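// ACLHook injects iptables rules into the container's network namespace on
// post-run so that only the allowed source IPs can reach the container, and
// deletes the same rules again on pre-stop. It needs access to the host's
// /proc in order to enter the container network namespace.
//
// NOTE(review): the hook is fail-open — for network modes other than bridge
// and user it logs a warning and returns nil, so the task keeps running with
// no ACL applied. Deployments that rely on the ACL for isolation should
// enforce the network mode elsewhere (for example in a pre-create hook).
var ACLHook = Hook{
	Name:     "acl",
	Priority: 0,
	RunPostRun: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error {
		if !aclHookNetworkSupported(taskInfo) {
			logger.GetInstance().Warn("ACL hook can't inject iptables rules if network mode is not bridge or user")
			return nil
		}
		return aclHookApplyRules(taskInfo, true)
	},
	RunPreStop: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error {
		if !aclHookNetworkSupported(taskInfo) {
			logger.GetInstance().Warn("ACL hook does not need to remove iptables rules if network mode is not bridge or user")
			return nil
		}
		return aclHookApplyRules(taskInfo, false)
	},
}

// aclHookNetworkSupported reports whether the task's Docker network mode is
// one the ACL hook can manage rules for (bridge or user-defined network).
func aclHookNetworkSupported(taskInfo *mesos.TaskInfo) bool {
	network := taskInfo.GetContainer().GetDocker().GetNetwork()
	return network == mesos.ContainerInfo_DockerInfo_BRIDGE || network == mesos.ContainerInfo_DockerInfo_USER
}

// aclHookApplyRules opens an iptables driver, resolves the ACL chain and then
// either appends (add == true) or deletes (add == false) the task's ACL
// rules. Errors from the driver, the chain lookup or the rule generation are
// returned unchanged.
func aclHookApplyRules(taskInfo *mesos.TaskInfo, add bool) error {
	driver, err := iptables.New()
	if err != nil {
		return err
	}
	chain, err := checkChain(driver)
	if err != nil {
		return err
	}
	// Append and Delete share a signature, so one generator call serves both
	// directions; only the operation and the add flag differ.
	op := driver.Delete
	if add {
		op = driver.Append
	}
	return generateACL(taskInfo, chain, op, add)
}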
ACLHook injects iptables rules into the container's network namespace on post-run to allow only certain IPs to access the container. This hook needs access to the host's procs (to mount the network namespace).
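// IptablesHook injects iptables rules on the host for a container that runs in
// bridge or user network mode: the rules provide masquerading for the
// container and forward the task's port mappings to the container's IPs on
// the configured bridge interface. Post-run inserts the rules and caches the
// container IPs by container ID; pre-stop reads the cache and deletes the
// same rules.
//
// NOTE(review): cache entries are never removed, so
// iptablesHookContainerIPCache grows by one entry per container started on
// this agent; dropping the entry once the rules are deleted would bound it.
var IptablesHook = Hook{
	Name:     "iptables",
	Priority: 0,
	RunPostRun: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error {
		if !iptablesHookNetworkSupported(taskInfo) {
			logger.GetInstance().Warn("Iptables hook can't inject iptables rules if network mode is not bridge or user")
			return nil
		}
		logger.GetInstance().Debug(fmt.Sprintf("Inserting iptables on host namespace for container %s", containerID))

		driver, err := iptables.New()
		if err != nil {
			return err
		}
		portMappings := taskInfo.GetContainer().GetDocker().GetPortMappings()
		containerInterface, err := iptablesHookBridgeInterface()
		if err != nil {
			return err
		}
		containerIPs, err := c.ContainerGetIPsByInterface(containerID, containerInterface)
		if err != nil {
			return err
		}
		// Cached so that pre-stop can delete exactly these rules without
		// querying the containerizer again.
		iptablesHookContainerIPCache.Store(containerID, containerIPs)
		return generateIptables(containerIPs, portMappings, containerInterface, driver, driver.Append, true)
	},
	RunPreStop: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error {
		// Same condition as post-run: rules and a cache entry only exist for
		// bridge and user modes, so any other mode has nothing to remove and
		// must not fall through to a "not found in cache" error.
		if !iptablesHookNetworkSupported(taskInfo) {
			logger.GetInstance().Warn("Iptables hook does not need to remove iptables rules if network mode is not bridged")
			return nil
		}
		logger.GetInstance().Debug(fmt.Sprintf("Removing iptables on host namespace for container %s", containerID))

		driver, err := iptables.New()
		if err != nil {
			return err
		}
		portMappings := taskInfo.GetContainer().GetDocker().GetPortMappings()
		ipsCacheValue, ok := iptablesHookContainerIPCache.Load(containerID)
		if !ok {
			return fmt.Errorf("could not find ip in cache for container %s", containerID)
		}
		containerIPs, ok := ipsCacheValue.([]net.IP)
		if !ok {
			return fmt.Errorf("could not load ip from cache for container %s", containerID)
		}
		containerInterface, err := iptablesHookBridgeInterface()
		if err != nil {
			return err
		}
		return generateIptables(containerIPs, portMappings, containerInterface, driver, driver.Delete, false)
	},
}

// iptablesHookNetworkSupported reports whether the task's Docker network mode
// is one the hook manages rules for (bridge or user-defined network).
func iptablesHookNetworkSupported(taskInfo *mesos.TaskInfo) bool {
	network := taskInfo.GetContainer().GetDocker().GetNetwork()
	return network == mesos.ContainerInfo_DockerInfo_BRIDGE || network == mesos.ContainerInfo_DockerInfo_USER
}

// iptablesHookBridgeInterface returns the configured container bridge
// interface ("iptables.container_bridge_interface"), or an error when it is
// unset, since the rules cannot be scoped to an interface without it.
func iptablesHookBridgeInterface() (string, error) {
	containerInterface := viper.GetString("iptables.container_bridge_interface")
	if containerInterface == "" {
		return "", fmt.Errorf("could not retrieve container brigde interface")
	}
	return containerInterface, nil
}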
IptablesHook injects iptables rules on the host. These rules allow container masquerading and network forwarding to the container.
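// NetnsHook creates a symlink <netns.path>/<task ID> pointing at the
// container's network namespace (<proc_path>/<pid>/ns/net) on post-run, so
// that "ip netns" can run commands inside that namespace for debugging, and
// removes the link again on post-stop.
//
// The link name is derived from the task ID, which is supplied by the
// framework. It is rejected when it is empty, "." or "..", or contains a path
// separator, so that neither the symlink nor its later removal can escape
// netns.path.
var NetnsHook = Hook{
	Name:     "netns",
	Priority: 0,
	RunPostRun: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error {
		linkPath, err := netnsHookLinkPath(taskInfo)
		if err != nil {
			return err
		}
		pid, err := c.ContainerGetPID(containerID)
		if err != nil {
			return err
		}
		// The package-level copies are kept for any existing readers; post-stop
		// recomputes the path from the task instead of relying on them.
		netnsHookContainerPID = pid
		netnsHookSymlinkPath = linkPath
		if err = os.Mkdir(viper.GetString("netns.path"), 0700); err != nil && !os.IsExist(err) {
			return err
		}
		nspath := fmt.Sprintf("%s/%d/ns/net", viper.GetString("proc_path"), pid)
		return os.Symlink(nspath, linkPath)
	},
	RunPostStop: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error {
		// Derive the path from this task rather than from the shared package
		// variable: that variable holds whichever task's post-run ran last and
		// would remove the wrong link when several containers are managed at once.
		linkPath, err := netnsHookLinkPath(taskInfo)
		if err != nil {
			return err
		}
		return os.Remove(linkPath)
	},
}

// netnsHookLinkPath returns <netns.path>/<task ID> for the task, or an error
// when the task ID is empty, is "." or "..", or contains a path separator —
// any of those would let the link or its removal land outside netns.path.
func netnsHookLinkPath(taskInfo *mesos.TaskInfo) (string, error) {
	taskID := taskInfo.TaskID.GetValue()
	if taskID == "" || taskID == "." || taskID == ".." {
		return "", fmt.Errorf("netns hook: invalid task id %q", taskID)
	}
	for i := 0; i < len(taskID); i++ {
		if taskID[i] == '/' || taskID[i] == os.PathSeparator {
			return "", fmt.Errorf("netns hook: task id %q must not contain a path separator", taskID)
		}
	}
	return fmt.Sprintf("%s/%s", viper.GetString("netns.path"), taskID), nil
}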
NetnsHook creates and removes a symlink in /var/run/netns in order to allow the "ip netns" command to execute commands in the associated container's network namespace (for debugging purposes).
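// NetworkHook forces every container onto a Docker user-defined network named
// after the framework: on pre-create it sets the task's Docker network mode to
// USER and replaces the task's NetworkInfos with a single entry carrying the
// framework name.
var NetworkHook = Hook{
	Name:     "network",
	Priority: 0,
	RunPreCreate: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo) error {
		// The assignments below dereference Container and Docker directly;
		// report a missing Docker section as an error rather than panicking.
		if taskInfo.GetContainer().GetDocker() == nil {
			return fmt.Errorf("network hook: task has no docker container info")
		}
		frameworkName := frameworkInfo.GetName()
		taskInfo.Container.Docker.Network = mesos.ContainerInfo_DockerInfo_USER.Enum()
		taskInfo.Container.NetworkInfos = []mesos.NetworkInfo{
			{Name: &frameworkName},
		}
		return nil
	},
}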
NetworkHook ensures that containers are launched in a certain network.
// RemoveContainerHook deletes the container from the containerizer once it
// has stopped (post-stop), logging the container ID first. Any error from the
// containerizer is returned to the hook manager unchanged.
var RemoveContainerHook = Hook{
	Name:     "removeContainer",
	Priority: 0,
	RunPostStop: func(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error {
		log := logger.GetInstance()
		log.Info("Removing container", zap.String("containerID", containerID))
		return c.ContainerRemove(containerID)
	},
}
RemoveContainerHook removes the stopped container on post-stop.
// Hook represents an executable hook. One type covers every lifecycle point;
// a hook implements only the phases it needs by setting the matching Run*
// field and leaving the others nil.
type Hook struct {
	// Name identifies the hook (for example "acl", "iptables", "netns").
	Name string
	// Priority orders hooks within a phase; presumably the manager sorts on it —
	// TODO confirm direction (lower or higher first) against Manager.
	Priority int64
	// RunPreCreate is invoked by the manager's pre-create phase. The container
	// does not exist yet, so there is no container ID argument.
	RunPreCreate func(container.Containerizer, *mesos.TaskInfo, *mesos.FrameworkInfo) error
	// RunPreRun is invoked by the manager's pre-run phase with the container ID.
	RunPreRun func(container.Containerizer, *mesos.TaskInfo, *mesos.FrameworkInfo, string) error
	// RunPostRun is invoked by the manager's post-run phase with the container ID.
	RunPostRun func(container.Containerizer, *mesos.TaskInfo, *mesos.FrameworkInfo, string) error
	// RunPreStop is invoked by the manager's pre-stop phase with the container ID.
	RunPreStop func(container.Containerizer, *mesos.TaskInfo, *mesos.FrameworkInfo, string) error
	// RunPostStop is invoked by the manager's post-stop phase with the container ID.
	RunPostStop func(container.Containerizer, *mesos.TaskInfo, *mesos.FrameworkInfo, string) error
}
Hook represents an executable hook (we don't care whether it's a pre-create, post-stop or any other kind).
Manager is a hook manager with different kinds of hooks: pre-create, pre-run, post-run, pre-stop and post-stop. It also contains a list of the enabled hooks' names.
NewManager returns an empty hook Manager (with no hooks).
RegisterHooks registers a list of hooks on the given "when" (pre-create, ...). It returns an error if the given "when" is incorrect.
func (m *Manager) RunPostRunHooks(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error
RunPostRunHooks runs all post-run hooks of the given manager.
func (m *Manager) RunPostStopHooks(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error
RunPostStopHooks runs all post-stop hooks of the given manager.
func (m *Manager) RunPreCreateHooks(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo) error
RunPreCreateHooks runs all pre-create hooks of the given manager.
func (m *Manager) RunPreRunHooks(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error
RunPreRunHooks runs all pre-run hooks of the given manager.
func (m *Manager) RunPreStopHooks(c container.Containerizer, taskInfo *mesos.TaskInfo, frameworkInfo *mesos.FrameworkInfo, containerID string) error
RunPreStopHooks runs all pre-stop hooks of the given manager.