mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
e98e56bb1e
Properly CloseWrite() the client socket once done with stdin when using TLS connection (this used to rely on an erroneous type assertion). Fixes #8658. Fixes #8642. Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> Signed-off-by: Michael Crosby <crosby.michael@gmail.com>
230 lines
5.5 KiB
Go
230 lines
5.5 KiB
Go
package client
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"os"
|
|
"runtime"
|
|
"strings"
|
|
"time"
|
|
|
|
log "github.com/Sirupsen/logrus"
|
|
"github.com/docker/docker/api"
|
|
"github.com/docker/docker/dockerversion"
|
|
"github.com/docker/docker/pkg/promise"
|
|
"github.com/docker/docker/pkg/stdcopy"
|
|
"github.com/docker/docker/pkg/term"
|
|
)
|
|
|
|
type tlsClientCon struct {
|
|
*tls.Conn
|
|
rawConn net.Conn
|
|
}
|
|
|
|
func (c *tlsClientCon) CloseWrite() error {
|
|
// Go standard tls.Conn doesn't provide the CloseWrite() method so we do it
|
|
// on its underlying connection.
|
|
if cwc, ok := c.rawConn.(interface {
|
|
CloseWrite() error
|
|
}); ok {
|
|
return cwc.CloseWrite()
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func tlsDial(network, addr string, config *tls.Config) (net.Conn, error) {
|
|
return tlsDialWithDialer(new(net.Dialer), network, addr, config)
|
|
}
|
|
|
|
// We need to copy Go's implementation of tls.Dial (pkg/cryptor/tls/tls.go) in
|
|
// order to return our custom tlsClientCon struct which holds both the tls.Conn
|
|
// object _and_ its underlying raw connection. The rationale for this is that
|
|
// we need to be able to close the write end of the connection when attaching,
|
|
// which tls.Conn does not provide.
|
|
func tlsDialWithDialer(dialer *net.Dialer, network, addr string, config *tls.Config) (net.Conn, error) {
|
|
// We want the Timeout and Deadline values from dialer to cover the
|
|
// whole process: TCP connection and TLS handshake. This means that we
|
|
// also need to start our own timers now.
|
|
timeout := dialer.Timeout
|
|
|
|
if !dialer.Deadline.IsZero() {
|
|
deadlineTimeout := dialer.Deadline.Sub(time.Now())
|
|
if timeout == 0 || deadlineTimeout < timeout {
|
|
timeout = deadlineTimeout
|
|
}
|
|
}
|
|
|
|
var errChannel chan error
|
|
|
|
if timeout != 0 {
|
|
errChannel = make(chan error, 2)
|
|
time.AfterFunc(timeout, func() {
|
|
errChannel <- errors.New("")
|
|
})
|
|
}
|
|
|
|
rawConn, err := dialer.Dial(network, addr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
colonPos := strings.LastIndex(addr, ":")
|
|
if colonPos == -1 {
|
|
colonPos = len(addr)
|
|
}
|
|
hostname := addr[:colonPos]
|
|
|
|
// If no ServerName is set, infer the ServerName
|
|
// from the hostname we're connecting to.
|
|
if config.ServerName == "" {
|
|
// Make a copy to avoid polluting argument or default.
|
|
c := *config
|
|
c.ServerName = hostname
|
|
config = &c
|
|
}
|
|
|
|
conn := tls.Client(rawConn, config)
|
|
|
|
if timeout == 0 {
|
|
err = conn.Handshake()
|
|
} else {
|
|
go func() {
|
|
errChannel <- conn.Handshake()
|
|
}()
|
|
|
|
err = <-errChannel
|
|
}
|
|
|
|
if err != nil {
|
|
rawConn.Close()
|
|
return nil, err
|
|
}
|
|
|
|
// This is Docker difference with standard's crypto/tls package: returned a
|
|
// wrapper which holds both the TLS and raw connections.
|
|
return &tlsClientCon{conn, rawConn}, nil
|
|
}
|
|
|
|
func (cli *DockerCli) dial() (net.Conn, error) {
|
|
if cli.tlsConfig != nil && cli.proto != "unix" {
|
|
// Notice this isn't Go standard's tls.Dial function
|
|
return tlsDial(cli.proto, cli.addr, cli.tlsConfig)
|
|
}
|
|
return net.Dial(cli.proto, cli.addr)
|
|
}
|
|
|
|
func (cli *DockerCli) hijack(method, path string, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error {
|
|
defer func() {
|
|
if started != nil {
|
|
close(started)
|
|
}
|
|
}()
|
|
|
|
params, err := cli.encodeData(data)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
req, err := http.NewRequest(method, fmt.Sprintf("/v%s%s", api.APIVERSION, path), params)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
req.Header.Set("User-Agent", "Docker-Client/"+dockerversion.VERSION)
|
|
req.Header.Set("Content-Type", "plain/text")
|
|
req.Host = cli.addr
|
|
|
|
dial, err := cli.dial()
|
|
if err != nil {
|
|
if strings.Contains(err.Error(), "connection refused") {
|
|
return fmt.Errorf("Cannot connect to the Docker daemon. Is 'docker -d' running on this host?")
|
|
}
|
|
return err
|
|
}
|
|
clientconn := httputil.NewClientConn(dial, nil)
|
|
defer clientconn.Close()
|
|
|
|
// Server hijacks the connection, error 'connection closed' expected
|
|
clientconn.Do(req)
|
|
|
|
rwc, br := clientconn.Hijack()
|
|
defer rwc.Close()
|
|
|
|
if started != nil {
|
|
started <- rwc
|
|
}
|
|
|
|
var receiveStdout chan error
|
|
|
|
var oldState *term.State
|
|
|
|
if in != nil && setRawTerminal && cli.isTerminalIn && os.Getenv("NORAW") == "" {
|
|
oldState, err = term.SetRawTerminal(cli.inFd)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer term.RestoreTerminal(cli.inFd, oldState)
|
|
}
|
|
|
|
if stdout != nil || stderr != nil {
|
|
receiveStdout = promise.Go(func() (err error) {
|
|
defer func() {
|
|
if in != nil {
|
|
if setRawTerminal && cli.isTerminalIn {
|
|
term.RestoreTerminal(cli.inFd, oldState)
|
|
}
|
|
// For some reason this Close call blocks on darwin..
|
|
// As the client exists right after, simply discard the close
|
|
// until we find a better solution.
|
|
if runtime.GOOS != "darwin" {
|
|
in.Close()
|
|
}
|
|
}
|
|
}()
|
|
|
|
// When TTY is ON, use regular copy
|
|
if setRawTerminal && stdout != nil {
|
|
_, err = io.Copy(stdout, br)
|
|
} else {
|
|
_, err = stdcopy.StdCopy(stdout, stderr, br)
|
|
}
|
|
log.Debugf("[hijack] End of stdout")
|
|
return err
|
|
})
|
|
}
|
|
|
|
sendStdin := promise.Go(func() error {
|
|
if in != nil {
|
|
io.Copy(rwc, in)
|
|
log.Debugf("[hijack] End of stdin")
|
|
}
|
|
|
|
if conn, ok := rwc.(interface {
|
|
CloseWrite() error
|
|
}); ok {
|
|
if err := conn.CloseWrite(); err != nil {
|
|
log.Debugf("Couldn't send EOF: %s", err)
|
|
}
|
|
}
|
|
// Discard errors due to pipe interruption
|
|
return nil
|
|
})
|
|
|
|
if stdout != nil || stderr != nil {
|
|
if err := <-receiveStdout; err != nil {
|
|
log.Debugf("Error receiveStdout: %s", err)
|
|
return err
|
|
}
|
|
}
|
|
|
|
if !cli.isTerminalIn {
|
|
if err := <-sendStdin; err != nil {
|
|
log.Debugf("Error sendStdin: %s", err)
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|