mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
098a44c07f
Finish the refactor which was partially completed with commit
34536c498d, passing around IdentityMapping structs instead of pairs of
[]IDMap slices.
Existing code which uses []IDMap relies on zero-valued fields to be
valid, empty mappings. So in order to successfully finish the
refactoring without introducing bugs, their replacement therefore also
needs to have a useful zero value which represents an empty mapping.
Change IdentityMapping to be a pass-by-value type so that there are no
nil pointers to worry about.
The functionality provided by the deprecated NewIDMappingsFromMaps
function is required by unit tests to to construct arbitrary
IdentityMapping values. And the daemon will always need to access the
mappings to pass them to the Linux kernel. Accommodate these use cases
by exporting the struct fields instead. BuildKit currently depends on
the UIDs and GIDs methods so we cannot get rid of them yet.
Signed-off-by: Cory Snider <csnider@mirantis.com>
161 lines
4.4 KiB
Go
161 lines
4.4 KiB
Go
//go:build !windows
|
|
// +build !windows
|
|
|
|
package buildkit
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
"sync"
|
|
|
|
"github.com/docker/docker/daemon/config"
|
|
"github.com/docker/docker/libnetwork"
|
|
"github.com/docker/docker/pkg/idtools"
|
|
"github.com/docker/docker/pkg/stringid"
|
|
"github.com/moby/buildkit/executor"
|
|
"github.com/moby/buildkit/executor/oci"
|
|
"github.com/moby/buildkit/executor/runcexecutor"
|
|
"github.com/moby/buildkit/identity"
|
|
"github.com/moby/buildkit/solver/pb"
|
|
"github.com/moby/buildkit/util/network"
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const networkName = "bridge"
|
|
|
|
func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap idtools.IdentityMapping, apparmorProfile string) (executor.Executor, error) {
|
|
netRoot := filepath.Join(root, "net")
|
|
networkProviders := map[pb.NetMode]network.Provider{
|
|
pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: netRoot},
|
|
pb.NetMode_HOST: network.NewHostProvider(),
|
|
pb.NetMode_NONE: network.NewNoneProvider(),
|
|
}
|
|
|
|
// make sure net state directory is cleared from previous state
|
|
fis, err := os.ReadDir(netRoot)
|
|
if err == nil {
|
|
for _, fi := range fis {
|
|
fp := filepath.Join(netRoot, fi.Name())
|
|
if err := os.RemoveAll(fp); err != nil {
|
|
logrus.WithError(err).Errorf("failed to delete old network state: %v", fp)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Returning a non-nil but empty *IdentityMapping breaks BuildKit:
|
|
// https://github.com/moby/moby/pull/39444
|
|
pidmap := &idmap
|
|
if idmap.Empty() {
|
|
pidmap = nil
|
|
}
|
|
|
|
return runcexecutor.New(runcexecutor.Opt{
|
|
Root: filepath.Join(root, "executor"),
|
|
CommandCandidates: []string{"runc"},
|
|
DefaultCgroupParent: cgroupParent,
|
|
Rootless: rootless,
|
|
NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
|
|
IdentityMapping: pidmap,
|
|
DNS: dnsConfig,
|
|
ApparmorProfile: apparmorProfile,
|
|
}, networkProviders)
|
|
}
|
|
|
|
type bridgeProvider struct {
|
|
libnetwork.NetworkController
|
|
Root string
|
|
}
|
|
|
|
func (p *bridgeProvider) New() (network.Namespace, error) {
|
|
n, err := p.NetworkByName(networkName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
iface := &lnInterface{ready: make(chan struct{}), provider: p}
|
|
iface.Once.Do(func() {
|
|
go iface.init(p.NetworkController, n)
|
|
})
|
|
|
|
return iface, nil
|
|
}
|
|
|
|
type lnInterface struct {
|
|
ep libnetwork.Endpoint
|
|
sbx libnetwork.Sandbox
|
|
sync.Once
|
|
err error
|
|
ready chan struct{}
|
|
provider *bridgeProvider
|
|
}
|
|
|
|
func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Network) {
|
|
defer close(iface.ready)
|
|
id := identity.NewID()
|
|
|
|
ep, err := n.CreateEndpoint(id, libnetwork.CreateOptionDisableResolution())
|
|
if err != nil {
|
|
iface.err = err
|
|
return
|
|
}
|
|
|
|
sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey(), libnetwork.OptionHostsPath(filepath.Join(iface.provider.Root, id, "hosts")),
|
|
libnetwork.OptionResolvConfPath(filepath.Join(iface.provider.Root, id, "resolv.conf")))
|
|
if err != nil {
|
|
iface.err = err
|
|
return
|
|
}
|
|
|
|
if err := ep.Join(sbx); err != nil {
|
|
iface.err = err
|
|
return
|
|
}
|
|
|
|
iface.sbx = sbx
|
|
iface.ep = ep
|
|
}
|
|
|
|
func (iface *lnInterface) Set(s *specs.Spec) error {
|
|
<-iface.ready
|
|
if iface.err != nil {
|
|
logrus.WithError(iface.err).Error("failed to set networking spec")
|
|
return iface.err
|
|
}
|
|
shortNetCtlrID := stringid.TruncateID(iface.provider.NetworkController.ID())
|
|
// attach netns to bridge within the container namespace, using reexec in a prestart hook
|
|
s.Hooks = &specs.Hooks{
|
|
Prestart: []specs.Hook{{
|
|
Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
|
|
Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), shortNetCtlrID},
|
|
}},
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (iface *lnInterface) Close() error {
|
|
<-iface.ready
|
|
if iface.sbx != nil {
|
|
go func() {
|
|
if err := iface.sbx.Delete(); err != nil {
|
|
logrus.WithError(err).Errorf("failed to delete builder network sandbox")
|
|
}
|
|
if err := os.RemoveAll(filepath.Join(iface.provider.Root, iface.sbx.ContainerID())); err != nil {
|
|
logrus.WithError(err).Errorf("failed to delete builder sandbox directory")
|
|
}
|
|
}()
|
|
}
|
|
return iface.err
|
|
}
|
|
|
|
func getDNSConfig(cfg config.DNSConfig) *oci.DNSConfig {
|
|
if cfg.DNS != nil || cfg.DNSSearch != nil || cfg.DNSOptions != nil {
|
|
return &oci.DNSConfig{
|
|
Nameservers: cfg.DNS,
|
|
SearchDomains: cfg.DNSSearch,
|
|
Options: cfg.DNSOptions,
|
|
}
|
|
}
|
|
return nil
|
|
}
|