src/dockerproxy.js

'use strict';

exports = module.exports = {
    start,
    stop
};

const apps = require('./apps.js'),
    assert = require('assert'),
    constants = require('./constants.js'),
    express = require('express'),
    debug = require('debug')('box:dockerproxy'),
    http = require('http'),
    HttpError = require('connect-lastmile').HttpError,
    middleware = require('./middleware'),
    net = require('net'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    util = require('util'),
    volumes = require('./volumes.js');

let gHttpServer = null;

async function authorizeApp(req, res, next) {
    // make the tests pass for now
    if (constants.TEST) {
        req.app = { id: 'testappid' };
        return next();
    }

    const [error, app] = await safe(apps.getByIpAddress(req.socket.remoteAddress));
    if (error) return next(new HttpError(500, error));
    if (!app) return next(new HttpError(401, 'Unauthorized'));
    if (!app.manifest.addons?.docker) return next(new HttpError(401, 'Unauthorized'));

    req.app = app;

    next();
}

function attachDockerRequest(req, res, next) {
    const options = {
        socketPath: '/var/run/docker.sock',
        method: req.method,
        path: req.url,
        headers: req.headers
    };

    req.dockerRequest = http.request(options, function (dockerResponse) {
        res.writeHead(dockerResponse.statusCode, dockerResponse.headers);

        // Force node to send out the headers, this is required for the /container/wait api to make the docker cli proceed
        res.write(' ');

        dockerResponse.on('error', function (error) { debug('dockerResponse error: %o', error); });
        dockerResponse.pipe(res, { end: true });
    });

    req.dockerRequest.on('error', () => {}); // abort() throws

    next();
}

async function containersCreate(req, res, next) {
    safe.set(req.body, 'HostConfig.NetworkMode', 'cloudron'); // overwrite the network the container lives in
    safe.set(req.body, 'NetworkingConfig', {}); // drop any custom network configs
    safe.set(req.body, 'Labels',  Object.assign({}, safe.query(req.body, 'Labels'), { appId: req.app.id, isCloudronManaged: String(false) }));    // overwrite the app id to track containers of an app
    safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': `unix://${paths.SYSLOG_SOCKET_FILE}`, 'syslog-format': 'rfc5424' }});

    const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data');

    debug('containersCreate: original bind mounts:', req.body.HostConfig.Binds);

    const [error, result] = await safe(volumes.list());
    if (error) return next(new HttpError(500, `Error listing volumes: ${error.message}`));

    const volumesByName = {};
    result.forEach(r => volumesByName[r.name] = r);

    const binds = [];
    for (const bind of (req.body.HostConfig.Binds || [])) { // bind is of the host:container:rw format
        if (bind.startsWith('/app/data')) {
            binds.push(bind.replace(new RegExp('^/app/data/'), appDataDir + '/'));
        } else if (bind.startsWith('/media/')) {
            const volumeName = bind.match(new RegExp('/media/([^:/]+)/?'))[1];
            const volume = volumesByName[volumeName];
            if (volume) binds.push(bind.replace(new RegExp(`^/media/${volumeName}`), volume.hostPath));
            else debug(`containersCreate: dropped unknown volume ${volumeName}`);
        } else {
            req.dockerRequest.abort();
            return next(new HttpError(400, 'Binds must be under /app/data/ or /media'));
        }
    }

    debug('containersCreate: rewritten bind mounts:', binds);
    safe.set(req.body, 'HostConfig.Binds', binds);

    const plainBody = JSON.stringify(req.body);
    req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
    req.dockerRequest.end(plainBody);
}

// eslint-disable-next-line no-unused-vars
function process(req, res, next) {
    // we have to rebuild the body since we consumed in in the parser
    if (Object.keys(req.body).length !== 0) {
        const plainBody = JSON.stringify(req.body);
        req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
        req.dockerRequest.end(plainBody);
    } else if (!req.readable) {
        req.dockerRequest.end();
    } else {
        req.pipe(req.dockerRequest, { end: true });
    }
}

async function start() {
    assert(gHttpServer === null, 'Already started');

    const json = express.json({ strict: true });

    // we protect container create as the app/admin can otherwise mount random paths (like the ghost file)
    // protected other paths is done by preventing install/exec access of apps using docker addon
    const router = new express.Router();
    router.post('/:version/containers/create', containersCreate);

    const proxyServer = express();

    if (constants.TEST) {
        proxyServer.use(function (req, res, next) {
            debug('proxying: ' + req.method, req.url);
            next();
        });
    }

    proxyServer.use(authorizeApp)
        .use(attachDockerRequest)
        .use(json)
        .use(router)
        .use(process)
        .use(middleware.lastMile());

    // disable slowloris prevention: https://github.com/nodejs/node/issues/47421
    gHttpServer = http.createServer({ headersTimeout: 0, requestTimeout: 0 }, proxyServer);

    // Overwrite the default 2min request timeout. This is required for large builds for example
    gHttpServer.setTimeout(60 * 60 * 1000);

    // eslint-disable-next-line no-unused-vars
    gHttpServer.on('upgrade', function (req, client, head) {
        // Create a new tcp connection to the TCP server
        const remote = net.connect('/var/run/docker.sock', function () {
            let upgradeMessage = req.method + ' ' + req.url + ' HTTP/1.1\r\n' +
                                `Host: ${req.headers.host}\r\n` +
                                'Connection: Upgrade\r\n' +
                                'Upgrade: tcp\r\n';

            if (req.headers['content-type'] === 'application/json') {
                // TODO we have to parse the immediate upgrade request body, but I don't know how
                const plainBody = '{"Detach":false,"Tty":false}\r\n';
                upgradeMessage += 'Content-Type: application/json\r\n';
                upgradeMessage += `Content-Length: ${Buffer.byteLength(plainBody)}\r\n`;
                upgradeMessage += '\r\n';
                upgradeMessage += plainBody;
            }

            upgradeMessage += '\r\n';

            // resend the upgrade event to the docker daemon, so it responds with the proper message through the pipes
            remote.write(upgradeMessage);

            // two-way pipes between client and docker daemon
            client.pipe(remote).pipe(client);
        });
    });

    debug(`start: listening on 172.18.0.1:${constants.DOCKER_PROXY_PORT}`);
    await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.DOCKER_PROXY_PORT, '172.18.0.1');
}

async function stop() {
    if (!gHttpServer) return;

    await util.promisify(gHttpServer.close.bind(gHttpServer))();
    gHttpServer = null;
}
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00			`'use strict';`

			`exports = module.exports = {`
lint 2021-05-01 11:21:09 -07:00			`start,`
			`stop`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00			`};`

merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`const apps = require('./apps.js'),`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`assert = require('assert'),`
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			`constants = require('./constants.js'),`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`express = require('express'),`
Set the correct debug label 2018-08-13 22:06:28 +02:00			`debug = require('debug')('box:dockerproxy'),`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`http = require('http'),`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`HttpError = require('connect-lastmile').HttpError,`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`middleware = require('./middleware'),`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`net = require('net'),`
			`path = require('path'),`
			`paths = require('./paths.js'),`
			`safe = require('safetydance'),`
dockerproxy: all volumes to be mounted in child containers this will allow jupyterhub notebooks to access volumes 2023-11-27 22:07:31 +01:00			`util = require('util'),`
			`volumes = require('./volumes.js');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`let gHttpServer = null;`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`async function authorizeApp(req, res, next) {`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00			`// make the tests pass for now`
move use of TEST and CLOUDRON to constants 2019-07-26 10:10:14 -07:00			`if (constants.TEST) {`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00			`req.app = { id: 'testappid' };`
			`return next();`
			`}`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
req.connection.remoteAddress is deprecated (cherry picked from commit 74f48491445ae536e1fceb3caff81a2b586fa9a7) 2025-01-29 10:35:09 +01:00			`const [error, app] = await safe(apps.getByIpAddress(req.socket.remoteAddress));`
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`if (error) return next(new HttpError(500, error));`
			`if (!app) return next(new HttpError(401, 'Unauthorized'));`
dockerproxy: fix typo 2023-11-04 13:28:02 +01:00			`if (!app.manifest.addons?.docker) return next(new HttpError(401, 'Unauthorized'));`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`req.app = app;`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00
merge appdb.js into apps.js 2021-08-20 09:19:44 -07:00			`next();`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`}`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function attachDockerRequest(req, res, next) {`
constness 2022-04-14 17:41:41 -05:00			`const options = {`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`socketPath: '/var/run/docker.sock',`
			`method: req.method,`
			`path: req.url,`
			`headers: req.headers`
			`};`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest = http.request(options, function (dockerResponse) {`
			`res.writeHead(dockerResponse.statusCode, dockerResponse.headers);`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`// Force node to send out the headers, this is required for the /container/wait api to make the docker cli proceed`
			`res.write(' ');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
logs: use %o to format error otherwise, they are printed as multi-line and this messes up tail+date formatting 2023-04-16 10:49:59 +02:00			`dockerResponse.on('error', function (error) { debug('dockerResponse error: %o', error); });`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`dockerResponse.pipe(res, { end: true });`
			`});`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`req.dockerRequest.on('error', () => {}); // abort() throws`

dockerproxy: use express 2018-08-14 18:27:08 -07:00			`next();`
			`}`
No need to pull in underscore to build an object 2018-08-13 22:01:51 +02:00
dockerproxy: all volumes to be mounted in child containers this will allow jupyterhub notebooks to access volumes 2023-11-27 22:07:31 +01:00			`async function containersCreate(req, res, next) {`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`safe.set(req.body, 'HostConfig.NetworkMode', 'cloudron'); // overwrite the network the container lives in`
Drop all custom network configs in docker proxy 2018-08-17 16:50:11 +02:00			`safe.set(req.body, 'NetworkingConfig', {}); // drop any custom network configs`
replace usage of _.extend with Object.assign 2023-05-25 11:27:23 +02:00			`safe.set(req.body, 'Labels', Object.assign({}, safe.query(req.body, 'Labels'), { appId: req.app.id, isCloudronManaged: String(false) })); // overwrite the app id to track containers of an app`
syslog: change it to unix domain socket docker is using a extra udp port for every container. when there is a lot of containers, a lot of random udp ports get used up. this causes problems when installing apps that require contiguous port ranges 2024-03-21 17:30:50 +01:00			safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': `unix://${paths.SYSLOG_SOCKET_FILE}`, 'syslog-format': 'rfc5424' }});
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data');`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
dockerproxy: all volumes to be mounted in child containers this will allow jupyterhub notebooks to access volumes 2023-11-27 22:07:31 +01:00			`debug('containersCreate: original bind mounts:', req.body.HostConfig.Binds);`

fix dockerproxy test 2023-12-04 00:11:11 +01:00			`const [error, result] = await safe(volumes.list());`
			if (error) return next(new HttpError(500, `Error listing volumes: ${error.message}`));

dockerproxy: all volumes to be mounted in child containers this will allow jupyterhub notebooks to access volumes 2023-11-27 22:07:31 +01:00			`const volumesByName = {};`
			`result.forEach(r => volumesByName[r.name] = r);`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
dockerproxy: lint 2023-10-01 12:12:02 +05:30			`const binds = [];`
dockerproxy: all volumes to be mounted in child containers this will allow jupyterhub notebooks to access volumes 2023-11-27 22:07:31 +01:00			`for (const bind of (req.body.HostConfig.Binds \|\| [])) { // bind is of the host:container:rw format`
			`if (bind.startsWith('/app/data')) {`
			`binds.push(bind.replace(new RegExp('^/app/data/'), appDataDir + '/'));`
			`} else if (bind.startsWith('/media/')) {`
			`const volumeName = bind.match(new RegExp('/media/([^:/]+)/?'))[1];`
			`const volume = volumesByName[volumeName];`
			if (volume) binds.push(bind.replace(new RegExp(`^/media/${volumeName}`), volume.hostPath));
			else debug(`containersCreate: dropped unknown volume ${volumeName}`);
			`} else {`
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`req.dockerRequest.abort();`
dockerproxy: all volumes to be mounted in child containers this will allow jupyterhub notebooks to access volumes 2023-11-27 22:07:31 +01:00			`return next(new HttpError(400, 'Binds must be under /app/data/ or /media'));`
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00			`}`
			`}`
Simply prefix all docker volume mounts with the app data dir 2018-08-15 17:23:58 +02:00
dockerproxy: all volumes to be mounted in child containers this will allow jupyterhub notebooks to access volumes 2023-11-27 22:07:31 +01:00			`debug('containersCreate: rewritten bind mounts:', binds);`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`safe.set(req.body, 'HostConfig.Binds', binds);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
dockerproxy: lint 2023-10-01 12:12:02 +05:30			`const plainBody = JSON.stringify(req.body);`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));`
			`req.dockerRequest.end(plainBody);`
			`}`

Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`function process(req, res, next) {`
Ensure we pipe the parsed body again upstream to docker 2018-08-16 14:28:51 +02:00			`// we have to rebuild the body since we consumed in in the parser`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00			`if (Object.keys(req.body).length !== 0) {`
dockerproxy: lint 2023-10-01 12:12:02 +05:30			`const plainBody = JSON.stringify(req.body);`
Ensure we pipe the parsed body again upstream to docker 2018-08-16 14:28:51 +02:00			`req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));`
			`req.dockerRequest.end(plainBody);`
			`} else if (!req.readable) {`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`req.dockerRequest.end();`
			`} else {`
			`req.pipe(req.dockerRequest, { end: true });`
			`}`
			`}`

more async'ification 2021-09-07 09:57:49 -07:00			`async function start() {`
rename variable 2018-08-14 19:03:10 -07:00			`assert(gHttpServer === null, 'Already started');`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
json middleware is part of Express v4.16.0 2024-07-19 22:11:30 +02:00			`const json = express.json({ strict: true });`
restrict the app to bind mount under /app/data only rest have to be volumes 2020-03-29 13:38:34 -07:00
			`// we protect container create as the app/admin can otherwise mount random paths (like the ghost file)`
			`// protected other paths is done by preventing install/exec access of apps using docker addon`
more async'ification 2021-09-07 09:57:49 -07:00			`const router = new express.Router();`
dockerproxy: rewrite labels and binds 2018-08-14 20:20:19 -07:00			`router.post('/:version/containers/create', containersCreate);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
more async'ification 2021-09-07 09:57:49 -07:00			`const proxyServer = express();`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00
move use of TEST and CLOUDRON to constants 2019-07-26 10:10:14 -07:00			`if (constants.TEST) {`
Make tests work 2018-08-20 20:10:14 -07:00			`proxyServer.use(function (req, res, next) {`
Fix failing tests 2019-01-04 10:04:28 -08:00			`debug('proxying: ' + req.method, req.url);`
Make tests work 2018-08-20 20:10:14 -07:00			`next();`
			`});`
			`}`
Make PUT requests through the docker proxy work 2018-08-16 14:34:55 +02:00
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`proxyServer.use(authorizeApp)`
			`.use(attachDockerRequest)`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`.use(json)`
dockerproxy: use express 2018-08-14 18:27:08 -07:00			`.use(router)`
dockerproxy: Add app authorization 2018-08-14 19:35:14 -07:00			`.use(process)`
			`.use(middleware.lastMile());`
Overwrite the docker container network in the proxy 2018-08-14 22:52:00 +02:00
disable slowloris prevention: https://github.com/nodejs/node/issues/47421 2023-04-10 10:35:25 +02:00			`// disable slowloris prevention: https://github.com/nodejs/node/issues/47421`
			`gHttpServer = http.createServer({ headersTimeout: 0, requestTimeout: 0 }, proxyServer);`
Overwrite the docker container network in the proxy 2018-08-14 22:52:00 +02:00
node's http server has a default timeout of 2min which is too short for build bot 2019-11-14 13:15:12 +01:00			`// Overwrite the default 2min request timeout. This is required for large builds for example`
			`gHttpServer.setTimeout(60 * 60 * 1000);`

Move AppsError to BoxError 2019-10-24 10:39:47 -07:00			`// eslint-disable-next-line no-unused-vars`
rename variable 2018-08-14 19:03:10 -07:00			`gHttpServer.on('upgrade', function (req, client, head) {`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`// Create a new tcp connection to the TCP server`
constness 2022-04-14 17:41:41 -05:00			`const remote = net.connect('/var/run/docker.sock', function () {`
			`let upgradeMessage = req.method + ' ' + req.url + ' HTTP/1.1\r\n' +`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			`Host: ${req.headers.host}\r\n` +
			`'Connection: Upgrade\r\n' +`
			`'Upgrade: tcp\r\n';`

			`if (req.headers['content-type'] === 'application/json') {`
			`// TODO we have to parse the immediate upgrade request body, but I don't know how`
dockerproxy: lint 2023-10-01 12:12:02 +05:30			`const plainBody = '{"Detach":false,"Tty":false}\r\n';`
Make ldap and docker proxy port as constants 2019-07-25 15:33:34 -07:00			`upgradeMessage += 'Content-Type: application/json\r\n';`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			upgradeMessage += `Content-Length: ${Buffer.byteLength(plainBody)}\r\n`;
			`upgradeMessage += '\r\n';`
			`upgradeMessage += plainBody;`
			`}`

			`upgradeMessage += '\r\n';`
Make the docker proxy work 2018-08-13 22:14:56 +02:00
			`// resend the upgrade event to the docker daemon, so it responds with the proper message through the pipes`
Bare bones support of docker exec through the proxy 2018-08-17 15:30:23 +02:00			`remote.write(upgradeMessage);`

			`// two-way pipes between client and docker daemon`
			`client.pipe(remote).pipe(client);`
Make the docker proxy work 2018-08-13 22:14:56 +02:00			`});`
			`});`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
fix dockerproxy test 2023-12-04 00:11:11 +01:00			debug(`start: listening on 172.18.0.1:${constants.DOCKER_PROXY_PORT}`);
more async'ification 2021-09-07 09:57:49 -07:00			`await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.DOCKER_PROXY_PORT, '172.18.0.1');`
			`}`
Move docker proxy into its own file 2018-08-13 21:10:53 +02:00
more async'ification 2021-09-07 09:57:49 -07:00			`async function stop() {`
dockerproxy: await on close 2024-01-23 12:38:57 +01:00			`if (!gHttpServer) return;`
rename variable 2018-08-14 19:03:10 -07:00
dockerproxy: await on close 2024-01-23 12:38:57 +01:00			`await util.promisify(gHttpServer.close.bind(gHttpServer))();`
rename variable 2018-08-14 19:03:10 -07:00			`gHttpServer = null;`
Fix bind mapping logic 2018-08-15 16:47:06 -07:00			`}`