig map[string]interface{}
|
|
|
|
|
reader = bytes.NewReader(b)
|
|
|
|
|
if err := json.NewDecoder(reader).Decode(&jsonConfig); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-19 19:16:07 +00:00
|
|
|
configSet := configValuesSet(jsonConfig)
|
|
|
|
|
|
|
|
|
|
if err := findConfigurationConflicts(configSet, flags); err != nil {
|
2015-12-10 23:35:10 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2016-01-19 19:16:07 +00:00
|
|
|
|
2016-02-18 21:55:03 +00:00
|
|
|
// Override flag values to make sure the values set in the config file with nullable values, like `false`,
|
2016-07-03 17:58:11 +00:00
|
|
|
// are not overridden by default truthy values from the flags that were not explicitly set.
|
2016-02-18 21:55:03 +00:00
|
|
|
// See https://github.com/docker/docker/issues/20289 for an example.
|
|
|
|
|
//
|
|
|
|
|
// TODO: Rewrite configuration logic to avoid same issue with other nullable values, like numbers.
|
|
|
|
|
namedOptions := make(map[string]interface{})
|
|
|
|
|
for key, value := range configSet {
|
2016-06-22 22:36:51 +00:00
|
|
|
f := flags.Lookup(key)
|
2016-02-18 21:55:03 +00:00
|
|
|
if f == nil { // ignore named flags that don't match
|
|
|
|
|
namedOptions[key] = value
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if _, ok := f.Value.(boolValue); ok {
|
|
|
|
|
f.Value.Set(fmt.Sprintf("%v", value))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if len(namedOptions) > 0 {
|
|
|
|
|
// set also default for mergeVal flags that are boolValue at the same time.
|
2016-06-21 20:42:47 +00:00
|
|
|
flags.VisitAll(func(f *pflag.Flag) {
|
2016-02-18 21:55:03 +00:00
|
|
|
if opt, named := f.Value.(opts.NamedOption); named {
|
|
|
|
|
v, set := namedOptions[opt.Name()]
|
|
|
|
|
_, boolean := f.Value.(boolValue)
|
|
|
|
|
if set && boolean {
|
|
|
|
|
f.Value.Set(fmt.Sprintf("%v", v))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
config.ValuesSet = configSet
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
reader = bytes.NewReader(b)
|
2016-11-22 06:17:24 +00:00
|
|
|
if err := json.NewDecoder(reader).Decode(&config); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if config.RootDeprecated != "" {
|
|
|
|
|
logrus.Warn(`The "graph" config file option is deprecated. Please use "data-root" instead.`)
|
|
|
|
|
|
|
|
|
|
if config.Root != "" {
|
|
|
|
|
return nil, fmt.Errorf(`cannot specify both "graph" and "data-root" config file options`)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config.Root = config.RootDeprecated
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &config, nil
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
|
|
|
|
|
2016-01-19 19:16:07 +00:00
|
|
|
// configValuesSet returns the configuration values explicitly set in the file.
|
|
|
|
|
func configValuesSet(config map[string]interface{}) map[string]interface{} {
|
2015-12-10 23:35:10 +00:00
|
|
|
flatten := make(map[string]interface{})
|
|
|
|
|
for k, v := range config {
|
2016-02-02 19:33:41 +00:00
|
|
|
if m, isMap := v.(map[string]interface{}); isMap && !flatOptions[k] {
|
2015-12-10 23:35:10 +00:00
|
|
|
for km, vm := range m {
|
|
|
|
|
flatten[km] = vm
|
|
|
|
|
}
|
2016-02-02 19:33:41 +00:00
|
|
|
continue
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
2016-02-02 19:33:41 +00:00
|
|
|
|
|
|
|
|
flatten[k] = v
|
2015-12-10 23:35:10 +00:00
|
|
|
}
|
2016-01-19 19:16:07 +00:00
|
|
|
return flatten
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// findConfigurationConflicts iterates over the provided flags searching for
|
2016-01-20 22:16:49 +00:00
|
|
|
// duplicated configurations and unknown keys. It returns an error with all the conflicts if
|
2016-01-19 19:16:07 +00:00
|
|
|
// it finds any.
|
2016-06-21 20:42:47 +00:00
|
|
|
func findConfigurationConflicts(config map[string]interface{}, flags *pflag.FlagSet) error {
|
2016-01-20 22:16:49 +00:00
|
|
|
// 1. Search keys from the file that we don't recognize as flags.
|
|
|
|
|
unknownKeys := make(map[string]interface{})
|
|
|
|
|
for key, value := range config {
|
2018-08-06 01:52:35 +00:00
|
|
|
if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
|
2016-01-20 22:16:49 +00:00
|
|
|
unknownKeys[key] = value
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-22 18:14:48 +00:00
|
|
|
// 2. Discard values that implement NamedOption.
|
|
|
|
|
// Their configuration name differs from their flag name, like `labels` and `label`.
|
2016-02-18 21:55:03 +00:00
|
|
|
if len(unknownKeys) > 0 {
|
2016-06-21 20:42:47 +00:00
|
|
|
unknownNamedConflicts := func(f *pflag.Flag) {
|
2016-02-18 21:55:03 +00:00
|
|
|
if namedOption, ok := f.Value.(opts.NamedOption); ok {
|
|
|
|
|
if _, valid := unknownKeys[namedOption.Name()]; valid {
|
|
|
|
|
delete(unknownKeys, namedOption.Name())
|
|
|
|
|
}
|
2016-01-20 22:16:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
2016-02-18 21:55:03 +00:00
|
|
|
flags.VisitAll(unknownNamedConflicts)
|
2016-01-20 22:16:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(unknownKeys) > 0 {
|
|
|
|
|
var unknown []string
|
|
|
|
|
for key := range unknownKeys {
|
|
|
|
|
unknown = append(unknown, key)
|
|
|
|
|
}
|
|
|
|
|
return fmt.Errorf("the following directives don't match any configuration option: %s", strings.Join(unknown, ", "))
|
|
|
|
|
}
|
2015-12-10 23:35:10 +00:00
|
|
|
|
2016-01-20 22:16:49 +00:00
|
|
|
var conflicts []string
|
2015-12-10 23:35:10 +00:00
|
|
|
printConflict := func(name string, flagValue, fileValue interface{}) string {
|
|
|
|
|
return fmt.Sprintf("%s: (from flag: %v, from file: %v)", name, flagValue, fileValue)
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-20 22:16:49 +00:00
|
|
|
// 3. Search keys that are present as a flag and as a file option.
|
2016-06-21 20:42:47 +00:00
|
|
|
duplicatedConflicts := func(f *pflag.Flag) {
|
2015-12-10 23:35:10 +00:00
|
|
|
// search option name in the json configuration payload if the value is a named option
|
|
|
|
|
if namedOption, ok := f.Value.(opts.NamedOption); ok {
|
2016-01-19 19:16:07 +00:00
|
|
|
if optsValue, ok := config[namedOption.Name()]; ok {
|
2015-12-10 23:35:10 +00:00
|
|
|
conflicts = append(conflicts, printConflict(namedOption.Name(), f.Value.String(), optsValue))
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2016-06-21 20:42:47 +00:00
|
|
|
// search flag name in the json configuration payload
|
|
|
|
|
for _, name := range []string{f.Name, f.Shorthand} {
|
2016-01-19 19:16:07 +00:00
|
|
|
if value, ok := config[name]; ok {
|
2015-12-10 23:35:10 +00:00
|
|
|
conflicts = append(conflicts, printConflict(name, f.Value.String(), value))
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-20 22:16:49 +00:00
|
|
|
flags.Visit(duplicatedConflicts)
|
2015-12-10 23:35:10 +00:00
|
|
|
|
|
|
|
|
if len(conflicts) > 0 {
|
|
|
|
|
return fmt.Errorf("the following directives are specified both as a flag and in the configuration file: %s", strings.Join(conflicts, ", "))
|
|
|
|
|
}
|
|
|
|
|
return nil
|
2014-08-10 01:18:32 +00:00
|
|
|
}
|
2016-03-11 08:50:49 +00:00
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
// Validate validates some specific configs.
|
2016-05-06 04:45:55 +00:00
|
|
|
// such as config.DNS, config.Labels, config.DNSSearch,
|
|
|
|
|
// as well as config.MaxConcurrentDownloads, config.MaxConcurrentUploads.
|
2017-01-23 11:23:07 +00:00
|
|
|
func Validate(config *Config) error {
|
2016-03-11 08:50:49 +00:00
|
|
|
// validate DNS
|
|
|
|
|
for _, dns := range config.DNS {
|
|
|
|
|
if _, err := opts.ValidateIPAddress(dns); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// validate DNSSearch
|
|
|
|
|
for _, dnsSearch := range config.DNSSearch {
|
|
|
|
|
if _, err := opts.ValidateDNSSearch(dnsSearch); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// validate Labels
|
|
|
|
|
for _, label := range config.Labels {
|
|
|
|
|
if _, err := opts.ValidateLabel(label); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-05-06 04:45:55 +00:00
|
|
|
// validate MaxConcurrentDownloads
|
2017-03-02 00:58:06 +00:00
|
|
|
if config.MaxConcurrentDownloads != nil && *config.MaxConcurrentDownloads < 0 {
|
2016-05-06 04:45:55 +00:00
|
|
|
return fmt.Errorf("invalid max concurrent downloads: %d", *config.MaxConcurrentDownloads)
|
|
|
|
|
}
|
|
|
|
|
// validate MaxConcurrentUploads
|
2017-03-02 00:58:06 +00:00
|
|
|
if config.MaxConcurrentUploads != nil && *config.MaxConcurrentUploads < 0 {
|
2016-05-06 04:45:55 +00:00
|
|
|
return fmt.Errorf("invalid max concurrent uploads: %d", *config.MaxConcurrentUploads)
|
|
|
|
|
}
|
2016-05-23 21:49:50 +00:00
|
|
|
|
|
|
|
|
// validate that "default" runtime is not reset
|
|
|
|
|
if runtimes := config.GetAllRuntimes(); len(runtimes) > 0 {
|
2017-01-23 11:23:07 +00:00
|
|
|
if _, ok := runtimes[StockRuntimeName]; ok {
|
|
|
|
|
return fmt.Errorf("runtime name '%s' is reserved", StockRuntimeName)
|
2016-05-23 21:49:50 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-29 19:28:33 +00:00
|
|
|
if _, err := ParseGenericResources(config.NodeGenericResources); err != nil {
|
2017-05-31 00:02:11 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
if defaultRuntime := config.GetDefaultRuntimeName(); defaultRuntime != "" && defaultRuntime != StockRuntimeName {
|
2016-05-23 21:49:50 +00:00
|
|
|
runtimes := config.GetAllRuntimes()
|
|
|
|
|
if _, ok := runtimes[defaultRuntime]; !ok {
|
|
|
|
|
return fmt.Errorf("specified default runtime '%s' does not exist", defaultRuntime)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Implement none, private, and shareable ipc modes
Since the commit d88fe447df0e8 ("Add support for sharing /dev/shm/ and
/dev/mqueue between containers") container's /dev/shm is mounted on the
host first, then bind-mounted inside the container. This is done that
way in order to be able to share this container's IPC namespace
(and the /dev/shm mount point) with another container.
Unfortunately, this functionality breaks container checkpoint/restore
(even if IPC is not shared). Since /dev/shm is an external mount, its
contents is not saved by `criu checkpoint`, and so upon restore any
application that tries to access data under /dev/shm is severily
disappointed (which usually results in a fatal crash).
This commit solves the issue by introducing new IPC modes for containers
(in addition to 'host' and 'container:ID'). The new modes are:
- 'shareable': enables sharing this container's IPC with others
(this used to be the implicit default);
- 'private': disables sharing this container's IPC.
In 'private' mode, container's /dev/shm is truly mounted inside the
container, without any bind-mounting from the host, which solves the
issue.
While at it, let's also implement 'none' mode. The motivation, as
eloquently put by Justin Cormack, is:
> I wondered a while back about having a none shm mode, as currently it is
> not possible to have a totally unwriteable container as there is always
> a /dev/shm writeable mount. It is a bit of a niche case (and clearly
> should never be allowed to be daemon default) but it would be trivial to
> add now so maybe we should...
...so here's yet yet another mode:
- 'none': no /dev/shm mount inside the container (though it still
has its own private IPC namespace).
Now, to ultimately solve the abovementioned checkpoint/restore issue, we'd
need to make 'private' the default mode, but unfortunately it breaks the
backward compatibility. So, let's make the default container IPC mode
per-daemon configurable (with the built-in default set to 'shareable'
for now). The default can be changed either via a daemon CLI option
(--default-shm-mode) or a daemon.json configuration file parameter
of the same name.
Note one can only set either 'shareable' or 'private' IPC modes as a
daemon default (i.e. in this context 'host', 'container', or 'none'
do not make much sense).
Some other changes this patch introduces are:
1. A mount for /dev/shm is added to default OCI Linux spec.
2. IpcMode.Valid() is simplified to remove duplicated code that parsed
'container:ID' form. Note the old version used to check that ID does
not contain a semicolon -- this is no longer the case (tests are
modified accordingly). The motivation is we should either do a
proper check for container ID validity, or don't check it at all
(since it is checked in other places anyway). I chose the latter.
3. IpcMode.Container() is modified to not return container ID if the
mode value does not start with "container:", unifying the check to
be the same as in IpcMode.IsContainer().
3. IPC mode unit tests (runconfig/hostconfig_test.go) are modified
to add checks for newly added values.
[v2: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-51345997]
[v3: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-53902833]
[v4: addressed the case of upgrading from older daemon, in this case
container.HostConfig.IpcMode is unset and this is valid]
[v5: document old and new IpcMode values in api/swagger.yaml]
[v6: add the 'none' mode, changelog entry to docs/api/version-history.md]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-06-27 21:58:50 +00:00
|
|
|
// validate platform-specific settings
|
2018-01-14 23:42:25 +00:00
|
|
|
return config.ValidatePlatformConfig()
|
2016-03-11 08:50:49 +00:00
|
|
|
}
|
2017-01-22 06:59:29 +00:00
|
|
|
|
2017-01-23 11:23:07 +00:00
|
|
|
// ModifiedDiscoverySettings returns whether the discovery configuration has been modified or not.
|
|
|
|
|
func ModifiedDiscoverySettings(config *Config, backendType, advertise string, clusterOpts map[string]string) bool {
|
|
|
|
|
if config.ClusterStore != backendType || config.ClusterAdvertise != advertise {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (config.ClusterOpts == nil && clusterOpts == nil) ||
|
|
|
|
|
(config.ClusterOpts == nil && len(clusterOpts) == 0) ||
|
|
|
|
|
(len(config.ClusterOpts) == 0 && clusterOpts == nil) {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return !reflect.DeepEqual(config.ClusterOpts, clusterOpts)
|
|
|
|
|
}
|