diff --git a/api/client/cli.go b/api/client/cli.go index d7cf4f56b3..19c635d776 100644 --- a/api/client/cli.go +++ b/api/client/cli.go @@ -1,11 +1,9 @@ package client import ( - "crypto/tls" "errors" "fmt" "io" - "net/http" "os" "runtime" @@ -44,22 +42,6 @@ type DockerCli struct { isTerminalOut bool // client is the http client that performs all API operations client apiClient - - // DEPRECATED OPTIONS TO MAKE THE CLIENT COMPILE - // TODO: Remove - // proto holds the client protocol i.e. unix. - proto string - // addr holds the client address. - addr string - // basePath holds the path to prepend to the requests - basePath string - // tlsConfig holds the TLS configuration for the client, and will - // set the scheme to https in NewDockerCli if present. - tlsConfig *tls.Config - // scheme holds the scheme of the client i.e. https. - scheme string - // transport holds the client transport instance. - transport *http.Transport } // Initialize calls the init function that will setup the configuration for the client @@ -126,12 +108,6 @@ func NewDockerCli(in io.ReadCloser, out, err io.Writer, clientFlags *cli.ClientF } cli.client = client - // FIXME: Deprecated, only to keep the old code running. - cli.transport = client.HTTPClient.Transport.(*http.Transport) - cli.basePath = client.BasePath - cli.addr = client.Addr - cli.scheme = client.Scheme - if cli.in != nil { cli.inFd, cli.isTerminalIn = term.GetFdInfo(cli.in) } diff --git a/api/client/hijack.go b/api/client/hijack.go index 696546dd27..72f5ed43de 100644 --- a/api/client/hijack.go +++ b/api/client/hijack.go @@ -1,22 +1,11 @@ package client import ( - "crypto/tls" - "errors" - "fmt" "io" - "net" - "net/http" - "net/http/httputil" "os" - "runtime" - "strings" - "time" "github.com/Sirupsen/logrus" - "github.com/docker/docker/api" "github.com/docker/docker/api/types" - "github.com/docker/docker/dockerversion" "github.com/docker/docker/pkg/stdcopy" "github.com/docker/docker/pkg/term" ) @@ -87,239 +76,3 @@ func (cli *DockerCli) holdHijackedConnection(setRawTerminal bool, inputStream io return nil } - -type tlsClientCon struct { - *tls.Conn - rawConn net.Conn -} - -func (c *tlsClientCon) CloseWrite() error { - // Go standard tls.Conn doesn't provide the CloseWrite() method so we do it - // on its underlying connection. - if cwc, ok := c.rawConn.(interface { - CloseWrite() error - }); ok { - return cwc.CloseWrite() - } - return nil -} - -func tlsDial(network, addr string, config *tls.Config) (net.Conn, error) { - return tlsDialWithDialer(new(net.Dialer), network, addr, config) -} - -// We need to copy Go's implementation of tls.Dial (pkg/cryptor/tls/tls.go) in -// order to return our custom tlsClientCon struct which holds both the tls.Conn -// object _and_ its underlying raw connection. The rationale for this is that -// we need to be able to close the write end of the connection when attaching, -// which tls.Conn does not provide. -func tlsDialWithDialer(dialer *net.Dialer, network, addr string, config *tls.Config) (net.Conn, error) { - // We want the Timeout and Deadline values from dialer to cover the - // whole process: TCP connection and TLS handshake. This means that we - // also need to start our own timers now. - timeout := dialer.Timeout - - if !dialer.Deadline.IsZero() { - deadlineTimeout := dialer.Deadline.Sub(time.Now()) - if timeout == 0 || deadlineTimeout < timeout { - timeout = deadlineTimeout - } - } - - var errChannel chan error - - if timeout != 0 { - errChannel = make(chan error, 2) - time.AfterFunc(timeout, func() { - errChannel <- errors.New("") - }) - } - - rawConn, err := dialer.Dial(network, addr) - if err != nil { - return nil, err - } - // When we set up a TCP connection for hijack, there could be long periods - // of inactivity (a long running command with no output) that in certain - // network setups may cause ECONNTIMEOUT, leaving the client in an unknown - // state. Setting TCP KeepAlive on the socket connection will prohibit - // ECONNTIMEOUT unless the socket connection truly is broken - if tcpConn, ok := rawConn.(*net.TCPConn); ok { - tcpConn.SetKeepAlive(true) - tcpConn.SetKeepAlivePeriod(30 * time.Second) - } - - colonPos := strings.LastIndex(addr, ":") - if colonPos == -1 { - colonPos = len(addr) - } - hostname := addr[:colonPos] - - // If no ServerName is set, infer the ServerName - // from the hostname we're connecting to. - if config.ServerName == "" { - // Make a copy to avoid polluting argument or default. - c := *config - c.ServerName = hostname - config = &c - } - - conn := tls.Client(rawConn, config) - - if timeout == 0 { - err = conn.Handshake() - } else { - go func() { - errChannel <- conn.Handshake() - }() - - err = <-errChannel - } - - if err != nil { - rawConn.Close() - return nil, err - } - - // This is Docker difference with standard's crypto/tls package: returned a - // wrapper which holds both the TLS and raw connections. - return &tlsClientCon{conn, rawConn}, nil -} - -func (cli *DockerCli) dial() (net.Conn, error) { - if cli.tlsConfig != nil && cli.proto != "unix" { - // Notice this isn't Go standard's tls.Dial function - return tlsDial(cli.proto, cli.addr, cli.tlsConfig) - } - return net.Dial(cli.proto, cli.addr) -} - -func (cli *DockerCli) hijack(method, path string, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error { - return cli.hijackWithContentType(method, path, "text/plain", setRawTerminal, in, stdout, stderr, started, data) -} - -func (cli *DockerCli) hijackWithContentType(method, path, contentType string, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error { - defer func() { - if started != nil { - close(started) - } - }() - - params, err := cli.encodeData(data) - if err != nil { - return err - } - req, err := http.NewRequest(method, fmt.Sprintf("%s/v%s%s", cli.basePath, api.Version, path), params) - if err != nil { - return err - } - - // Add CLI Config's HTTP Headers BEFORE we set the Docker headers - // then the user can't change OUR headers - for k, v := range cli.configFile.HTTPHeaders { - req.Header.Set(k, v) - } - - req.Header.Set("User-Agent", "Docker-Client/"+dockerversion.Version+" ("+runtime.GOOS+")") - req.Header.Set("Content-Type", contentType) - req.Header.Set("Connection", "Upgrade") - req.Header.Set("Upgrade", "tcp") - req.Host = cli.addr - - dial, err := cli.dial() - if err != nil { - if strings.Contains(err.Error(), "connection refused") { - return fmt.Errorf("Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?") - } - return err - } - - // When we set up a TCP connection for hijack, there could be long periods - // of inactivity (a long running command with no output) that in certain - // network setups may cause ECONNTIMEOUT, leaving the client in an unknown - // state. Setting TCP KeepAlive on the socket connection will prohibit - // ECONNTIMEOUT unless the socket connection truly is broken - if tcpConn, ok := dial.(*net.TCPConn); ok { - tcpConn.SetKeepAlive(true) - tcpConn.SetKeepAlivePeriod(30 * time.Second) - } - - clientconn := httputil.NewClientConn(dial, nil) - defer clientconn.Close() - - // Server hijacks the connection, error 'connection closed' expected - clientconn.Do(req) - - rwc, br := clientconn.Hijack() - defer rwc.Close() - - if started != nil { - started <- rwc - } - - var oldState *term.State - if in != nil && setRawTerminal && cli.isTerminalIn && os.Getenv("NORAW") == "" { - oldState, err = term.SetRawTerminal(cli.inFd) - if err != nil { - return err - } - defer term.RestoreTerminal(cli.inFd, oldState) - } - - receiveStdout := make(chan error, 1) - if stdout != nil || stderr != nil { - go func() { - defer func() { - if in != nil { - if setRawTerminal && cli.isTerminalIn { - term.RestoreTerminal(cli.inFd, oldState) - } - in.Close() - } - }() - - // When TTY is ON, use regular copy - if setRawTerminal && stdout != nil { - _, err = io.Copy(stdout, br) - } else { - _, err = stdcopy.StdCopy(stdout, stderr, br) - } - logrus.Debugf("[hijack] End of stdout") - receiveStdout <- err - }() - } - - stdinDone := make(chan struct{}) - go func() { - if in != nil { - io.Copy(rwc, in) - logrus.Debugf("[hijack] End of stdin") - } - - if conn, ok := rwc.(interface { - CloseWrite() error - }); ok { - if err := conn.CloseWrite(); err != nil { - logrus.Debugf("Couldn't send EOF: %s", err) - } - } - close(stdinDone) - }() - - select { - case err := <-receiveStdout: - if err != nil { - logrus.Debugf("Error receiveStdout: %s", err) - return err - } - case <-stdinDone: - if stdout != nil || stderr != nil { - if err := <-receiveStdout; err != nil { - logrus.Debugf("Error receiveStdout: %s", err) - return err - } - } - } - - return nil -} diff --git a/api/client/lib/client.go b/api/client/lib/client.go index 31bd3efc02..3625a8170f 100644 --- a/api/client/lib/client.go +++ b/api/client/lib/client.go @@ -17,17 +17,17 @@ import ( // against a docker server. type Client struct { // proto holds the client protocol i.e. unix. - Proto string + proto string // addr holds the client address. - Addr string + addr string // basePath holds the path to prepend to the requests - BasePath string + basePath string // scheme holds the scheme of the client i.e. https. - Scheme string + scheme string // tlsConfig holds the tls configuration to use in hijacked requests. tlsConfig *tls.Config // httpClient holds the client transport instance. Exported to keep the old code running. - HTTPClient *http.Client + httpClient *http.Client // version of the server to talk to. version version.Version // custom http headers configured by users @@ -80,12 +80,12 @@ func NewClientWithVersion(host string, version version.Version, tlsOptions *tlsc sockets.ConfigureTCPTransport(transport, proto, addr) return &Client{ - Proto: proto, - Addr: addr, - BasePath: basePath, - Scheme: scheme, + proto: proto, + addr: addr, + basePath: basePath, + scheme: scheme, tlsConfig: tlsConfig, - HTTPClient: &http.Client{Transport: transport}, + httpClient: &http.Client{Transport: transport}, version: version, customHTTPHeaders: httpHeaders, }, nil @@ -94,7 +94,7 @@ func NewClientWithVersion(host string, version version.Version, tlsOptions *tlsc // getAPIPath returns the versioned request path to call the api. // It appends the query parameters to the path if they are not empty. func (cli *Client) getAPIPath(p string, query url.Values) string { - apiPath := fmt.Sprintf("%s/v%s%s", cli.BasePath, cli.version, p) + apiPath := fmt.Sprintf("%s/v%s%s", cli.basePath, cli.version, p) if len(query) > 0 { apiPath += "?" + query.Encode() } diff --git a/api/client/lib/hijack.go b/api/client/lib/hijack.go index 70ada0369b..4fcb4f62b0 100644 --- a/api/client/lib/hijack.go +++ b/api/client/lib/hijack.go @@ -39,12 +39,12 @@ func (cli *Client) postHijacked(path string, query url.Values, body interface{}, if err != nil { return types.HijackedResponse{}, err } - req.Host = cli.Addr + req.Host = cli.addr req.Header.Set("Connection", "Upgrade") req.Header.Set("Upgrade", "tcp") - conn, err := dial(cli.Proto, cli.Addr, cli.tlsConfig) + conn, err := dial(cli.proto, cli.addr, cli.tlsConfig) if err != nil { if strings.Contains(err.Error(), "connection refused") { return types.HijackedResponse{}, fmt.Errorf("Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?") diff --git a/api/client/lib/request.go b/api/client/lib/request.go index 9fcab7e425..db3e5065a2 100644 --- a/api/client/lib/request.go +++ b/api/client/lib/request.go @@ -83,14 +83,14 @@ func (cli *Client) sendClientRequest(method, path string, query url.Values, body } req, err := cli.newRequest(method, path, query, body, headers) - req.URL.Host = cli.Addr - req.URL.Scheme = cli.Scheme + req.URL.Host = cli.addr + req.URL.Scheme = cli.scheme if expectedPayload && req.Header.Get("Content-Type") == "" { req.Header.Set("Content-Type", "text/plain") } - resp, err := cli.HTTPClient.Do(req) + resp, err := cli.httpClient.Do(req) if resp != nil { serverResp.statusCode = resp.StatusCode } @@ -100,10 +100,10 @@ func (cli *Client) sendClientRequest(method, path string, query url.Values, body return serverResp, ErrConnectionFailed } - if cli.Scheme == "http" && strings.Contains(err.Error(), "malformed HTTP response") { + if cli.scheme == "http" && strings.Contains(err.Error(), "malformed HTTP response") { return serverResp, fmt.Errorf("%v.\n* Are you trying to connect to a TLS-enabled daemon without TLS?", err) } - if cli.Scheme == "https" && strings.Contains(err.Error(), "remote error: bad certificate") { + if cli.scheme == "https" && strings.Contains(err.Error(), "remote error: bad certificate") { return serverResp, fmt.Errorf("The server probably has client authentication (--tlsverify) enabled. Please check your TLS client certification settings: %v", err) } diff --git a/api/client/utils.go b/api/client/utils.go index 40b14efac1..e03ec5ffaa 100644 --- a/api/client/utils.go +++ b/api/client/utils.go @@ -1,164 +1,20 @@ package client import ( - "bytes" - "encoding/base64" - "encoding/json" - "errors" "fmt" - "io" - "io/ioutil" - "net/http" "os" gosignal "os/signal" "runtime" - "strings" "time" "github.com/Sirupsen/logrus" - "github.com/docker/docker/api" "github.com/docker/docker/api/client/lib" "github.com/docker/docker/api/types" - "github.com/docker/docker/cliconfig" - "github.com/docker/docker/dockerversion" - "github.com/docker/docker/pkg/jsonmessage" "github.com/docker/docker/pkg/signal" - "github.com/docker/docker/pkg/stdcopy" "github.com/docker/docker/pkg/term" "github.com/docker/docker/registry" - "github.com/docker/docker/utils" ) -var ( - errConnectionFailed = errors.New("Cannot connect to the Docker daemon. Is the docker daemon running on this host?") -) - -type serverResponse struct { - body io.ReadCloser - header http.Header - statusCode int -} - -// HTTPClient creates a new HTTP client with the cli's client transport instance. -func (cli *DockerCli) HTTPClient() *http.Client { - return &http.Client{Transport: cli.transport} -} - -func (cli *DockerCli) encodeData(data interface{}) (*bytes.Buffer, error) { - params := bytes.NewBuffer(nil) - if data != nil { - if err := json.NewEncoder(params).Encode(data); err != nil { - return nil, err - } - } - return params, nil -} - -func (cli *DockerCli) clientRequest(method, path string, in io.Reader, headers map[string][]string) (*serverResponse, error) { - - serverResp := &serverResponse{ - body: nil, - statusCode: -1, - } - - expectedPayload := (method == "POST" || method == "PUT") - if expectedPayload && in == nil { - in = bytes.NewReader([]byte{}) - } - req, err := http.NewRequest(method, fmt.Sprintf("%s/v%s%s", cli.basePath, api.Version, path), in) - if err != nil { - return serverResp, err - } - - // Add CLI Config's HTTP Headers BEFORE we set the Docker headers - // then the user can't change OUR headers - for k, v := range cli.configFile.HTTPHeaders { - req.Header.Set(k, v) - } - - req.Header.Set("User-Agent", "Docker-Client/"+dockerversion.Version+" ("+runtime.GOOS+")") - req.URL.Host = cli.addr - req.URL.Scheme = cli.scheme - - if headers != nil { - for k, v := range headers { - req.Header[k] = v - } - } - - if expectedPayload && req.Header.Get("Content-Type") == "" { - req.Header.Set("Content-Type", "text/plain") - } - - resp, err := cli.HTTPClient().Do(req) - if resp != nil { - serverResp.statusCode = resp.StatusCode - } - - if err != nil { - if utils.IsTimeout(err) || strings.Contains(err.Error(), "connection refused") || strings.Contains(err.Error(), "dial unix") { - return serverResp, errConnectionFailed - } - - if cli.tlsConfig == nil && strings.Contains(err.Error(), "malformed HTTP response") { - return serverResp, fmt.Errorf("%v.\n* Are you trying to connect to a TLS-enabled daemon without TLS?", err) - } - if cli.tlsConfig != nil && strings.Contains(err.Error(), "remote error: bad certificate") { - return serverResp, fmt.Errorf("The server probably has client authentication (--tlsverify) enabled. Please check your TLS client certification settings: %v", err) - } - - return serverResp, fmt.Errorf("An error occurred trying to connect: %v", err) - } - - if serverResp.statusCode < 200 || serverResp.statusCode >= 400 { - body, err := ioutil.ReadAll(resp.Body) - if err != nil { - return serverResp, err - } - if len(body) == 0 { - return serverResp, fmt.Errorf("Error: request returned %s for API route and version %s, check if the server supports the requested API version", http.StatusText(serverResp.statusCode), req.URL) - } - return serverResp, fmt.Errorf("Error response from daemon: %s", bytes.TrimSpace(body)) - } - - serverResp.body = resp.Body - serverResp.header = resp.Header - return serverResp, nil -} - -// cmdAttempt builds the corresponding registry Auth Header from the given -// authConfig. It returns the servers body, status, error response -func (cli *DockerCli) cmdAttempt(authConfig cliconfig.AuthConfig, method, path string, in io.Reader, out io.Writer) (io.ReadCloser, int, error) { - buf, err := json.Marshal(authConfig) - if err != nil { - return nil, -1, err - } - registryAuthHeader := []string{ - base64.URLEncoding.EncodeToString(buf), - } - - // begin the request - serverResp, err := cli.clientRequest(method, path, in, map[string][]string{ - "X-Registry-Auth": registryAuthHeader, - }) - if err == nil && out != nil { - // If we are streaming output, complete the stream since - // errors may not appear until later. - err = cli.streamBody(serverResp.body, serverResp.header.Get("Content-Type"), true, out, nil) - } - if err != nil { - // Since errors in a stream appear after status 200 has been written, - // we may need to change the status code. - if strings.Contains(err.Error(), "Authentication is required") || - strings.Contains(err.Error(), "Status 401") || - strings.Contains(err.Error(), "401 Unauthorized") || - strings.Contains(err.Error(), "status code 401") { - serverResp.statusCode = http.StatusUnauthorized - } - } - return serverResp.body, serverResp.statusCode, err -} - func (cli *DockerCli) encodeRegistryAuth(index *registry.IndexInfo) (string, error) { authConfig := registry.ResolveAuthConfig(cli.configFile, index) return authConfig.EncodeToBase64() @@ -174,85 +30,6 @@ func (cli *DockerCli) registryAuthenticationPrivilegedFunc(index *registry.Index } } -func (cli *DockerCli) clientRequestAttemptLogin(method, path string, in io.Reader, out io.Writer, index *registry.IndexInfo, cmdName string) (io.ReadCloser, int, error) { - - // Resolve the Auth config relevant for this server - authConfig := registry.ResolveAuthConfig(cli.configFile, index) - body, statusCode, err := cli.cmdAttempt(authConfig, method, path, in, out) - if statusCode == http.StatusUnauthorized { - fmt.Fprintf(cli.out, "\nPlease login prior to %s:\n", cmdName) - if err = cli.CmdLogin(index.GetAuthConfigKey()); err != nil { - return nil, -1, err - } - authConfig = registry.ResolveAuthConfig(cli.configFile, index) - return cli.cmdAttempt(authConfig, method, path, in, out) - } - return body, statusCode, err -} - -func (cli *DockerCli) callWrapper(method, path string, data interface{}, headers map[string][]string) (io.ReadCloser, http.Header, int, error) { - sr, err := cli.call(method, path, data, headers) - return sr.body, sr.header, sr.statusCode, err -} - -func (cli *DockerCli) call(method, path string, data interface{}, headers map[string][]string) (*serverResponse, error) { - params, err := cli.encodeData(data) - if err != nil { - sr := &serverResponse{ - body: nil, - header: nil, - statusCode: -1, - } - return sr, nil - } - - if data != nil { - if headers == nil { - headers = make(map[string][]string) - } - headers["Content-Type"] = []string{"application/json"} - } - - serverResp, err := cli.clientRequest(method, path, params, headers) - return serverResp, err -} - -type streamOpts struct { - rawTerminal bool - in io.Reader - out io.Writer - err io.Writer - headers map[string][]string -} - -func (cli *DockerCli) stream(method, path string, opts *streamOpts) (*serverResponse, error) { - serverResp, err := cli.clientRequest(method, path, opts.in, opts.headers) - if err != nil { - return serverResp, err - } - return serverResp, cli.streamBody(serverResp.body, serverResp.header.Get("Content-Type"), opts.rawTerminal, opts.out, opts.err) -} - -func (cli *DockerCli) streamBody(body io.ReadCloser, contentType string, rawTerminal bool, stdout, stderr io.Writer) error { - defer body.Close() - - if api.MatchesContentType(contentType, "application/json") { - return jsonmessage.DisplayJSONMessagesStream(body, stdout, cli.outFd, cli.isTerminalOut) - } - if stdout != nil || stderr != nil { - // When TTY is ON, use regular copy - var err error - if rawTerminal { - _, err = io.Copy(stdout, body) - } else { - _, err = stdcopy.StdCopy(stdout, stderr, body) - } - logrus.Debugf("[stream] End of stdout") - return err - } - return nil -} - func (cli *DockerCli) resizeTty(id string, isExec bool) { height, width := cli.getTtySize() if height == 0 && width == 0 { @@ -349,17 +126,3 @@ func (cli *DockerCli) getTtySize() (int, int) { } return int(ws.Height), int(ws.Width) } - -func readBody(serverResp *serverResponse, err error) ([]byte, int, error) { - if serverResp.body != nil { - defer serverResp.body.Close() - } - if err != nil { - return nil, serverResp.statusCode, err - } - body, err := ioutil.ReadAll(serverResp.body) - if err != nil { - return nil, -1, err - } - return body, serverResp.statusCode, nil -}