Prior to commit b5bf89c31, all socket fds passed to the docker-proxy
were getting the O_NONBLOCK flag set. However, that commit added support
for SCTP socket-passing, and had to conditionally guard this behavior to
not use it on SCTP sockets due to ishidawataru/sctp not clearing the
flag.
A fix was made in ishidawataru/sctp (see [1]), so we can remove that
condition.
[1]: https://github.com/ishidawataru/sctp/commit/4b890084db30
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Since commit b3fabedec, the bridge driver maps ports following a 3-step
process: 1. create a socket, and bind it to the host port; 2. create
iptables rules; 3. start the userland proxy (if it's enabled). This
ensures that the port is really free before inserting iptables rules
that could otherwise disrupt host services.
However, this 3-step process wasn't implemented for SCTP, because we had
no way to instantiate an SCTP listener from an fd. Since
github.com/ishidawataru/sctp@4719921f9, we can.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
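The three-step order described in the commit above (bind the host port first, then create the firewall rule, then hand the already-bound socket to the proxy), written out as an added example that is not the bridge driver's own code. TCP stands in for SCTP because Go's standard library has no SCTP support, and the rule-insertion step is an injected callback rather than a real iptables call; both are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
)

// mapPort publishes a host port in the order the bridge driver uses.
// Illustrative code (not from moby/moby); addRule is a stand-in for the
// iptables step so the ordering can be exercised without root.
func mapPort(hostAddr string, addRule func(port int) error) (net.Listener, error) {
	// Step 1: bind the host port. If a host service already owns it this
	// fails with EADDRINUSE, and no forwarding rule is ever created that
	// could redirect that service's traffic into a container.
	ln, err := net.Listen("tcp", hostAddr)
	if err != nil {
		return nil, fmt.Errorf("host port not free: %w", err)
	}
	tcpLn := ln.(*net.TCPListener)
	port := tcpLn.Addr().(*net.TCPAddr).Port

	// Step 2: only now, with the port provably ours, insert the rule.
	// If that fails, release the port again so nothing is left half-mapped.
	if err := addRule(port); err != nil {
		tcpLn.Close()
		return nil, fmt.Errorf("adding rule for port %d: %w", port, err)
	}

	// Step 3: hand the bound socket to the proxy as a file descriptor, not
	// as an address, so the proxy cannot race another process for the port.
	// ln.File() dups the socket fd; net.FileListener wraps that dup.
	f, err := tcpLn.File()
	if err != nil {
		tcpLn.Close()
		return nil, err
	}
	defer f.Close()
	proxyLn, err := net.FileListener(f)
	if err != nil {
		tcpLn.Close()
		return nil, err
	}
	// The original handle is no longer needed: the dup'ed fd keeps the
	// socket, and therefore the port reservation, alive.
	tcpLn.Close()
	return proxyLn, nil
}

func main() {
	proxyLn, err := mapPort("127.0.0.1:0", func(port int) error {
		fmt.Printf("would insert DNAT rule for host port %d\n", port)
		return nil
	})
	if err != nil {
		fmt.Println("mapping failed:", err)
		return
	}
	defer proxyLn.Close()

	// A second mapping of the same port must fail at step 1, before any rule.
	_, err = mapPort(proxyLn.Addr().String(), func(int) error {
		panic("rule step must not run for a busy port")
	})
	fmt.Println("second bind rejected:", err != nil)

	// The listener rebuilt from the fd accepts connections normally.
	c, err := net.Dial("tcp", proxyLn.Addr().String())
	if err != nil {
		fmt.Println("dial failed:", err)
		return
	}
	defer c.Close()
	s, err := proxyLn.Accept()
	if err != nil {
		fmt.Println("accept failed:", err)
		return
	}
	s.Close()
	fmt.Println("proxy listener accepted a connection on", proxyLn.Addr())
}
```

The point of the ordering is visible in the failure paths: a busy port is detected before the rule step runs at all, and a failed rule step releases the port instead of leaving a bound socket behind.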
These comments were added to enforce using the correct import path for
our packages ("github.com/docker/docker", not "github.com/moby/moby").
However, when working in go module mode (not GOPATH / vendor), they have
no effect, so their impact is limited.
Remove these imports in preparation for migrating our code to become an
actual go module.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Instead of passing the dirs for buildkit to configure the same cache
instance, just pass the shared CDI cache instance.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Commit 7b153b9e28 changed the daemon to
advertise the recommended builder to use to V2 (BuildKit) for Linux
daemons, and V1 (Legacy Builder) for Windows daemons. For Linux daemons
we allowed the default to be overridden through the "features" field
in the daemon config (daemon.json), but for Windows we hard-coded it
to be V1, with no option to override it.
With work in progress on implementing support for Windows in BuildKit,
we should remove this hardcoded assumption, and allow the default to
be overridden to advertise that BuildKit is supported.
Note that BuildKit on Windows is still very much a "work in progress",
and enabling it in the daemon may not even work, so users should not
try to enable this feature; a warning-level log is added to make it
visible that the feature is enabled.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The image api already defines the backend used and does
not directly use the reference store backend. It also should not
directly use the reference store backend.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Per-network option com.docker.network.bridge.trusted-host-interfaces
accepts a list of interfaces that are allowed to route
directly to a container's published ports in a bridge
network with nat enabled.
This daemon level option disables direct access filtering,
enabling direct access to published ports on container
addresses in all bridge networks, via all host interfaces.
It overlaps with short-term env-var workaround:
DOCKER_INSECURE_NO_IPTABLES_RAW=1
- it does not allow packets sent from outside the host to reach
ports published only to 127.0.0.1
- it will outlive iptables (the workaround was initially intended
for hosts that do not have kernel support for the "raw" iptables
table).
Signed-off-by: Rob Murray <rob.murray@docker.com>
The build exporter now clears the image tags and always exports to a
dangling image. It then uses the image tagger to perform the tagging
which causes the dangling image to be removed and the naming message to
be sent correctly.
An additional progress message is sent to indicate the renaming.
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
gotest.tools v3.0.1 and up support Go's native test.Cleanup(), which
means that manually calling the cleanup functions in a defer is no
longer needed.
Some of these could probably be replaced by Go's native `t.TempDir()`,
but keeping that for a follow-up exercise.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This option was deprecated in 1932091e21, and
is no longer used. It was only kept to allow printing a deprecation warning
if the config would happen to have the field set.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The UDP proxy is setting a deadline of 90 seconds when reading from the
backend. If no data is received within this interval, it reclaims the
connection.
This means the backend would see a different connection every 90
seconds if the backend never sends back any reply to a client.
This change prevents the proxy from eagerly GC'ing such connections by
taking into account the last time a datagram was proxied to the backend.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
The UDP proxy used by cmd/docker-proxy is executing Write and Close in
two separate goroutines, such that a Close could interrupt an in-flight
Write.
Introduce a `connTrackEntry` that wraps a `net.Conn` and a `sync.Mutex`
to ensure that Write and Close are serialized.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
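The two UDP proxy changes above (an idle reaper that considers when a datagram was last proxied to the backend, and a `connTrackEntry` that serialises Write and Close) as one added example. This is illustrative code, not the docker-proxy implementation: the entry type, its `touch` and `idle` methods, and the use of `net.Pipe` as a stand-in backend connection are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// connTrackEntry wraps the backend net.Conn for one client. The mutex
// serialises Write and Close so a Close issued by the reaper cannot land in
// the middle of an in-flight Write; lastActivity records the last datagram
// proxied in either direction, so a client that never gets replies is not
// reclaimed every timeout interval. (Illustrative, not moby's own type.)
type connTrackEntry struct {
	mu           sync.Mutex
	conn         net.Conn
	closed       bool
	lastActivity time.Time
}

func newConnTrackEntry(c net.Conn, now time.Time) *connTrackEntry {
	return &connTrackEntry{conn: c, lastActivity: now}
}

// Write proxies one client datagram to the backend. After Close it returns
// net.ErrClosed rather than writing to a closed socket.
func (e *connTrackEntry) Write(b []byte) (int, error) {
	e.mu.Lock()
	defer e.mu.Unlock()
	if e.closed {
		return 0, net.ErrClosed
	}
	n, err := e.conn.Write(b)
	if err == nil {
		e.lastActivity = time.Now()
	}
	return n, err
}

// touch is called by the goroutine reading backend replies, so replies also
// count as activity.
func (e *connTrackEntry) touch() {
	e.mu.Lock()
	e.lastActivity = time.Now()
	e.mu.Unlock()
}

// Close is idempotent and cannot overlap a Write.
func (e *connTrackEntry) Close() error {
	e.mu.Lock()
	defer e.mu.Unlock()
	if e.closed {
		return nil
	}
	e.closed = true
	return e.conn.Close()
}

// idle reports whether no datagram was proxied in either direction for
// longer than timeout, as of now. A reaper consults this instead of relying
// on a read deadline alone, which only sees backend replies.
func (e *connTrackEntry) idle(now time.Time, timeout time.Duration) bool {
	e.mu.Lock()
	defer e.mu.Unlock()
	return now.Sub(e.lastActivity) > timeout
}

func main() {
	client, backend := net.Pipe() // in-memory stand-in for the backend socket
	go func() {
		buf := make([]byte, 64)
		for {
			n, err := backend.Read(buf)
			if err != nil {
				return
			}
			fmt.Printf("backend received %q\n", buf[:n])
		}
	}()

	const timeout = 90 * time.Second
	e := newConnTrackEntry(client, time.Now().Add(-2*time.Minute))
	fmt.Println("idle before any traffic:", e.idle(time.Now(), timeout))
	if _, err := e.Write([]byte("ping")); err != nil {
		fmt.Println("write failed:", err)
		return
	}
	fmt.Println("idle after proxying a datagram:", e.idle(time.Now(), timeout))
	_ = e.Close()
	_, err := e.Write([]byte("late"))
	fmt.Println("write after close returns net.ErrClosed:", errors.Is(err, net.ErrClosed))
}
```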
This function had to be called both in the daemon startup, as well as
the CLI startup, which, in the case of the CLI, meant that the registry
package became a required dependency for all CLI-plugins.
Make the package itself aware of situations where it's running with
RootlessKit enabled. Altogether we should get rid of this package-level
variable, and instead store this in our configuration, and pass through
where it's used.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We return errors in this function, except for this one, which was logged
as Fatal. If we want errors to be logged, we should probably do so in
the function calling daemonCLI.start.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function could produce various logs ("Running in rootless mode") at
the start, but further steps could still fail (such as running with
RootlessKit, but not being configured as rootless).
This patch moves the informational / warning logs further down, so that
we don't produce logs before failing.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Explicitly access config field through the Config field, instead
of the top-level "cli". This allows spotting locations where we don't
depend on the CLI, but really just the Config.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This method only depended on the CLI config; rewrite it to a
regular function, returning the opts to use for the containerd
daemon.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function took the whole daemon CLI as argument, but only needed
the config; change the signature to accept that.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This method only required the config to be passed; rewrite it to a
regular func that accepts the config.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The WatchStream field was set as a configuration option in cmd/dockerd,
but not configurable. Move creating the stream to the constructor,
and remove the configuration option. This field was introduced in
59d45c384a, at which time the cmd/dockerd
code needed direct access to the stream, but a later refactor in
05346355db introduced an accessor
(GetWatchStream) for this.
The cluster.Config struct is only used internally; it's unlikely
for any external project to use this, so skipping deprecation.
With this change, the cmd/dockerd package no longer has a direct
import of swarmkit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Move logging out of config.Reload and daemon.Reload itself, as it was not
the right place to know whether it was a "signal" that triggered the reload.
- Use Daemon.Config() to get the new config after reloading. This returns an
immutable copy of the daemon's config, so we can redact fields without having
to use an ad-hoc struct to shadow the underlying fields.
- Use structured logs for logging config reload events.
Before this (plain text):
INFO[2025-02-08T12:13:53.389649297Z] Got signal to reload configuration, reloading from: /etc/docker/daemon.json
INFO[2025-02-08T12:30:34.857691260Z] Reloaded configuration: {"pidfile":"/var/run/docker.pid","data-root":"/var/lib/docker","exec-root":"/var/run/docker","group":"docker","max-concurrent-downloads":3,"max-concurrent-uploads":5,"max-download-attempts":5,"shutdown-timeout":15,"hosts":["unix:///var/run/docker.sock"],"log-level":"info","log-format":"text","swarm-default-advertise-addr":"","swarm-raft-heartbeat-tick":0,"swarm-raft-election-tick":0,"metrics-addr":"","host-gateway-ips":[""],"log-driver":"json-file","mtu":1500,"ip":"0.0.0.0","icc":true,"iptables":true,"ip6tables":true,"ip-forward":true,"ip-masq":true,"userland-proxy":true,"userland-proxy-path":"/usr/local/bin/docker-proxy","default-address-pools":{"Values":null},"network-control-plane-mtu":1500,"experimental":false,"containerd":"/var/run/docker/containerd/containerd.sock","features":{"containerd-snapshotter":false},"builder":{"GC":{},"Entitlements":{}},"containerd-namespace":"moby","containerd-plugin-namespace":"plugins.moby","default-runtime":"runc","runtimes":{"crun":{"path":"/usr/local/bin/crun"}},"seccomp-profile":"builtin","default-shm-size":67108864,"default-ipc-mode":"private","default-cgroupns-mode":"private","resolv-conf":"/etc/resolv.conf","proxies":{}}
Before this (JSON logs):
{"level":"info","msg":"Reloaded configuration: {\"pidfile\":\"/var/run/docker.pid\",\"data-root\":\"/var/lib/docker\",\"exec-root\":\"/var/run/docker\",\"group\":\"docker\",\"max-concurrent-downloads\":3,\"max-concurrent-uploads\":5,\"max-download-attempts\":5,\"shutdown-timeout\":15,\"hosts\":[\"unix:///var/run/docker.sock\"],\"log-level\":\"info\",\"log-format\":\"json\",\"swarm-default-advertise-addr\":\"\",\"swarm-raft-heartbeat-tick\":0,\"swarm-raft-election-tick\":0,\"metrics-addr\":\"\",\"host-gateway-ips\":[\"\"],\"log-driver\":\"json-file\",\"mtu\":1500,\"ip\":\"0.0.0.0\",\"icc\":true,\"iptables\":true,\"ip6tables\":true,\"ip-forward\":true,\"ip-masq\":true,\"userland-proxy\":true,\"userland-proxy-path\":\"/usr/local/bin/docker-proxy\",\"default-address-pools\":{\"Values\":null},\"network-control-plane-mtu\":1500,\"experimental\":false,\"containerd\":\"/var/run/docker/containerd/containerd.sock\",\"features\":{\"containerd-snapshotter\":false},\"builder\":{\"GC\":{},\"Entitlements\":{}},\"containerd-namespace\":\"moby\",\"containerd-plugin-namespace\":\"plugins.moby\",\"default-runtime\":\"runc\",\"runtimes\":{\"crun\":{\"path\":\"/usr/local/bin/crun\"}},\"seccomp-profile\":\"builtin\",\"default-shm-size\":67108864,\"default-ipc-mode\":\"private\",\"default-cgroupns-mode\":\"private\",\"resolv-conf\":\"/etc/resolv.conf\",\"proxies\":{}}","time":"2025-02-08T12:24:38.600761054Z"}
After this (plain text):
INFO[2025-02-08T12:30:34.835953594Z] Got signal to reload configuration config-file=/etc/docker/daemon.json
INFO[2025-02-08T12:30:34.857614135Z] Reloaded configuration config="{\"pidfile\":\"/var/run/docker.pid\",\"data-root\":\"/var/lib/docker\",\"exec-root\":\"/var/run/docker\",\"group\":\"docker\",\"max-concurrent-downloads\":3,\"max-concurrent-uploads\":5,\"max-download-attempts\":5,\"shutdown-timeout\":15,\"hosts\":[\"unix:///var/run/docker.sock\"],\"log-level\":\"info\",\"log-format\":\"text\",\"swarm-default-advertise-addr\":\"\",\"swarm-raft-heartbeat-tick\":0,\"swarm-raft-election-tick\":0,\"metrics-addr\":\"\",\"host-gateway-ips\":[\"\"],\"log-driver\":\"json-file\",\"mtu\":1500,\"ip\":\"0.0.0.0\",\"icc\":true,\"iptables\":true,\"ip6tables\":true,\"ip-forward\":true,\"ip-masq\":true,\"userland-proxy\":true,\"userland-proxy-path\":\"/usr/local/bin/docker-proxy\",\"default-address-pools\":{\"Values\":null},\"network-control-plane-mtu\":1500,\"experimental\":false,\"containerd\":\"/var/run/docker/containerd/containerd.sock\",\"features\":{\"containerd-snapshotter\":false},\"builder\":{\"GC\":{},\"Entitlements\":{}},\"containerd-namespace\":\"moby\",\"containerd-plugin-namespace\":\"plugins.moby\",\"default-runtime\":\"runc\",\"runtimes\":{\"crun\":{\"path\":\"/usr/local/bin/crun\"}},\"seccomp-profile\":\"builtin\",\"default-shm-size\":67108864,\"default-ipc-mode\":\"private\",\"default-cgroupns-mode\":\"private\",\"resolv-conf\":\"/etc/resolv.conf\",\"proxies\":{}}"
After this (JSON logs):
{"config-file":"/etc/docker/daemon.json","level":"info","msg":"Got signal to reload configuration","time":"2025-02-08T12:24:38.589955637Z"}
{"config":"{\"pidfile\":\"/var/run/docker.pid\",\"data-root\":\"/var/lib/docker\",\"exec-root\":\"/var/run/docker\",\"group\":\"docker\",\"max-concurrent-downloads\":3,\"max-concurrent-uploads\":5,\"max-download-attempts\":5,\"shutdown-timeout\":15,\"hosts\":[\"unix:///var/run/docker.sock\"],\"log-level\":\"info\",\"log-format\":\"json\",\"swarm-default-advertise-addr\":\"\",\"swarm-raft-heartbeat-tick\":0,\"swarm-raft-election-tick\":0,\"metrics-addr\":\"\",\"host-gateway-ips\":[\"\"],\"log-driver\":\"json-file\",\"mtu\":1500,\"ip\":\"0.0.0.0\",\"icc\":true,\"iptables\":true,\"ip6tables\":true,\"ip-forward\":true,\"ip-masq\":true,\"userland-proxy\":true,\"userland-proxy-path\":\"/usr/local/bin/docker-proxy\",\"default-address-pools\":{\"Values\":null},\"network-control-plane-mtu\":1500,\"experimental\":false,\"containerd\":\"/var/run/docker/containerd/containerd.sock\",\"features\":{\"containerd-snapshotter\":false},\"builder\":{\"GC\":{},\"Entitlements\":{}},\"containerd-namespace\":\"moby\",\"containerd-plugin-namespace\":\"plugins.moby\",\"default-runtime\":\"runc\",\"runtimes\":{\"crun\":{\"path\":\"/usr/local/bin/crun\"}},\"seccomp-profile\":\"builtin\",\"default-shm-size\":67108864,\"default-ipc-mode\":\"private\",\"default-cgroupns-mode\":\"private\",\"resolv-conf\":\"/etc/resolv.conf\",\"proxies\":{}}","level":"info","msg":"Reloaded configuration","time":"2025-02-08T12:24:38.600736179Z"}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Move the "Daemon has completed initialization" log to where it has
actually completed initialization.
- Move buildkit init to its own function.
- Move the builder options to a separate struct, and change initBuildkit
to return it instead of passing the router-options and manipulate it.
Co-authored-by: Brian Goff <cpuguy83@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This required a minor hack to accommodate Cobra's logic (and a TODO was
added to see if we can improve that logic in upstream). Some changes also
had to be made to our "Usage" template, as our custom template did not
take into account subcommands and long descriptions for commands. We
should review these templates, as some additional features were added
in upstream Cobra that we currently may not be using.
With this patch:
instructions for the (hidden) completion subcommand:
docker completion --help
Usage: docker completion COMMAND
Generate the autocompletion script for docker for the specified shell.
See each sub-command's help for details on how to use the generated script.
Commands:
bash Generate the autocompletion script for bash
fish Generate the autocompletion script for fish
powershell Generate the autocompletion script for powershell
zsh Generate the autocompletion script for zsh
Run 'docker completion COMMAND --help' for more information on a command.
and instructions for installing:
dockerd completion bash --help
Usage: dockerd completion bash
Generate the autocompletion script for the bash shell.
This script depends on the 'bash-completion' package.
If it is not installed already, you can install it via your OS's package manager.
To load completions in your current shell session:
source <(dockerd completion bash)
To load completions for every new session, execute once:
#### Linux:
dockerd completion bash > /etc/bash_completion.d/dockerd
#### macOS:
dockerd completion bash > $(brew --prefix)/etc/bash_completion.d/dockerd
You will need to start a new shell for this setup to take effect.
Options:
--help Print usage
--no-descriptions disable completion descriptions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverts otel workaround, added in cca7085464,
as it's no longer needed:
=== Failed
=== FAIL: cmd/dockerd TestOtelMeterLeak (0.64s)
daemon_test.go:303: Allocations: 3
daemon_test.go:307: Allocations count decreased. OTEL leak workaround is no longer needed!
We're keeping the test for now, so that we can check for possible
regressions in the OTel dependencies.
Co-authored-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Next commits will introduce a new internal `metrics` package, so alias
the "external" import to avoid confusion.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Commit 8fb71ce208 moved access to these to
the image service directly, so they are no longer used in the router.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>