package shim
import (
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"strconv"
"strings"
"sync"
"syscall"
"time"
"github.com/Sirupsen/logrus"
"github.com/docker/containerkit"
specs "github.com/opencontainers/runtime-spec/specs-go"
"golang.org/x/sys/unix"
)
var (
ErrContainerStartTimeout = errors.New("shim: container did not start before the specified timeout")
ErrContainerNotStarted = errors.New("shim: container not started")
ErrProcessNotExited = errors.New("containerd: process has not exited")
ErrShimExited = errors.New("containerd: shim exited before container process was started")
errInvalidPidInt = errors.New("shim: process pid is invalid")
)
const UnknownStatus = 255
type processOpts struct {
root string
noPivotRoot bool
checkpoint string
c *containerkit.Container
cmd *exec.Cmd
exec bool
spec specs.Process
stdin io.Reader
stdout io.Writer
stderr io.Writer
}
func newProcess(opts processOpts) (*process, error) {
var (
spec = opts.c.Spec()
stdin, stdout, stderr string
)
uid, gid, err := getRootIDs(spec)
if err != nil {
return nil, err
}
for _, t := range []struct {
path *string
v interface{}
}{
{
path: &stdin,
v: opts.stdin,
},
{
path: &stdout,
v: opts.stdout,
},
{
path: &stderr,
v: opts.stderr,
},
} {
p, err := getFifoPath(t.v)
if err != nil {
return nil, err
}
*t.path = p
}
p := &process{
root: opts.root,
cmd: opts.cmd,
done: make(chan struct{}),
spec: opts.spec,
exec: opts.exec,
rootUid: uid,
rootGid: gid,
noPivotRoot: opts.noPivotRoot,
checkpoint: opts.checkpoint,
stdin: stdin,
stdout: stdout,
stderr: stderr,
}
f, err := os.Create(filepath.Join(opts.root, "process.json"))
if err != nil {
return nil, err
}
err = json.NewEncoder(f).Encode(p)
f.Close()
if err != nil {
return nil, err
}
exit, err := getExitPipe(filepath.Join(opts.root, "exit"))
if err != nil {
return nil, err
}
control, err := getControlPipe(filepath.Join(opts.root, "control"))
if err != nil {
return nil, err
}
p.exit, p.control = exit, control
return p, nil
}
type process struct {
root string
cmd *exec.Cmd
done chan struct{}
success bool
startTime string
mu sync.Mutex
pid int
exit *os.File
control *os.File
spec specs.Process
noPivotRoot bool
exec bool
rootUid int
rootGid int
checkpoint string
stdin string
stdout string
stderr string
}
type processState struct {
specs.Process
Exec bool `json:"exec"`
RootUID int `json:"rootUID"`
RootGID int `json:"rootGID"`
Checkpoint string `json:"checkpoint"`
NoPivotRoot bool `json:"noPivotRoot"`
RuntimeArgs []string `json:"runtimeArgs"`
Root string `json:"root"`
StartTime string `json:"startTime"`
// Stdin fifo filepath
Stdin string `json:"stdin"`
// Stdout fifo filepath
Stdout string `json:"stdout"`
// Stderr fifo filepath
Stderr string `json:"stderr"`
}
func (p *process) MarshalJSON() ([]byte, error) {
ps := processState{
Process: p.spec,
NoPivotRoot: p.noPivotRoot,
Checkpoint: p.checkpoint,
RootUID: p.rootUid,
RootGID: p.rootGid,
Exec: p.exec,
Stdin: p.stdin,
Stdout: p.stdout,
Stderr: p.stderr,
Root: p.root,
StartTime: p.startTime,
}
return json.Marshal(ps)
}
func (p *process) UnmarshalJSON(b []byte) error {
var ps processState
if err := json.Unmarshal(b, &ps); err != nil {
return err
}
p.spec = ps.Process
p.noPivotRoot = ps.NoPivotRoot
p.rootGid = ps.RootGID
p.rootUid = ps.RootUID
p.checkpoint = ps.Checkpoint
p.exec = ps.Exec
p.stdin = ps.Stdin
p.stdout = ps.Stdout
p.stderr = ps.Stderr
p.root = ps.Root
p.startTime = ps.StartTime
p.done = make(chan struct{})
pid, err := readPid(filepath.Join(p.root, "pid"))
if err != nil {
return err
}
p.pid = pid
exit, err := getExitPipe(filepath.Join(p.root, "exit"))
if err != nil {
return err
}
control, err := getControlPipe(filepath.Join(p.root, "control"))
if err != nil {
return err
}
p.exit, p.control = exit, control
return nil
}
func (p *process) Pid() int {
return p.pid
}
func (p *process) FD() int {
return int(p.exit.Fd())
}
func (p *process) Close() error {
return p.exit.Close()
}
func (p *process) Remove() bool {
return true
}
func (p *process) Wait() (rst uint32, rerr error) {
<-p.done
data, err := ioutil.ReadFile(filepath.Join(p.root, "exitStatus"))
defer func() {
if rerr != nil {
rst, rerr = p.handleSigkilledShim(rst, rerr)
}
}()
if err != nil {
if os.IsNotExist(err) {
return UnknownStatus, ErrProcessNotExited
}
return UnknownStatus, err
}
if len(data) == 0 {
return UnknownStatus, ErrProcessNotExited
}
i, err := strconv.ParseUint(string(data), 10, 32)
return uint32(i), err
}
func (p *process) Signal(s os.Signal) error {
_, err := fmt.Fprintf(p.control, "%d %d %d\n", 2, s, 0)
return err
}
// same checks if the process is the same process originally launched
func (p *process) same() (bool, error) {
/// for backwards compat assume true if it is not set
p.mu.Lock()
defer p.mu.Unlock()
if p.startTime == "" {
return true, nil
}
pid, err := readPid(filepath.Join(p.root, "pid"))
if err != nil {
return false, nil
}
started, err := readProcessStartTime(pid)
if err != nil {
return false, err
}
return p.startTime == started, nil
}
func (p *process) checkExited() {
err := p.cmd.Wait()
if err == nil {
p.mu.Lock()
if p.success {
p.mu.Unlock()
return
}
p.success = true
p.mu.Unlock()
}
if same, _ := p.same(); same && p.hasPid() {
// The process changed its PR_SET_PDEATHSIG, so force kill it
logrus.Infof("containerd: (pid %v) has become an orphan, killing it", p.pid)
if err := unix.Kill(p.pid, syscall.SIGKILL); err != nil && err != syscall.ESRCH {
logrus.Errorf("containerd: unable to SIGKILL (pid %v): %v", p.pid, err)
return
}
// wait for the container process to exit
for {
if err := unix.Kill(p.pid, 0); err != nil {
break
}
time.Sleep(5 * time.Millisecond)
}
}
}
func (p *process) hasPid() bool {
p.mu.Lock()
r := p.pid > 0
p.mu.Unlock()
return r
}
type pidResponse struct {
pid int
err error
}
func (p *process) waitForCreate(timeout time.Duration) error {
r := make(chan pidResponse, 1)
go p.readContainerPid(r)
select {
case resp := <-r:
if resp.err != nil {
return resp.err
}
p.mu.Lock()
p.pid = resp.pid
started, err := readProcessStartTime(resp.pid)
if err != nil {
if os.IsNotExist(err) {
// process already exited
p.success = true
p.mu.Unlock()
return nil
}
logrus.Warnf("shim: unable to save starttime: %v", err)
}
p.startTime = started
f, err := os.Create(filepath.Join(p.root, "process.json"))
if err != nil {
logrus.Warnf("shim: unable to create process.json: %v", err)
p.mu.Unlock()
return nil
}
defer f.Close()
if err := json.NewEncoder(f).Encode(p); err != nil {
logrus.Warnf("shim: unable to encode process: %v", err)
}
p.mu.Unlock()
return nil
case <-time.After(timeout):
p.cmd.Process.Kill()
p.cmd.Wait()
return ErrContainerStartTimeout
}
}
func (p *process) readContainerPid(r chan pidResponse) {
pidFile := filepath.Join(p.root, "pid")
for {
pid, err := readPid(pidFile)
if err != nil {
if os.IsNotExist(err) || err == errInvalidPidInt {
if serr := checkErrorLogs(p.cmd,
filepath.Join(p.root, "shim-log.json"),
filepath.Join(p.root, "log.json")); serr != nil && !os.IsNotExist(serr) {
r <- pidResponse{
err: serr,
}
break
}
time.Sleep(15 * time.Millisecond)
continue
}
r <- pidResponse{
err: err,
}
break
}
r <- pidResponse{
pid: pid,
}
break
}
}
func (p *process) handleSigkilledShim(rst uint32, rerr error) (uint32, error) {
if err := unix.Kill(p.pid, 0); err == syscall.ESRCH {
logrus.Warnf("containerd: (pid %d) does not exist", p.pid)
// The process died while containerd was down (probably of
// SIGKILL, but no way to be sure)
return UnknownStatus, writeExitStatus(filepath.Join(p.root, "exitStatus"), UnknownStatus)
}
// If it's not the same process, just mark it stopped and set
// the status to the UnknownStatus value (i.e. 255)
if same, _ := p.same(); !same {
// Create the file so we get the exit event generated once monitor kicks in
// without having to go through all this process again
return UnknownStatus, writeExitStatus(filepath.Join(p.root, "exitStatus"), UnknownStatus)
}
ppid, err := readProcStatField(p.pid, 4)
if err != nil {
return rst, fmt.Errorf("could not check process ppid: %v (%v)", err, rerr)
}
if ppid == "1" {
if err := unix.Kill(p.pid, syscall.SIGKILL); err != nil && err != syscall.ESRCH {
return UnknownStatus, fmt.Errorf(
"containerd: unable to SIGKILL (pid %v): %v", p.pid, err)
}
// wait for the process to die
for {
if err := unix.Kill(p.pid, 0); err == syscall.ESRCH {
break
}
time.Sleep(5 * time.Millisecond)
}
// Create the file so we get the exit event generated once monitor kicks in
// without having to go through all this process again
status := 128 + uint32(syscall.SIGKILL)
return status, writeExitStatus(filepath.Join(p.root, "exitStatus"), status)
}
return rst, rerr
}
func checkErrorLogs(cmd *exec.Cmd, shimLogPath, runtimeLogPath string) error {
alive, err := isAlive(cmd)
if err != nil {
return err
}
if !alive {
// runc could have failed to run the container so lets get the error
// out of the logs or the shim could have encountered an error
messages, err := readLogMessages(shimLogPath)
if err != nil {
return err
}
for _, m := range messages {
if m.Level == "error" {
return fmt.Errorf("shim error: %v", m.Msg)
}
}
// no errors reported back from shim, check for runc/runtime errors
messages, err = readLogMessages(runtimeLogPath)
if err != nil {
if os.IsNotExist(err) {
err = ErrContainerNotStarted
}
return err
}
for _, m := range messages {
if m.Level == "error" {
return fmt.Errorf("oci runtime error: %v", m.Msg)
}
}
return ErrContainerNotStarted
}
return nil
}
func readProcessStartTime(pid int) (string, error) {
return readProcStatField(pid, 22)
}
func readProcStatField(pid int, field int) (string, error) {
data, err := ioutil.ReadFile(filepath.Join(string(filepath.Separator), "proc", strconv.Itoa(pid), "stat"))
if err != nil {
return "", err
}
if field > 2 {
// First, split out the name since he could contains spaces.
parts := strings.Split(string(data), ") ")
// Now split out the rest, we end up with 2 fields less
parts = strings.Split(parts[1], " ")
return parts[field-2-1], nil // field count start at 1 in manual
}
parts := strings.Split(string(data), " (")
if field == 1 {
return parts[0], nil
}
return strings.Split(parts[1], ") ")[0], nil
}
func readPid(pidFile string) (int, error) {
data, err := ioutil.ReadFile(pidFile)
if err != nil {
return -1, err
}
i, err := strconv.Atoi(string(data))
if err != nil {
return -1, errInvalidPidInt
}
return i, nil
}
// isAlive checks if the shim that launched the container is still alive
func isAlive(cmd *exec.Cmd) (bool, error) {
if _, err := syscall.Wait4(cmd.Process.Pid, nil, syscall.WNOHANG, nil); err == nil {
return true, nil
}
if err := syscall.Kill(cmd.Process.Pid, 0); err != nil {
if err == syscall.ESRCH {
return false, nil
}
return false, err
}
return true, nil
}
type message struct {
Level string `json:"level"`
Msg string `json:"msg"`
}
func readLogMessages(path string) ([]message, error) {
var out []message
f, err := os.Open(path)
if err != nil {
return nil, err
}
defer f.Close()
dec := json.NewDecoder(f)
for {
var m message
if err := dec.Decode(&m); err != nil {
if err == io.EOF {
break
}
return nil, err
}
out = append(out, m)
}
return out, nil
}
func getExitPipe(path string) (*os.File, error) {
if err := unix.Mkfifo(path, 0755); err != nil && !os.IsExist(err) {
return nil, err
}
// add NONBLOCK in case the other side has already closed or else
// this function would never return
return os.OpenFile(path, syscall.O_RDONLY|syscall.O_NONBLOCK, 0)
}
func getControlPipe(path string) (*os.File, error) {
if err := unix.Mkfifo(path, 0755); err != nil && !os.IsExist(err) {
return nil, err
}
return os.OpenFile(path, syscall.O_RDWR|syscall.O_NONBLOCK, 0)
}
func writeExitStatus(path string, status uint32) error {
return ioutil.WriteFile(path, []byte(fmt.Sprintf("%u", status)), 0644)
}