src/dockerproxy.js

'use strict';

exports = module.exports = {
    start,
    stop
};

const apps = require('./apps.js'),
    assert = require('assert'),
    constants = require('./constants.js'),
    express = require('express'),
    debug = require('debug')('box:dockerproxy'),
    http = require('http'),
    HttpError = require('connect-lastmile').HttpError,
    middleware = require('./middleware'),
    net = require('net'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    util = require('util'),
    _ = require('underscore');

let gHttpServer = null;

async function authorizeApp(req, res, next) {
    // make the tests pass for now
    if (constants.TEST) {
        req.app = { id: 'testappid' };
        return next();
    }

    const [error, app] = await safe(apps.getByIpAddress(req.connection.remoteAddress));
    if (error) return next(new HttpError(500, error));
    if (!app) return next(new HttpError(401, 'Unauthorized'));

    if (!('docker' in app.manifest.addons)) return next(new HttpError(401, 'Unauthorized'));

    req.app = app;

    next();
}

function attachDockerRequest(req, res, next) {
    const options = {
        socketPath: '/var/run/docker.sock',
        method: req.method,
        path: req.url,
        headers: req.headers
    };

    req.dockerRequest = http.request(options, function (dockerResponse) {
        res.writeHead(dockerResponse.statusCode, dockerResponse.headers);

        // Force node to send out the headers, this is required for the /container/wait api to make the docker cli proceed
        res.write(' ');

        dockerResponse.on('error', function (error) { debug('dockerResponse error:', error); });
        dockerResponse.pipe(res, { end: true });
    });

    req.dockerRequest.on('error', () => {}); // abort() throws

    next();
}

// eslint-disable-next-line no-unused-vars
function containersCreate(req, res, next) {
    safe.set(req.body, 'HostConfig.NetworkMode', 'cloudron'); // overwrite the network the container lives in
    safe.set(req.body, 'NetworkingConfig', {}); // drop any custom network configs
    safe.set(req.body, 'Labels',  _.extend({ }, safe.query(req.body, 'Labels'), { appId: req.app.id, isCloudronManaged: String(false) }));    // overwrite the app id to track containers of an app
    safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': 'udp://127.0.0.1:2514', 'syslog-format': 'rfc5424' }});

    const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data');

    debug('Original bind mounts:', req.body.HostConfig.Binds);

    let binds = [];
    for (let bind of (req.body.HostConfig.Binds || [])) {
        if (!bind.startsWith('/app/data/')) {
            req.dockerRequest.abort();
            return next(new HttpError(400, 'Binds must be under /app/data/'));
        }

        binds.push(bind.replace(new RegExp('^/app/data/'), appDataDir + '/'));
    }

    debug('Rewritten bind mounts:', binds);
    safe.set(req.body, 'HostConfig.Binds', binds);

    let plainBody = JSON.stringify(req.body);

    req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
    req.dockerRequest.end(plainBody);
}

// eslint-disable-next-line no-unused-vars
function process(req, res, next) {
    // we have to rebuild the body since we consumed in in the parser
    if (Object.keys(req.body).length !== 0) {
        let plainBody = JSON.stringify(req.body);
        req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
        req.dockerRequest.end(plainBody);
    } else if (!req.readable) {
        req.dockerRequest.end();
    } else {
        req.pipe(req.dockerRequest, { end: true });
    }
}

async function start() {
    assert(gHttpServer === null, 'Already started');

    const json = middleware.json({ strict: true });

    // we protect container create as the app/admin can otherwise mount random paths (like the ghost file)
    // protected other paths is done by preventing install/exec access of apps using docker addon
    const router = new express.Router();
    router.post('/:version/containers/create', containersCreate);

    const proxyServer = express();

    if (constants.TEST) {
        proxyServer.use(function (req, res, next) {
            debug('proxying: ' + req.method, req.url);
            next();
        });
    }

    proxyServer.use(authorizeApp)
        .use(attachDockerRequest)
        .use(json)
        .use(router)
        .use(process)
        .use(middleware.lastMile());

    gHttpServer = http.createServer(proxyServer);

    // Overwrite the default 2min request timeout. This is required for large builds for example
    gHttpServer.setTimeout(60 * 60 * 1000);

    debug(`startDockerProxy: started proxy on port ${constants.DOCKER_PROXY_PORT}`);

    // eslint-disable-next-line no-unused-vars
    gHttpServer.on('upgrade', function (req, client, head) {
        // Create a new tcp connection to the TCP server
        const remote = net.connect('/var/run/docker.sock', function () {
            let upgradeMessage = req.method + ' ' + req.url + ' HTTP/1.1\r\n' +
                                `Host: ${req.headers.host}\r\n` +
                                'Connection: Upgrade\r\n' +
                                'Upgrade: tcp\r\n';

            if (req.headers['content-type'] === 'application/json') {
                // TODO we have to parse the immediate upgrade request body, but I don't know how
                let plainBody = '{"Detach":false,"Tty":false}\r\n';
                upgradeMessage += 'Content-Type: application/json\r\n';
                upgradeMessage += `Content-Length: ${Buffer.byteLength(plainBody)}\r\n`;
                upgradeMessage += '\r\n';
                upgradeMessage += plainBody;
            }

            upgradeMessage += '\r\n';

            // resend the upgrade event to the docker daemon, so it responds with the proper message through the pipes
            remote.write(upgradeMessage);

            // two-way pipes between client and docker daemon
            client.pipe(remote).pipe(client);
        });
    });

    await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.DOCKER_PROXY_PORT, '172.18.0.1');
}

async function stop() {
    if (gHttpServer) gHttpServer.close();

    gHttpServer = null;
}
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00			`'use strict';`

			`exports = module.exports = {`
lint 2021-05-01 11:21:09 -07:00			`start,`
			`stop`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00			`};`

merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const apps = require('./apps.js'),`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`assert = require('assert'),`
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			`constants = require('./constants.js'),`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`express = require('express'),`
Set the correct debug label 2018-08-13 22:06:28 +02:00			`debug = require('debug')('box:dockerproxy'),`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`http = require('http'),`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`HttpError = require('connect-lastmile').HttpError,`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`middleware = require('./middleware'),`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`net = require('net'),`
			`path = require('path'),`
			`paths = require('./paths.js'),`
			`safe = require('safetydance'),`
more async'ification 2021-09-07 09:57:49 -07:00			`util = require('util'),`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`_ = require('underscore');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`let gHttpServer = null;`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`async function authorizeApp(req, res, next) {`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00			`// make the tests pass for now`
move use of TEST and CLOUDRON to constants 2019-07-26 10:10:14 -07:00			`if (constants.TEST) {`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00			`req.app = { id: 'testappid' };`
			`return next();`
			`}`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
Add missing safe() 2021-08-31 08:37:16 -07:00			`const [error, app] = await safe(apps.getByIpAddress(req.connection.remoteAddress));`
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`if (error) return next(new HttpError(500, error));`
			`if (!app) return next(new HttpError(401, 'Unauthorized'));`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`if (!('docker' in app.manifest.addons)) return next(new HttpError(401, 'Unauthorized'));`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`req.app = app;`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`next();`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`}`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function attachDockerRequest(req, res, next) {`
constness 2022-04-14 17:41:41 -05:00			`const options = {`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`socketPath: '/var/run/docker.sock',`
			`method: req.method,`
			`path: req.url,`
			`headers: req.headers`
			`};`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest = http.request(options, function (dockerResponse) {`
			`res.writeHead(dockerResponse.statusCode, dockerResponse.headers);`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`// Force node to send out the headers, this is required for the /container/wait api to make the docker cli proceed`
			`res.write(' ');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
Use debug instead of console.* everywhere No need to patch up console.* anymore also removes supererror 2020-08-02 11:43:18 -07:00			`dockerResponse.on('error', function (error) { debug('dockerResponse error:', error); });`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`dockerResponse.pipe(res, { end: true });`
			`});`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`req.dockerRequest.on('error', () => {}); // abort() throws`

dockerproxy: use express 2018-08-14 18:27:08 -07:00			`next();`
			`}`
No need to pull in underscore to build an object 2018-08-13 22:01:51 +02:00
Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function containersCreate(req, res, next) {`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`safe.set(req.body, 'HostConfig.NetworkMode', 'cloudron'); // overwrite the network the container lives in`
Drop all custom network configs in docker proxy 2018-08-17 16:50:11 +02:00			`safe.set(req.body, 'NetworkingConfig', {}); // drop any custom network configs`
Remove all app containers before removing volume If volume location changes, we re-create the volume. However, volume can only be removed if all the containers using it are deleted. For example, the scheduler might be running a container using it. 2019-01-17 23:32:24 -08:00			`safe.set(req.body, 'Labels', _.extend({ }, safe.query(req.body, 'Labels'), { appId: req.app.id, isCloudronManaged: String(false) })); // overwrite the app id to track containers of an app`
Remove nativeLogging docker addon support Was only required for eclipse che 2018-08-20 15:22:08 +02:00			`safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': 'udp://127.0.0.1:2514', 'syslog-format': 'rfc5424' }});`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data');`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`debug('Original bind mounts:', req.body.HostConfig.Binds);`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`let binds = [];`
			`for (let bind of (req.body.HostConfig.Binds \|\| [])) {`
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`if (!bind.startsWith('/app/data/')) {`
			`req.dockerRequest.abort();`
			`return next(new HttpError(400, 'Binds must be under /app/data/'));`
			`}`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`binds.push(bind.replace(new RegExp('^/app/data/'), appDataDir + '/'));`
			`}`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`debug('Rewritten bind mounts:', binds);`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`safe.set(req.body, 'HostConfig.Binds', binds);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`let plainBody = JSON.stringify(req.body);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));`
			`req.dockerRequest.end(plainBody);`
			`}`

Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function process(req, res, next) {`
Ensure we pipe the parsed body again upstream to docker 2018-08-16 14:28:51 +02:00			`// we have to rebuild the body since we consumed in in the parser`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00			`if (Object.keys(req.body).length !== 0) {`
Ensure we pipe the parsed body again upstream to docker 2018-08-16 14:28:51 +02:00			`let plainBody = JSON.stringify(req.body);`
			`req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));`
			`req.dockerRequest.end(plainBody);`
			`} else if (!req.readable) {`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest.end();`
			`} else {`
			`req.pipe(req.dockerRequest, { end: true });`
			`}`
			`}`

more async'ification 2021-09-07 09:57:49 -07:00			`async function start() {`
rename variable 2018-08-14 19:03:10 -07:00			`assert(gHttpServer === null, 'Already started');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
more async'ification 2021-09-07 09:57:49 -07:00			`const json = middleware.json({ strict: true });`
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00
			`// we protect container create as the app/admin can otherwise mount random paths (like the ghost file)`
			`// protected other paths is done by preventing install/exec access of apps using docker addon`
more async'ification 2021-09-07 09:57:49 -07:00			`const router = new express.Router();`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`router.post('/:version/containers/create', containersCreate);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
more async'ification 2021-09-07 09:57:49 -07:00			`const proxyServer = express();`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00
move use of TEST and CLOUDRON to constants 2019-07-26 10:10:14 -07:00			`if (constants.TEST) {`
Make tests work 2018-08-20 20:10:14 -07:00			`proxyServer.use(function (req, res, next) {`
Fix failing tests 2019-01-04 10:04:28 -08:00			`debug('proxying: ' + req.method, req.url);`
Make tests work 2018-08-20 20:10:14 -07:00			`next();`
			`});`
			`}`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`proxyServer.use(authorizeApp)`
			`.use(attachDockerRequest)`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`.use(json)`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`.use(router)`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`.use(process)`
			`.use(middleware.lastMile());`
Overwrite the docker container network in the proxy 2018-08-14 22:52:00 +02:00
rename variable 2018-08-14 19:03:10 -07:00			`gHttpServer = http.createServer(proxyServer);`
Overwrite the docker container network in the proxy 2018-08-14 22:52:00 +02:00
node's http server has a default timeout of 2min which is too short for build bot 2019-11-14 13:15:12 +01:00			`// Overwrite the default 2min request timeout. This is required for large builds for example`
			`gHttpServer.setTimeout(60 * 60 * 1000);`

Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			debug(`startDockerProxy: started proxy on port ${constants.DOCKER_PROXY_PORT}`);
Make the docker proxy work 2018-08-13 22:14:56 +02:00
Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
rename variable 2018-08-14 19:03:10 -07:00			`gHttpServer.on('upgrade', function (req, client, head) {`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`// Create a new tcp connection to the TCP server`
constness 2022-04-14 17:41:41 -05:00			`const remote = net.connect('/var/run/docker.sock', function () {`
			`let upgradeMessage = req.method + ' ' + req.url + ' HTTP/1.1\r\n' +`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			`Host: ${req.headers.host}\r\n` +
			`'Connection: Upgrade\r\n' +`
			`'Upgrade: tcp\r\n';`

			`if (req.headers['content-type'] === 'application/json') {`
			`// TODO we have to parse the immediate upgrade request body, but I don't know how`
			`let plainBody = '{"Detach":false,"Tty":false}\r\n';`
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			`upgradeMessage += 'Content-Type: application/json\r\n';`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			upgradeMessage += `Content-Length: ${Buffer.byteLength(plainBody)}\r\n`;
			`upgradeMessage += '\r\n';`
			`upgradeMessage += plainBody;`
			`}`

			`upgradeMessage += '\r\n';`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
			`// resend the upgrade event to the docker daemon, so it responds with the proper message through the pipes`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			`remote.write(upgradeMessage);`

			`// two-way pipes between client and docker daemon`
			`client.pipe(remote).pipe(client);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`});`
			`});`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
more async'ification 2021-09-07 09:57:49 -07:00			`await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.DOCKER_PROXY_PORT, '172.18.0.1');`
			`}`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
more async'ification 2021-09-07 09:57:49 -07:00			`async function stop() {`
rename variable 2018-08-14 19:03:10 -07:00			`if (gHttpServer) gHttpServer.close();`

			`gHttpServer = null;`
Fix bind mapping logic 2018-08-15 16:47:06 -07:00			`}`