1#!/usr/bin/env python3 2# 3# Docker controlling module 4# 5# Copyright (c) 2016 Red Hat Inc. 6# 7# Authors: 8# Fam Zheng <famz@redhat.com> 9# 10# This work is licensed under the terms of the GNU GPL, version 2 11# or (at your option) any later version. See the COPYING file in 12# the top-level directory. 13 14import os 15import sys 16import subprocess 17import json 18import hashlib 19import atexit 20import uuid 21import argparse 22import enum 23import tempfile 24import re 25import signal 26from tarfile import TarFile, TarInfo 27from io import StringIO 28from shutil import copy, rmtree 29from pwd import getpwuid 30from datetime import datetime, timedelta 31 32 33FILTERED_ENV_NAMES = ['ftp_proxy', 'http_proxy', 'https_proxy'] 34 35 36DEVNULL = open(os.devnull, 'wb') 37 38class EngineEnum(enum.IntEnum): 39 AUTO = 1 40 DOCKER = 2 41 PODMAN = 3 42 43 def __str__(self): 44 return self.name.lower() 45 46 def __repr__(self): 47 return str(self) 48 49 @staticmethod 50 def argparse(s): 51 try: 52 return EngineEnum[s.upper()] 53 except KeyError: 54 return s 55 56 57USE_ENGINE = EngineEnum.AUTO 58 59def _text_checksum(text): 60 """Calculate a digest string unique to the text content""" 61 return hashlib.sha1(text.encode('utf-8')).hexdigest() 62 63def _read_dockerfile(path): 64 return open(path, 'rt', encoding='utf-8').read() 65 66def _file_checksum(filename): 67 return _text_checksum(_read_dockerfile(filename)) 68 69 70def _guess_engine_command(): 71 """ Guess a working engine command or raise exception if not found""" 72 commands = [] 73 74 if USE_ENGINE in [EngineEnum.AUTO, EngineEnum.PODMAN]: 75 commands += [["podman"]] 76 if USE_ENGINE in [EngineEnum.AUTO, EngineEnum.DOCKER]: 77 commands += [["docker"], ["sudo", "-n", "docker"]] 78 for cmd in commands: 79 try: 80 # docker version will return the client details in stdout 81 # but still report a status of 1 if it can't contact the daemon 82 if subprocess.call(cmd + ["version"], 83 stdout=DEVNULL, stderr=DEVNULL) == 0: 84 return cmd 85 except OSError: 86 pass 87 commands_txt = "\n".join([" " + " ".join(x) for x in commands]) 88 raise Exception("Cannot find working engine command. Tried:\n%s" % 89 commands_txt) 90 91 92def _copy_with_mkdir(src, root_dir, sub_path='.'): 93 """Copy src into root_dir, creating sub_path as needed.""" 94 dest_dir = os.path.normpath("%s/%s" % (root_dir, sub_path)) 95 try: 96 os.makedirs(dest_dir) 97 except OSError: 98 # we can safely ignore already created directories 99 pass 100 101 dest_file = "%s/%s" % (dest_dir, os.path.basename(src)) 102 copy(src, dest_file) 103 104 105def _get_so_libs(executable): 106 """Return a list of libraries associated with an executable. 107 108 The paths may be symbolic links which would need to be resolved to 109 ensure the right data is copied.""" 110 111 libs = [] 112 ldd_re = re.compile(r"(?:\S+ => )?(\S*) \(:?0x[0-9a-f]+\)") 113 try: 114 ldd_output = subprocess.check_output(["ldd", executable]).decode('utf-8') 115 for line in ldd_output.split("\n"): 116 search = ldd_re.search(line) 117 if search: 118 try: 119 libs.append(s.group(1)) 120 except IndexError: 121 pass 122 except subprocess.CalledProcessError: 123 print("%s had no associated libraries (static build?)" % (executable)) 124 125 return libs 126 127 128def _copy_binary_with_libs(src, bin_dest, dest_dir): 129 """Maybe copy a binary and all its dependent libraries. 130 131 If bin_dest isn't set we only copy the support libraries because 132 we don't need qemu in the docker path to run (due to persistent 133 mapping). Indeed users may get confused if we aren't running what 134 is in the image. 135 136 This does rely on the host file-system being fairly multi-arch 137 aware so the file don't clash with the guests layout. 138 """ 139 140 if bin_dest: 141 _copy_with_mkdir(src, dest_dir, os.path.dirname(bin_dest)) 142 else: 143 print("only copying support libraries for %s" % (src)) 144 145 libs = _get_so_libs(src) 146 if libs: 147 for l in libs: 148 so_path = os.path.dirname(l) 149 real_l = os.path.realpath(l) 150 _copy_with_mkdir(real_l, dest_dir, so_path) 151 152 153def _check_binfmt_misc(executable): 154 """Check binfmt_misc has entry for executable in the right place. 155 156 The details of setting up binfmt_misc are outside the scope of 157 this script but we should at least fail early with a useful 158 message if it won't work. 159 160 Returns the configured binfmt path and a valid flag. For 161 persistent configurations we will still want to copy and dependent 162 libraries. 163 """ 164 165 binary = os.path.basename(executable) 166 binfmt_entry = "/proc/sys/fs/binfmt_misc/%s" % (binary) 167 168 if not os.path.exists(binfmt_entry): 169 print ("No binfmt_misc entry for %s" % (binary)) 170 return None, False 171 172 with open(binfmt_entry) as x: entry = x.read() 173 174 if re.search("flags:.*F.*\n", entry): 175 print("binfmt_misc for %s uses persistent(F) mapping to host binary" % 176 (binary)) 177 return None, True 178 179 m = re.search("interpreter (\S+)\n", entry) 180 interp = m.group(1) 181 if interp and interp != executable: 182 print("binfmt_misc for %s does not point to %s, using %s" % 183 (binary, executable, interp)) 184 185 return interp, True 186 187 188def _read_qemu_dockerfile(img_name): 189 # special case for Debian linux-user images 190 if img_name.startswith("debian") and img_name.endswith("user"): 191 img_name = "debian-bootstrap" 192 193 df = os.path.join(os.path.dirname(__file__), "dockerfiles", 194 img_name + ".docker") 195 return _read_dockerfile(df) 196 197 198def _dockerfile_preprocess(df): 199 out = "" 200 for l in df.splitlines(): 201 if len(l.strip()) == 0 or l.startswith("#"): 202 continue 203 from_pref = "FROM qemu:" 204 if l.startswith(from_pref): 205 # TODO: Alternatively we could replace this line with "FROM $ID" 206 # where $ID is the image's hex id obtained with 207 # $ docker images $IMAGE --format="{{.Id}}" 208 # but unfortunately that's not supported by RHEL 7. 209 inlining = _read_qemu_dockerfile(l[len(from_pref):]) 210 out += _dockerfile_preprocess(inlining) 211 continue 212 out += l + "\n" 213 return out 214 215 216class Docker(object): 217 """ Running Docker commands """ 218 def __init__(self): 219 self._command = _guess_engine_command() 220 self._instance = None 221 atexit.register(self._kill_instances) 222 signal.signal(signal.SIGTERM, self._kill_instances) 223 signal.signal(signal.SIGHUP, self._kill_instances) 224 225 def _do(self, cmd, quiet=True, **kwargs): 226 if quiet: 227 kwargs["stdout"] = DEVNULL 228 return subprocess.call(self._command + cmd, **kwargs) 229 230 def _do_check(self, cmd, quiet=True, **kwargs): 231 if quiet: 232 kwargs["stdout"] = DEVNULL 233 return subprocess.check_call(self._command + cmd, **kwargs) 234 235 def _do_kill_instances(self, only_known, only_active=True): 236 cmd = ["ps", "-q"] 237 if not only_active: 238 cmd.append("-a") 239 240 filter = "--filter=label=com.qemu.instance.uuid" 241 if only_known: 242 if self._instance: 243 filter += "=%s" % (self._instance) 244 else: 245 # no point trying to kill, we finished 246 return 247 248 print("filter=%s" % (filter)) 249 cmd.append(filter) 250 for i in self._output(cmd).split(): 251 self._do(["rm", "-f", i]) 252 253 def clean(self): 254 self._do_kill_instances(False, False) 255 return 0 256 257 def _kill_instances(self, *args, **kwargs): 258 return self._do_kill_instances(True) 259 260 def _output(self, cmd, **kwargs): 261 if sys.version_info[1] >= 6: 262 return subprocess.check_output(self._command + cmd, 263 stderr=subprocess.STDOUT, 264 encoding='utf-8', 265 **kwargs) 266 else: 267 return subprocess.check_output(self._command + cmd, 268 stderr=subprocess.STDOUT, 269 **kwargs).decode('utf-8') 270 271 272 def inspect_tag(self, tag): 273 try: 274 return self._output(["inspect", tag]) 275 except subprocess.CalledProcessError: 276 return None 277 278 def get_image_creation_time(self, info): 279 return json.loads(info)[0]["Created"] 280 281 def get_image_dockerfile_checksum(self, tag): 282 resp = self.inspect_tag(tag) 283 labels = json.loads(resp)[0]["Config"].get("Labels", {}) 284 return labels.get("com.qemu.dockerfile-checksum", "") 285 286 def build_image(self, tag, docker_dir, dockerfile, 287 quiet=True, user=False, argv=None, extra_files_cksum=[]): 288 if argv is None: 289 argv = [] 290 291 tmp_df = tempfile.NamedTemporaryFile(mode="w+t", 292 encoding='utf-8', 293 dir=docker_dir, suffix=".docker") 294 tmp_df.write(dockerfile) 295 296 if user: 297 uid = os.getuid() 298 uname = getpwuid(uid).pw_name 299 tmp_df.write("\n") 300 tmp_df.write("RUN id %s 2>/dev/null || useradd -u %d -U %s" % 301 (uname, uid, uname)) 302 303 tmp_df.write("\n") 304 tmp_df.write("LABEL com.qemu.dockerfile-checksum=%s" % 305 _text_checksum(_dockerfile_preprocess(dockerfile))) 306 for f, c in extra_files_cksum: 307 tmp_df.write("LABEL com.qemu.%s-checksum=%s" % (f, c)) 308 309 tmp_df.flush() 310 311 self._do_check(["build", "-t", tag, "-f", tmp_df.name] + argv + 312 [docker_dir], 313 quiet=quiet) 314 315 def update_image(self, tag, tarball, quiet=True): 316 "Update a tagged image using " 317 318 self._do_check(["build", "-t", tag, "-"], quiet=quiet, stdin=tarball) 319 320 def image_matches_dockerfile(self, tag, dockerfile): 321 try: 322 checksum = self.get_image_dockerfile_checksum(tag) 323 except Exception: 324 return False 325 return checksum == _text_checksum(_dockerfile_preprocess(dockerfile)) 326 327 def run(self, cmd, keep, quiet, as_user=False): 328 label = uuid.uuid4().hex 329 if not keep: 330 self._instance = label 331 332 if as_user: 333 uid = os.getuid() 334 cmd = [ "-u", str(uid) ] + cmd 335 # podman requires a bit more fiddling 336 if self._command[0] == "podman": 337 cmd.insert(0, '--userns=keep-id') 338 339 ret = self._do_check(["run", "--label", 340 "com.qemu.instance.uuid=" + label] + cmd, 341 quiet=quiet) 342 if not keep: 343 self._instance = None 344 return ret 345 346 def command(self, cmd, argv, quiet): 347 return self._do([cmd] + argv, quiet=quiet) 348 349 350class SubCommand(object): 351 """A SubCommand template base class""" 352 name = None # Subcommand name 353 354 def shared_args(self, parser): 355 parser.add_argument("--quiet", action="store_true", 356 help="Run quietly unless an error occurred") 357 358 def args(self, parser): 359 """Setup argument parser""" 360 pass 361 362 def run(self, args, argv): 363 """Run command. 364 args: parsed argument by argument parser. 365 argv: remaining arguments from sys.argv. 366 """ 367 pass 368 369 370class RunCommand(SubCommand): 371 """Invoke docker run and take care of cleaning up""" 372 name = "run" 373 374 def args(self, parser): 375 parser.add_argument("--keep", action="store_true", 376 help="Don't remove image when command completes") 377 parser.add_argument("--run-as-current-user", action="store_true", 378 help="Run container using the current user's uid") 379 380 def run(self, args, argv): 381 return Docker().run(argv, args.keep, quiet=args.quiet, 382 as_user=args.run_as_current_user) 383 384 385class BuildCommand(SubCommand): 386 """ Build docker image out of a dockerfile. Arg: <tag> <dockerfile>""" 387 name = "build" 388 389 def args(self, parser): 390 parser.add_argument("--include-executable", "-e", 391 help="""Specify a binary that will be copied to the 392 container together with all its dependent 393 libraries""") 394 parser.add_argument("--extra-files", "-f", nargs='*', 395 help="""Specify files that will be copied in the 396 Docker image, fulfilling the ADD directive from the 397 Dockerfile""") 398 parser.add_argument("--add-current-user", "-u", dest="user", 399 action="store_true", 400 help="Add the current user to image's passwd") 401 parser.add_argument("tag", 402 help="Image Tag") 403 parser.add_argument("dockerfile", 404 help="Dockerfile name") 405 406 def run(self, args, argv): 407 dockerfile = _read_dockerfile(args.dockerfile) 408 tag = args.tag 409 410 dkr = Docker() 411 if "--no-cache" not in argv and \ 412 dkr.image_matches_dockerfile(tag, dockerfile): 413 if not args.quiet: 414 print("Image is up to date.") 415 else: 416 # Create a docker context directory for the build 417 docker_dir = tempfile.mkdtemp(prefix="docker_build") 418 419 # Validate binfmt_misc will work 420 if args.include_executable: 421 qpath, enabled = _check_binfmt_misc(args.include_executable) 422 if not enabled: 423 return 1 424 425 # Is there a .pre file to run in the build context? 426 docker_pre = os.path.splitext(args.dockerfile)[0]+".pre" 427 if os.path.exists(docker_pre): 428 stdout = DEVNULL if args.quiet else None 429 rc = subprocess.call(os.path.realpath(docker_pre), 430 cwd=docker_dir, stdout=stdout) 431 if rc == 3: 432 print("Skip") 433 return 0 434 elif rc != 0: 435 print("%s exited with code %d" % (docker_pre, rc)) 436 return 1 437 438 # Copy any extra files into the Docker context. These can be 439 # included by the use of the ADD directive in the Dockerfile. 440 cksum = [] 441 if args.include_executable: 442 # FIXME: there is no checksum of this executable and the linked 443 # libraries, once the image built any change of this executable 444 # or any library won't trigger another build. 445 _copy_binary_with_libs(args.include_executable, 446 qpath, docker_dir) 447 448 for filename in args.extra_files or []: 449 _copy_with_mkdir(filename, docker_dir) 450 cksum += [(filename, _file_checksum(filename))] 451 452 argv += ["--build-arg=" + k.lower() + "=" + v 453 for k, v in os.environ.items() 454 if k.lower() in FILTERED_ENV_NAMES] 455 dkr.build_image(tag, docker_dir, dockerfile, 456 quiet=args.quiet, user=args.user, argv=argv, 457 extra_files_cksum=cksum) 458 459 rmtree(docker_dir) 460 461 return 0 462 463 464class UpdateCommand(SubCommand): 465 """ Update a docker image with new executables. Args: <tag> <executable>""" 466 name = "update" 467 468 def args(self, parser): 469 parser.add_argument("tag", 470 help="Image Tag") 471 parser.add_argument("executable", 472 help="Executable to copy") 473 474 def run(self, args, argv): 475 # Create a temporary tarball with our whole build context and 476 # dockerfile for the update 477 tmp = tempfile.NamedTemporaryFile(suffix="dckr.tar.gz") 478 tmp_tar = TarFile(fileobj=tmp, mode='w') 479 480 # Add the executable to the tarball, using the current 481 # configured binfmt_misc path. If we don't get a path then we 482 # only need the support libraries copied 483 ff, enabled = _check_binfmt_misc(args.executable) 484 485 if not enabled: 486 print("binfmt_misc not enabled, update disabled") 487 return 1 488 489 if ff: 490 tmp_tar.add(args.executable, arcname=ff) 491 492 # Add any associated libraries 493 libs = _get_so_libs(args.executable) 494 if libs: 495 for l in libs: 496 tmp_tar.add(os.path.realpath(l), arcname=l) 497 498 # Create a Docker buildfile 499 df = StringIO() 500 df.write("FROM %s\n" % args.tag) 501 df.write("ADD . /\n") 502 df.seek(0) 503 504 df_tar = TarInfo(name="Dockerfile") 505 df_tar.size = len(df.buf) 506 tmp_tar.addfile(df_tar, fileobj=df) 507 508 tmp_tar.close() 509 510 # reset the file pointers 511 tmp.flush() 512 tmp.seek(0) 513 514 # Run the build with our tarball context 515 dkr = Docker() 516 dkr.update_image(args.tag, tmp, quiet=args.quiet) 517 518 return 0 519 520 521class CleanCommand(SubCommand): 522 """Clean up docker instances""" 523 name = "clean" 524 525 def run(self, args, argv): 526 Docker().clean() 527 return 0 528 529 530class ImagesCommand(SubCommand): 531 """Run "docker images" command""" 532 name = "images" 533 534 def run(self, args, argv): 535 return Docker().command("images", argv, args.quiet) 536 537 538class ProbeCommand(SubCommand): 539 """Probe if we can run docker automatically""" 540 name = "probe" 541 542 def run(self, args, argv): 543 try: 544 docker = Docker() 545 if docker._command[0] == "docker": 546 print("docker") 547 elif docker._command[0] == "sudo": 548 print("sudo docker") 549 elif docker._command[0] == "podman": 550 print("podman") 551 except Exception: 552 print("no") 553 554 return 555 556 557class CcCommand(SubCommand): 558 """Compile sources with cc in images""" 559 name = "cc" 560 561 def args(self, parser): 562 parser.add_argument("--image", "-i", required=True, 563 help="The docker image in which to run cc") 564 parser.add_argument("--cc", default="cc", 565 help="The compiler executable to call") 566 parser.add_argument("--source-path", "-s", nargs="*", dest="paths", 567 help="""Extra paths to (ro) mount into container for 568 reading sources""") 569 570 def run(self, args, argv): 571 if argv and argv[0] == "--": 572 argv = argv[1:] 573 cwd = os.getcwd() 574 cmd = ["--rm", "-w", cwd, 575 "-v", "%s:%s:rw" % (cwd, cwd)] 576 if args.paths: 577 for p in args.paths: 578 cmd += ["-v", "%s:%s:ro,z" % (p, p)] 579 cmd += [args.image, args.cc] 580 cmd += argv 581 return Docker().run(cmd, False, quiet=args.quiet, 582 as_user=True) 583 584 585class CheckCommand(SubCommand): 586 """Check if we need to re-build a docker image out of a dockerfile. 587 Arguments: <tag> <dockerfile>""" 588 name = "check" 589 590 def args(self, parser): 591 parser.add_argument("tag", 592 help="Image Tag") 593 parser.add_argument("dockerfile", default=None, 594 help="Dockerfile name", nargs='?') 595 parser.add_argument("--checktype", choices=["checksum", "age"], 596 default="checksum", help="check type") 597 parser.add_argument("--olderthan", default=60, type=int, 598 help="number of minutes") 599 600 def run(self, args, argv): 601 tag = args.tag 602 603 try: 604 dkr = Docker() 605 except subprocess.CalledProcessError: 606 print("Docker not set up") 607 return 1 608 609 info = dkr.inspect_tag(tag) 610 if info is None: 611 print("Image does not exist") 612 return 1 613 614 if args.checktype == "checksum": 615 if not args.dockerfile: 616 print("Need a dockerfile for tag:%s" % (tag)) 617 return 1 618 619 dockerfile = _read_dockerfile(args.dockerfile) 620 621 if dkr.image_matches_dockerfile(tag, dockerfile): 622 if not args.quiet: 623 print("Image is up to date") 624 return 0 625 else: 626 print("Image needs updating") 627 return 1 628 elif args.checktype == "age": 629 timestr = dkr.get_image_creation_time(info).split(".")[0] 630 created = datetime.strptime(timestr, "%Y-%m-%dT%H:%M:%S") 631 past = datetime.now() - timedelta(minutes=args.olderthan) 632 if created < past: 633 print ("Image created @ %s more than %d minutes old" % 634 (timestr, args.olderthan)) 635 return 1 636 else: 637 if not args.quiet: 638 print ("Image less than %d minutes old" % (args.olderthan)) 639 return 0 640 641 642def main(): 643 global USE_ENGINE 644 645 parser = argparse.ArgumentParser(description="A Docker helper", 646 usage="%s <subcommand> ..." % 647 os.path.basename(sys.argv[0])) 648 parser.add_argument("--engine", type=EngineEnum.argparse, choices=list(EngineEnum), 649 help="specify which container engine to use") 650 subparsers = parser.add_subparsers(title="subcommands", help=None) 651 for cls in SubCommand.__subclasses__(): 652 cmd = cls() 653 subp = subparsers.add_parser(cmd.name, help=cmd.__doc__) 654 cmd.shared_args(subp) 655 cmd.args(subp) 656 subp.set_defaults(cmdobj=cmd) 657 args, argv = parser.parse_known_args() 658 if args.engine: 659 USE_ENGINE = args.engine 660 return args.cmdobj.run(args, argv) 661 662 663if __name__ == "__main__": 664 sys.exit(main()) 665