From 0c84c322ae41d0b66ef3fc72a4f4aebc38aea32a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 27 Jul 2021 12:12:11 +0200 Subject: [PATCH] daemon, oci: remove LCOW bits Signed-off-by: Sebastiaan van Stijn --- daemon/create.go | 9 +- daemon/create_windows.go | 15 +-- daemon/daemon_windows.go | 12 +- daemon/oci_windows.go | 65 +-------- oci/defaults.go | 277 +++++++++++++++++++-------------------- 5 files changed, 148 insertions(+), 230 deletions(-) diff --git a/daemon/create.go b/daemon/create.go index b71e183a64..d672688088 100644 --- a/daemon/create.go +++ b/daemon/create.go @@ -16,6 +16,7 @@ import ( "github.com/docker/docker/errdefs" "github.com/docker/docker/image" "github.com/docker/docker/pkg/idtools" + "github.com/docker/docker/pkg/system" "github.com/docker/docker/runconfig" v1 "github.com/opencontainers/image-spec/specs-go/v1" "github.com/opencontainers/selinux/go-selinux" @@ -113,19 +114,17 @@ func (daemon *Daemon) create(opts createOpts) (retC *container.Container, retErr img *image.Image imgID image.ID err error + os = runtime.GOOS ) - os := runtime.GOOS if opts.params.Config.Image != "" { img, err = daemon.imageService.GetImage(opts.params.Config.Image, opts.params.Platform) if err != nil { return nil, err } - if img.OS != "" { - os = img.OS - } + os = img.OperatingSystem() imgID = img.ID() - if isWindows && img.OS == "linux" { + if !system.IsOSSupported(os) { return nil, errors.New("operating system on which parent image was created is not Windows") } } else if isWindows { diff --git a/daemon/create_windows.go b/daemon/create_windows.go index de89f693ef..f47b732fbd 100644 --- a/daemon/create_windows.go +++ b/daemon/create_windows.go @@ -3,7 +3,6 @@ package daemon // import "github.com/docker/docker/daemon" import ( "context" "fmt" - "runtime" containertypes "github.com/docker/docker/api/types/container" "github.com/docker/docker/container" 
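Review bot: The error returned after the new `!system.IsOSSupported(os)` check in daemon.create still reads "operating system on which parent image was created is not Windows", but create.go is platform-independent and the check now runs on every host (the old guard was `isWindows && img.OS == "linux"`), so a Linux daemon that rejects an image would name the wrong OS in its error. The parallel check this commit adds to createSpec returns `system.ErrNotSupportedOperatingSystem`; returning that sentinel here as well, e.g. `return nil, system.ErrNotSupportedOperatingSystem`, keeps the two paths consistent and makes the failure matchable with errors.Is instead of by string. Also worth confirming that `img.OperatingSystem()` yields the host OS for images with an empty OS field, since the replaced code only overrode `os` when `img.OS != ""`. The create function starts before and continues past this hunk.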
@@ -14,19 +13,9 @@ import ( // createContainerOSSpecificSettings performs host-OS specific container create functionality func (daemon *Daemon) createContainerOSSpecificSettings(container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error { - - if container.OS == runtime.GOOS { + if containertypes.Isolation.IsDefault(hostConfig.Isolation) { // Make sure the host config has the default daemon isolation if not specified by caller. - if containertypes.Isolation.IsDefault(containertypes.Isolation(hostConfig.Isolation)) { - hostConfig.Isolation = daemon.defaultIsolation - } - } else { - // LCOW must be a Hyper-V container as you can't run a shared kernel when one - // is a Windows kernel, the other is a Linux kernel. - if containertypes.Isolation.IsProcess(containertypes.Isolation(hostConfig.Isolation)) { - return fmt.Errorf("process isolation is invalid for Linux containers on Windows") - } - hostConfig.Isolation = "hyperv" + hostConfig.Isolation = daemon.defaultIsolation } parser := volumemounts.NewParser() for spec := range config.Volumes { diff --git a/daemon/daemon_windows.go b/daemon/daemon_windows.go index a87f700bb0..f333b737aa 100644 --- a/daemon/daemon_windows.go +++ b/daemon/daemon_windows.go 
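Review bot: With the `container.OS == runtime.GOOS` branch gone, createContainerOSSpecificSettings no longer refuses process isolation for a non-Windows container; that is only safe because daemon.create now rejects images whose OS is unsupported before this function runs, a dependency that is not visible from this file. A one-line comment above the isolation defaulting, `// The image OS was validated against the host in daemon.create; every container reaching here is a Windows container.`, would record it for the next reader. The `fmt` import is kept although the only `fmt` use shown in this hunk was removed; presumably it is still used in the rest of the function, which continues outside the hunk.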
@@ -510,17 +510,11 @@ func (daemon *Daemon) conditionalMountOnStart(container *container.Container) er // conditionalUnmountOnCleanup is a platform specific helper function called // during the cleanup of a container to unmount. func (daemon *Daemon) conditionalUnmountOnCleanup(container *container.Container) error { - - // Bail out now for Linux containers - if system.LCOWSupported() && container.OS != "windows" { + if daemon.runAsHyperVContainer(container.HostConfig) { + // We do not unmount if a Hyper-V container return nil } - - // We do not unmount if a Hyper-V container - if !daemon.runAsHyperVContainer(container.HostConfig) { - return daemon.Unmount(container) - } - return nil + return daemon.Unmount(container) } func driverOptions(config *config.Config) []nwconfig.Option { diff --git a/daemon/oci_windows.go b/daemon/oci_windows.go index 16054f356c..4236f260b0 100644 --- a/daemon/oci_windows.go +++ b/daemon/oci_windows.go @@ -5,7 +5,6 @@ import ( "fmt" "io/ioutil" "path/filepath" - "runtime" "strings" "github.com/Microsoft/hcsshim/osversion" @@ -13,7 +12,6 @@ import ( "github.com/docker/docker/container" "github.com/docker/docker/errdefs" "github.com/docker/docker/oci" - "github.com/docker/docker/oci/caps" "github.com/docker/docker/pkg/sysinfo" "github.com/docker/docker/pkg/system" specs "github.com/opencontainers/runtime-spec/specs-go" @@ -33,8 +31,11 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) { if err != nil { return nil, err } + if !system.IsOSSupported(img.OperatingSystem()) { + return nil, system.ErrNotSupportedOperatingSystem + } - s := oci.DefaultOSSpec(img.OS) + s := oci.DefaultSpec() linkedEnv, err := daemon.setupLinkedContainers(c) if err != nil { 
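Review bot: The retained comment `// We do not unmount if a Hyper-V container` is a sentence fragment now that it heads the early return in conditionalUnmountOnCleanup; `// Hyper-V containers are not unmounted on cleanup.` reads correctly in its new position. The inverted condition preserves the previous behaviour for Windows containers, and dropping the Linux-container bail-out matches the OS check this commit adds in daemon.create. Whether `system` is still referenced elsewhere in daemon_windows.go after `system.LCOWSupported()` went away cannot be seen from this hunk.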
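Review bot: The new `IsOSSupported` check at the top of createSpec returns the bare `system.ErrNotSupportedOperatingSystem` without saying which image or OS was rejected, which makes the failure hard to trace in daemon logs for a container created from an older LCOW-era image. Since `fmt` is imported in this file, `return nil, fmt.Errorf("image %s has os %q: %w", img.ID(), img.OperatingSystem(), system.ErrNotSupportedOperatingSystem)` would add that context while keeping the sentinel matchable with errors.Is. Because `oci.DefaultSpec()` now selects the spec from runtime.GOOS rather than from the image, this check is the only thing preventing a non-Windows image from being handed a Windows spec, so a comment stating that, `// DefaultSpec selects by host OS; reject images built for another OS first.`, belongs above it. createSpec starts before and continues past this hunk.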
@@ -116,11 +117,6 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) { if !mount.Writable { m.Options = append(m.Options, "ro") } - if img.OS != runtime.GOOS { - m.Type = "bind" - m.Options = append(m.Options, "rbind") - m.Options = append(m.Options, fmt.Sprintf("uvmpath=/tmp/gcs/%s/binds", c.ID)) - } s.Mounts = append(s.Mounts, m) } @@ -200,20 +196,8 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) { NetworkSharedContainerName: networkSharedContainerID, } - switch img.OS { - case "windows": - if err := daemon.createSpecWindowsFields(c, &s, isHyperV); err != nil { - return nil, err - } - case "linux": - if !system.LCOWSupported() { - return nil, fmt.Errorf("Linux containers on Windows are not supported") - } - if err := daemon.createSpecLinuxFields(c, &s); err != nil { - return nil, err - } - default: - return nil, fmt.Errorf("Unsupported platform %q", img.OS) + if err := daemon.createSpecWindowsFields(c, &s, isHyperV); err != nil { + return nil, err } if logrus.IsLevelEnabled(logrus.DebugLevel) { @@ -222,7 +206,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) { } } - return (*specs.Spec)(&s), nil + return &s, nil } // Sets the Windows-specific fields of the OCI spec 
@@ -370,41 +354,6 @@ func (daemon *Daemon) setWindowsCredentialSpec(c *container.Container, s *specs. return nil } -// Sets the Linux-specific fields of the OCI spec -// TODO: LCOW Support. We need to do a lot more pulling in what can -// be pulled in from oci_linux.go. -func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spec) error { - s.Root = &specs.Root{ - Path: "rootfs", - Readonly: c.HostConfig.ReadonlyRootfs, - } - - s.Hostname = c.Config.Hostname - setLinuxDomainname(c, s) - - if len(s.Process.Cwd) == 0 { - s.Process.Cwd = `/` - } - s.Process.Args = append([]string{c.Path}, c.Args...) - - // Note these are against the UVM. - setResourcesInSpec(c, s, true) // LCOW is Hyper-V only - - capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged) - if err != nil { - return fmt.Errorf("linux spec capabilities: %v", err) - } - if err := oci.SetCapabilities(s, capabilities); err != nil { - return fmt.Errorf("linux spec capabilities: %v", err) - } - devPermissions, err := oci.AppendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules) - if err != nil { - return fmt.Errorf("linux runtime spec devices: %v", err) - } - s.Linux.Resources.Devices = devPermissions - return nil -} - func setResourcesInSpec(c *container.Container, s *specs.Spec, isHyperV bool) { // In s.Windows.Resources cpuShares := uint16(c.HostConfig.CPUShares) diff --git a/oci/defaults.go b/oci/defaults.go index 390618a89c..55a1d7a99e 100644 --- a/oci/defaults.go +++ b/oci/defaults.go 
@@ -14,12 +14,7 @@ func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm } // DefaultSpec returns the default spec used by docker for the current Platform func DefaultSpec() specs.Spec { - return DefaultOSSpec(runtime.GOOS) -} - -// DefaultOSSpec returns the spec for a given OS -func DefaultOSSpec(osName string) specs.Spec { - if osName == "windows" { + if runtime.GOOS == "windows" { return DefaultWindowsSpec() } return DefaultLinuxSpec() @@ -37,7 +32,7 @@ func DefaultWindowsSpec() specs.Spec { // DefaultLinuxSpec create a default spec for running Linux containers func DefaultLinuxSpec() specs.Spec { - s := specs.Spec{ + return specs.Spec{ Version: specs.Version, Process: &specs.Process{ Capabilities: &specs.LinuxCapabilities{ 
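Review bot: `DefaultOSSpec` was an exported function of the `oci` package and this hunk deletes it outright rather than deprecating it, so any out-of-tree importer of github.com/docker/docker/oci breaks at compile time with this change while the commit message only mentions removing LCOW bits. If the removal is intended, keeping the old function for one release with its previous body under `// Deprecated: use DefaultSpec, DefaultWindowsSpec or DefaultLinuxSpec.` would give importers a migration window; otherwise the API removal should be called out in the commit message. The doc comment on DefaultSpec can also be made precise now that the selection is fixed: `// DefaultSpec returns the spec used by docker for the host OS: DefaultWindowsSpec on Windows, DefaultLinuxSpec everywhere else.`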
@@ -48,147 +43,139 @@ func DefaultLinuxSpec() specs.Spec { }, }, Root: &specs.Root{}, - } - s.Mounts = []specs.Mount{ - { - Destination: "/proc", - Type: "proc", - Source: "proc", - Options: []string{"nosuid", "noexec", "nodev"}, + Mounts: []specs.Mount{ + { + Destination: "/proc", + Type: "proc", + Source: "proc", + Options: []string{"nosuid", "noexec", "nodev"}, + }, + { + Destination: "/dev", + Type: "tmpfs", + Source: "tmpfs", + Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"}, + }, + { + Destination: "/dev/pts", + Type: "devpts", + Source: "devpts", + Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"}, + }, + { + Destination: "/sys", + Type: "sysfs", + Source: "sysfs", + Options: []string{"nosuid", "noexec", "nodev", "ro"}, + }, + { + Destination: "/sys/fs/cgroup", + Type: "cgroup", + Source: "cgroup", + Options: []string{"ro", "nosuid", "noexec", "nodev"}, + }, + { + Destination: "/dev/mqueue", + Type: "mqueue", + Source: "mqueue", + Options: []string{"nosuid", "noexec", "nodev"}, + }, + { + Destination: "/dev/shm", + Type: "tmpfs", + Source: "shm", + Options: []string{"nosuid", "noexec", "nodev", "mode=1777"}, + }, }, - { - Destination: "/dev", - Type: "tmpfs", - Source: "tmpfs", - Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"}, - }, - { - Destination: "/dev/pts", - Type: "devpts", - Source: "devpts", - Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"}, - }, - { - Destination: "/sys", - Type: "sysfs", - Source: "sysfs", - Options: []string{"nosuid", "noexec", "nodev", "ro"}, - }, - { - Destination: "/sys/fs/cgroup", - Type: "cgroup", - Source: "cgroup", - Options: []string{"ro", "nosuid", "noexec", "nodev"}, - }, - { - Destination: "/dev/mqueue", - Type: "mqueue", - Source: "mqueue", - Options: []string{"nosuid", "noexec", "nodev"}, - }, - { - Destination: "/dev/shm", - Type: "tmpfs", - Source: "shm", - Options: []string{"nosuid", 
"noexec", "nodev", "mode=1777"}, - }, - } - - s.Linux = &specs.Linux{ - MaskedPaths: []string{ - "/proc/asound", - "/proc/acpi", - "/proc/kcore", - "/proc/keys", - "/proc/latency_stats", - "/proc/timer_list", - "/proc/timer_stats", - "/proc/sched_debug", - "/proc/scsi", - "/sys/firmware", - }, - ReadonlyPaths: []string{ - "/proc/bus", - "/proc/fs", - "/proc/irq", - "/proc/sys", - "/proc/sysrq-trigger", - }, - Namespaces: []specs.LinuxNamespace{ - {Type: "mount"}, - {Type: "network"}, - {Type: "uts"}, - {Type: "pid"}, - {Type: "ipc"}, - }, - // Devices implicitly contains the following devices: - // null, zero, full, random, urandom, tty, console, and ptmx. - // ptmx is a bind mount or symlink of the container's ptmx. - // See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices - Devices: []specs.LinuxDevice{}, - Resources: &specs.LinuxResources{ - Devices: []specs.LinuxDeviceCgroup{ - { - Allow: false, - Access: "rwm", - }, - { - Allow: true, - Type: "c", - Major: iPtr(1), - Minor: iPtr(5), - Access: "rwm", - }, - { - Allow: true, - Type: "c", - Major: iPtr(1), - Minor: iPtr(3), - Access: "rwm", - }, - { - Allow: true, - Type: "c", - Major: iPtr(1), - Minor: iPtr(9), - Access: "rwm", - }, - { - Allow: true, - Type: "c", - Major: iPtr(1), - Minor: iPtr(8), - Access: "rwm", - }, - { - Allow: true, - Type: "c", - Major: iPtr(5), - Minor: iPtr(0), - Access: "rwm", - }, - { - Allow: true, - Type: "c", - Major: iPtr(5), - Minor: iPtr(1), - Access: "rwm", - }, - { - Allow: false, - Type: "c", - Major: iPtr(10), - Minor: iPtr(229), - Access: "rwm", + Linux: &specs.Linux{ + MaskedPaths: []string{ + "/proc/asound", + "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/proc/scsi", + "/sys/firmware", + }, + ReadonlyPaths: []string{ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger", + }, + Namespaces: 
[]specs.LinuxNamespace{ + {Type: "mount"}, + {Type: "network"}, + {Type: "uts"}, + {Type: "pid"}, + {Type: "ipc"}, + }, + // Devices implicitly contains the following devices: + // null, zero, full, random, urandom, tty, console, and ptmx. + // ptmx is a bind mount or symlink of the container's ptmx. + // See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices + Devices: []specs.LinuxDevice{}, + Resources: &specs.LinuxResources{ + Devices: []specs.LinuxDeviceCgroup{ + { + Allow: false, + Access: "rwm", + }, + { + Allow: true, + Type: "c", + Major: iPtr(1), + Minor: iPtr(5), + Access: "rwm", + }, + { + Allow: true, + Type: "c", + Major: iPtr(1), + Minor: iPtr(3), + Access: "rwm", + }, + { + Allow: true, + Type: "c", + Major: iPtr(1), + Minor: iPtr(9), + Access: "rwm", + }, + { + Allow: true, + Type: "c", + Major: iPtr(1), + Minor: iPtr(8), + Access: "rwm", + }, + { + Allow: true, + Type: "c", + Major: iPtr(5), + Minor: iPtr(0), + Access: "rwm", + }, + { + Allow: true, + Type: "c", + Major: iPtr(5), + Minor: iPtr(1), + Access: "rwm", + }, + { + Allow: false, + Type: "c", + Major: iPtr(10), + Minor: iPtr(229), + Access: "rwm", + }, }, }, }, } - - // For LCOW support, populate a blank Windows spec - if runtime.GOOS == "windows" { - s.Windows = &specs.Windows{} - } - - return s }
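Review bot: The device cgroup allowlist in the restructured DefaultLinuxSpec is the daemon's default device boundary for every Linux container, yet none of its entries names the device it refers to, so a reader needs the Linux major/minor table to review it. Annotating each rule inline — `// 1:3 /dev/null`, `// 1:5 /dev/zero`, `// 1:8 /dev/random`, `// 1:9 /dev/urandom`, `// 5:0 /dev/tty`, `// 5:1 /dev/console`, `// 10:229 /dev/fuse (explicitly denied)` — and marking the leading `Allow: false, Access: "rwm"` entry as the default-deny that the later rules carve exceptions from would make the policy reviewable at a glance. Note that /dev/full (1:7) and ptmx (5:2), which the "implicitly contains" comment lists as default devices, have no allow rule in this list; presumably the runtime supplies its own defaults for them, but that is worth confirming rather than assuming. The conversion to a single composite literal appears to keep every mount option, masked path, read-only path and namespace unchanged, with only the LCOW-era blank `s.Windows` removed.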