docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #22728 from Microsoft/jstarks/improve_import 

Windows: reexec during layer import
This commit is contained in:
John Howard 2016-05-16 11:08:05 -07:00
parent 0088b8fbbe b3bc5e0fe4
commit 4c6838137c
7 changed files with 193 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
daemon/graphdriver/windows/windows.go
View File

@ -4,6 +4,7 @@ package windows
import ( import (
"bufio" "bufio"
"bytes"
"crypto/sha512" "crypto/sha512"
"encoding/json" "encoding/json"
"fmt" "fmt"
@ -12,6 +13,7 @@ import (
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
"strconv"
"strings" "strings"
"syscall" "syscall"
"time" "time"
@ -28,6 +30,7 @@ import (
"github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/ioutils" "github.com/docker/docker/pkg/ioutils"
"github.com/docker/docker/pkg/longpath" "github.com/docker/docker/pkg/longpath"
"github.com/docker/docker/pkg/reexec"
"github.com/docker/docker/pkg/system" "github.com/docker/docker/pkg/system"
"github.com/vbatts/tar-split/tar/storage" "github.com/vbatts/tar-split/tar/storage"
) )
@ -36,6 +39,7 @@ import (
func init() { func init() {
graphdriver.Register("windowsfilter", InitFilter) graphdriver.Register("windowsfilter", InitFilter)
graphdriver.Register("windowsdiff", InitDiff) graphdriver.Register("windowsdiff", InitDiff)
reexec.Register("docker-windows-write-layer", writeLayer)
} }
const ( const (
@ -308,18 +312,21 @@ func (d *Driver) Diff(id, parent string) (_ archive.Archive, err error) {
if err := hcsshim.UnprepareLayer(d.info, rID); err != nil { if err := hcsshim.UnprepareLayer(d.info, rID); err != nil {
return nil, err return nil, err
} }
defer func() { prepare := func() {
if err := hcsshim.PrepareLayer(d.info, rID, layerChain); err != nil { if err := hcsshim.PrepareLayer(d.info, rID, layerChain); err != nil {
logrus.Warnf("Failed to Deactivate %s: %s", rID, err) logrus.Warnf("Failed to Deactivate %s: %s", rID, err)
} }
}() }
arch, err := d.exportLayer(rID, layerChain) arch, err := d.exportLayer(rID, layerChain)
if err != nil { if err != nil {
prepare()
return return
} }
return ioutils.NewReadCloserWrapper(arch, func() error { return ioutils.NewReadCloserWrapper(arch, func() error {
return arch.Close() err := arch.Close()
prepare()
return err
}), nil }), nil
} }
@ -346,20 +353,21 @@ func (d *Driver) Changes(id, parent string) ([]archive.Change, error) {
} }
}() }()
var changes []archive.Change
err = winio.RunWithPrivilege(winio.SeBackupPrivilege, func() error {
r, err := hcsshim.NewLayerReader(d.info, id, parentChain) r, err := hcsshim.NewLayerReader(d.info, id, parentChain)
if err != nil { if err != nil {
return nil, err return err
} }
defer r.Close() defer r.Close()
var changes []archive.Change
for { for {
name, _, fileInfo, err := r.Next() name, _, fileInfo, err := r.Next()
if err == io.EOF { if err == io.EOF {
break return nil
} }
if err != nil { if err != nil {
return nil, err return err
} }
name = filepath.ToSlash(name) name = filepath.ToSlash(name)
if fileInfo == nil { if fileInfo == nil {
@ -369,6 +377,11 @@ func (d *Driver) Changes(id, parent string) ([]archive.Change, error) {
changes = append(changes, archive.Change{Path: name, Kind: archive.ChangeModify}) changes = append(changes, archive.Change{Path: name, Kind: archive.ChangeModify})
} }
} }
})
if err != nil {
return nil, err
}
return changes, nil return changes, nil
} }
@ -554,19 +567,21 @@ func writeTarFromLayer(r hcsshim.LayerReader, w io.Writer) error {
// exportLayer generates an archive from a layer based on the given ID. // exportLayer generates an archive from a layer based on the given ID.
func (d *Driver) exportLayer(id string, parentLayerPaths []string) (archive.Archive, error) { func (d *Driver) exportLayer(id string, parentLayerPaths []string) (archive.Archive, error) {
var r hcsshim.LayerReader
r, err := hcsshim.NewLayerReader(d.info, id, parentLayerPaths)
if err != nil {
return nil, err
}
archive, w := io.Pipe() archive, w := io.Pipe()
go func() { go func() {
err := writeTarFromLayer(r, w) err := winio.RunWithPrivilege(winio.SeBackupPrivilege, func() error {
r, err := hcsshim.NewLayerReader(d.info, id, parentLayerPaths)
if err != nil {
return err
}
err = writeTarFromLayer(r, w)
cerr := r.Close() cerr := r.Close()
if err == nil { if err == nil {
err = cerr err = cerr
} }
return err
})
w.CloseWithError(err) w.CloseWithError(err)
}() }()
@ -682,21 +697,63 @@ func addAceToSddlDacl(sddl, ace string) (string, bool) {
// importLayer adds a new layer to the tag and graph store based on the given data. // importLayer adds a new layer to the tag and graph store based on the given data.
func (d *Driver) importLayer(id string, layerData archive.Reader, parentLayerPaths []string) (size int64, err error) { func (d *Driver) importLayer(id string, layerData archive.Reader, parentLayerPaths []string) (size int64, err error) {
var w hcsshim.LayerWriter cmd := reexec.Command(append([]string{"docker-windows-write-layer", d.info.HomeDir, id}, parentLayerPaths...)...)
w, err = hcsshim.NewLayerWriter(d.info, id, parentLayerPaths) output := bytes.NewBuffer(nil)
if err != nil { cmd.Stdin = layerData
cmd.Stdout = output
cmd.Stderr = output
if err = cmd.Start(); err != nil {
return return
} }
size, err = writeLayerFromTar(layerData, w)
if err != nil { if err = cmd.Wait(); err != nil {
w.Close() return 0, fmt.Errorf("re-exec error: %v: output: %s", err, output)
return
} }
return strconv.ParseInt(output.String(), 10, 64)
}
// writeLayer is the re-exec entry point for writing a layer from a tar file
func writeLayer() {
home := os.Args[1]
id := os.Args[2]
parentLayerPaths := os.Args[3:]
err := func() error {
err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege})
if err != nil {
return err
}
info := hcsshim.DriverInfo{
Flavour: filterDriver,
HomeDir: home,
}
w, err := hcsshim.NewLayerWriter(info, id, parentLayerPaths)
if err != nil {
return err
}
size, err := writeLayerFromTar(os.Stdin, w)
if err != nil {
return err
}
err = w.Close() err = w.Close()
if err != nil { if err != nil {
return return err
}
fmt.Fprint(os.Stdout, size)
return nil
}()
if err != nil {
fmt.Fprint(os.Stderr, err)
os.Exit(1)
} }
return
} }
// resolveID computes the layerID information based on the given id. // resolveID computes the layerID information based on the given id.

2
hack/vendor.sh
View File

@ -8,7 +8,7 @@ source 'hack/.vendor-helpers.sh'
# the following lines are in sorted order, FYI # the following lines are in sorted order, FYI
clone git github.com/Azure/go-ansiterm 388960b655244e76e24c75f48631564eaefade62 clone git github.com/Azure/go-ansiterm 388960b655244e76e24c75f48631564eaefade62
clone git github.com/Microsoft/hcsshim v0.2.2 clone git github.com/Microsoft/hcsshim v0.2.2
clone git github.com/Microsoft/go-winio v0.3.0 clone git github.com/Microsoft/go-winio v0.3.4
clone git github.com/Sirupsen/logrus v0.9.0 # logrus is a common dependency among multiple deps clone git github.com/Sirupsen/logrus v0.9.0 # logrus is a common dependency among multiple deps
clone git github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a clone git github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
clone git github.com/go-check/check 03a4d9dcf2f92eae8e90ed42aa2656f63fdd0b14 https://github.com/cpuguy83/check.git clone git github.com/go-check/check 03a4d9dcf2f92eae8e90ed42aa2656f63fdd0b14 https://github.com/cpuguy83/check.git

1
vendor/src/github.com/Microsoft/go-winio/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.exe

28
vendor/src/github.com/Microsoft/go-winio/backuptar/tar.go vendored
View File

@ -1,6 +1,7 @@
package backuptar package backuptar
import ( import (
"encoding/base64"
"errors" "errors"
"fmt" "fmt"
"io" "io"
@ -31,6 +32,7 @@ const (
const ( const (
hdrFileAttributes = "fileattr" hdrFileAttributes = "fileattr"
hdrSecurityDescriptor = "sd" hdrSecurityDescriptor = "sd"
hdrRawSecurityDescriptor = "rawsd"
hdrMountPoint = "mountpoint" hdrMountPoint = "mountpoint"
) )
@ -108,7 +110,7 @@ func BasicInfoHeader(name string, size int64, fileInfo *winio.FileBasicInfo) *ta
// //
// MSWINDOWS.fileattr: The Win32 file attributes, as a decimal value // MSWINDOWS.fileattr: The Win32 file attributes, as a decimal value
// //
// MSWINDOWS.sd: The Win32 security descriptor, in SDDL (string) format // MSWINDOWS.rawsd: The Win32 security descriptor, in raw binary format
// //
// MSWINDOWS.mountpoint: If present, this is a mount point and not a symlink, even though the type is '2' (symlink) // MSWINDOWS.mountpoint: If present, this is a mount point and not a symlink, even though the type is '2' (symlink)
func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size int64, fileInfo *winio.FileBasicInfo) error { func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size int64, fileInfo *winio.FileBasicInfo) error {
@ -133,11 +135,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
if err != nil { if err != nil {
return err return err
} }
sddl, err := winio.SecurityDescriptorToSddl(sd) hdr.Winheaders[hdrRawSecurityDescriptor] = base64.StdEncoding.EncodeToString(sd)
if err != nil {
return err
}
hdr.Winheaders[hdrSecurityDescriptor] = sddl
case winio.BackupReparseData: case winio.BackupReparseData:
hdr.Mode |= c_ISLNK hdr.Mode |= c_ISLNK
@ -263,16 +261,28 @@ func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *win
// tar file that was not processed, or io.EOF is there are no more. // tar file that was not processed, or io.EOF is there are no more.
func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (*tar.Header, error) { func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (*tar.Header, error) {
bw := winio.NewBackupStreamWriter(w) bw := winio.NewBackupStreamWriter(w)
var sd []byte
var err error
// Maintaining old SDDL-based behavior for backward compatibility. All new tar headers written
// by this library will have raw binary for the security descriptor.
if sddl, ok := hdr.Winheaders[hdrSecurityDescriptor]; ok { if sddl, ok := hdr.Winheaders[hdrSecurityDescriptor]; ok {
sd, err := winio.SddlToSecurityDescriptor(sddl) sd, err = winio.SddlToSecurityDescriptor(sddl)
if err != nil { if err != nil {
return nil, err return nil, err
} }
}
if sdraw, ok := hdr.Winheaders[hdrRawSecurityDescriptor]; ok {
sd, err = base64.StdEncoding.DecodeString(sdraw)
if err != nil {
return nil, err
}
}
if len(sd) != 0 {
bhdr := winio.BackupHeader{ bhdr := winio.BackupHeader{
Id: winio.BackupSecurity, Id: winio.BackupSecurity,
Size: int64(len(sd)), Size: int64(len(sd)),
} }
err = bw.WriteHeader(&bhdr) err := bw.WriteHeader(&bhdr)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -284,7 +294,7 @@ func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (
if hdr.Typeflag == tar.TypeSymlink { if hdr.Typeflag == tar.TypeSymlink {
_, isMountPoint := hdr.Winheaders[hdrMountPoint] _, isMountPoint := hdr.Winheaders[hdrMountPoint]
rp := winio.ReparsePoint{ rp := winio.ReparsePoint{
Target: hdr.Linkname, Target: filepath.FromSlash(hdr.Linkname),
IsMountPoint: isMountPoint, IsMountPoint: isMountPoint,
} }
reparse := winio.EncodeReparsePoint(&rp) reparse := winio.EncodeReparsePoint(&rp)

75
vendor/src/github.com/Microsoft/go-winio/privilege.go vendored
View File

@ -5,14 +5,17 @@ import (
"encoding/binary" "encoding/binary"
"fmt" "fmt"
"runtime" "runtime"
"sync"
"syscall" "syscall"
"unicode/utf16" "unicode/utf16"
"golang.org/x/sys/windows"
) )
//sys adjustTokenPrivileges(token syscall.Handle, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) [true] = advapi32.AdjustTokenPrivileges //sys adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) [true] = advapi32.AdjustTokenPrivileges
//sys impersonateSelf(level uint32) (err error) = advapi32.ImpersonateSelf //sys impersonateSelf(level uint32) (err error) = advapi32.ImpersonateSelf
//sys revertToSelf() (err error) = advapi32.RevertToSelf //sys revertToSelf() (err error) = advapi32.RevertToSelf
//sys openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *syscall.Handle) (err error) = advapi32.OpenThreadToken //sys openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) = advapi32.OpenThreadToken
//sys getCurrentThread() (h syscall.Handle) = GetCurrentThread //sys getCurrentThread() (h syscall.Handle) = GetCurrentThread
//sys lookupPrivilegeValue(systemName string, name string, luid *uint64) (err error) = advapi32.LookupPrivilegeValueW //sys lookupPrivilegeValue(systemName string, name string, luid *uint64) (err error) = advapi32.LookupPrivilegeValueW
//sys lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) = advapi32.LookupPrivilegeNameW //sys lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) = advapi32.LookupPrivilegeNameW
@ -34,6 +37,12 @@ const (
securityDelegation securityDelegation
) )
var (
privNames = make(map[string]uint64)
privNameMutex sync.Mutex
)
// PrivilegeError represents an error enabling privileges.
type PrivilegeError struct { type PrivilegeError struct {
privileges []uint64 privileges []uint64
} }
@ -56,20 +65,17 @@ func (e *PrivilegeError) Error() string {
return s return s
} }
// RunWithPrivilege enables a single privilege for a function call.
func RunWithPrivilege(name string, fn func() error) error { func RunWithPrivilege(name string, fn func() error) error {
return RunWithPrivileges([]string{name}, fn) return RunWithPrivileges([]string{name}, fn)
} }
// RunWithPrivileges enables privileges for a function call.
func RunWithPrivileges(names []string, fn func() error) error { func RunWithPrivileges(names []string, fn func() error) error {
var privileges []uint64 privileges, err := mapPrivileges(names)
for _, name := range names {
p := uint64(0)
err := lookupPrivilegeValue("", name, &p)
if err != nil { if err != nil {
return err return err
} }
privileges = append(privileges, p)
}
runtime.LockOSThread() runtime.LockOSThread()
defer runtime.UnlockOSThread() defer runtime.UnlockOSThread()
token, err := newThreadToken() token, err := newThreadToken()
@ -84,7 +90,43 @@ func RunWithPrivileges(names []string, fn func() error) error {
return fn() return fn()
} }
func adjustPrivileges(token syscall.Handle, privileges []uint64) error { func mapPrivileges(names []string) ([]uint64, error) {
var privileges []uint64
privNameMutex.Lock()
defer privNameMutex.Unlock()
for _, name := range names {
p, ok := privNames[name]
if !ok {
err := lookupPrivilegeValue("", name, &p)
if err != nil {
return nil, err
}
privNames[name] = p
}
privileges = append(privileges, p)
}
return privileges, nil
}
// EnableProcessPrivileges enables privileges globally for the process.
func EnableProcessPrivileges(names []string) error {
privileges, err := mapPrivileges(names)
if err != nil {
return err
}
p, _ := windows.GetCurrentProcess()
var token windows.Token
err = windows.OpenProcessToken(p, windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, &token)
if err != nil {
return err
}
defer token.Close()
return adjustPrivileges(token, privileges)
}
func adjustPrivileges(token windows.Token, privileges []uint64) error {
var b bytes.Buffer var b bytes.Buffer
binary.Write(&b, binary.LittleEndian, uint32(len(privileges))) binary.Write(&b, binary.LittleEndian, uint32(len(privileges)))
for _, p := range privileges { for _, p := range privileges {
@ -113,23 +155,22 @@ func getPrivilegeName(luid uint64) string {
var displayNameBuffer [256]uint16 var displayNameBuffer [256]uint16
displayBufSize := uint32(len(displayNameBuffer)) displayBufSize := uint32(len(displayNameBuffer))
var langId uint32 var langID uint32
err = lookupPrivilegeDisplayName("", &nameBuffer[0], &displayNameBuffer[0], &displayBufSize, &langId) err = lookupPrivilegeDisplayName("", &nameBuffer[0], &displayNameBuffer[0], &displayBufSize, &langID)
if err != nil { if err != nil {
return fmt.Sprintf("<unknown privilege %s>", utf16.Decode(nameBuffer[:bufSize])) return fmt.Sprintf("<unknown privilege %s>", string(utf16.Decode(nameBuffer[:bufSize])))
} }
return string(utf16.Decode(displayNameBuffer[:displayBufSize])) return string(utf16.Decode(displayNameBuffer[:displayBufSize]))
} }
func newThreadToken() (syscall.Handle, error) { func newThreadToken() (windows.Token, error) {
err := impersonateSelf(securityImpersonation) err := impersonateSelf(securityImpersonation)
if err != nil { if err != nil {
panic(err)
return 0, err return 0, err
} }
var token syscall.Handle var token windows.Token
err = openThreadToken(getCurrentThread(), syscall.TOKEN_ADJUST_PRIVILEGES|syscall.TOKEN_QUERY, false, &token) err = openThreadToken(getCurrentThread(), syscall.TOKEN_ADJUST_PRIVILEGES|syscall.TOKEN_QUERY, false, &token)
if err != nil { if err != nil {
rerr := revertToSelf() rerr := revertToSelf()
@ -141,10 +182,10 @@ func newThreadToken() (syscall.Handle, error) {
return token, nil return token, nil
} }
func releaseThreadToken(h syscall.Handle) { func releaseThreadToken(h windows.Token) {
err := revertToSelf() err := revertToSelf()
if err != nil { if err != nil {
panic(err) panic(err)
} }
syscall.Close(h) h.Close()
} }

2
vendor/src/github.com/Microsoft/go-winio/reparse.go vendored
View File

@ -80,7 +80,7 @@ func EncodeReparsePoint(rp *ReparsePoint) []byte {
var ntTarget string var ntTarget string
relative := false relative := false
if strings.HasPrefix(rp.Target, `\\?\`) { if strings.HasPrefix(rp.Target, `\\?\`) {
ntTarget = rp.Target ntTarget = `\??\` + rp.Target[4:]
} else if strings.HasPrefix(rp.Target, `\\`) { } else if strings.HasPrefix(rp.Target, `\\`) {
ntTarget = `\??\UNC\` + rp.Target[2:] ntTarget = `\??\UNC\` + rp.Target[2:]
} else if len(rp.Target) >= 2 && isDriveLetter(rp.Target[0]) && rp.Target[1] == ':' { } else if len(rp.Target) >= 2 && isDriveLetter(rp.Target[0]) && rp.Target[1] == ':' {

12
vendor/src/github.com/Microsoft/go-winio/zsyscall.go vendored
View File

@ -2,8 +2,12 @@
package winio package winio
import "unsafe" import (
import "syscall" "syscall"
"unsafe"
"golang.org/x/sys/windows"
)
var _ unsafe.Pointer var _ unsafe.Pointer
@ -300,7 +304,7 @@ func setFileInformationByHandle(h syscall.Handle, class uint32, buffer *byte, si
return return
} }
func adjustTokenPrivileges(token syscall.Handle, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) { func adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) {
var _p0 uint32 var _p0 uint32
if releaseAll { if releaseAll {
_p0 = 1 _p0 = 1
@ -343,7 +347,7 @@ func revertToSelf() (err error) {
return return
} }
func openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *syscall.Handle) (err error) { func openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) {
var _p0 uint32 var _p0 uint32
if openAsSelf { if openAsSelf {
_p0 = 1 _p0 = 1