1 // +build linux freebsd solaris
12 "github.com/Sirupsen/logrus"
13 "github.com/docker/docker/api/types"
14 containertypes "github.com/docker/docker/api/types/container"
15 mounttypes "github.com/docker/docker/api/types/mount"
16 "github.com/docker/docker/pkg/chrootarchive"
17 "github.com/docker/docker/pkg/mount"
18 "github.com/docker/docker/pkg/stringid"
19 "github.com/docker/docker/pkg/symlink"
20 "github.com/docker/docker/pkg/system"
21 "github.com/docker/docker/volume"
22 "github.com/opencontainers/selinux/go-selinux/label"
23 "golang.org/x/sys/unix"
27 containerSecretMountPath = "/run/secrets"
30 // ExitStatus provides exit reasons for a container.
31 type ExitStatus struct {
32 // The exit code with which the container exited.
35 // Whether the container encountered an OOM.
39 // TrySetNetworkMount attempts to set the network mounts given a provided destination and
40 // the path to use for it; return true if the given destination was a network mount file
41 func (container *Container) TrySetNetworkMount(destination string, path string) bool {
42 if destination == "/etc/resolv.conf" {
43 container.ResolvConfPath = path
46 if destination == "/etc/hostname" {
47 container.HostnamePath = path
50 if destination == "/etc/hosts" {
51 container.HostsPath = path
58 // BuildHostnameFile writes the container's hostname file.
59 func (container *Container) BuildHostnameFile() error {
60 hostnamePath, err := container.GetRootResourcePath("hostname")
64 container.HostnamePath = hostnamePath
65 return ioutil.WriteFile(container.HostnamePath, []byte(container.Config.Hostname+"\n"), 0644)
68 // NetworkMounts returns the list of network mounts.
69 func (container *Container) NetworkMounts() []Mount {
71 shared := container.HostConfig.NetworkMode.IsContainer()
72 if container.ResolvConfPath != "" {
73 if _, err := os.Stat(container.ResolvConfPath); err != nil {
74 logrus.Warnf("ResolvConfPath set to %q, but can't stat this filename (err = %v); skipping", container.ResolvConfPath, err)
76 if !container.HasMountFor("/etc/resolv.conf") {
77 label.Relabel(container.ResolvConfPath, container.MountLabel, shared)
79 writable := !container.HostConfig.ReadonlyRootfs
80 if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
83 mounts = append(mounts, Mount{
84 Source: container.ResolvConfPath,
85 Destination: "/etc/resolv.conf",
87 Propagation: string(volume.DefaultPropagationMode),
91 if container.HostnamePath != "" {
92 if _, err := os.Stat(container.HostnamePath); err != nil {
93 logrus.Warnf("HostnamePath set to %q, but can't stat this filename (err = %v); skipping", container.HostnamePath, err)
95 if !container.HasMountFor("/etc/hostname") {
96 label.Relabel(container.HostnamePath, container.MountLabel, shared)
98 writable := !container.HostConfig.ReadonlyRootfs
99 if m, exists := container.MountPoints["/etc/hostname"]; exists {
102 mounts = append(mounts, Mount{
103 Source: container.HostnamePath,
104 Destination: "/etc/hostname",
106 Propagation: string(volume.DefaultPropagationMode),
110 if container.HostsPath != "" {
111 if _, err := os.Stat(container.HostsPath); err != nil {
112 logrus.Warnf("HostsPath set to %q, but can't stat this filename (err = %v); skipping", container.HostsPath, err)
114 if !container.HasMountFor("/etc/hosts") {
115 label.Relabel(container.HostsPath, container.MountLabel, shared)
117 writable := !container.HostConfig.ReadonlyRootfs
118 if m, exists := container.MountPoints["/etc/hosts"]; exists {
121 mounts = append(mounts, Mount{
122 Source: container.HostsPath,
123 Destination: "/etc/hosts",
125 Propagation: string(volume.DefaultPropagationMode),
132 // CopyImagePathContent copies files in destination to the volume.
133 func (container *Container) CopyImagePathContent(v volume.Volume, destination string) error {
134 rootfs, err := symlink.FollowSymlinkInScope(filepath.Join(container.BaseFS, destination), container.BaseFS)
139 if _, err = ioutil.ReadDir(rootfs); err != nil {
140 if os.IsNotExist(err) {
146 id := stringid.GenerateNonCryptoID()
147 path, err := v.Mount(id)
153 if err := v.Unmount(id); err != nil {
154 logrus.Warnf("error while unmounting volume %s: %v", v.Name(), err)
157 if err := label.Relabel(path, container.MountLabel, true); err != nil && err != unix.ENOTSUP {
160 return copyExistingContents(rootfs, path)
163 // ShmResourcePath returns path to shm
164 func (container *Container) ShmResourcePath() (string, error) {
165 return container.GetRootResourcePath("shm")
168 // HasMountFor checks if path is a mountpoint
169 func (container *Container) HasMountFor(path string) bool {
170 _, exists := container.MountPoints[path]
174 // UnmountIpcMounts uses the provided unmount function to unmount shm and mqueue if they were mounted
175 func (container *Container) UnmountIpcMounts(unmount func(pth string) error) {
176 if container.HostConfig.IpcMode.IsContainer() || container.HostConfig.IpcMode.IsHost() {
180 var warnings []string
182 if !container.HasMountFor("/dev/shm") {
183 shmPath, err := container.ShmResourcePath()
186 warnings = append(warnings, err.Error())
187 } else if shmPath != "" {
188 if err := unmount(shmPath); err != nil && !os.IsNotExist(err) {
189 if mounted, mErr := mount.Mounted(shmPath); mounted || mErr != nil {
190 warnings = append(warnings, fmt.Sprintf("failed to umount %s: %v", shmPath, err))
197 if len(warnings) > 0 {
198 logrus.Warnf("failed to cleanup ipc mounts:\n%v", strings.Join(warnings, "\n"))
202 // IpcMounts returns the list of IPC mounts
203 func (container *Container) IpcMounts() []Mount {
206 if !container.HasMountFor("/dev/shm") {
207 label.SetFileLabel(container.ShmPath, container.MountLabel)
208 mounts = append(mounts, Mount{
209 Source: container.ShmPath,
210 Destination: "/dev/shm",
212 Propagation: string(volume.DefaultPropagationMode),
219 // SecretMounts returns the mounts for the secret path.
220 func (container *Container) SecretMounts() []Mount {
222 for _, r := range container.SecretReferences {
226 mounts = append(mounts, Mount{
227 Source: container.SecretFilePath(*r),
228 Destination: getSecretTargetPath(r),
236 // UnmountSecrets unmounts the local tmpfs for secrets
237 func (container *Container) UnmountSecrets() error {
238 if _, err := os.Stat(container.SecretMountPath()); err != nil {
239 if os.IsNotExist(err) {
245 return detachMounted(container.SecretMountPath())
248 // ConfigMounts returns the mounts for configs.
249 func (container *Container) ConfigMounts() []Mount {
251 for _, configRef := range container.ConfigReferences {
252 if configRef.File == nil {
255 mounts = append(mounts, Mount{
256 Source: container.ConfigFilePath(*configRef),
257 Destination: configRef.File.Name,
265 // UpdateContainer updates configuration of a container. Callers must hold a Lock on the Container.
266 func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error {
267 // update resources of container
268 resources := hostConfig.Resources
269 cResources := &container.HostConfig.Resources
271 // validate NanoCPUs, CPUPeriod, and CPUQuota
272 // Becuase NanoCPU effectively updates CPUPeriod/CPUQuota,
273 // once NanoCPU is already set, updating CPUPeriod/CPUQuota will be blocked, and vice versa.
274 // In the following we make sure the intended update (resources) does not conflict with the existing (cResource).
275 if resources.NanoCPUs > 0 && cResources.CPUPeriod > 0 {
276 return fmt.Errorf("Conflicting options: Nano CPUs cannot be updated as CPU Period has already been set")
278 if resources.NanoCPUs > 0 && cResources.CPUQuota > 0 {
279 return fmt.Errorf("Conflicting options: Nano CPUs cannot be updated as CPU Quota has already been set")
281 if resources.CPUPeriod > 0 && cResources.NanoCPUs > 0 {
282 return fmt.Errorf("Conflicting options: CPU Period cannot be updated as NanoCPUs has already been set")
284 if resources.CPUQuota > 0 && cResources.NanoCPUs > 0 {
285 return fmt.Errorf("Conflicting options: CPU Quota cannot be updated as NanoCPUs has already been set")
288 if resources.BlkioWeight != 0 {
289 cResources.BlkioWeight = resources.BlkioWeight
291 if resources.CPUShares != 0 {
292 cResources.CPUShares = resources.CPUShares
294 if resources.NanoCPUs != 0 {
295 cResources.NanoCPUs = resources.NanoCPUs
297 if resources.CPUPeriod != 0 {
298 cResources.CPUPeriod = resources.CPUPeriod
300 if resources.CPUQuota != 0 {
301 cResources.CPUQuota = resources.CPUQuota
303 if resources.CpusetCpus != "" {
304 cResources.CpusetCpus = resources.CpusetCpus
306 if resources.CpusetMems != "" {
307 cResources.CpusetMems = resources.CpusetMems
309 if resources.Memory != 0 {
310 // if memory limit smaller than already set memoryswap limit and doesn't
311 // update the memoryswap limit, then error out.
312 if resources.Memory > cResources.MemorySwap && resources.MemorySwap == 0 {
313 return fmt.Errorf("Memory limit should be smaller than already set memoryswap limit, update the memoryswap at the same time")
315 cResources.Memory = resources.Memory
317 if resources.MemorySwap != 0 {
318 cResources.MemorySwap = resources.MemorySwap
320 if resources.MemoryReservation != 0 {
321 cResources.MemoryReservation = resources.MemoryReservation
323 if resources.KernelMemory != 0 {
324 cResources.KernelMemory = resources.KernelMemory
327 // update HostConfig of container
328 if hostConfig.RestartPolicy.Name != "" {
329 if container.HostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() {
330 return fmt.Errorf("Restart policy cannot be updated because AutoRemove is enabled for the container")
332 container.HostConfig.RestartPolicy = hostConfig.RestartPolicy
338 // DetachAndUnmount uses a detached mount on all mount destinations, then
339 // unmounts each volume normally.
340 // This is used from daemon/archive for `docker cp`
341 func (container *Container) DetachAndUnmount(volumeEventLog func(name, action string, attributes map[string]string)) error {
342 networkMounts := container.NetworkMounts()
343 mountPaths := make([]string, 0, len(container.MountPoints)+len(networkMounts))
345 for _, mntPoint := range container.MountPoints {
346 dest, err := container.GetResourcePath(mntPoint.Destination)
348 logrus.Warnf("Failed to get volume destination path for container '%s' at '%s' while lazily unmounting: %v", container.ID, mntPoint.Destination, err)
351 mountPaths = append(mountPaths, dest)
354 for _, m := range networkMounts {
355 dest, err := container.GetResourcePath(m.Destination)
357 logrus.Warnf("Failed to get volume destination path for container '%s' at '%s' while lazily unmounting: %v", container.ID, m.Destination, err)
360 mountPaths = append(mountPaths, dest)
363 for _, mountPath := range mountPaths {
364 if err := detachMounted(mountPath); err != nil {
365 logrus.Warnf("%s unmountVolumes: Failed to do lazy umount fo volume '%s': %v", container.ID, mountPath, err)
368 return container.UnmountVolumes(volumeEventLog)
371 // copyExistingContents copies from the source to the destination and
372 // ensures the ownership is appropriately set.
373 func copyExistingContents(source, destination string) error {
374 volList, err := ioutil.ReadDir(source)
378 if len(volList) > 0 {
379 srcList, err := ioutil.ReadDir(destination)
383 if len(srcList) == 0 {
384 // If the source volume is empty, copies files from the root into the volume
385 if err := chrootarchive.NewArchiver(nil).CopyWithTar(source, destination); err != nil {
390 return copyOwnership(source, destination)
393 // copyOwnership copies the permissions and uid:gid of the source file
394 // to the destination file
395 func copyOwnership(source, destination string) error {
396 stat, err := system.Stat(source)
401 destStat, err := system.Stat(destination)
406 // In some cases, even though UID/GID match and it would effectively be a no-op,
407 // this can return a permission denied error... for example if this is an NFS
409 // Since it's not really an error that we can't chown to the same UID/GID, don't
410 // even bother trying in such cases.
411 if stat.UID() != destStat.UID() || stat.GID() != destStat.GID() {
412 if err := os.Chown(destination, int(stat.UID()), int(stat.GID())); err != nil {
417 if stat.Mode() != destStat.Mode() {
418 return os.Chmod(destination, os.FileMode(stat.Mode()))
423 // TmpfsMounts returns the list of tmpfs mounts
424 func (container *Container) TmpfsMounts() ([]Mount, error) {
426 for dest, data := range container.HostConfig.Tmpfs {
427 mounts = append(mounts, Mount{
433 for dest, mnt := range container.MountPoints {
434 if mnt.Type == mounttypes.TypeTmpfs {
435 data, err := volume.ConvertTmpfsOptions(mnt.Spec.TmpfsOptions, mnt.Spec.ReadOnly)
439 mounts = append(mounts, Mount{
449 // cleanResourcePath cleans a resource path and prepares to combine with mnt path
450 func cleanResourcePath(path string) string {
451 return filepath.Join(string(os.PathSeparator), path)
454 // EnableServiceDiscoveryOnDefaultNetwork Enable service discovery on default network
455 func (container *Container) EnableServiceDiscoveryOnDefaultNetwork() bool {
459 // GetMountPoints gives a platform specific transformation to types.MountPoint. Callers must hold a Container lock.
460 func (container *Container) GetMountPoints() []types.MountPoint {
461 mountPoints := make([]types.MountPoint, 0, len(container.MountPoints))
462 for _, m := range container.MountPoints {
463 mountPoints = append(mountPoints, types.MountPoint{
467 Destination: m.Destination,
471 Propagation: m.Propagation,