diff --git a/cmd/docker/docker.go b/cmd/docker/docker.go index 29a3ed5957..66db8c2d42 100644 --- a/cmd/docker/docker.go +++ b/cmd/docker/docker.go @@ -19,8 +19,10 @@ import ( cliflags "github.com/docker/cli/cli/flags" "github.com/docker/cli/cli/version" platformsignals "github.com/docker/cli/cmd/docker/internal/signals" + "github.com/docker/docker/api/types/versions" "github.com/docker/docker/errdefs" + "github.com/docker/docker/pkg/reexec" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -29,6 +31,10 @@ import ( ) func main() { + if reexec.Init() { + return + } + err := dockerMain(context.Background()) if err != nil && !errdefs.IsCancelled(err) { _, _ = fmt.Fprintln(os.Stderr, err) diff --git a/cmd/docker/file_helper.go b/cmd/docker/file_helper.go new file mode 100644 index 0000000000..08fca8bd56 --- /dev/null +++ b/cmd/docker/file_helper.go @@ -0,0 +1,69 @@ +package main + +import ( + "os" + + credhelpers "github.com/docker/docker-credential-helpers/credentials" + "github.com/docker/docker/pkg/reexec" + + "github.com/docker/cli/cli/config" + "github.com/docker/cli/cli/config/credentials" + "github.com/docker/cli/cli/config/types" +) + +//nolint:gosec // ignore G101: Potential hardcoded credentials +const fileCredsHelperBinary = "docker-credential-file" + +func init() { + reexec.Register(fileCredsHelperBinary, serveFileCredHelper) +} + +func serveFileCredHelper() { + configfile := config.LoadDefaultConfigFile(os.Stderr) + store := credentials.NewFileStore(configfile) + credhelpers.Serve(&FileHelper{ + fileStore: store, + }) +} + +var _ credhelpers.Helper = &FileHelper{} + +type FileHelper struct { + fileStore credentials.Store +} + +func (f *FileHelper) Add(creds *credhelpers.Credentials) error { + return f.fileStore.Store(types.AuthConfig{ + Username: creds.Username, + Password: creds.Secret, + ServerAddress: creds.ServerURL, + }) +} + +func (f *FileHelper) Delete(serverAddress string) error { + return f.fileStore.Erase(serverAddress) +} + +func (f *FileHelper) Get(serverAddress string) (string, string, error) { + authConfig, err := f.fileStore.Get(serverAddress) + if err != nil { + return "", "", err + } + + return authConfig.Username, authConfig.Password, nil +} + +func (f *FileHelper) List() (map[string]string, error) { + creds := make(map[string]string) + + authConfig, err := f.fileStore.GetAll() + if err != nil { + return nil, err + } + + for k, v := range authConfig { + creds[k] = v.Username + } + + return creds, nil +} diff --git a/vendor/github.com/docker/docker/pkg/reexec/command_linux.go b/vendor/github.com/docker/docker/pkg/reexec/command_linux.go new file mode 100644 index 0000000000..952633c864 --- /dev/null +++ b/vendor/github.com/docker/docker/pkg/reexec/command_linux.go @@ -0,0 +1,26 @@ +package reexec + +import ( + "os/exec" + "syscall" +) + +// Command returns an [*exec.Cmd] which has Path as current binary which, +// on Linux, is set to the in-memory version (/proc/self/exe) of the current +// binary, it is thus safe to delete or replace the on-disk binary (os.Args[0]). +// +// On Linux, the Pdeathsig of [*exec.Cmd.SysProcAttr] is set to SIGTERM. +// This signal will be sent to the process when the OS thread which created +// the process dies. +// +// It is the caller's responsibility to ensure that the creating thread is +// not terminated prematurely. See https://go.dev/issue/27505 for more details. +func Command(args ...string) *exec.Cmd { + return &exec.Cmd{ + Path: Self(), + Args: args, + SysProcAttr: &syscall.SysProcAttr{ + Pdeathsig: syscall.SIGTERM, + }, + } +} diff --git a/vendor/github.com/docker/docker/pkg/reexec/command_other.go b/vendor/github.com/docker/docker/pkg/reexec/command_other.go new file mode 100644 index 0000000000..b458ef2d20 --- /dev/null +++ b/vendor/github.com/docker/docker/pkg/reexec/command_other.go @@ -0,0 +1,19 @@ +//go:build freebsd || darwin || windows + +package reexec + +import ( + "os/exec" +) + +// Command returns *exec.Cmd with its Path set to the path of the current +// binary using the result of [Self]. For example if current binary is +// "my-binary" at "/usr/bin/" (or "my-binary.exe" at "C:\" on Windows), +// then cmd.Path is set to "/usr/bin/my-binary" and "C:\my-binary.exe" +// respectively. +func Command(args ...string) *exec.Cmd { + return &exec.Cmd{ + Path: Self(), + Args: args, + } +} diff --git a/vendor/github.com/docker/docker/pkg/reexec/command_unsupported.go b/vendor/github.com/docker/docker/pkg/reexec/command_unsupported.go new file mode 100644 index 0000000000..3e98b989a3 --- /dev/null +++ b/vendor/github.com/docker/docker/pkg/reexec/command_unsupported.go @@ -0,0 +1,12 @@ +//go:build !linux && !windows && !freebsd && !darwin + +package reexec + +import ( + "os/exec" +) + +// Command is unsupported on operating systems apart from Linux, Windows, and Darwin. +func Command(args ...string) *exec.Cmd { + return nil +} diff --git a/vendor/github.com/docker/docker/pkg/reexec/reexec.go b/vendor/github.com/docker/docker/pkg/reexec/reexec.go new file mode 100644 index 0000000000..b9d11a2a58 --- /dev/null +++ b/vendor/github.com/docker/docker/pkg/reexec/reexec.go @@ -0,0 +1,64 @@ +// Package reexec facilitates the busybox style reexec of a binary. +// +// Handlers can be registered with a name and the argv 0 of the exec of +// the binary will be used to find and execute custom init paths. +// +// It is used in dockerd to work around forking limitations when using Go. +package reexec + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "runtime" +) + +var registeredInitializers = make(map[string]func()) + +// Register adds an initialization func under the specified name. It panics +// if the given name is already registered. +func Register(name string, initializer func()) { + if _, exists := registeredInitializers[name]; exists { + panic(fmt.Sprintf("reexec func already registered under name %q", name)) + } + + registeredInitializers[name] = initializer +} + +// Init is called as the first part of the exec process and returns true if an +// initialization function was called. +func Init() bool { + if initializer, ok := registeredInitializers[os.Args[0]]; ok { + initializer() + return true + } + return false +} + +// Self returns the path to the current process's binary. On Linux, it +// returns "/proc/self/exe", which provides the in-memory version of the +// current binary, whereas on other platforms it attempts to looks up the +// absolute path for os.Args[0], or otherwise returns os.Args[0] as-is. +func Self() string { + if runtime.GOOS == "linux" { + return "/proc/self/exe" + } + return naiveSelf() +} + +func naiveSelf() string { + name := os.Args[0] + if filepath.Base(name) == name { + if lp, err := exec.LookPath(name); err == nil { + return lp + } + } + // handle conversion of relative paths to absolute + if absName, err := filepath.Abs(name); err == nil { + return absName + } + // if we couldn't get absolute name, return original + // (NOTE: Go only errors on Abs() if os.Getwd fails) + return name +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 430194d842..501db43946 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -91,6 +91,7 @@ github.com/docker/docker/pkg/longpath github.com/docker/docker/pkg/pools github.com/docker/docker/pkg/process github.com/docker/docker/pkg/progress +github.com/docker/docker/pkg/reexec github.com/docker/docker/pkg/stdcopy github.com/docker/docker/pkg/streamformatter github.com/docker/docker/pkg/stringid