dotcloud/docker

View on GitHub
daemon/cluster/convert/container.go

Summary

Maintainability
F
3 days
Test Coverage
package convert // import "github.com/docker/docker/daemon/cluster/convert"

import (
    "context"
    "encoding/json"
    "fmt"
    "strings"

    "github.com/containerd/log"
    "github.com/docker/docker/api/types/container"
    mounttypes "github.com/docker/docker/api/types/mount"
    types "github.com/docker/docker/api/types/swarm"
    gogotypes "github.com/gogo/protobuf/types"
    swarmapi "github.com/moby/swarmkit/v2/api"
    "github.com/pkg/errors"
)

func containerSpecFromGRPC(c *swarmapi.ContainerSpec) *types.ContainerSpec {
    if c == nil {
        return nil
    }
    containerSpec := &types.ContainerSpec{
        Image:          c.Image,
        Labels:         c.Labels,
        Command:        c.Command,
        Args:           c.Args,
        Hostname:       c.Hostname,
        Env:            c.Env,
        Dir:            c.Dir,
        User:           c.User,
        Groups:         c.Groups,
        StopSignal:     c.StopSignal,
        TTY:            c.TTY,
        OpenStdin:      c.OpenStdin,
        ReadOnly:       c.ReadOnly,
        Hosts:          c.Hosts,
        Secrets:        secretReferencesFromGRPC(c.Secrets),
        Configs:        configReferencesFromGRPC(c.Configs),
        Isolation:      IsolationFromGRPC(c.Isolation),
        Init:           initFromGRPC(c.Init),
        Sysctls:        c.Sysctls,
        CapabilityAdd:  c.CapabilityAdd,
        CapabilityDrop: c.CapabilityDrop,
        Ulimits:        ulimitsFromGRPC(c.Ulimits),
        OomScoreAdj:    c.OomScoreAdj,
    }

    if c.DNSConfig != nil {
        containerSpec.DNSConfig = &types.DNSConfig{
            Nameservers: c.DNSConfig.Nameservers,
            Search:      c.DNSConfig.Search,
            Options:     c.DNSConfig.Options,
        }
    }

    // Privileges
    if c.Privileges != nil {
        containerSpec.Privileges = &types.Privileges{}

        if c.Privileges.CredentialSpec != nil {
            containerSpec.Privileges.CredentialSpec = credentialSpecFromGRPC(c.Privileges.CredentialSpec)
        }

        if c.Privileges.SELinuxContext != nil {
            containerSpec.Privileges.SELinuxContext = &types.SELinuxContext{
                Disable: c.Privileges.SELinuxContext.Disable,
                User:    c.Privileges.SELinuxContext.User,
                Type:    c.Privileges.SELinuxContext.Type,
                Role:    c.Privileges.SELinuxContext.Role,
                Level:   c.Privileges.SELinuxContext.Level,
            }
        }

        if c.Privileges.Seccomp != nil {
            containerSpec.Privileges.Seccomp = &types.SeccompOpts{
                Profile: c.Privileges.Seccomp.Profile,
            }

            switch c.Privileges.Seccomp.Mode {
            case swarmapi.Privileges_SeccompOpts_DEFAULT:
                containerSpec.Privileges.Seccomp.Mode = types.SeccompModeDefault
            case swarmapi.Privileges_SeccompOpts_UNCONFINED:
                containerSpec.Privileges.Seccomp.Mode = types.SeccompModeUnconfined
            case swarmapi.Privileges_SeccompOpts_CUSTOM:
                containerSpec.Privileges.Seccomp.Mode = types.SeccompModeCustom
            }
        }

        if c.Privileges.Apparmor != nil {
            containerSpec.Privileges.AppArmor = &types.AppArmorOpts{}

            switch c.Privileges.Apparmor.Mode {
            case swarmapi.Privileges_AppArmorOpts_DEFAULT:
                containerSpec.Privileges.AppArmor.Mode = types.AppArmorModeDefault
            case swarmapi.Privileges_AppArmorOpts_DISABLED:
                containerSpec.Privileges.AppArmor.Mode = types.AppArmorModeDisabled
            }
        }

        containerSpec.Privileges.NoNewPrivileges = c.Privileges.NoNewPrivileges
    }

    // Mounts
    for _, m := range c.Mounts {
        mount := mounttypes.Mount{
            Target:   m.Target,
            Source:   m.Source,
            Type:     mounttypes.Type(strings.ToLower(swarmapi.Mount_MountType_name[int32(m.Type)])),
            ReadOnly: m.ReadOnly,
        }

        if m.BindOptions != nil {
            mount.BindOptions = &mounttypes.BindOptions{
                Propagation:            mounttypes.Propagation(strings.ToLower(swarmapi.Mount_BindOptions_MountPropagation_name[int32(m.BindOptions.Propagation)])),
                NonRecursive:           m.BindOptions.NonRecursive,
                CreateMountpoint:       m.BindOptions.CreateMountpoint,
                ReadOnlyNonRecursive:   m.BindOptions.ReadOnlyNonRecursive,
                ReadOnlyForceRecursive: m.BindOptions.ReadOnlyForceRecursive,
            }
        }

        if m.VolumeOptions != nil {
            mount.VolumeOptions = &mounttypes.VolumeOptions{
                NoCopy:  m.VolumeOptions.NoCopy,
                Labels:  m.VolumeOptions.Labels,
                Subpath: m.VolumeOptions.Subpath,
            }
            if m.VolumeOptions.DriverConfig != nil {
                mount.VolumeOptions.DriverConfig = &mounttypes.Driver{
                    Name:    m.VolumeOptions.DriverConfig.Name,
                    Options: m.VolumeOptions.DriverConfig.Options,
                }
            }
        }

        if m.TmpfsOptions != nil {
            mount.TmpfsOptions = &mounttypes.TmpfsOptions{
                SizeBytes: m.TmpfsOptions.SizeBytes,
                Mode:      m.TmpfsOptions.Mode,
                Options:   tmpfsOptionsFromGRPC(m.TmpfsOptions.Options),
            }
        }
        containerSpec.Mounts = append(containerSpec.Mounts, mount)
    }

    if c.StopGracePeriod != nil {
        grace, _ := gogotypes.DurationFromProto(c.StopGracePeriod)
        containerSpec.StopGracePeriod = &grace
    }

    if c.Healthcheck != nil {
        containerSpec.Healthcheck = healthConfigFromGRPC(c.Healthcheck)
    }

    return containerSpec
}

func initFromGRPC(v *gogotypes.BoolValue) *bool {
    if v == nil {
        return nil
    }
    value := v.GetValue()
    return &value
}

func initToGRPC(v *bool) *gogotypes.BoolValue {
    if v == nil {
        return nil
    }
    return &gogotypes.BoolValue{Value: *v}
}

func secretReferencesToGRPC(sr []*types.SecretReference) []*swarmapi.SecretReference {
    refs := make([]*swarmapi.SecretReference, 0, len(sr))
    for _, s := range sr {
        ref := &swarmapi.SecretReference{
            SecretID:   s.SecretID,
            SecretName: s.SecretName,
        }
        if s.File != nil {
            ref.Target = &swarmapi.SecretReference_File{
                File: &swarmapi.FileTarget{
                    Name: s.File.Name,
                    UID:  s.File.UID,
                    GID:  s.File.GID,
                    Mode: s.File.Mode,
                },
            }
        }

        refs = append(refs, ref)
    }

    return refs
}

func secretReferencesFromGRPC(sr []*swarmapi.SecretReference) []*types.SecretReference {
    refs := make([]*types.SecretReference, 0, len(sr))
    for _, s := range sr {
        target := s.GetFile()
        if target == nil {
            // not a file target
            log.G(context.TODO()).Warnf("secret target not a file: secret=%s", s.SecretID)
            continue
        }
        refs = append(refs, &types.SecretReference{
            File: &types.SecretReferenceFileTarget{
                Name: target.Name,
                UID:  target.UID,
                GID:  target.GID,
                Mode: target.Mode,
            },
            SecretID:   s.SecretID,
            SecretName: s.SecretName,
        })
    }

    return refs
}

func configReferencesToGRPC(sr []*types.ConfigReference) ([]*swarmapi.ConfigReference, error) {
    refs := make([]*swarmapi.ConfigReference, 0, len(sr))
    for _, s := range sr {
        ref := &swarmapi.ConfigReference{
            ConfigID:   s.ConfigID,
            ConfigName: s.ConfigName,
        }
        switch {
        case s.Runtime == nil && s.File == nil:
            return nil, errors.New("either File or Runtime should be set")
        case s.Runtime != nil && s.File != nil:
            return nil, errors.New("cannot specify both File and Runtime")
        case s.Runtime != nil:
            // Runtime target was added in API v1.40 and takes precedence over
            // File target. However, File and Runtime targets are mutually exclusive,
            // so we should never have both.
            ref.Target = &swarmapi.ConfigReference_Runtime{
                Runtime: &swarmapi.RuntimeTarget{},
            }
        case s.File != nil:
            ref.Target = &swarmapi.ConfigReference_File{
                File: &swarmapi.FileTarget{
                    Name: s.File.Name,
                    UID:  s.File.UID,
                    GID:  s.File.GID,
                    Mode: s.File.Mode,
                },
            }
        }

        refs = append(refs, ref)
    }

    return refs, nil
}

func configReferencesFromGRPC(sr []*swarmapi.ConfigReference) []*types.ConfigReference {
    refs := make([]*types.ConfigReference, 0, len(sr))
    for _, s := range sr {
        r := &types.ConfigReference{
            ConfigID:   s.ConfigID,
            ConfigName: s.ConfigName,
        }
        if target := s.GetRuntime(); target != nil {
            r.Runtime = &types.ConfigReferenceRuntimeTarget{}
        } else if target := s.GetFile(); target != nil {
            r.File = &types.ConfigReferenceFileTarget{
                Name: target.Name,
                UID:  target.UID,
                GID:  target.GID,
                Mode: target.Mode,
            }
        } else {
            // not a file target
            log.G(context.TODO()).Warnf("config target not known: config=%s", s.ConfigID)
            continue
        }
        refs = append(refs, r)
    }

    return refs
}

func containerToGRPC(c *types.ContainerSpec) (*swarmapi.ContainerSpec, error) {
    containerSpec := &swarmapi.ContainerSpec{
        Image:          c.Image,
        Labels:         c.Labels,
        Command:        c.Command,
        Args:           c.Args,
        Hostname:       c.Hostname,
        Env:            c.Env,
        Dir:            c.Dir,
        User:           c.User,
        Groups:         c.Groups,
        StopSignal:     c.StopSignal,
        TTY:            c.TTY,
        OpenStdin:      c.OpenStdin,
        ReadOnly:       c.ReadOnly,
        Hosts:          c.Hosts,
        Secrets:        secretReferencesToGRPC(c.Secrets),
        Isolation:      isolationToGRPC(c.Isolation),
        Init:           initToGRPC(c.Init),
        Sysctls:        c.Sysctls,
        CapabilityAdd:  c.CapabilityAdd,
        CapabilityDrop: c.CapabilityDrop,
        Ulimits:        ulimitsToGRPC(c.Ulimits),
        OomScoreAdj:    c.OomScoreAdj,
    }

    if c.DNSConfig != nil {
        containerSpec.DNSConfig = &swarmapi.ContainerSpec_DNSConfig{
            Nameservers: c.DNSConfig.Nameservers,
            Search:      c.DNSConfig.Search,
            Options:     c.DNSConfig.Options,
        }
    }

    if c.StopGracePeriod != nil {
        containerSpec.StopGracePeriod = gogotypes.DurationProto(*c.StopGracePeriod)
    }

    // Privileges
    if c.Privileges != nil {
        containerSpec.Privileges = &swarmapi.Privileges{}

        if c.Privileges.CredentialSpec != nil {
            cs, err := credentialSpecToGRPC(c.Privileges.CredentialSpec)
            if err != nil {
                return nil, errors.Wrap(err, "invalid CredentialSpec")
            }
            containerSpec.Privileges.CredentialSpec = cs
        }

        if c.Privileges.SELinuxContext != nil {
            containerSpec.Privileges.SELinuxContext = &swarmapi.Privileges_SELinuxContext{
                Disable: c.Privileges.SELinuxContext.Disable,
                User:    c.Privileges.SELinuxContext.User,
                Type:    c.Privileges.SELinuxContext.Type,
                Role:    c.Privileges.SELinuxContext.Role,
                Level:   c.Privileges.SELinuxContext.Level,
            }
        }

        if c.Privileges.Seccomp != nil {
            containerSpec.Privileges.Seccomp = &swarmapi.Privileges_SeccompOpts{
                Profile: c.Privileges.Seccomp.Profile,
            }

            switch c.Privileges.Seccomp.Mode {
            case types.SeccompModeDefault:
                containerSpec.Privileges.Seccomp.Mode = swarmapi.Privileges_SeccompOpts_DEFAULT
            case types.SeccompModeUnconfined:
                containerSpec.Privileges.Seccomp.Mode = swarmapi.Privileges_SeccompOpts_UNCONFINED
            case types.SeccompModeCustom:
                containerSpec.Privileges.Seccomp.Mode = swarmapi.Privileges_SeccompOpts_CUSTOM
            }
        }

        if c.Privileges.AppArmor != nil {
            containerSpec.Privileges.Apparmor = &swarmapi.Privileges_AppArmorOpts{}

            switch c.Privileges.AppArmor.Mode {
            case types.AppArmorModeDefault:
                containerSpec.Privileges.Apparmor.Mode = swarmapi.Privileges_AppArmorOpts_DEFAULT
            case types.AppArmorModeDisabled:
                containerSpec.Privileges.Apparmor.Mode = swarmapi.Privileges_AppArmorOpts_DISABLED
            }
        }

        containerSpec.Privileges.NoNewPrivileges = c.Privileges.NoNewPrivileges
    }

    if c.Configs != nil {
        configs, err := configReferencesToGRPC(c.Configs)
        if err != nil {
            return nil, errors.Wrap(err, "invalid Config")
        }
        containerSpec.Configs = configs
    }

    // Mounts
    for _, m := range c.Mounts {
        mount := swarmapi.Mount{
            Target:   m.Target,
            Source:   m.Source,
            ReadOnly: m.ReadOnly,
        }

        if mountType, ok := swarmapi.Mount_MountType_value[strings.ToUpper(string(m.Type))]; ok {
            mount.Type = swarmapi.Mount_MountType(mountType)
        } else if string(m.Type) != "" {
            return nil, fmt.Errorf("invalid MountType: %q", m.Type)
        }

        if m.BindOptions != nil {
            if mountPropagation, ok := swarmapi.Mount_BindOptions_MountPropagation_value[strings.ToUpper(string(m.BindOptions.Propagation))]; ok {
                mount.BindOptions = &swarmapi.Mount_BindOptions{Propagation: swarmapi.Mount_BindOptions_MountPropagation(mountPropagation)}
            } else if string(m.BindOptions.Propagation) != "" {
                return nil, fmt.Errorf("invalid MountPropagation: %q", m.BindOptions.Propagation)
            }

            if m.BindOptions.NonRecursive {
                if mount.BindOptions == nil {
                    // the propagation defaults to rprivate
                    mount.BindOptions = &swarmapi.Mount_BindOptions{}
                }
                mount.BindOptions.NonRecursive = m.BindOptions.NonRecursive
            }
        }

        if m.VolumeOptions != nil {
            mount.VolumeOptions = &swarmapi.Mount_VolumeOptions{
                NoCopy:  m.VolumeOptions.NoCopy,
                Labels:  m.VolumeOptions.Labels,
                Subpath: m.VolumeOptions.Subpath,
            }
            if m.VolumeOptions.DriverConfig != nil {
                mount.VolumeOptions.DriverConfig = &swarmapi.Driver{
                    Name:    m.VolumeOptions.DriverConfig.Name,
                    Options: m.VolumeOptions.DriverConfig.Options,
                }
            }
        }

        if m.TmpfsOptions != nil {
            mount.TmpfsOptions = &swarmapi.Mount_TmpfsOptions{
                SizeBytes: m.TmpfsOptions.SizeBytes,
                Mode:      m.TmpfsOptions.Mode,
                Options:   tmpfsOptionsToGRPC(m.TmpfsOptions.Options),
            }
        }

        containerSpec.Mounts = append(containerSpec.Mounts, mount)
    }

    if c.Healthcheck != nil {
        containerSpec.Healthcheck = healthConfigToGRPC(c.Healthcheck)
    }

    return containerSpec, nil
}

func credentialSpecFromGRPC(c *swarmapi.Privileges_CredentialSpec) *types.CredentialSpec {
    cs := &types.CredentialSpec{}
    switch c.Source.(type) {
    case *swarmapi.Privileges_CredentialSpec_Config:
        cs.Config = c.GetConfig()
    case *swarmapi.Privileges_CredentialSpec_File:
        cs.File = c.GetFile()
    case *swarmapi.Privileges_CredentialSpec_Registry:
        cs.Registry = c.GetRegistry()
    }
    return cs
}

func credentialSpecToGRPC(c *types.CredentialSpec) (*swarmapi.Privileges_CredentialSpec, error) {
    var opts []string

    if c.Config != "" {
        opts = append(opts, `"config"`)
    }
    if c.File != "" {
        opts = append(opts, `"file"`)
    }
    if c.Registry != "" {
        opts = append(opts, `"registry"`)
    }
    l := len(opts)
    switch {
    case l == 0:
        return nil, errors.New(`must either provide "file", "registry", or "config" for credential spec`)
    case l == 2:
        return nil, fmt.Errorf("cannot specify both %s and %s credential specs", opts[0], opts[1])
    case l > 2:
        return nil, fmt.Errorf("cannot specify both %s, and %s credential specs", strings.Join(opts[:l-1], ", "), opts[l-1])
    }

    spec := &swarmapi.Privileges_CredentialSpec{}
    switch {
    case c.Config != "":
        spec.Source = &swarmapi.Privileges_CredentialSpec_Config{
            Config: c.Config,
        }
    case c.File != "":
        spec.Source = &swarmapi.Privileges_CredentialSpec_File{
            File: c.File,
        }
    case c.Registry != "":
        spec.Source = &swarmapi.Privileges_CredentialSpec_Registry{
            Registry: c.Registry,
        }
    }

    return spec, nil
}

func healthConfigFromGRPC(h *swarmapi.HealthConfig) *container.HealthConfig {
    interval, _ := gogotypes.DurationFromProto(h.Interval)
    timeout, _ := gogotypes.DurationFromProto(h.Timeout)
    startPeriod, _ := gogotypes.DurationFromProto(h.StartPeriod)
    startInterval, _ := gogotypes.DurationFromProto(h.StartInterval)
    return &container.HealthConfig{
        Test:          h.Test,
        Interval:      interval,
        Timeout:       timeout,
        Retries:       int(h.Retries),
        StartPeriod:   startPeriod,
        StartInterval: startInterval,
    }
}

func healthConfigToGRPC(h *container.HealthConfig) *swarmapi.HealthConfig {
    return &swarmapi.HealthConfig{
        Test:          h.Test,
        Interval:      gogotypes.DurationProto(h.Interval),
        Timeout:       gogotypes.DurationProto(h.Timeout),
        Retries:       int32(h.Retries),
        StartPeriod:   gogotypes.DurationProto(h.StartPeriod),
        StartInterval: gogotypes.DurationProto(h.StartInterval),
    }
}

// IsolationFromGRPC converts a swarm api container isolation to a moby isolation representation
func IsolationFromGRPC(i swarmapi.ContainerSpec_Isolation) container.Isolation {
    switch i {
    case swarmapi.ContainerIsolationHyperV:
        return container.IsolationHyperV
    case swarmapi.ContainerIsolationProcess:
        return container.IsolationProcess
    case swarmapi.ContainerIsolationDefault:
        return container.IsolationDefault
    }
    return container.IsolationEmpty
}

func isolationToGRPC(i container.Isolation) swarmapi.ContainerSpec_Isolation {
    if i.IsHyperV() {
        return swarmapi.ContainerIsolationHyperV
    }
    if i.IsProcess() {
        return swarmapi.ContainerIsolationProcess
    }
    return swarmapi.ContainerIsolationDefault
}

func ulimitsFromGRPC(u []*swarmapi.ContainerSpec_Ulimit) []*container.Ulimit {
    ulimits := make([]*container.Ulimit, len(u))

    for i, ulimit := range u {
        ulimits[i] = &container.Ulimit{
            Name: ulimit.Name,
            Soft: ulimit.Soft,
            Hard: ulimit.Hard,
        }
    }

    return ulimits
}

func ulimitsToGRPC(u []*container.Ulimit) []*swarmapi.ContainerSpec_Ulimit {
    ulimits := make([]*swarmapi.ContainerSpec_Ulimit, len(u))

    for i, ulimit := range u {
        ulimits[i] = &swarmapi.ContainerSpec_Ulimit{
            Name: ulimit.Name,
            Soft: ulimit.Soft,
            Hard: ulimit.Hard,
        }
    }

    return ulimits
}

func tmpfsOptionsToGRPC(options [][]string) string {
    // The shape of the swarmkit API that tmpfs options are a string. The shape
    // of the docker API has them as a more structured array of arrays of
    // strings. To smooth this over, we will marshall the array-of-arrays to
    // json then pass that as the string.

    // Marshalling json can create an error, but only in specific cases which
    // are not relevant. We can ignore the possibility.
    jsonBytes, _ := json.Marshal(options)
    return string(jsonBytes)
}

func tmpfsOptionsFromGRPC(options string) [][]string {
    // See tmpfsOptionsToGRPC for the reasoning. We undo what we did.
    var unstring [][]string
    // We can't return errors from here, so just don't ever pass anything that
    // could result in an error.
    //
    // Duh.
    //
    // If there is something erroneous, then an empty return value will result,
    // which should not be catastrophic. Because we control the data that is
    // marshalled (in tmpfsOptionsToGRPC), we can more-or-less ensure that only
    // valid data is unmarshalled here. If someone does something like muck
    // with the GRPC API directly, then they get footgun, no apologies.
    _ = json.Unmarshal([]byte(options), &unstring)
    return unstring
}