mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
d082bbcc05
Allow containerd shim refs in default-runtime
695 lines
26 KiB
Go
695 lines
26 KiB
Go
package config // import "github.com/docker/docker/daemon/config"
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net"
|
|
"net/url"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/containerd/containerd/runtime/v2/shim"
|
|
"github.com/docker/docker/opts"
|
|
"github.com/docker/docker/pkg/authorization"
|
|
"github.com/docker/docker/registry"
|
|
"github.com/imdario/mergo"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
"github.com/spf13/pflag"
|
|
)
|
|
|
|
const (
|
|
// DefaultMaxConcurrentDownloads is the default value for
|
|
// maximum number of downloads that
|
|
// may take place at a time for each pull.
|
|
DefaultMaxConcurrentDownloads = 3
|
|
// DefaultMaxConcurrentUploads is the default value for
|
|
// maximum number of uploads that
|
|
// may take place at a time for each push.
|
|
DefaultMaxConcurrentUploads = 5
|
|
// DefaultDownloadAttempts is the default value for
|
|
// maximum number of attempts that
|
|
// may take place at a time for each pull when the connection is lost.
|
|
DefaultDownloadAttempts = 5
|
|
// DefaultShmSize is the default value for container's shm size (64 MiB)
|
|
DefaultShmSize int64 = 64 * 1024 * 1024
|
|
// DefaultNetworkMtu is the default value for network MTU
|
|
DefaultNetworkMtu = 1500
|
|
// DisableNetworkBridge is the default value of the option to disable network bridge
|
|
DisableNetworkBridge = "none"
|
|
// DefaultShutdownTimeout is the default shutdown timeout (in seconds) for
|
|
// the daemon for containers to stop when it is shutting down.
|
|
DefaultShutdownTimeout = 15
|
|
// DefaultInitBinary is the name of the default init binary
|
|
DefaultInitBinary = "docker-init"
|
|
// DefaultRuntimeBinary is the default runtime to be used by
|
|
// containerd if none is specified
|
|
DefaultRuntimeBinary = "runc"
|
|
// DefaultContainersNamespace is the name of the default containerd namespace used for users containers.
|
|
DefaultContainersNamespace = "moby"
|
|
// DefaultPluginNamespace is the name of the default containerd namespace used for plugins.
|
|
DefaultPluginNamespace = "plugins.moby"
|
|
|
|
// LinuxV2RuntimeName is the runtime used to specify the containerd v2 runc shim
|
|
LinuxV2RuntimeName = "io.containerd.runc.v2"
|
|
|
|
// SeccompProfileDefault is the built-in default seccomp profile.
|
|
SeccompProfileDefault = "builtin"
|
|
// SeccompProfileUnconfined is a special profile name for seccomp to use an
|
|
// "unconfined" seccomp profile.
|
|
SeccompProfileUnconfined = "unconfined"
|
|
)
|
|
|
|
var builtinRuntimes = map[string]bool{
|
|
StockRuntimeName: true,
|
|
LinuxV2RuntimeName: true,
|
|
}
|
|
|
|
// flatOptions contains configuration keys
|
|
// that MUST NOT be parsed as deep structures.
|
|
// Use this to differentiate these options
|
|
// with others like the ones in CommonTLSOptions.
|
|
var flatOptions = map[string]bool{
|
|
"cluster-store-opts": true,
|
|
"log-opts": true,
|
|
"runtimes": true,
|
|
"default-ulimits": true,
|
|
"features": true,
|
|
"builder": true,
|
|
}
|
|
|
|
// skipValidateOptions contains configuration keys
|
|
// that will be skipped from findConfigurationConflicts
|
|
// for unknown flag validation.
|
|
var skipValidateOptions = map[string]bool{
|
|
"features": true,
|
|
"builder": true,
|
|
// Corresponding flag has been removed because it was already unusable
|
|
"deprecated-key-path": true,
|
|
}
|
|
|
|
// skipDuplicates contains configuration keys that
|
|
// will be skipped when checking duplicated
|
|
// configuration field defined in both daemon
|
|
// config file and from dockerd cli flags.
|
|
// This allows some configurations to be merged
|
|
// during the parsing.
|
|
var skipDuplicates = map[string]bool{
|
|
"runtimes": true,
|
|
}
|
|
|
|
// LogConfig represents the default log configuration.
|
|
// It includes json tags to deserialize configuration from a file
|
|
// using the same names that the flags in the command line use.
|
|
type LogConfig struct {
|
|
Type string `json:"log-driver,omitempty"`
|
|
Config map[string]string `json:"log-opts,omitempty"`
|
|
}
|
|
|
|
// commonBridgeConfig stores all the platform-common bridge driver specific
|
|
// configuration.
|
|
type commonBridgeConfig struct {
|
|
Iface string `json:"bridge,omitempty"`
|
|
FixedCIDR string `json:"fixed-cidr,omitempty"`
|
|
}
|
|
|
|
// NetworkConfig stores the daemon-wide networking configurations
|
|
type NetworkConfig struct {
|
|
// Default address pools for docker networks
|
|
DefaultAddressPools opts.PoolsOpt `json:"default-address-pools,omitempty"`
|
|
// NetworkControlPlaneMTU allows to specify the control plane MTU, this will allow to optimize the network use in some components
|
|
NetworkControlPlaneMTU int `json:"network-control-plane-mtu,omitempty"`
|
|
}
|
|
|
|
// CommonTLSOptions defines TLS configuration for the daemon server.
|
|
// It includes json tags to deserialize configuration from a file
|
|
// using the same names that the flags in the command line use.
|
|
type CommonTLSOptions struct {
|
|
CAFile string `json:"tlscacert,omitempty"`
|
|
CertFile string `json:"tlscert,omitempty"`
|
|
KeyFile string `json:"tlskey,omitempty"`
|
|
}
|
|
|
|
// DNSConfig defines the DNS configurations.
|
|
type DNSConfig struct {
|
|
DNS []string `json:"dns,omitempty"`
|
|
DNSOptions []string `json:"dns-opts,omitempty"`
|
|
DNSSearch []string `json:"dns-search,omitempty"`
|
|
HostGatewayIP net.IP `json:"host-gateway-ip,omitempty"`
|
|
}
|
|
|
|
// CommonConfig defines the configuration of a docker daemon which is
|
|
// common across platforms.
|
|
// It includes json tags to deserialize configuration from a file
|
|
// using the same names that the flags in the command line use.
|
|
type CommonConfig struct {
|
|
AuthzMiddleware *authorization.Middleware `json:"-"`
|
|
AuthorizationPlugins []string `json:"authorization-plugins,omitempty"` // AuthorizationPlugins holds list of authorization plugins
|
|
AutoRestart bool `json:"-"`
|
|
Context map[string][]string `json:"-"`
|
|
DisableBridge bool `json:"-"`
|
|
ExecOptions []string `json:"exec-opts,omitempty"`
|
|
GraphDriver string `json:"storage-driver,omitempty"`
|
|
GraphOptions []string `json:"storage-opts,omitempty"`
|
|
Labels []string `json:"labels,omitempty"`
|
|
Mtu int `json:"mtu,omitempty"`
|
|
NetworkDiagnosticPort int `json:"network-diagnostic-port,omitempty"`
|
|
Pidfile string `json:"pidfile,omitempty"`
|
|
RawLogs bool `json:"raw-logs,omitempty"`
|
|
RootDeprecated string `json:"graph,omitempty"` // Deprecated: use Root instead. TODO(thaJeztah): remove in next release.
|
|
Root string `json:"data-root,omitempty"`
|
|
ExecRoot string `json:"exec-root,omitempty"`
|
|
SocketGroup string `json:"group,omitempty"`
|
|
CorsHeaders string `json:"api-cors-header,omitempty"`
|
|
|
|
// Proxies holds the proxies that are configured for the daemon.
|
|
Proxies `json:"proxies"`
|
|
|
|
// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests
|
|
// when pushing to a registry which does not support schema 2. This field is marked as
|
|
// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the
|
|
// daemon ID will use a dedicated identifier not shared with exported signatures.
|
|
TrustKeyPath string `json:"deprecated-key-path,omitempty"`
|
|
|
|
// LiveRestoreEnabled determines whether we should keep containers
|
|
// alive upon daemon shutdown/start
|
|
LiveRestoreEnabled bool `json:"live-restore,omitempty"`
|
|
|
|
// MaxConcurrentDownloads is the maximum number of downloads that
|
|
// may take place at a time for each pull.
|
|
MaxConcurrentDownloads int `json:"max-concurrent-downloads,omitempty"`
|
|
|
|
// MaxConcurrentUploads is the maximum number of uploads that
|
|
// may take place at a time for each push.
|
|
MaxConcurrentUploads int `json:"max-concurrent-uploads,omitempty"`
|
|
|
|
// MaxDownloadAttempts is the maximum number of attempts that
|
|
// may take place at a time for each push.
|
|
MaxDownloadAttempts int `json:"max-download-attempts,omitempty"`
|
|
|
|
// ShutdownTimeout is the timeout value (in seconds) the daemon will wait for the container
|
|
// to stop when daemon is being shutdown
|
|
ShutdownTimeout int `json:"shutdown-timeout,omitempty"`
|
|
|
|
Debug bool `json:"debug,omitempty"`
|
|
Hosts []string `json:"hosts,omitempty"`
|
|
LogLevel string `json:"log-level,omitempty"`
|
|
TLS *bool `json:"tls,omitempty"`
|
|
TLSVerify *bool `json:"tlsverify,omitempty"`
|
|
|
|
// Embedded structs that allow config
|
|
// deserialization without the full struct.
|
|
CommonTLSOptions
|
|
|
|
// SwarmDefaultAdvertiseAddr is the default host/IP or network interface
|
|
// to use if a wildcard address is specified in the ListenAddr value
|
|
// given to the /swarm/init endpoint and no advertise address is
|
|
// specified.
|
|
SwarmDefaultAdvertiseAddr string `json:"swarm-default-advertise-addr"`
|
|
|
|
// SwarmRaftHeartbeatTick is the number of ticks in time for swarm mode raft quorum heartbeat
|
|
// Typical value is 1
|
|
SwarmRaftHeartbeatTick uint32 `json:"swarm-raft-heartbeat-tick"`
|
|
|
|
// SwarmRaftElectionTick is the number of ticks to elapse before followers in the quorum can propose
|
|
// a new round of leader election. Default, recommended value is at least 10X that of Heartbeat tick.
|
|
// Higher values can make the quorum less sensitive to transient faults in the environment, but this also
|
|
// means it takes longer for the managers to detect a down leader.
|
|
SwarmRaftElectionTick uint32 `json:"swarm-raft-election-tick"`
|
|
|
|
MetricsAddress string `json:"metrics-addr"`
|
|
|
|
DNSConfig
|
|
LogConfig
|
|
BridgeConfig // bridgeConfig holds bridge network specific configuration.
|
|
NetworkConfig
|
|
registry.ServiceOptions
|
|
|
|
sync.Mutex
|
|
// FIXME(vdemeester) This part is not that clear and is mainly dependent on cli flags
|
|
// It should probably be handled outside this package.
|
|
ValuesSet map[string]interface{} `json:"-"`
|
|
|
|
Experimental bool `json:"experimental"` // Experimental indicates whether experimental features should be exposed or not
|
|
|
|
// Exposed node Generic Resources
|
|
// e.g: ["orange=red", "orange=green", "orange=blue", "apple=3"]
|
|
NodeGenericResources []string `json:"node-generic-resources,omitempty"`
|
|
|
|
// ContainerAddr is the address used to connect to containerd if we're
|
|
// not starting it ourselves
|
|
ContainerdAddr string `json:"containerd,omitempty"`
|
|
|
|
// CriContainerd determines whether a supervised containerd instance
|
|
// should be configured with the CRI plugin enabled. This allows using
|
|
// Docker's containerd instance directly with a Kubernetes kubelet.
|
|
CriContainerd bool `json:"cri-containerd,omitempty"`
|
|
|
|
// Features contains a list of feature key value pairs indicating what features are enabled or disabled.
|
|
// If a certain feature doesn't appear in this list then it's unset (i.e. neither true nor false).
|
|
Features map[string]bool `json:"features,omitempty"`
|
|
|
|
Builder BuilderConfig `json:"builder,omitempty"`
|
|
|
|
ContainerdNamespace string `json:"containerd-namespace,omitempty"`
|
|
ContainerdPluginNamespace string `json:"containerd-plugin-namespace,omitempty"`
|
|
|
|
DefaultRuntime string `json:"default-runtime,omitempty"`
|
|
}
|
|
|
|
// Proxies holds the proxies that are configured for the daemon.
|
|
type Proxies struct {
|
|
HTTPProxy string `json:"http-proxy,omitempty"`
|
|
HTTPSProxy string `json:"https-proxy,omitempty"`
|
|
NoProxy string `json:"no-proxy,omitempty"`
|
|
}
|
|
|
|
// IsValueSet returns true if a configuration value
|
|
// was explicitly set in the configuration file.
|
|
func (conf *Config) IsValueSet(name string) bool {
|
|
if conf.ValuesSet == nil {
|
|
return false
|
|
}
|
|
_, ok := conf.ValuesSet[name]
|
|
return ok
|
|
}
|
|
|
|
// New returns a new fully initialized Config struct with default values set.
|
|
func New() (*Config, error) {
|
|
// platform-agnostic default values for the Config.
|
|
cfg := &Config{
|
|
CommonConfig: CommonConfig{
|
|
ShutdownTimeout: DefaultShutdownTimeout,
|
|
LogConfig: LogConfig{
|
|
Config: make(map[string]string),
|
|
},
|
|
MaxConcurrentDownloads: DefaultMaxConcurrentDownloads,
|
|
MaxConcurrentUploads: DefaultMaxConcurrentUploads,
|
|
MaxDownloadAttempts: DefaultDownloadAttempts,
|
|
Mtu: DefaultNetworkMtu,
|
|
NetworkConfig: NetworkConfig{
|
|
NetworkControlPlaneMTU: DefaultNetworkMtu,
|
|
},
|
|
ContainerdNamespace: DefaultContainersNamespace,
|
|
ContainerdPluginNamespace: DefaultPluginNamespace,
|
|
DefaultRuntime: StockRuntimeName,
|
|
},
|
|
}
|
|
|
|
if err := setPlatformDefaults(cfg); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return cfg, nil
|
|
}
|
|
|
|
// GetConflictFreeLabels validates Labels for conflict
|
|
// In swarm the duplicates for labels are removed
|
|
// so we only take same values here, no conflict values
|
|
// If the key-value is the same we will only take the last label
|
|
func GetConflictFreeLabels(labels []string) ([]string, error) {
|
|
labelMap := map[string]string{}
|
|
for _, label := range labels {
|
|
stringSlice := strings.SplitN(label, "=", 2)
|
|
if len(stringSlice) > 1 {
|
|
// If there is a conflict we will return an error
|
|
if v, ok := labelMap[stringSlice[0]]; ok && v != stringSlice[1] {
|
|
return nil, fmt.Errorf("conflict labels for %s=%s and %s=%s", stringSlice[0], stringSlice[1], stringSlice[0], v)
|
|
}
|
|
labelMap[stringSlice[0]] = stringSlice[1]
|
|
}
|
|
}
|
|
|
|
newLabels := []string{}
|
|
for k, v := range labelMap {
|
|
newLabels = append(newLabels, fmt.Sprintf("%s=%s", k, v))
|
|
}
|
|
return newLabels, nil
|
|
}
|
|
|
|
// Reload reads the configuration in the host and reloads the daemon and server.
|
|
func Reload(configFile string, flags *pflag.FlagSet, reload func(*Config)) error {
|
|
logrus.Infof("Got signal to reload configuration, reloading from: %s", configFile)
|
|
newConfig, err := getConflictFreeConfiguration(configFile, flags)
|
|
if err != nil {
|
|
if flags.Changed("config-file") || !os.IsNotExist(err) {
|
|
return errors.Wrapf(err, "unable to configure the Docker daemon with file %s", configFile)
|
|
}
|
|
newConfig, err = New()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Check if duplicate label-keys with different values are found
|
|
newLabels, err := GetConflictFreeLabels(newConfig.Labels)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
newConfig.Labels = newLabels
|
|
|
|
// TODO(thaJeztah) This logic is problematic and needs a rewrite;
|
|
// This is validating newConfig before the "reload()" callback is executed.
|
|
// At this point, newConfig may be a partial configuration, to be merged
|
|
// with the existing configuration in the "reload()" callback. Validating
|
|
// this config before it's merged can result in incorrect validation errors.
|
|
//
|
|
// However, the current "reload()" callback we use is DaemonCli.reloadConfig(),
|
|
// which includes a call to Daemon.Reload(), which both performs "merging"
|
|
// and validation, as well as actually updating the daemon configuration.
|
|
// Calling DaemonCli.reloadConfig() *before* validation, could thus lead to
|
|
// a failure in that function (making the reload non-atomic).
|
|
//
|
|
// While *some* errors could always occur when applying/updating the config,
|
|
// we should make it more atomic, and;
|
|
//
|
|
// 1. get (a copy of) the active configuration
|
|
// 2. get the new configuration
|
|
// 3. apply the (reloadable) options from the new configuration
|
|
// 4. validate the merged results
|
|
// 5. apply the new configuration.
|
|
if err := Validate(newConfig); err != nil {
|
|
return errors.Wrap(err, "file configuration validation failed")
|
|
}
|
|
|
|
reload(newConfig)
|
|
return nil
|
|
}
|
|
|
|
// boolValue is an interface that boolean value flags implement
|
|
// to tell the command line how to make -name equivalent to -name=true.
|
|
type boolValue interface {
|
|
IsBoolFlag() bool
|
|
}
|
|
|
|
// MergeDaemonConfigurations reads a configuration file,
|
|
// loads the file configuration in an isolated structure,
|
|
// and merges the configuration provided from flags on top
|
|
// if there are no conflicts.
|
|
func MergeDaemonConfigurations(flagsConfig *Config, flags *pflag.FlagSet, configFile string) (*Config, error) {
|
|
fileConfig, err := getConflictFreeConfiguration(configFile, flags)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// merge flags configuration on top of the file configuration
|
|
if err := mergo.Merge(fileConfig, flagsConfig); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// validate the merged fileConfig and flagsConfig
|
|
if err := Validate(fileConfig); err != nil {
|
|
return nil, errors.Wrap(err, "merged configuration validation from file and command line flags failed")
|
|
}
|
|
|
|
return fileConfig, nil
|
|
}
|
|
|
|
// getConflictFreeConfiguration loads the configuration from a JSON file.
|
|
// It compares that configuration with the one provided by the flags,
|
|
// and returns an error if there are conflicts.
|
|
func getConflictFreeConfiguration(configFile string, flags *pflag.FlagSet) (*Config, error) {
|
|
b, err := os.ReadFile(configFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var config Config
|
|
|
|
b = bytes.TrimSpace(b)
|
|
if len(b) == 0 {
|
|
// empty config file
|
|
return &config, nil
|
|
}
|
|
|
|
if flags != nil {
|
|
var jsonConfig map[string]interface{}
|
|
if err := json.Unmarshal(b, &jsonConfig); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
configSet := configValuesSet(jsonConfig)
|
|
|
|
if err := findConfigurationConflicts(configSet, flags); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Override flag values to make sure the values set in the config file with nullable values, like `false`,
|
|
// are not overridden by default truthy values from the flags that were not explicitly set.
|
|
// See https://github.com/docker/docker/issues/20289 for an example.
|
|
//
|
|
// TODO: Rewrite configuration logic to avoid same issue with other nullable values, like numbers.
|
|
namedOptions := make(map[string]interface{})
|
|
for key, value := range configSet {
|
|
f := flags.Lookup(key)
|
|
if f == nil { // ignore named flags that don't match
|
|
namedOptions[key] = value
|
|
continue
|
|
}
|
|
|
|
if _, ok := f.Value.(boolValue); ok {
|
|
f.Value.Set(fmt.Sprintf("%v", value))
|
|
}
|
|
}
|
|
if len(namedOptions) > 0 {
|
|
// set also default for mergeVal flags that are boolValue at the same time.
|
|
flags.VisitAll(func(f *pflag.Flag) {
|
|
if opt, named := f.Value.(opts.NamedOption); named {
|
|
v, set := namedOptions[opt.Name()]
|
|
_, boolean := f.Value.(boolValue)
|
|
if set && boolean {
|
|
f.Value.Set(fmt.Sprintf("%v", v))
|
|
}
|
|
}
|
|
})
|
|
}
|
|
|
|
config.ValuesSet = configSet
|
|
}
|
|
|
|
if err := json.Unmarshal(b, &config); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &config, nil
|
|
}
|
|
|
|
// configValuesSet returns the configuration values explicitly set in the file.
|
|
func configValuesSet(config map[string]interface{}) map[string]interface{} {
|
|
flatten := make(map[string]interface{})
|
|
for k, v := range config {
|
|
if m, isMap := v.(map[string]interface{}); isMap && !flatOptions[k] {
|
|
for km, vm := range m {
|
|
flatten[km] = vm
|
|
}
|
|
continue
|
|
}
|
|
|
|
flatten[k] = v
|
|
}
|
|
return flatten
|
|
}
|
|
|
|
// findConfigurationConflicts iterates over the provided flags searching for
|
|
// duplicated configurations and unknown keys. It returns an error with all the conflicts if
|
|
// it finds any.
|
|
func findConfigurationConflicts(config map[string]interface{}, flags *pflag.FlagSet) error {
|
|
// 1. Search keys from the file that we don't recognize as flags.
|
|
unknownKeys := make(map[string]interface{})
|
|
for key, value := range config {
|
|
if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
|
|
unknownKeys[key] = value
|
|
}
|
|
}
|
|
|
|
// 2. Discard values that implement NamedOption.
|
|
// Their configuration name differs from their flag name, like `labels` and `label`.
|
|
if len(unknownKeys) > 0 {
|
|
unknownNamedConflicts := func(f *pflag.Flag) {
|
|
if namedOption, ok := f.Value.(opts.NamedOption); ok {
|
|
delete(unknownKeys, namedOption.Name())
|
|
}
|
|
}
|
|
flags.VisitAll(unknownNamedConflicts)
|
|
}
|
|
|
|
if len(unknownKeys) > 0 {
|
|
var unknown []string
|
|
for key := range unknownKeys {
|
|
unknown = append(unknown, key)
|
|
}
|
|
return fmt.Errorf("the following directives don't match any configuration option: %s", strings.Join(unknown, ", "))
|
|
}
|
|
|
|
var conflicts []string
|
|
printConflict := func(name string, flagValue, fileValue interface{}) string {
|
|
switch name {
|
|
case "http-proxy", "https-proxy":
|
|
flagValue = MaskCredentials(flagValue.(string))
|
|
fileValue = MaskCredentials(fileValue.(string))
|
|
}
|
|
return fmt.Sprintf("%s: (from flag: %v, from file: %v)", name, flagValue, fileValue)
|
|
}
|
|
|
|
// 3. Search keys that are present as a flag and as a file option.
|
|
duplicatedConflicts := func(f *pflag.Flag) {
|
|
// search option name in the json configuration payload if the value is a named option
|
|
if namedOption, ok := f.Value.(opts.NamedOption); ok {
|
|
if optsValue, ok := config[namedOption.Name()]; ok && !skipDuplicates[namedOption.Name()] {
|
|
conflicts = append(conflicts, printConflict(namedOption.Name(), f.Value.String(), optsValue))
|
|
}
|
|
} else {
|
|
// search flag name in the json configuration payload
|
|
for _, name := range []string{f.Name, f.Shorthand} {
|
|
if value, ok := config[name]; ok && !skipDuplicates[name] {
|
|
conflicts = append(conflicts, printConflict(name, f.Value.String(), value))
|
|
break
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
flags.Visit(duplicatedConflicts)
|
|
|
|
if len(conflicts) > 0 {
|
|
return fmt.Errorf("the following directives are specified both as a flag and in the configuration file: %s", strings.Join(conflicts, ", "))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Validate validates some specific configs.
|
|
// such as config.DNS, config.Labels, config.DNSSearch,
|
|
// as well as config.MaxConcurrentDownloads, config.MaxConcurrentUploads and config.MaxDownloadAttempts.
|
|
func Validate(config *Config) error {
|
|
//nolint:staticcheck // TODO(thaJeztah): remove in next release.
|
|
if config.RootDeprecated != "" {
|
|
return errors.New(`the "graph" config file option is deprecated; use "data-root" instead`)
|
|
}
|
|
|
|
// validate log-level
|
|
if config.LogLevel != "" {
|
|
if _, err := logrus.ParseLevel(config.LogLevel); err != nil {
|
|
return fmt.Errorf("invalid logging level: %s", config.LogLevel)
|
|
}
|
|
}
|
|
|
|
// validate DNS
|
|
for _, dns := range config.DNS {
|
|
if _, err := opts.ValidateIPAddress(dns); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// validate DNSSearch
|
|
for _, dnsSearch := range config.DNSSearch {
|
|
if _, err := opts.ValidateDNSSearch(dnsSearch); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// validate Labels
|
|
for _, label := range config.Labels {
|
|
if _, err := opts.ValidateLabel(label); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// TODO(thaJeztah) Validations below should not accept "0" to be valid; see Validate() for a more in-depth description of this problem
|
|
if config.Mtu < 0 {
|
|
return fmt.Errorf("invalid default MTU: %d", config.Mtu)
|
|
}
|
|
if config.MaxConcurrentDownloads < 0 {
|
|
return fmt.Errorf("invalid max concurrent downloads: %d", config.MaxConcurrentDownloads)
|
|
}
|
|
if config.MaxConcurrentUploads < 0 {
|
|
return fmt.Errorf("invalid max concurrent uploads: %d", config.MaxConcurrentUploads)
|
|
}
|
|
if config.MaxDownloadAttempts < 0 {
|
|
return fmt.Errorf("invalid max download attempts: %d", config.MaxDownloadAttempts)
|
|
}
|
|
|
|
// validate that "default" runtime is not reset
|
|
if runtimes := config.GetAllRuntimes(); len(runtimes) > 0 {
|
|
if _, ok := runtimes[StockRuntimeName]; ok {
|
|
return fmt.Errorf("runtime name '%s' is reserved", StockRuntimeName)
|
|
}
|
|
}
|
|
|
|
if _, err := ParseGenericResources(config.NodeGenericResources); err != nil {
|
|
return err
|
|
}
|
|
|
|
if defaultRuntime := config.GetDefaultRuntimeName(); defaultRuntime != "" {
|
|
if !builtinRuntimes[defaultRuntime] {
|
|
runtimes := config.GetAllRuntimes()
|
|
if _, ok := runtimes[defaultRuntime]; !ok && !IsPermissibleC8dRuntimeName(defaultRuntime) {
|
|
return fmt.Errorf("specified default runtime '%s' does not exist", defaultRuntime)
|
|
}
|
|
}
|
|
}
|
|
|
|
for _, h := range config.Hosts {
|
|
if _, err := opts.ValidateHost(h); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// validate platform-specific settings
|
|
return config.ValidatePlatformConfig()
|
|
}
|
|
|
|
// GetDefaultRuntimeName returns the current default runtime
|
|
func (conf *Config) GetDefaultRuntimeName() string {
|
|
conf.Lock()
|
|
rt := conf.DefaultRuntime
|
|
conf.Unlock()
|
|
|
|
return rt
|
|
}
|
|
|
|
// MaskCredentials masks credentials that are in an URL.
|
|
func MaskCredentials(rawURL string) string {
|
|
parsedURL, err := url.Parse(rawURL)
|
|
if err != nil || parsedURL.User == nil {
|
|
return rawURL
|
|
}
|
|
parsedURL.User = url.UserPassword("xxxxx", "xxxxx")
|
|
return parsedURL.String()
|
|
}
|
|
|
|
// IsPermissibleC8dRuntimeName tests whether name is safe to pass into
|
|
// containerd as a runtime name, and whether the name is well-formed.
|
|
// It does not check if the runtime is installed.
|
|
//
|
|
// A runtime name containing slash characters is interpreted by containerd as
|
|
// the path to a runtime binary. If we allowed this, anyone with Engine API
|
|
// access could get containerd to execute an arbitrary binary as root. Although
|
|
// Engine API access is already equivalent to root on the host, the runtime name
|
|
// has not historically been a vector to run arbitrary code as root so users are
|
|
// not expecting it to become one.
|
|
//
|
|
// This restriction is not configurable. There are viable workarounds for
|
|
// legitimate use cases: administrators and runtime developers can make runtimes
|
|
// available for use with Docker by installing them onto PATH following the
|
|
// [binary naming convention] for containerd Runtime v2.
|
|
//
|
|
// [binary naming convention]: https://github.com/containerd/containerd/blob/main/runtime/v2/README.md#binary-naming
|
|
func IsPermissibleC8dRuntimeName(name string) bool {
|
|
// containerd uses a rather permissive test to validate runtime names:
|
|
//
|
|
// - Any name for which filepath.IsAbs(name) is interpreted as the absolute
|
|
// path to a shim binary. We want to block this behaviour.
|
|
// - Any name which contains at least one '.' character and no '/' characters
|
|
// and does not begin with a '.' character is a valid runtime name. The shim
|
|
// binary name is derived from the final two components of the name and
|
|
// searched for on the PATH. The name "a.." is technically valid per
|
|
// containerd's implementation: it would resolve to a binary named
|
|
// "containerd-shim---".
|
|
//
|
|
// https://github.com/containerd/containerd/blob/11ded166c15f92450958078cd13c6d87131ec563/runtime/v2/manager.go#L297-L317
|
|
// https://github.com/containerd/containerd/blob/11ded166c15f92450958078cd13c6d87131ec563/runtime/v2/shim/util.go#L83-L93
|
|
return !filepath.IsAbs(name) && !strings.ContainsRune(name, '/') && shim.BinaryName(name) != ""
|
|
}
|