Add volume management
the volumes table can later have backup flag, mount options etc
This commit is contained in:
Girish Ramakrishnan
182
src/docker.js
182
src/docker.js
@@ -44,6 +44,7 @@ var addons = require('./addons.js'),
|
||||
shell = require('./shell.js'),
|
||||
safe = require('safetydance'),
|
||||
util = require('util'),
|
||||
volumes = require('./volumes.js'),
|
||||
_ = require('underscore');
|
||||
|
||||
const CLEARVOLUME_CMD = path.join(__dirname, 'scripts/clearvolume.sh'),
|
||||
@@ -185,15 +186,24 @@ function downloadImage(manifest, callback) {
|
||||
});
|
||||
}
|
||||
|
||||
function getBindsSync(app) {
|
||||
function getBinds(app, callback) {
|
||||
assert.strictEqual(typeof app, 'object');
|
||||
assert.strictEqual(typeof callback, 'function');
|
||||
|
||||
if (app.volumes.length === 0) return callback(null);
|
||||
|
||||
let binds = [];
|
||||
|
||||
for (let name of Object.keys(app.binds)) {
|
||||
const bind = app.binds[name];
|
||||
binds.push(`${bind.hostPath}:/media/${name}:${bind.readOnly ? 'ro' : 'rw'}`);
|
||||
}
|
||||
volumes.list(function (error, result) {
|
||||
if (error) return callback(error);
|
||||
|
||||
for (const volume of result) {
|
||||
const appVolume = app.volumes.find(v => v.id === volume.id);
|
||||
if (!appVolume) continue;
|
||||
|
||||
binds.push(`${volume.hostPath}:/media/${volume.name}:${appVolume.readOnly ? 'ro' : 'rw'}`);
|
||||
}
|
||||
});
|
||||
|
||||
return binds;
|
||||
}
|
||||
@@ -261,94 +271,98 @@ function createSubcontainer(app, name, cmd, options, callback) {
|
||||
addons.getEnvironment(app, function (error, addonEnv) {
|
||||
if (error) return callback(error);
|
||||
|
||||
let containerOptions = {
|
||||
name: name, // for referencing containers
|
||||
Tty: isAppContainer,
|
||||
Image: app.manifest.dockerImage,
|
||||
Cmd: (isAppContainer && app.debugMode && app.debugMode.cmd) ? app.debugMode.cmd : cmd,
|
||||
Env: stdEnv.concat(addonEnv).concat(portEnv).concat(appEnv),
|
||||
ExposedPorts: isAppContainer ? exposedPorts : { },
|
||||
Volumes: { // see also ReadonlyRootfs
|
||||
'/tmp': {},
|
||||
'/run': {}
|
||||
},
|
||||
Labels: {
|
||||
'fqdn': app.fqdn,
|
||||
'appId': app.id,
|
||||
'isSubcontainer': String(!isAppContainer),
|
||||
'isCloudronManaged': String(true)
|
||||
},
|
||||
HostConfig: {
|
||||
Mounts: addons.getMountsSync(app, app.manifest.addons),
|
||||
Binds: getBindsSync(app), // ideally, we have to use 'Mounts' but we have to create volumes then
|
||||
LogConfig: {
|
||||
Type: 'syslog',
|
||||
Config: {
|
||||
'tag': app.id,
|
||||
'syslog-address': 'udp://127.0.0.1:2514', // see apps.js:validatePortBindings()
|
||||
'syslog-format': 'rfc5424'
|
||||
}
|
||||
},
|
||||
Memory: memoryLimit / 2,
|
||||
MemorySwap: memoryLimit, // Memory + Swap
|
||||
PortBindings: isAppContainer ? dockerPortBindings : { },
|
||||
PublishAllPorts: false,
|
||||
ReadonlyRootfs: app.debugMode ? !!app.debugMode.readonlyRootfs : true,
|
||||
RestartPolicy: {
|
||||
'Name': isAppContainer ? 'unless-stopped' : 'no',
|
||||
'MaximumRetryCount': 0
|
||||
},
|
||||
CpuShares: app.cpuShares,
|
||||
VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
|
||||
SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
|
||||
CapAdd: [],
|
||||
CapDrop: []
|
||||
}
|
||||
};
|
||||
getBinds(app, function (error, binds) {
|
||||
if (error) return callback(error);
|
||||
|
||||
// do no set hostname of containers to location as it might conflict with addons names. for example, an app installed in mail
|
||||
// location may not reach mail container anymore by DNS. We cannot set hostname to fqdn either as that sets up the dns
|
||||
// name to look up the internal docker ip. this makes curl from within container fail
|
||||
// Note that Hostname has no effect on DNS. We have to use the --net-alias for dns.
|
||||
// Hostname cannot be set with container NetworkMode. Subcontainers run is the network space of the app container
|
||||
// This is done to prevent lots of up/down events and iptables locking
|
||||
if (isAppContainer) {
|
||||
containerOptions.Hostname = app.id;
|
||||
containerOptions.HostConfig.NetworkMode = 'cloudron'; // user defined bridge network
|
||||
containerOptions.HostConfig.Dns = ['172.18.0.1']; // use internal dns
|
||||
containerOptions.HostConfig.DnsSearch = ['.']; // use internal dns
|
||||
|
||||
containerOptions.NetworkingConfig = {
|
||||
EndpointsConfig: {
|
||||
cloudron: {
|
||||
Aliases: [ name ] // adds hostname entry with container name
|
||||
}
|
||||
let containerOptions = {
|
||||
name: name, // for referencing containers
|
||||
Tty: isAppContainer,
|
||||
Image: app.manifest.dockerImage,
|
||||
Cmd: (isAppContainer && app.debugMode && app.debugMode.cmd) ? app.debugMode.cmd : cmd,
|
||||
Env: stdEnv.concat(addonEnv).concat(portEnv).concat(appEnv),
|
||||
ExposedPorts: isAppContainer ? exposedPorts : { },
|
||||
Volumes: { // see also ReadonlyRootfs
|
||||
'/tmp': {},
|
||||
'/run': {}
|
||||
},
|
||||
Labels: {
|
||||
'fqdn': app.fqdn,
|
||||
'appId': app.id,
|
||||
'isSubcontainer': String(!isAppContainer),
|
||||
'isCloudronManaged': String(true)
|
||||
},
|
||||
HostConfig: {
|
||||
Mounts: addons.getMountsSync(app, app.manifest.addons),
|
||||
Binds: binds, // ideally, we have to use 'Mounts' but we have to create volumes then
|
||||
LogConfig: {
|
||||
Type: 'syslog',
|
||||
Config: {
|
||||
'tag': app.id,
|
||||
'syslog-address': 'udp://127.0.0.1:2514', // see apps.js:validatePortBindings()
|
||||
'syslog-format': 'rfc5424'
|
||||
}
|
||||
},
|
||||
Memory: memoryLimit / 2,
|
||||
MemorySwap: memoryLimit, // Memory + Swap
|
||||
PortBindings: isAppContainer ? dockerPortBindings : { },
|
||||
PublishAllPorts: false,
|
||||
ReadonlyRootfs: app.debugMode ? !!app.debugMode.readonlyRootfs : true,
|
||||
RestartPolicy: {
|
||||
'Name': isAppContainer ? 'unless-stopped' : 'no',
|
||||
'MaximumRetryCount': 0
|
||||
},
|
||||
CpuShares: app.cpuShares,
|
||||
VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
|
||||
SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
|
||||
CapAdd: [],
|
||||
CapDrop: []
|
||||
}
|
||||
};
|
||||
} else {
|
||||
containerOptions.HostConfig.NetworkMode = `container:${app.containerId}`;
|
||||
}
|
||||
|
||||
var capabilities = manifest.capabilities || [];
|
||||
// do no set hostname of containers to location as it might conflict with addons names. for example, an app installed in mail
|
||||
// location may not reach mail container anymore by DNS. We cannot set hostname to fqdn either as that sets up the dns
|
||||
// name to look up the internal docker ip. this makes curl from within container fail
|
||||
// Note that Hostname has no effect on DNS. We have to use the --net-alias for dns.
|
||||
// Hostname cannot be set with container NetworkMode. Subcontainers run is the network space of the app container
|
||||
// This is done to prevent lots of up/down events and iptables locking
|
||||
if (isAppContainer) {
|
||||
containerOptions.Hostname = app.id;
|
||||
containerOptions.HostConfig.NetworkMode = 'cloudron'; // user defined bridge network
|
||||
containerOptions.HostConfig.Dns = ['172.18.0.1']; // use internal dns
|
||||
containerOptions.HostConfig.DnsSearch = ['.']; // use internal dns
|
||||
|
||||
// https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
|
||||
if (capabilities.includes('net_admin')) containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
|
||||
if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
|
||||
if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
|
||||
containerOptions.NetworkingConfig = {
|
||||
EndpointsConfig: {
|
||||
cloudron: {
|
||||
Aliases: [ name ] // adds hostname entry with container name
|
||||
}
|
||||
}
|
||||
};
|
||||
} else {
|
||||
containerOptions.HostConfig.NetworkMode = `container:${app.containerId}`;
|
||||
}
|
||||
|
||||
if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
|
||||
containerOptions.HostConfig.Devices = [
|
||||
{ PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
|
||||
];
|
||||
}
|
||||
var capabilities = manifest.capabilities || [];
|
||||
|
||||
containerOptions = _.extend(containerOptions, options);
|
||||
// https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
|
||||
if (capabilities.includes('net_admin')) containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
|
||||
if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
|
||||
if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
|
||||
|
||||
gConnection.createContainer(containerOptions, function (error, container) {
|
||||
if (error && error.statusCode === 409) return callback(new BoxError(BoxError.ALREADY_EXISTS, error));
|
||||
if (error) return callback(new BoxError(BoxError.DOCKER_ERROR, error));
|
||||
if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
|
||||
containerOptions.HostConfig.Devices = [
|
||||
{ PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
|
||||
];
|
||||
}
|
||||
|
||||
callback(null, container);
|
||||
containerOptions = _.extend(containerOptions, options);
|
||||
|
||||
gConnection.createContainer(containerOptions, function (error, container) {
|
||||
if (error && error.statusCode === 409) return callback(new BoxError(BoxError.ALREADY_EXISTS, error));
|
||||
if (error) return callback(new BoxError(BoxError.DOCKER_ERROR, error));
|
||||
|
||||
callback(null, container);
|
||||
});
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user