//go:build !windows
// +build !windows
package daemon // import "github.com/docker/docker/daemon"
import (
"net"
"net/http"
"path/filepath"
"strings"
set ReadHeaderTimeout to address G112: Potential Slowloris Attack (gosec)
After discussing in the maintainers meeting, we concluded that Slowloris attacks
are not a real risk other than potentially having some additional goroutines
lingering around, so setting a long timeout to satisfy the linter, and to at
least have "some" timeout.
libnetwork/diagnostic/server.go:96:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
srv := &http.Server{
Addr: net.JoinHostPort(ip, strconv.Itoa(port)),
Handler: s,
}
api/server/server.go:60:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
srv: &http.Server{
Addr: addr,
},
daemon/metrics_unix.go:34:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
^
cmd/dockerd/metrics.go:27:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 55fd77f7246a8113b81eb0de5644ce651db1ace0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-22 06:13:28 -04:00
"time"
"github.com/docker/docker/pkg/plugingetter"
"github.com/docker/docker/pkg/plugins"
"github.com/docker/docker/plugin"
metrics "github.com/docker/go-metrics"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
// listenMetricsSock binds a unix socket named "metrics.sock" under the
// daemon's ExecRoot and serves the metrics handler on it at /metrics from a
// background goroutine. The listener is stored on the daemon and the socket
// path is returned to the caller.
func (daemon *Daemon) listenMetricsSock() (string, error) {
	sockPath := filepath.Join(daemon.configStore.ExecRoot, "metrics.sock")

	// Remove whatever already sits at the path before binding. The result is
	// not checked; presumably a missing file is the common case and any real
	// problem surfaces as a Listen error below.
	unix.Unlink(sockPath)

	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return "", errors.Wrap(err, "error setting up metrics plugin listener")
	}
	// NOTE(review): no file mode or ownership is set on the socket here, so
	// who may connect depends on the process umask and on the permissions of
	// ExecRoot - confirm those are restrictive enough for the metrics data.

	router := http.NewServeMux()
	router.Handle("/metrics", metrics.Handler())

	go func() {
		logrus.Debugf("metrics API listening on %s", ln.Addr())

		// ReadHeaderTimeout is set because gosec reports G112 (potential
		// Slowloris attack) on an http.Server without one. It was judged not
		// to be a real concern for this use, hence the long value; it still
		// bounds how long a client can hold a connection while sending
		// request headers.
		server := &http.Server{
			Handler:           router,
			ReadHeaderTimeout: 5 * time.Minute,
		}

		serveErr := server.Serve(ln)
		if serveErr == nil {
			return
		}
		// An error mentioning a closed connection is not logged; presumably
		// that is what Serve returns once the listener has been closed.
		if strings.Contains(serveErr.Error(), "use of closed network connection") {
			return
		}
		logrus.WithError(serveErr).Error("error serving metrics API")
	}()

	daemon.metricsPluginListener = ln
	return sockPath, nil
}
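// registerMetricsPluginCallback registers two hooks for plugins of
// metricsPluginType on the given store: a runtime option that bind-mounts the
// daemon's metrics socket (sockPath) into the plugin at
// /run/docker/metrics.sock with the "ro" option, and a handler that builds a
// plugin adapter and calls StartMetrics on it.
func registerMetricsPluginCallback(store *plugin.Store, sockPath string) {
	store.RegisterRuntimeOpt(metricsPluginType, func(s *specs.Spec) {
		f := plugin.WithSpecMounts([]specs.Mount{
			{Type: "bind", Source: sockPath, Destination: "/run/docker/metrics.sock", Options: []string{"bind", "ro"}},
		})
		f(s)
	})
	store.Handle(metricsPluginType, func(name string, client *plugins.Client) {
		// Use lookup since nothing in the system can really reference it, no need
		// to protect against removal
		p, err := store.Get(name, metricsPluginType, plugingetter.Lookup)
		if err != nil {
			// The lookup failure is dropped without a log entry, as before.
			return
		}

		adapter, err := makePluginAdapter(p)
		if err != nil {
			logrus.WithError(err).WithField("plugin", p.Name()).Error("Error creating plugin adapter")
			// Stop here: the adapter returned alongside an error must not be
			// used. Falling through to StartMetrics could dereference a nil
			// adapter and panic inside the plugin handler.
			return
		}
		if err := adapter.StartMetrics(); err != nil {
			logrus.WithError(err).WithField("plugin", p.Name()).Error("Error starting metrics collector plugin")
		}
	})
}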