File: sandbox_dns_unix.go

package info (click to toggle)
docker.io 26.1.5%2Bdfsg1-9
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 68,576 kB
  • sloc: sh: 5,748; makefile: 912; ansic: 664; asm: 228; python: 162
file content (385 lines) | stat: -rw-r--r-- 12,574 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
 
//go:build !windows

package libnetwork

import (
	"context"
	"fmt"
	"io/fs"
	"net/netip"
	"os"
	"path/filepath"
	"strings"

	"github.com/containerd/log"
	"github.com/docker/docker/errdefs"
	"github.com/docker/docker/libnetwork/etchosts"
	"github.com/docker/docker/libnetwork/internal/resolvconf"
	"github.com/docker/docker/libnetwork/types"
	"github.com/pkg/errors"
)

const (
	defaultPrefix = "/var/lib/docker/network/files"
	dirPerm       = 0o755
	filePerm      = 0o644

	resolverIPSandbox = "127.0.0.11"
)

// finishInitDNS is to be called after the container namespace has been created,
// before it the user process is started. The container's support for IPv6 can be
// determined at this point.
func (sb *Sandbox) finishInitDNS() error {
	if err := sb.buildHostsFile(); err != nil {
		return errdefs.System(err)
	}
	for _, ep := range sb.Endpoints() {
		if err := sb.updateHostsFile(ep.getEtcHostsAddrs()); err != nil {
			return errdefs.System(err)
		}
	}
	return nil
}

func (sb *Sandbox) startResolver(restore bool) {
	sb.resolverOnce.Do(func() {
		var err error
		// The resolver is started with proxyDNS=false if the sandbox does not currently
		// have a gateway. So, if the Sandbox is only connected to an 'internal' network,
		// it will not forward DNS requests to external resolvers. The resolver's
		// proxyDNS setting is then updated as network Endpoints are added/removed.
		sb.resolver = NewResolver(resolverIPSandbox, sb.hasExternalAccess(), sb)
		defer func() {
			if err != nil {
				sb.resolver = nil
			}
		}()

		// In the case of live restore container is already running with
		// right resolv.conf contents created before. Just update the
		// external DNS servers from the restored sandbox for embedded
		// server to use.
		if !restore {
			err = sb.rebuildDNS()
			if err != nil {
				log.G(context.TODO()).Errorf("Updating resolv.conf failed for container %s, %q", sb.ContainerID(), err)
				return
			}
		}
		sb.resolver.SetExtServers(sb.extDNS)

		if err = sb.osSbox.InvokeFunc(sb.resolver.SetupFunc(0)); err != nil {
			log.G(context.TODO()).Errorf("Resolver Setup function failed for container %s, %q", sb.ContainerID(), err)
			return
		}

		if err = sb.resolver.Start(); err != nil {
			log.G(context.TODO()).Errorf("Resolver Start failed for container %s, %q", sb.ContainerID(), err)
		}
	})
}

func (sb *Sandbox) setupResolutionFiles() error {
	// Create a hosts file that can be mounted during container setup. For most
	// networking modes (not host networking) it will be re-created before the
	// container start, once its support for IPv6 is known.
	if sb.config.hostsPath == "" {
		sb.config.hostsPath = defaultPrefix + "/" + sb.id + "/hosts"
	}
	dir, _ := filepath.Split(sb.config.hostsPath)
	if err := createBasePath(dir); err != nil {
		return err
	}
	if err := sb.buildHostsFile(); err != nil {
		return err
	}

	return sb.setupDNS()
}

func (sb *Sandbox) buildHostsFile() error {
	sb.restoreHostsPath()

	dir, _ := filepath.Split(sb.config.hostsPath)
	if err := createBasePath(dir); err != nil {
		return err
	}

	// This is for the host mode networking
	if sb.config.useDefaultSandBox && len(sb.config.extraHosts) == 0 {
		// We are working under the assumption that the origin file option had been properly expressed by the upper layer
		// if not here we are going to error out
		if err := copyFile(sb.config.originHostsPath, sb.config.hostsPath); err != nil && !os.IsNotExist(err) {
			return types.InternalErrorf("could not copy source hosts file %s to %s: %v", sb.config.originHostsPath, sb.config.hostsPath, err)
		}
		return nil
	}

	extraContent := make([]etchosts.Record, 0, len(sb.config.extraHosts))
	for _, extraHost := range sb.config.extraHosts {
		extraContent = append(extraContent, etchosts.Record{Hosts: extraHost.name, IP: extraHost.IP})
	}

	// Assume IPv6 support, unless it's definitely disabled.
	buildf := etchosts.Build
	if en, ok := sb.ipv6Enabled(); ok && !en {
		buildf = etchosts.BuildNoIPv6
	}
	if err := buildf(sb.config.hostsPath, extraContent); err != nil {
		return err
	}

	return sb.updateParentHosts()
}

func (sb *Sandbox) updateHostsFile(ifaceIPs []string) error {
	if len(ifaceIPs) == 0 {
		return nil
	}

	if sb.config.originHostsPath != "" {
		return nil
	}

	// User might have provided a FQDN in hostname or split it across hostname
	// and domainname.  We want the FQDN and the bare hostname.
	fqdn := sb.config.hostName
	if sb.config.domainName != "" {
		fqdn += "." + sb.config.domainName
	}
	hosts := fqdn

	if hostName, _, ok := strings.Cut(fqdn, "."); ok {
		hosts += " " + hostName
	}

	var extraContent []etchosts.Record
	for _, ip := range ifaceIPs {
		extraContent = append(extraContent, etchosts.Record{Hosts: hosts, IP: ip})
	}

	sb.addHostsEntries(extraContent)
	return nil
}

func (sb *Sandbox) addHostsEntries(recs []etchosts.Record) {
	// Assume IPv6 support, unless it's definitely disabled.
	if en, ok := sb.ipv6Enabled(); ok && !en {
		var filtered []etchosts.Record
		for _, rec := range recs {
			if addr, err := netip.ParseAddr(rec.IP); err == nil && !addr.Is6() {
				filtered = append(filtered, rec)
			}
		}
		recs = filtered
	}
	if err := etchosts.Add(sb.config.hostsPath, recs); err != nil {
		log.G(context.TODO()).Warnf("Failed adding service host entries to the running container: %v", err)
	}
}

func (sb *Sandbox) deleteHostsEntries(recs []etchosts.Record) {
	if err := etchosts.Delete(sb.config.hostsPath, recs); err != nil {
		log.G(context.TODO()).Warnf("Failed deleting service host entries to the running container: %v", err)
	}
}

func (sb *Sandbox) updateParentHosts() error {
	var pSb *Sandbox

	for _, update := range sb.config.parentUpdates {
		// TODO(thaJeztah): was it intentional for this loop to re-use prior results of pSB? If not, we should make pSb local and always replace here.
		if s, _ := sb.controller.GetSandbox(update.cid); s != nil {
			pSb = s
		}
		if pSb == nil {
			continue
		}
		// TODO(robmry) - filter out IPv6 addresses here if !sb.ipv6Enabled() but...
		// - this is part of the implementation of '--link', which will be removed along
		//   with the rest of legacy networking.
		// - IPv6 addresses shouldn't be allocated if IPv6 is not available in a container,
		//   and that change will come along later.
		// - I think this may be dead code, it's not possible to start a parent container with
		//   '--link child' unless the child has already started ("Error response from daemon:
		//   Cannot link to a non running container"). So, when the child starts and this method
		//   is called with updates for parents, the parents aren't running and GetSandbox()
		//   returns nil.)
		if err := etchosts.Update(pSb.config.hostsPath, update.ip, update.name); err != nil {
			return err
		}
	}

	return nil
}

func (sb *Sandbox) restoreResolvConfPath() {
	if sb.config.resolvConfPath == "" {
		sb.config.resolvConfPath = defaultPrefix + "/" + sb.id + "/resolv.conf"
	}
	sb.config.resolvConfHashFile = sb.config.resolvConfPath + ".hash"
}

func (sb *Sandbox) restoreHostsPath() {
	if sb.config.hostsPath == "" {
		sb.config.hostsPath = defaultPrefix + "/" + sb.id + "/hosts"
	}
}

func (sb *Sandbox) setExternalResolvers(entries []resolvconf.ExtDNSEntry) {
	sb.extDNS = make([]extDNSEntry, 0, len(entries))
	for _, entry := range entries {
		sb.extDNS = append(sb.extDNS, extDNSEntry{
			IPStr:        entry.Addr.String(),
			HostLoopback: entry.HostLoopback,
		})
	}
}

func (c *containerConfig) getOriginResolvConfPath() string {
	if c.originResolvConfPath != "" {
		return c.originResolvConfPath
	}
	// Fallback if not specified.
	return resolvconf.Path()
}

// loadResolvConf reads the resolv.conf file at path, and merges in overrides for
// nameservers, options, and search domains.
func (sb *Sandbox) loadResolvConf(path string) (*resolvconf.ResolvConf, error) {
	rc, err := resolvconf.Load(path)
	if err != nil && !errors.Is(err, fs.ErrNotExist) {
		return nil, err
	}
	// Proceed with rc, which might be zero-valued if path does not exist.

	rc.SetHeader(`# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.`)
	if len(sb.config.dnsList) > 0 {
		var dnsAddrs []netip.Addr
		for _, ns := range sb.config.dnsList {
			addr, err := netip.ParseAddr(ns)
			if err != nil {
				return nil, errors.Wrapf(err, "bad nameserver address %s", ns)
			}
			dnsAddrs = append(dnsAddrs, addr)
		}
		rc.OverrideNameServers(dnsAddrs)
	}
	if len(sb.config.dnsSearchList) > 0 {
		rc.OverrideSearch(sb.config.dnsSearchList)
	}
	if len(sb.config.dnsOptionsList) > 0 {
		rc.OverrideOptions(sb.config.dnsOptionsList)
	}
	return &rc, nil
}

// For a new sandbox, write an initial version of the container's resolv.conf. It'll
// be a copy of the host's file, with overrides for nameservers, options and search
// domains applied.
func (sb *Sandbox) setupDNS() error {
	// Make sure the directory exists.
	sb.restoreResolvConfPath()
	dir, _ := filepath.Split(sb.config.resolvConfPath)
	if err := createBasePath(dir); err != nil {
		return err
	}

	rc, err := sb.loadResolvConf(sb.config.getOriginResolvConfPath())
	if err != nil {
		return err
	}
	return rc.WriteFile(sb.config.resolvConfPath, sb.config.resolvConfHashFile, filePerm)
}

// Called when an endpoint has joined the sandbox.
func (sb *Sandbox) updateDNS(ipv6Enabled bool) error {
	if mod, err := resolvconf.UserModified(sb.config.resolvConfPath, sb.config.resolvConfHashFile); err != nil || mod {
		return err
	}

	// Load the host's resolv.conf as a starting point.
	rc, err := sb.loadResolvConf(sb.config.getOriginResolvConfPath())
	if err != nil {
		return err
	}
	// For host-networking, no further change is needed.
	if !sb.config.useDefaultSandBox {
		// The legacy bridge network has no internal nameserver. So, strip localhost
		// nameservers from the host's config, then add default nameservers if there
		// are none remaining.
		rc.TransformForLegacyNw(ipv6Enabled)
	}
	return rc.WriteFile(sb.config.resolvConfPath, sb.config.resolvConfHashFile, filePerm)
}

// Embedded DNS server has to be enabled for this sandbox. Rebuild the container's resolv.conf.
func (sb *Sandbox) rebuildDNS() error {
	// Don't touch the file if the user has modified it.
	if mod, err := resolvconf.UserModified(sb.config.resolvConfPath, sb.config.resolvConfHashFile); err != nil || mod {
		return err
	}

	// Load the host's resolv.conf as a starting point.
	rc, err := sb.loadResolvConf(sb.config.getOriginResolvConfPath())
	if err != nil {
		return err
	}

	// Check for IPv6 endpoints in this sandbox. If there are any, and the container has
	// IPv6 enabled, upstream requests from the internal DNS resolver can be made from
	// the container's namespace.
	// TODO(robmry) - this can only check networks connected when the resolver is set up,
	//  the configuration won't be updated if the container gets an IPv6 address later.
	ipv6 := false
	for _, ep := range sb.endpoints {
		if ep.network.enableIPv6 {
			if en, ok := sb.ipv6Enabled(); ok {
				ipv6 = en
			}
			break
		}
	}

	intNS := sb.resolver.NameServer()
	if !intNS.IsValid() {
		return fmt.Errorf("no listen-address for internal resolver")
	}

	// Work out whether ndots has been set from host config or overrides.
	_, sb.ndotsSet = rc.Option("ndots")
	// Swap nameservers for the internal one, and make sure the required options are set.
	var extNameServers []resolvconf.ExtDNSEntry
	extNameServers, err = rc.TransformForIntNS(ipv6, intNS, sb.resolver.ResolverOptions())
	if err != nil {
		return err
	}
	// Extract the list of nameservers that just got swapped out, and store them as
	// upstream nameservers.
	sb.setExternalResolvers(extNameServers)

	// Write the file for the container - preserving old behaviour, not updating the
	// hash file (so, no further updates will be made).
	// TODO(robmry) - I think that's probably accidental, I can't find a reason for it,
	//  and the old resolvconf.Build() function wrote the file but not the hash, which
	//  is surprising. But, before fixing it, a guard/flag needs to be added to
	//  sb.updateDNS() to make sure that when an endpoint joins a sandbox that already
	//  has an internal resolver, the container's resolv.conf is still (re)configured
	//  for an internal resolver.
	return rc.WriteFile(sb.config.resolvConfPath, "", filePerm)
}

func createBasePath(dir string) error {
	return os.MkdirAll(dir, dirPerm)
}

func copyFile(src, dst string) error {
	sBytes, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, sBytes, filePerm)
}