| package daemon // import "github.com/docker/docker/daemon" |
| |
| import ( |
| "context" |
| "fmt" |
| "sort" |
| "strconv" |
| "strings" |
| |
| "github.com/containerd/log" |
| "github.com/docker/docker/api/types" |
| "github.com/docker/docker/api/types/backend" |
| containertypes "github.com/docker/docker/api/types/container" |
| "github.com/docker/docker/api/types/filters" |
| "github.com/docker/docker/container" |
| "github.com/docker/docker/errdefs" |
| "github.com/docker/docker/image" |
| "github.com/docker/go-connections/nat" |
| "github.com/pkg/errors" |
| ) |
| |
| var acceptedPsFilterTags = map[string]bool{ |
| "ancestor": true, |
| "before": true, |
| "exited": true, |
| "id": true, |
| "isolation": true, |
| "label": true, |
| "name": true, |
| "status": true, |
| "health": true, |
| "since": true, |
| "volume": true, |
| "network": true, |
| "is-task": true, |
| "publish": true, |
| "expose": true, |
| } |
| |
| // iterationAction represents possible outcomes happening during the container iteration. |
| type iterationAction int |
| |
| const ( |
| // includeContainer is the action to include a container. |
| includeContainer iterationAction = iota |
| // excludeContainer is the action to exclude a container. |
| excludeContainer |
| // stopIteration is the action to stop iterating over the list of containers. |
| stopIteration |
| ) |
| |
| // List returns an array of all containers registered in the daemon. |
| func (daemon *Daemon) List() []*container.Container { |
| return daemon.containers.List() |
| } |
| |
| // listContext is the daemon generated filtering to iterate over containers. |
| // This is created based on the user specification from [containertypes.ListOptions]. |
| type listContext struct { |
| // idx is the container iteration index for this context |
| idx int |
| // ancestorFilter tells whether it should check ancestors or not |
| ancestorFilter bool |
| // names is a list of container names to filter with |
| names map[string][]string |
| // images is a list of images to filter with |
| images map[image.ID]bool |
| // filters is a collection of arguments to filter with, specified by the user |
| filters filters.Args |
| // exitAllowed is a list of exit codes allowed to filter with |
| exitAllowed []int |
| |
| // beforeFilter is a filter to ignore containers that appear before the one given |
| beforeFilter *container.Snapshot |
| // sinceFilter is a filter to stop the filtering when the iterator arrives to the given container |
| sinceFilter *container.Snapshot |
| |
| // taskFilter tells if we should filter based on whether a container is part of a task |
| taskFilter bool |
| // isTask tells us if we should filter container that is a task (true) or not (false) |
| isTask bool |
| |
| // publish is a list of published ports to filter with |
| publish map[nat.Port]bool |
| // expose is a list of exposed ports to filter with |
| expose map[nat.Port]bool |
| |
| // ListOptions is the filters set by the user |
| *containertypes.ListOptions |
| } |
| |
| // byCreatedDescending is a temporary type used to sort a list of containers by creation time. |
| type byCreatedDescending []container.Snapshot |
| |
| func (r byCreatedDescending) Len() int { return len(r) } |
| func (r byCreatedDescending) Swap(i, j int) { r[i], r[j] = r[j], r[i] } |
| func (r byCreatedDescending) Less(i, j int) bool { |
| return r[j].CreatedAt.UnixNano() < r[i].CreatedAt.UnixNano() |
| } |
| |
| // Containers returns the list of containers to show given the user's filtering. |
| func (daemon *Daemon) Containers(ctx context.Context, config *containertypes.ListOptions) ([]*types.Container, error) { |
| if err := config.Filters.Validate(acceptedPsFilterTags); err != nil { |
| return nil, err |
| } |
| |
| var ( |
| view = daemon.containersReplica.Snapshot() |
| containers = []*types.Container{} |
| ) |
| |
| filter, err := daemon.foldFilter(ctx, view, config) |
| if err != nil { |
| return nil, err |
| } |
| |
| // fastpath to only look at a subset of containers if specific name |
| // or ID matches were provided by the user--otherwise we potentially |
| // end up querying many more containers than intended |
| containerList, err := daemon.filterByNameIDMatches(view, filter) |
| if err != nil { |
| return nil, err |
| } |
| |
| for i := range containerList { |
| currentContainer := &containerList[i] |
| switch includeContainerInList(currentContainer, filter) { |
| case excludeContainer: |
| continue |
| case stopIteration: |
| return containers, nil |
| } |
| |
| // transform internal container struct into api structs |
| newC, err := daemon.refreshImage(ctx, currentContainer) |
| if err != nil { |
| return nil, err |
| } |
| |
| // release lock because size calculation is slow |
| if filter.Size { |
| sizeRw, sizeRootFs, err := daemon.imageService.GetContainerLayerSize(ctx, newC.ID) |
| if err != nil { |
| return nil, err |
| } |
| newC.SizeRw = sizeRw |
| newC.SizeRootFs = sizeRootFs |
| } |
| if newC != nil { |
| containers = append(containers, newC) |
| filter.idx++ |
| } |
| } |
| |
| return containers, nil |
| } |
| |
| func (daemon *Daemon) filterByNameIDMatches(view *container.View, filter *listContext) ([]container.Snapshot, error) { |
| idSearch := false |
| names := filter.filters.Get("name") |
| ids := filter.filters.Get("id") |
| if len(names)+len(ids) == 0 { |
| // if name or ID filters are not in use, return to |
| // standard behavior of walking the entire container |
| // list from the daemon's in-memory store |
| all, err := view.All() |
| if err != nil { |
| return nil, err |
| } |
| sort.Sort(byCreatedDescending(all)) |
| return all, nil |
| } |
| |
| // idSearch will determine if we limit name matching to the IDs |
| // matched from any IDs which were specified as filters |
| if len(ids) > 0 { |
| idSearch = true |
| } |
| |
| matches := make(map[string]bool) |
| // find ID matches; errors represent "not found" and can be ignored |
| for _, id := range ids { |
| if fullID, err := daemon.containersReplica.GetByPrefix(id); err == nil { |
| matches[fullID] = true |
| } |
| } |
| |
| // look for name matches; if ID filtering was used, then limit the |
| // search space to the matches map only; errors represent "not found" |
| // and can be ignored |
| if len(names) > 0 { |
| for id, idNames := range filter.names { |
| // if ID filters were used and no matches on that ID were |
| // found, continue to next ID in the list |
| if idSearch && !matches[id] { |
| continue |
| } |
| for _, eachName := range idNames { |
| // match both on container name with, and without slash-prefix |
| if filter.filters.Match("name", eachName) || filter.filters.Match("name", strings.TrimPrefix(eachName, "/")) { |
| matches[id] = true |
| } |
| } |
| } |
| } |
| |
| cntrs := make([]container.Snapshot, 0, len(matches)) |
| for id := range matches { |
| c, err := view.Get(id) |
| if err != nil { |
| if errdefs.IsNotFound(err) { |
| // ignore error |
| continue |
| } |
| return nil, err |
| } |
| cntrs = append(cntrs, *c) |
| } |
| |
| // Restore sort-order after filtering |
| // Created gives us nanosec resolution for sorting |
| sort.Sort(byCreatedDescending(cntrs)) |
| |
| return cntrs, nil |
| } |
| |
| // foldFilter generates the container filter based on the user's filtering options. |
| func (daemon *Daemon) foldFilter(ctx context.Context, view *container.View, config *containertypes.ListOptions) (*listContext, error) { |
| psFilters := config.Filters |
| |
| var filtExited []int |
| |
| err := psFilters.WalkValues("exited", func(value string) error { |
| code, err := strconv.Atoi(value) |
| if err != nil { |
| return errdefs.InvalidParameter(errors.Wrapf(err, "invalid filter 'exited=%s'", value)) |
| } |
| filtExited = append(filtExited, code) |
| return nil |
| }) |
| if err != nil { |
| return nil, err |
| } |
| |
| err = psFilters.WalkValues("status", func(value string) error { |
| if !container.IsValidStateString(value) { |
| return errdefs.InvalidParameter(fmt.Errorf("invalid filter 'status=%s'", value)) |
| } |
| |
| config.All = true |
| return nil |
| }) |
| if err != nil { |
| return nil, err |
| } |
| |
| taskFilter := psFilters.Contains("is-task") |
| isTask, err := psFilters.GetBoolOrDefault("is-task", false) |
| if err != nil { |
| return nil, err |
| } |
| |
| err = psFilters.WalkValues("health", func(value string) error { |
| if !container.IsValidHealthString(value) { |
| return errdefs.InvalidParameter(fmt.Errorf("unrecognized filter value for health: %s", value)) |
| } |
| |
| return nil |
| }) |
| if err != nil { |
| return nil, err |
| } |
| |
| var beforeContFilter, sinceContFilter *container.Snapshot |
| |
| err = psFilters.WalkValues("before", func(value string) error { |
| beforeContFilter, err = idOrNameFilter(view, value) |
| return err |
| }) |
| if err != nil { |
| return nil, err |
| } |
| |
| err = psFilters.WalkValues("since", func(value string) error { |
| sinceContFilter, err = idOrNameFilter(view, value) |
| return err |
| }) |
| if err != nil { |
| return nil, err |
| } |
| |
| imagesFilter := map[image.ID]bool{} |
| var ancestorFilter bool |
| if psFilters.Contains("ancestor") { |
| ancestorFilter = true |
| err := psFilters.WalkValues("ancestor", func(ancestor string) error { |
| img, err := daemon.imageService.GetImage(ctx, ancestor, backend.GetImageOpts{}) |
| if err != nil { |
| log.G(ctx).Warnf("Error while looking up for image %v", ancestor) |
| return nil |
| } |
| if imagesFilter[img.ID()] { |
| // Already seen this ancestor, skip it |
| return nil |
| } |
| // Then walk down the graph and put the imageIds in imagesFilter |
| return populateImageFilterByParents(ctx, imagesFilter, img.ID(), daemon.imageService.Children) |
| }) |
| if err != nil { |
| return nil, err |
| } |
| } |
| |
| publishFilter := map[nat.Port]bool{} |
| err = psFilters.WalkValues("publish", portOp("publish", publishFilter)) |
| if err != nil { |
| return nil, err |
| } |
| |
| exposeFilter := map[nat.Port]bool{} |
| err = psFilters.WalkValues("expose", portOp("expose", exposeFilter)) |
| if err != nil { |
| return nil, err |
| } |
| |
| return &listContext{ |
| filters: psFilters, |
| ancestorFilter: ancestorFilter, |
| images: imagesFilter, |
| exitAllowed: filtExited, |
| beforeFilter: beforeContFilter, |
| sinceFilter: sinceContFilter, |
| taskFilter: taskFilter, |
| isTask: isTask, |
| publish: publishFilter, |
| expose: exposeFilter, |
| ListOptions: config, |
| names: view.GetAllNames(), |
| }, nil |
| } |
| |
| func idOrNameFilter(view *container.View, value string) (*container.Snapshot, error) { |
| filter, err := view.Get(value) |
| if err != nil && errdefs.IsNotFound(err) { |
| // Try name search instead |
| found := "" |
| for id, idNames := range view.GetAllNames() { |
| for _, eachName := range idNames { |
| if strings.TrimPrefix(value, "/") == strings.TrimPrefix(eachName, "/") { |
| if found != "" && found != id { |
| return nil, err |
| } |
| found = id |
| } |
| } |
| } |
| if found != "" { |
| filter, err = view.Get(found) |
| } |
| } |
| return filter, err |
| } |
| |
| func portOp(key string, filter map[nat.Port]bool) func(value string) error { |
| return func(value string) error { |
| if strings.Contains(value, ":") { |
| return fmt.Errorf("filter for '%s' should not contain ':': %s", key, value) |
| } |
| // support two formats, original format <portnum>/[<proto>] or <startport-endport>/[<proto>] |
| proto, port := nat.SplitProtoPort(value) |
| start, end, err := nat.ParsePortRange(port) |
| if err != nil { |
| return fmt.Errorf("error while looking up for %s %s: %s", key, value, err) |
| } |
| for i := start; i <= end; i++ { |
| p, err := nat.NewPort(proto, strconv.FormatUint(i, 10)) |
| if err != nil { |
| return fmt.Errorf("error while looking up for %s %s: %s", key, value, err) |
| } |
| filter[p] = true |
| } |
| return nil |
| } |
| } |
| |
| // includeContainerInList decides whether a container should be included in the output or not based in the filter. |
| // It also decides if the iteration should be stopped or not. |
| func includeContainerInList(container *container.Snapshot, filter *listContext) iterationAction { |
| // Do not include container if it's in the list before the filter container. |
| // Set the filter container to nil to include the rest of containers after this one. |
| if filter.beforeFilter != nil { |
| if container.ID == filter.beforeFilter.ID { |
| filter.beforeFilter = nil |
| } |
| return excludeContainer |
| } |
| |
| // Stop iteration when the container arrives to the filter container |
| if filter.sinceFilter != nil { |
| if container.ID == filter.sinceFilter.ID { |
| return stopIteration |
| } |
| } |
| |
| // Do not include container if it's stopped and we're not filters |
| if !container.Running && !filter.All && filter.Limit <= 0 { |
| return excludeContainer |
| } |
| |
| // Do not include container if the name doesn't match |
| if !filter.filters.Match("name", container.Name) && !filter.filters.Match("name", strings.TrimPrefix(container.Name, "/")) { |
| return excludeContainer |
| } |
| |
| // Do not include container if the id doesn't match |
| if !filter.filters.Match("id", container.ID) { |
| return excludeContainer |
| } |
| |
| if filter.taskFilter { |
| if filter.isTask != container.Managed { |
| return excludeContainer |
| } |
| } |
| |
| // Do not include container if any of the labels don't match |
| if !filter.filters.MatchKVList("label", container.Labels) { |
| return excludeContainer |
| } |
| |
| // Do not include container if isolation doesn't match |
| if excludeContainer == excludeByIsolation(container, filter) { |
| return excludeContainer |
| } |
| |
| // Stop iteration when the index is over the limit |
| if filter.Limit > 0 && filter.idx == filter.Limit { |
| return stopIteration |
| } |
| |
| // Do not include container if its exit code is not in the filter |
| if len(filter.exitAllowed) > 0 { |
| shouldSkip := true |
| for _, code := range filter.exitAllowed { |
| if code == container.ExitCode && !container.Running && !container.StartedAt.IsZero() { |
| shouldSkip = false |
| break |
| } |
| } |
| if shouldSkip { |
| return excludeContainer |
| } |
| } |
| |
| // Do not include container if its status doesn't match the filter |
| if !filter.filters.Match("status", container.State) { |
| return excludeContainer |
| } |
| |
| // Do not include container if its health doesn't match the filter |
| if !filter.filters.ExactMatch("health", container.Health) { |
| return excludeContainer |
| } |
| |
| if filter.filters.Contains("volume") { |
| volumesByName := make(map[string]types.MountPoint) |
| for _, m := range container.Mounts { |
| if m.Name != "" { |
| volumesByName[m.Name] = m |
| } else { |
| volumesByName[m.Source] = m |
| } |
| } |
| volumesByDestination := make(map[string]types.MountPoint) |
| for _, m := range container.Mounts { |
| if m.Destination != "" { |
| volumesByDestination[m.Destination] = m |
| } |
| } |
| |
| volumeExist := fmt.Errorf("volume mounted in container") |
| err := filter.filters.WalkValues("volume", func(value string) error { |
| if _, exist := volumesByDestination[value]; exist { |
| return volumeExist |
| } |
| if _, exist := volumesByName[value]; exist { |
| return volumeExist |
| } |
| return nil |
| }) |
| if err != volumeExist { |
| return excludeContainer |
| } |
| } |
| |
| if filter.ancestorFilter { |
| if len(filter.images) == 0 { |
| return excludeContainer |
| } |
| if !filter.images[image.ID(container.ImageID)] { |
| return excludeContainer |
| } |
| } |
| |
| var ( |
| networkExist = errors.New("container part of network") |
| noNetworks = errors.New("container is not part of any networks") |
| ) |
| if filter.filters.Contains("network") { |
| err := filter.filters.WalkValues("network", func(value string) error { |
| if container.NetworkSettings == nil { |
| return noNetworks |
| } |
| if _, ok := container.NetworkSettings.Networks[value]; ok { |
| return networkExist |
| } |
| for _, nw := range container.NetworkSettings.Networks { |
| if nw == nil { |
| continue |
| } |
| if strings.HasPrefix(nw.NetworkID, value) { |
| return networkExist |
| } |
| } |
| return nil |
| }) |
| if err != networkExist { |
| return excludeContainer |
| } |
| } |
| |
| if len(filter.expose) > 0 || len(filter.publish) > 0 { |
| var ( |
| shouldSkip = true |
| publishedPort nat.Port |
| exposedPort nat.Port |
| ) |
| for _, port := range container.Ports { |
| publishedPort = nat.Port(fmt.Sprintf("%d/%s", port.PublicPort, port.Type)) |
| exposedPort = nat.Port(fmt.Sprintf("%d/%s", port.PrivatePort, port.Type)) |
| if ok := filter.publish[publishedPort]; ok { |
| shouldSkip = false |
| break |
| } else if ok := filter.expose[exposedPort]; ok { |
| shouldSkip = false |
| break |
| } |
| } |
| if shouldSkip { |
| return excludeContainer |
| } |
| } |
| |
| return includeContainer |
| } |
| |
| // refreshImage checks if the Image ref still points to the correct ID, and |
| // updates the ref to the actual ID when it doesn't. |
| // This happens when the image with a reference that was used to create |
| // container was deleted or updated and now resolves to a different ID. |
| // |
| // For example: |
| // $ docker run -d busybox:latest |
| // $ docker ps -a |
| // CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES |
| // b0318bca5aef busybox "sh" 4 seconds ago Exited (0) 3 seconds ago ecstatic_beaver |
| // |
| // After some time, busybox image got updated on the Docker Hub: |
| // $ docker pull busybox:latest |
| // |
| // So now busybox:latest points to a different digest, but that doesn't impact |
| // the ecstatic_beaver container which was still created under an older |
| // version. In this case, it should still point to the original image ID it was |
| // created from. |
| // |
| // $ docker ps -a |
| // CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES |
| // b0318bca5aef 3fbc63216742 "sh" 3 years ago Exited (0) 3 years ago ecstatic_beaver |
| func (daemon *Daemon) refreshImage(ctx context.Context, s *container.Snapshot) (*types.Container, error) { |
| c := s.Container |
| |
| // s.Image is the image reference passed by the user to create an image |
| // can be a: |
| // - name (like nginx, ubuntu:latest, docker.io/library/busybox:latest), |
| // - truncated ID (abcdef), |
| // - full digest (sha256:abcdef...) |
| // |
| // s.ImageID is the ID of the image that s.Image resolved to at the time |
| // of the container creation. It's always a full digest. |
| |
| // If these match, there's nothing to refresh. |
| if s.Image == s.ImageID { |
| return &c, nil |
| } |
| |
| // Check if the image reference still resolves to the same digest. |
| img, err := daemon.imageService.GetImage(ctx, s.Image, backend.GetImageOpts{}) |
| // If the image is no longer found or can't be resolved for some other |
| // reason. Update the Image to the specific ID of the original image it |
| // resolved to when the container was created. |
| if err != nil { |
| if !errdefs.IsNotFound(err) { |
| log.G(ctx).WithFields(log.Fields{ |
| "error": err, |
| "containerID": c.ID, |
| "image": s.Image, |
| "imageID": s.ImageID, |
| }).Warn("failed to resolve container image") |
| } |
| c.Image = s.ImageID |
| return &c, nil |
| } |
| |
| // Also update the image to the specific image ID, if the Image now |
| // resolves to a different ID. |
| if img.ImageID() != s.ImageID { |
| c.Image = s.ImageID |
| } |
| |
| return &c, nil |
| } |
| |
| func populateImageFilterByParents(ctx context.Context, ancestorMap map[image.ID]bool, imageID image.ID, getChildren func(context.Context, image.ID) ([]image.ID, error)) error { |
| if !ancestorMap[imageID] { |
| children, err := getChildren(ctx, imageID) |
| if err != nil { |
| return err |
| } |
| for _, id := range children { |
| if err := populateImageFilterByParents(ctx, ancestorMap, id, getChildren); err != nil { |
| return err |
| } |
| } |
| ancestorMap[imageID] = true |
| } |
| return nil |
| } |