mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/daemon
John Howard 20833b06a0 Windows: (WCOW) Generate OCI spec that remote runtime can escape
Signed-off-by: John Howard <jhoward@microsoft.com>

Also fixes https://github.com/moby/moby/issues/22874

This commit is a pre-requisite to moving moby/moby on Windows to using
Containerd for its runtime.

The reason for this is that the interface between moby and containerd
for the runtime is an OCI spec which must be unambiguous.

It is the responsibility of the runtime (runhcs in the case of
containerd on Windows) to ensure that arguments are escaped prior
to calling into HCS and onwards to the Win32 CreateProcess call.

Previously, the builder was always escaping arguments which has
led to several bugs in moby. Because the local runtime in
libcontainerd had context of whether or not arguments were escaped,
it was possible to hack around in daemon/oci_windows.go with
knowledge of the context of the call (from builder or not).

With a remote runtime, this is not possible as there's rightly
no context of the caller passed across in the OCI spec. Put another
way, as I put above, the OCI spec must be unambiguous.

The other previous limitation (which leads to various subtle bugs)
is that moby is coded entirely from a Linux-centric point of view.

Unfortunately, Windows != Linux. Windows CreateProcess uses a
command line, not an array of arguments. And it has very specific
rules about how to escape a command line. Some interesting reading
links about this are:

https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess
https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017

For this reason, the OCI spec has recently been updated to cater
for more natural syntax by including a CommandLine option in
Process.

What does this commit do?

Primary objective is to ensure that the built OCI spec is unambiguous.

It changes the builder so that `ArgsEscaped` as committed in a
layer is only controlled by the use of CMD or ENTRYPOINT.

Subsequently, when calling in to create a container from the builder,
it follows a different path to both `docker run` and `docker create`
using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows
a RUN from the builder to control how to escape in the OCI spec.

It changes the builder so that when shell form is used for RUN,
CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line
using the original as put by the user in the dockerfile, not
the parsed version as a set of args which loses fidelity.
This command line is put into args[0] and `ArgsEscaped` is set
to true for CMD or ENTRYPOINT. A RUN statement does not commit
`ArgsEscaped` to the committed layer regardless of whether shell
or exec form were used.
2019-03-12 18:41:55 -07:00
cluster set bigger grpc limit for GetConfigs api 2019-02-26 11:09:25 -05:00
config allow running dockerd in an unprivileged user namespace (rootless mode) 2019-02-04 00:24:27 +09:00
discovery Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
events Add canonical import comment 2018-02-05 16:51:57 -05:00
exec Fix race condition between exec start and resize 2018-06-08 11:07:48 +08:00
graphdriver Graphdriver: fix "device" mode not being detected if "character-device" bit is set 2019-02-20 11:08:58 +01:00
images cli: fix images filter when use multi reference filter 2018-11-22 10:33:45 +08:00
initlayer Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
links fix typo 2018-09-08 08:13:30 +08:00
listeners allow running dockerd in an unprivileged user namespace (rootless mode) 2019-02-04 00:24:27 +09:00
logger Use assert.NilError() instead of assert.Assert() 2019-01-21 13:16:02 +01:00
names Add canonical import comment 2018-02-05 16:51:57 -05:00
network Block task starting until node attachments are ready 2018-08-20 15:28:15 -05:00
stats Fix stats collector spinning CPU if no stats are collected 2018-03-15 17:56:15 +01:00
testdata
apparmor_default.go Add canonical import comment 2018-02-05 16:51:57 -05:00
apparmor_default_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
archive.go Add canonical import comment 2018-02-05 16:51:57 -05:00
archive_tarcopyoptions.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
archive_tarcopyoptions_unix.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
archive_tarcopyoptions_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
archive_unix.go Move mount parsing to separate package. 2018-04-19 06:35:54 -04:00
archive_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
attach.go daemon.ContainerLogs(): fix resource leak on follow 2018-09-06 11:47:42 -07:00
auth.go Switch from x/net/context -> context 2018-04-23 13:52:44 -07:00
bindmount_unix.go Add canonical import comment 2018-02-05 16:51:57 -05:00
changes.go c.RWLayer: check for nil before use 2018-02-09 11:24:09 -08:00
checkpoint.go fix typo 2018-12-28 01:30:31 +01:00
cluster.go Move network conversions out of API router 2018-06-27 17:11:29 -07:00
commit.go Windows: (WCOW) Generate OCI spec that remote runtime can escape 2019-03-12 18:41:55 -07:00
configs.go Merge configs/secrets in unix implementation 2018-02-16 11:25:14 -05:00
configs_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
configs_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
configs_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
container.go Capabilities refactor 2019-01-22 21:50:41 +02:00
container_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
container_operations.go Fixes for resolv.conf 2018-07-26 11:17:56 -07:00
container_operations_unix.go Use Runtime target 2019-02-19 13:14:17 -06:00
container_operations_windows.go Use Runtime target 2019-02-19 13:14:17 -06:00
container_unix_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
container_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
create.go Windows: (WCOW) Generate OCI spec that remote runtime can escape 2019-03-12 18:41:55 -07:00
create_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
create_unix.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
create_windows.go Extract volume interaction to a volumes service 2018-05-25 14:21:07 -04:00
daemon.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
daemon_linux.go Fixes for resolv.conf 2018-07-26 11:17:56 -07:00
daemon_linux_test.go Use assert.NilError() instead of assert.Assert() 2019-01-21 13:16:02 +01:00
daemon_test.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
daemon_unix.go Merge pull request #32519 from darkowlzz/32443-docker-update-pids-limit 2019-02-23 15:20:59 +01:00
daemon_unix_test.go Rename verifyContainerResources to verifyPlatformContainerResources 2018-12-19 10:24:09 +01:00
daemon_unsupported.go Fixes for resolv.conf 2018-07-26 11:17:56 -07:00
daemon_windows.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
daemon_windows_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
debugtrap_unix.go Add canonical import comment 2018-02-05 16:51:57 -05:00
debugtrap_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
debugtrap_windows.go Windows:Update dumpstack event name 2019-02-15 15:26:56 -08:00
delete.go Extract volume interaction to a volumes service 2018-05-25 14:21:07 -04:00
delete_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
dependency.go Add canonical import comment 2018-02-05 16:51:57 -05:00
disk_usage.go Extract volume interaction to a volumes service 2018-05-25 14:21:07 -04:00
errors.go Replace deprecated grpc.ErrorDesc() and grpc.Code() calls 2018-12-30 12:34:28 +01:00
events.go Image events 2018-02-21 18:26:16 -05:00
events_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
exec.go Fix race condition between exec start and resize 2018-06-08 11:07:48 +08:00
exec_linux.go Move caps and device spec utils to oci pkg 2018-12-11 10:20:25 -05:00
exec_linux_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
exec_windows.go Windows: (WCOW) Generate OCI spec that remote runtime can escape 2019-03-12 18:41:55 -07:00
export.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
health.go Switch from x/net/context -> context 2018-04-23 13:52:44 -07:00
health_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
info.go allow running dockerd in an unprivileged user namespace (rootless mode) 2019-02-04 00:24:27 +09:00
info_test.go Masking credentials from proxy URL 2018-10-01 14:06:00 -04:00
info_unix.go Merge pull request #32519 from darkowlzz/32443-docker-update-pids-limit 2019-02-23 15:20:59 +01:00
info_unix_test.go Add containerd, runc, and docker-init versions to /version 2019-01-14 23:27:05 +01:00
info_windows.go allow running dockerd in an unprivileged user namespace (rootless mode) 2019-02-04 00:24:27 +09:00
inspect.go Extract volume interaction to a volumes service 2018-05-25 14:21:07 -04:00
inspect_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
inspect_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
inspect_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
keys.go Add canonical import comment 2018-02-05 16:51:57 -05:00
keys_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
kill.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
licensing.go Expose license status in Info (#37612) 2018-08-17 17:05:21 -07:00
licensing_test.go go vet fix for TestfillLicense 2018-12-09 00:51:37 +00:00
links.go Add canonical import comment 2018-02-05 16:51:57 -05:00
list.go Fix some typos 2018-09-20 20:00:35 +08:00
list_test.go Fix regression when filtering container names using a leading slash 2018-08-28 21:40:13 +02:00
list_unix.go Add canonical import comment 2018-02-05 16:51:57 -05:00
list_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
logdrivers_linux.go Add new local log driver 2018-08-17 09:36:56 -07:00
logdrivers_windows.go enable gcplogs driver on windows 2018-08-23 20:02:04 +00:00
logs.go daemon.ContainerLogs(): fix resource leak on follow 2018-09-06 11:47:42 -07:00
logs_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
metrics.go Fix typo: adapater -> adapter 2018-10-08 19:15:38 +08:00
metrics_unix.go Fix typo: adapater -> adapter 2018-10-08 19:15:38 +08:00
metrics_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
monitor.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
mounts.go Extract volume interaction to a volumes service 2018-05-25 14:21:07 -04:00
names.go Add canonical import comment 2018-02-05 16:51:57 -05:00
network.go builder: setup code for a bridge networking 2018-08-20 18:55:01 +00:00
oci_linux.go Merge pull request #32519 from darkowlzz/32443-docker-update-pids-limit 2019-02-23 15:20:59 +01:00
oci_linux_test.go oci: add integration tests for kernel.domainname configuration 2018-11-30 19:44:50 +11:00
oci_windows.go Windows: (WCOW) Generate OCI spec that remote runtime can escape 2019-03-12 18:41:55 -07:00
pause.go Add canonical import comment 2018-02-05 16:51:57 -05:00
prune.go Move network conversions out of API router 2018-06-27 17:11:29 -07:00
reload.go Fix possible segfault in config reload 2019-01-10 15:34:02 +01:00
reload_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
reload_unix.go Add canonical import comment 2018-02-05 16:51:57 -05:00
reload_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
rename.go docker rename enhancement 2018-09-21 09:43:06 +08:00
resize.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
resize_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
restart.go Windows: Fix restart for Hyper-V containers 2019-02-22 10:37:39 -08:00
seccomp_disabled.go Add canonical import comment 2018-02-05 16:51:57 -05:00
seccomp_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
seccomp_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
secrets.go Add canonical import comment 2018-02-05 16:51:57 -05:00
secrets_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
secrets_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
secrets_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
selinux_linux.go Add canonical import comment 2018-02-05 16:51:57 -05:00
selinux_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
start.go Delete stale containerd object on start failure 2019-02-14 11:46:44 -08:00
start_unix.go vendor: update containerd to 63522d9 2018-06-08 19:19:06 -07:00
start_windows.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
stats.go Switch from x/net/context -> context 2018-04-23 13:52:44 -07:00
stats_collector.go Add canonical import comment 2018-02-05 16:51:57 -05:00
stats_unix.go Add canonical import comment 2018-02-05 16:51:57 -05:00
stats_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
stop.go daemon.ContainerStop(): fix for a negative timeout 2018-05-03 10:04:33 -07:00
top_unix.go ContainerTop: improve error message 2018-05-24 18:24:36 -07:00
top_unix_test.go Add canonical import comment 2018-02-05 16:51:57 -05:00
top_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
trustkey.go Loosen permissions on /etc/docker directory 2018-09-14 14:14:39 +02:00
trustkey_test.go Update tests to use gotest.tools 👼 2018-06-13 09:04:30 +02:00
unpause.go daemon/*.go: fix some Wrap[f]/Warn[f] errors 2018-07-11 15:51:51 +02:00
update.go Add canonical import comment 2018-02-05 16:51:57 -05:00
update_linux.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
update_windows.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
util_test.go Windows: Experimental: Allow containerd for runtime 2019-03-12 18:41:55 -07:00
volumes.go Fix relabeling local volume source dir 2018-08-30 15:58:49 -07:00
volumes_linux.go Fix the several typos detected by github.com/client9/misspell 2018-08-09 00:45:00 +09:00
volumes_linux_test.go Use rslave propagation for mounts from daemon root 2018-02-07 14:27:09 -05:00
volumes_unit_test.go Move mount parsing to separate package. 2018-04-19 06:35:54 -04:00
volumes_unix.go mount: add BindOptions.NonRecursive (API v1.40) 2018-11-06 17:51:58 +09:00
volumes_unix_test.go Move mount parsing to separate package. 2018-04-19 06:35:54 -04:00
volumes_windows.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00
wait.go Switch from x/net/context -> context 2018-04-23 13:52:44 -07:00
workdir.go Add ADD/COPY --chown flag support to Windows 2018-08-13 21:59:11 -07:00