src/dockerproxy.js

'use strict';

exports = module.exports = {
    start: start,
    stop: stop
};

var apps = require('./apps.js'),
    assert = require('assert'),
    BoxError = require('./boxerror.js'),
    constants = require('./constants.js'),
    express = require('express'),
    debug = require('debug')('box:dockerproxy'),
    http = require('http'),
    HttpError = require('connect-lastmile').HttpError,
    middleware = require('./middleware'),
    net = require('net'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    _ = require('underscore');

var gHttpServer = null;

function authorizeApp(req, res, next) {
    // TODO add here some authorization
    // - block apps not using the docker addon
    // - block calls regarding platform containers
    // - only allow managing and inspection of containers belonging to the app

    // make the tests pass for now
    if (constants.TEST) {
        req.app = { id: 'testappid' };
        return next();
    }

    apps.getByIpAddress(req.connection.remoteAddress, function (error, app) {
        if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
        if (error) return next(new HttpError(500, error));

        if (!('docker' in app.manifest.addons)) return next(new HttpError(401, 'Unauthorized'));

        req.app = app;

        next();
    });
}

function attachDockerRequest(req, res, next) {
    var options = {
        socketPath: '/var/run/docker.sock',
        method: req.method,
        path: req.url,
        headers: req.headers
    };

    req.dockerRequest = http.request(options, function (dockerResponse) {
        res.writeHead(dockerResponse.statusCode, dockerResponse.headers);

        // Force node to send out the headers, this is required for the /container/wait api to make the docker cli proceed
        res.write(' ');

        dockerResponse.on('error', function (error) { console.error('dockerResponse error:', error); });
        dockerResponse.pipe(res, { end: true });
    });

    next();
}

// eslint-disable-next-line no-unused-vars
function containersCreate(req, res, next) {
    safe.set(req.body, 'HostConfig.NetworkMode', 'cloudron'); // overwrite the network the container lives in
    safe.set(req.body, 'NetworkingConfig', {}); // drop any custom network configs
    safe.set(req.body, 'Labels',  _.extend({ }, safe.query(req.body, 'Labels'), { appId: req.app.id, isCloudronManaged: String(false) }));    // overwrite the app id to track containers of an app
    safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': 'udp://127.0.0.1:2514', 'syslog-format': 'rfc5424' }});

    const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data'),
        dockerDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'docker');

    debug('Original volume binds:', req.body.HostConfig.Binds);

    let binds = [];
    for (let bind of (req.body.HostConfig.Binds || [])) {
        if (bind.startsWith(appDataDir)) binds.push(bind); // eclipse will inspect docker to find out the host folders and pass that to child containers
        else if (bind.startsWith('/app/data')) binds.push(bind.replace(new RegExp('^/app/data'), appDataDir));
        else binds.push(`${dockerDataDir}/${bind}`);
    }

    // cleanup the paths from potential double slashes
    binds = binds.map(function (bind) { return bind.replace(/\/+/g, '/'); });

    debug('Rewritten volume binds:', binds);
    safe.set(req.body, 'HostConfig.Binds', binds);

    let plainBody = JSON.stringify(req.body);

    req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
    req.dockerRequest.end(plainBody);
}

// eslint-disable-next-line no-unused-vars
function process(req, res, next) {
    // we have to rebuild the body since we consumed in in the parser
    if (Object.keys(req.body).length !== 0) {
        let plainBody = JSON.stringify(req.body);
        req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
        req.dockerRequest.end(plainBody);
    } else if (!req.readable) {
        req.dockerRequest.end();
    } else {
        req.pipe(req.dockerRequest, { end: true });
    }
}

function start(callback) {
    assert.strictEqual(typeof callback, 'function');
    assert(gHttpServer === null, 'Already started');

    let json = middleware.json({ strict: true });
    let router = new express.Router();
    router.post('/:version/containers/create', containersCreate);

    let proxyServer = express();

    if (constants.TEST) {
        proxyServer.use(function (req, res, next) {
            debug('proxying: ' + req.method, req.url);
            next();
        });
    }

    proxyServer.use(authorizeApp)
        .use(attachDockerRequest)
        .use(json)
        .use(router)
        .use(process)
        .use(middleware.lastMile());

    gHttpServer = http.createServer(proxyServer);
    gHttpServer.listen(constants.DOCKER_PROXY_PORT, '0.0.0.0', callback);

    debug(`startDockerProxy: started proxy on port ${constants.DOCKER_PROXY_PORT}`);

    // eslint-disable-next-line no-unused-vars
    gHttpServer.on('upgrade', function (req, client, head) {
        // Create a new tcp connection to the TCP server
        var remote = net.connect('/var/run/docker.sock', function () {
            var upgradeMessage = req.method + ' ' + req.url + ' HTTP/1.1\r\n' +
                                `Host: ${req.headers.host}\r\n` +
                                'Connection: Upgrade\r\n' +
                                'Upgrade: tcp\r\n';

            if (req.headers['content-type'] === 'application/json') {
                // TODO we have to parse the immediate upgrade request body, but I don't know how
                let plainBody = '{"Detach":false,"Tty":false}\r\n';
                upgradeMessage += 'Content-Type: application/json\r\n';
                upgradeMessage += `Content-Length: ${Buffer.byteLength(plainBody)}\r\n`;
                upgradeMessage += '\r\n';
                upgradeMessage += plainBody;
            }

            upgradeMessage += '\r\n';

            // resend the upgrade event to the docker daemon, so it responds with the proper message through the pipes
            remote.write(upgradeMessage);

            // two-way pipes between client and docker daemon
            client.pipe(remote).pipe(client);
        });
    });
}

function stop(callback) {
    assert.strictEqual(typeof callback, 'function');

    if (gHttpServer) gHttpServer.close();

    gHttpServer = null;

    callback();
}
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00			`'use strict';`

			`exports = module.exports = {`
			`start: start,`
			`stop: stop`
			`};`

dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`var apps = require('./apps.js'),`
			`assert = require('assert'),`
Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`BoxError = require('./boxerror.js'),`
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			`constants = require('./constants.js'),`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`express = require('express'),`
Set the correct debug label 2018-08-13 22:06:28 +02:00			`debug = require('debug')('box:dockerproxy'),`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`http = require('http'),`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`HttpError = require('connect-lastmile').HttpError,`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`middleware = require('./middleware'),`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`net = require('net'),`
			`path = require('path'),`
			`paths = require('./paths.js'),`
			`safe = require('safetydance'),`
			`_ = require('underscore');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
rename variable 2018-08-14 19:03:10 -07:00			`var gHttpServer = null;`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function authorizeApp(req, res, next) {`
			`// TODO add here some authorization`
			`// - block apps not using the docker addon`
			`// - block calls regarding platform containers`
			`// - only allow managing and inspection of containers belonging to the app`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00			`// make the tests pass for now`
move use of TEST and CLOUDRON to constants 2019-07-26 10:10:14 -07:00			`if (constants.TEST) {`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00			`req.app = { id: 'testappid' };`
			`return next();`
			`}`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
			`apps.getByIpAddress(req.connection.remoteAddress, function (error, app) {`
Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`if (error && error.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`if (error) return next(new HttpError(500, error));`

			`if (!('docker' in app.manifest.addons)) return next(new HttpError(401, 'Unauthorized'));`

			`req.app = app;`

			`next();`
			`});`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`}`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function attachDockerRequest(req, res, next) {`
			`var options = {`
			`socketPath: '/var/run/docker.sock',`
			`method: req.method,`
			`path: req.url,`
			`headers: req.headers`
			`};`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest = http.request(options, function (dockerResponse) {`
			`res.writeHead(dockerResponse.statusCode, dockerResponse.headers);`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`// Force node to send out the headers, this is required for the /container/wait api to make the docker cli proceed`
			`res.write(' ');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`dockerResponse.on('error', function (error) { console.error('dockerResponse error:', error); });`
			`dockerResponse.pipe(res, { end: true });`
			`});`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`next();`
			`}`
No need to pull in underscore to build an object 2018-08-13 22:01:51 +02:00
Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function containersCreate(req, res, next) {`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`safe.set(req.body, 'HostConfig.NetworkMode', 'cloudron'); // overwrite the network the container lives in`
Drop all custom network configs in docker proxy 2018-08-17 16:50:11 +02:00			`safe.set(req.body, 'NetworkingConfig', {}); // drop any custom network configs`
Remove all app containers before removing volume If volume location changes, we re-create the volume. However, volume can only be removed if all the containers using it are deleted. For example, the scheduler might be running a container using it. 2019-01-17 23:32:24 -08:00			`safe.set(req.body, 'Labels', _.extend({ }, safe.query(req.body, 'Labels'), { appId: req.app.id, isCloudronManaged: String(false) })); // overwrite the app id to track containers of an app`
Remove nativeLogging docker addon support Was only required for eclipse che 2018-08-20 15:22:08 +02:00			`safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': 'udp://127.0.0.1:2514', 'syslog-format': 'rfc5424' }});`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00
Fix bind mapping logic 2018-08-15 16:47:06 -07:00			`const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data'),`
			`dockerDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'docker');`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
Add some debugs for volume rewriting 2018-08-15 16:51:10 +02:00			`debug('Original volume binds:', req.body.HostConfig.Binds);`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`let binds = [];`
			`for (let bind of (req.body.HostConfig.Binds \|\| [])) {`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00			`if (bind.startsWith(appDataDir)) binds.push(bind); // eclipse will inspect docker to find out the host folders and pass that to child containers`
			`else if (bind.startsWith('/app/data')) binds.push(bind.replace(new RegExp('^/app/data'), appDataDir));`
Fix bind mapping logic 2018-08-15 16:47:06 -07:00			else binds.push(`${dockerDataDir}/${bind}`);
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`}`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
			`// cleanup the paths from potential double slashes`
			`binds = binds.map(function (bind) { return bind.replace(/\/+/g, '/'); });`

			`debug('Rewritten volume binds:', binds);`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`safe.set(req.body, 'HostConfig.Binds', binds);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`let plainBody = JSON.stringify(req.body);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));`
			`req.dockerRequest.end(plainBody);`
			`}`

Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function process(req, res, next) {`
Ensure we pipe the parsed body again upstream to docker 2018-08-16 14:28:51 +02:00			`// we have to rebuild the body since we consumed in in the parser`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00			`if (Object.keys(req.body).length !== 0) {`
Ensure we pipe the parsed body again upstream to docker 2018-08-16 14:28:51 +02:00			`let plainBody = JSON.stringify(req.body);`
			`req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));`
			`req.dockerRequest.end(plainBody);`
			`} else if (!req.readable) {`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest.end();`
			`} else {`
			`req.pipe(req.dockerRequest, { end: true });`
			`}`
			`}`

			`function start(callback) {`
			`assert.strictEqual(typeof callback, 'function');`
rename variable 2018-08-14 19:03:10 -07:00			`assert(gHttpServer === null, 'Already started');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`let json = middleware.json({ strict: true });`
			`let router = new express.Router();`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`router.post('/:version/containers/create', containersCreate);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`let proxyServer = express();`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00
move use of TEST and CLOUDRON to constants 2019-07-26 10:10:14 -07:00			`if (constants.TEST) {`
Make tests work 2018-08-20 20:10:14 -07:00			`proxyServer.use(function (req, res, next) {`
Fix failing tests 2019-01-04 10:04:28 -08:00			`debug('proxying: ' + req.method, req.url);`
Make tests work 2018-08-20 20:10:14 -07:00			`next();`
			`});`
			`}`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`proxyServer.use(authorizeApp)`
			`.use(attachDockerRequest)`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`.use(json)`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`.use(router)`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`.use(process)`
			`.use(middleware.lastMile());`
Overwrite the docker container network in the proxy 2018-08-14 22:52:00 +02:00
rename variable 2018-08-14 19:03:10 -07:00			`gHttpServer = http.createServer(proxyServer);`
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			`gHttpServer.listen(constants.DOCKER_PROXY_PORT, '0.0.0.0', callback);`
Overwrite the docker container network in the proxy 2018-08-14 22:52:00 +02:00
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			debug(`startDockerProxy: started proxy on port ${constants.DOCKER_PROXY_PORT}`);
Make the docker proxy work 2018-08-13 22:14:56 +02:00
Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
rename variable 2018-08-14 19:03:10 -07:00			`gHttpServer.on('upgrade', function (req, client, head) {`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`// Create a new tcp connection to the TCP server`
			`var remote = net.connect('/var/run/docker.sock', function () {`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			`var upgradeMessage = req.method + ' ' + req.url + ' HTTP/1.1\r\n' +`
			`Host: ${req.headers.host}\r\n` +
			`'Connection: Upgrade\r\n' +`
			`'Upgrade: tcp\r\n';`

			`if (req.headers['content-type'] === 'application/json') {`
			`// TODO we have to parse the immediate upgrade request body, but I don't know how`
			`let plainBody = '{"Detach":false,"Tty":false}\r\n';`
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			`upgradeMessage += 'Content-Type: application/json\r\n';`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			upgradeMessage += `Content-Length: ${Buffer.byteLength(plainBody)}\r\n`;
			`upgradeMessage += '\r\n';`
			`upgradeMessage += plainBody;`
			`}`

			`upgradeMessage += '\r\n';`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
			`// resend the upgrade event to the docker daemon, so it responds with the proper message through the pipes`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			`remote.write(upgradeMessage);`

			`// two-way pipes between client and docker daemon`
			`client.pipe(remote).pipe(client);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`});`
			`});`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00			`}`

			`function stop(callback) {`
			`assert.strictEqual(typeof callback, 'function');`

rename variable 2018-08-14 19:03:10 -07:00			`if (gHttpServer) gHttpServer.close();`

			`gHttpServer = null;`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
			`callback();`
Fix bind mapping logic 2018-08-15 16:47:06 -07:00			`}`