github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e401724d43'
${ noResults }
portainer/api/http/handler/stacks/create_compose_stack.go

383 lines
13 KiB
Raw Normal View History Unescape

feat(stacks): support compose v2.0 stack (#1963)
7 years ago
package stacks
import (
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
"errors"
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
"net/http"
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
"path"
fix(libcompose): apply same normalize name rule as libcompose on stack name (#3395)
5 years ago
"regexp"
fix(stacks): fix an issue with stack update
7 years ago
"strconv"
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
"strings"
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
"time"
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
"github.com/asaskevich/govalidator"
refactor(api): introduce libhttp usage (#2263)
6 years ago
httperror "github.com/portainer/libhttp/error"
"github.com/portainer/libhttp/request"
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
portainer "github.com/portainer/portainer/api"
refactor(api): refactor base import path (#2788) * refactor(api): refactor base import path * fix(build-system): update build_binary_devops * fix(build-system): fix build_binary_devops for linux * fix(build-system): fix build_binary_devops for Windows
6 years ago
"github.com/portainer/portainer/api/filesystem"
"github.com/portainer/portainer/api/http/security"
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
)
fix(libcompose): apply same normalize name rule as libcompose on stack name (#3395)
5 years ago
// this is coming from libcompose
// https://github.com/portainer/libcompose/blob/master/project/context.go#L117-L120
func normalizeStackName(name string) string {
r := regexp.MustCompile("[^a-z0-9]+")
return r.ReplaceAllString(strings.ToLower(name), "")
}
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
type composeStackFromFileContentPayload struct {
Name string
StackFileContent string
feat(templates): support env variables in Compose stacks
6 years ago
Env []portainer.Pair
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
func (payload *composeStackFromFileContentPayload) Validate(r *http.Request) error {
if govalidator.IsNull(payload.Name) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid stack name")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
fix(libcompose): apply same normalize name rule as libcompose on stack name (#3395)
5 years ago
payload.Name = normalizeStackName(payload.Name)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if govalidator.IsNull(payload.StackFileContent) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid stack file content")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
return nil
}
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
5 years ago
func (handler *Handler) createComposeStackFromFileContent(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint, userID portainer.UserID) *httperror.HandlerError {
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
var payload composeStackFromFileContentPayload
err := request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
stacks, err := handler.DataStore.Stack().Stacks()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve stacks from the database", err}
}
for _, stack := range stacks {
if strings.EqualFold(stack.Name, payload.Name) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return &httperror.HandlerError{http.StatusConflict, "A stack with this name already exists", errStackAlreadyExists}
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
stackID := handler.DataStore.Stack().GetNextIdentifier()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
stack := &portainer.Stack{
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
ID: portainer.StackID(stackID),
Name: payload.Name,
Type: portainer.DockerComposeStack,
EndpointID: endpoint.ID,
EntryPoint: filesystem.ComposeFileDefaultName,
Env: payload.Env,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
fix(stacks): fix an issue with stack update
7 years ago
stackFolder := strconv.Itoa(int(stack.ID))
projectPath, err := handler.FileService.StoreStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Compose file on disk", err}
}
stack.ProjectPath = projectPath
doCleanUp := true
defer handler.cleanUp(stack, &doCleanUp)
config, configErr := handler.createComposeDeployConfig(r, stack, endpoint)
if configErr != nil {
return configErr
}
err = handler.deployComposeStack(config)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
}
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
stack.CreatedBy = config.user.Username
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
err = handler.DataStore.Stack().CreateStack(stack)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
}
doCleanUp = false
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
5 years ago
return handler.decorateStackResponse(w, stack, userID)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
type composeStackFromGitRepositoryPayload struct {
Name string
RepositoryURL string
feat(stack-creation): add the ability to specify git reference (#1948) (#2063)
6 years ago
RepositoryReferenceName string
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
RepositoryAuthentication bool
RepositoryUsername string
RepositoryPassword string
ComposeFilePathInRepository string
feat(templates): support env variables in Compose stacks
6 years ago
Env []portainer.Pair
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
func (payload *composeStackFromGitRepositoryPayload) Validate(r *http.Request) error {
if govalidator.IsNull(payload.Name) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid stack name")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
fix(libcompose): apply same normalize name rule as libcompose on stack name (#3395)
5 years ago
payload.Name = normalizeStackName(payload.Name)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid repository URL. Must correspond to a valid URL format")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
if govalidator.IsNull(payload.ComposeFilePathInRepository) {
payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
}
return nil
}
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
5 years ago
func (handler *Handler) createComposeStackFromGitRepository(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint, userID portainer.UserID) *httperror.HandlerError {
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
var payload composeStackFromGitRepositoryPayload
err := request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
stacks, err := handler.DataStore.Stack().Stacks()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve stacks from the database", err}
}
for _, stack := range stacks {
if strings.EqualFold(stack.Name, payload.Name) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return &httperror.HandlerError{http.StatusConflict, "A stack with this name already exists", errStackAlreadyExists}
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
stackID := handler.DataStore.Stack().GetNextIdentifier()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
stack := &portainer.Stack{
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
ID: portainer.StackID(stackID),
Name: payload.Name,
Type: portainer.DockerComposeStack,
EndpointID: endpoint.ID,
EntryPoint: payload.ComposeFilePathInRepository,
Env: payload.Env,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
fix(stack-creation): use numeric value for stack root folder name (#2000)
7 years ago
projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
stack.ProjectPath = projectPath
gitCloneParams := &cloneRepositoryParameters{
url: payload.RepositoryURL,
feat(stack-creation): add the ability to specify git reference (#1948) (#2063)
6 years ago
referenceName: payload.RepositoryReferenceName,
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
path: projectPath,
authentication: payload.RepositoryAuthentication,
username: payload.RepositoryUsername,
password: payload.RepositoryPassword,
}
feat(stack-creation): add the ability to specify git reference (#1948) (#2063)
6 years ago
doCleanUp := true
defer handler.cleanUp(stack, &doCleanUp)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
err = handler.cloneGitRepository(gitCloneParams)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to clone git repository", err}
}
config, configErr := handler.createComposeDeployConfig(r, stack, endpoint)
if configErr != nil {
return configErr
}
err = handler.deployComposeStack(config)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
}
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
stack.CreatedBy = config.user.Username
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
err = handler.DataStore.Stack().CreateStack(stack)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
}
doCleanUp = false
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
5 years ago
return handler.decorateStackResponse(w, stack, userID)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
type composeStackFromFileUploadPayload struct {
Name string
StackFileContent []byte
feat(templates): support env variables in Compose stacks
6 years ago
Env []portainer.Pair
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
func (payload *composeStackFromFileUploadPayload) Validate(r *http.Request) error {
name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
if err != nil {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid stack name")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
fix(libcompose): apply same normalize name rule as libcompose on stack name (#3395)
5 years ago
payload.Name = normalizeStackName(name)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
refactor(api): introduce libhttp usage (#2263)
6 years ago
composeFileContent, _, err := request.RetrieveMultiPartFormFile(r, "file")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid Compose file. Ensure that the Compose file is uploaded correctly")
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
payload.StackFileContent = composeFileContent
feat(templates): support env variables in Compose stacks
6 years ago
var env []portainer.Pair
err = request.RetrieveMultiPartFormJSONValue(r, "Env", &env, true)
if err != nil {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return errors.New("Invalid Env parameter")
feat(templates): support env variables in Compose stacks
6 years ago
}
payload.Env = env
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
return nil
}
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
5 years ago
func (handler *Handler) createComposeStackFromFileUpload(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint, userID portainer.UserID) *httperror.HandlerError {
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
payload := &composeStackFromFileUploadPayload{}
err := payload.Validate(r)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
stacks, err := handler.DataStore.Stack().Stacks()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve stacks from the database", err}
}
for _, stack := range stacks {
if strings.EqualFold(stack.Name, payload.Name) {
refactor(errors): reorganize errors (#3938) * refactor(bolt): move ErrObjectNotFound to bolt * refactor(http): move ErrUnauthorized to http package * refactor(http): move ErrResourceAccessDenied to http errors * refactor(http): move security errors to package * refactor(users): move user errors to users package * refactor(errors): move single errors to their package * refactor(schedules): move schedule error to package * refactor(http): move endpoint error to http package * refactor(docker): move docker errors to package * refactor(filesystem): move filesystem errors to package * refactor(errors): remove portainer.Error * style(chisel): reorder imports * fix(stacks): remove portainer.Error
4 years ago
return &httperror.HandlerError{http.StatusConflict, "A stack with this name already exists", errStackAlreadyExists}
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
stackID := handler.DataStore.Stack().GetNextIdentifier()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
stack := &portainer.Stack{
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
ID: portainer.StackID(stackID),
Name: payload.Name,
Type: portainer.DockerComposeStack,
EndpointID: endpoint.ID,
EntryPoint: filesystem.ComposeFileDefaultName,
Env: payload.Env,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
fix(stacks): fix an issue with stack update
7 years ago
stackFolder := strconv.Itoa(int(stack.ID))
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
projectPath, err := handler.FileService.StoreStackFileFromBytes(stackFolder, stack.EntryPoint, payload.StackFileContent)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Compose file on disk", err}
}
stack.ProjectPath = projectPath
doCleanUp := true
defer handler.cleanUp(stack, &doCleanUp)
config, configErr := handler.createComposeDeployConfig(r, stack, endpoint)
if configErr != nil {
return configErr
}
err = handler.deployComposeStack(config)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
}
feat(docker/stacks): introduce date info for stacks (#4660) * feat(docker/stacks): add creation and update dates * feat(docker/stacks): put ownership column as the last column * feat(docker/stacks): fix the no stacks message * refactor(docker/stacks): make external stacks helpers more readable * feat(docker/stacks): add updated and created by * feat(docker/stacks): toggle updated column * refactor(datatable): create column visibility component Co-authored-by: alice groux <alice.grx@gmail.com>
4 years ago
stack.CreatedBy = config.user.Username
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
err = handler.DataStore.Stack().CreateStack(stack)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
}
doCleanUp = false
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
5 years ago
return handler.decorateStackResponse(w, stack, userID)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
type composeStackDeploymentConfig struct {
stack *portainer.Stack
endpoint *portainer.Endpoint
dockerhub *portainer.DockerHub
registries []portainer.Registry
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
isAdmin bool
feat(containers): Ensure users cannot create privileged containers via the API (#3969) (#4077) * feat(containers): Ensure users cannot create privileged containers via the API * feat(containers): add rbac check in stack creation Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
4 years ago
user *portainer.User
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint) (*composeStackDeploymentConfig, *httperror.HandlerError) {
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
dockerhub, err := handler.DataStore.DockerHub().DockerHub()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve DockerHub details from the database", err}
}
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
registries, err := handler.DataStore.Registry().Registries()
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve registries from the database", err}
}
filteredRegistries := security.FilterRegistries(registries, securityContext)
feat(containers): Ensure users cannot create privileged containers via the API (#3969) (#4077) * feat(containers): Ensure users cannot create privileged containers via the API * feat(containers): add rbac check in stack creation Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
4 years ago
user, err := handler.DataStore.User().User(securityContext.UserID)
if err != nil {
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
}
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
config := &composeStackDeploymentConfig{
stack: stack,
endpoint: endpoint,
dockerhub: dockerhub,
registries: filteredRegistries,
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
isAdmin: securityContext.IsAdmin,
feat(containers): Ensure users cannot create privileged containers via the API (#3969) (#4077) * feat(containers): Ensure users cannot create privileged containers via the API * feat(containers): add rbac check in stack creation Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
4 years ago
user: user,
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
}
return config, nil
}
// TODO: libcompose uses credentials store into a config.json file to pull images from
// private registries. Right now the only solution is to re-use the embedded Docker binary
// to login/logout, which will generate the required data in the config.json file and then
// clean it. Hence the use of the mutex.
// We should contribute to libcompose to support authentication without using the config.json file.
func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig) error {
feat(api): introduce new datastore interface (#3802) * feat(api): introduce new datastore interface * refactor(api): refactor http and main layers * refactor(api): refactor http and bolt layers
5 years ago
settings, err := handler.DataStore.Settings().Settings()
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
if err != nil {
return err
}
feat(containers): Ensure users cannot create privileged containers via the API (#3969) (#4077) * feat(containers): Ensure users cannot create privileged containers via the API * feat(containers): add rbac check in stack creation Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
4 years ago
isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
if err != nil {
return err
}
feat(containers): Prevent non-admin users from running containers using the host namespace pid (#4098) * feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970) * feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers * feat(database): trigger migration for AllowHostNamespace * feat(containers): check container creation authorization Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
4 years ago
if (!settings.AllowBindMountsForRegularUsers ||
!settings.AllowPrivilegedModeForRegularUsers ||
feat(settings): add setting to disable device mapping for regular users (#4099) * feat(settings): add setting to disable device mapping for regular users * feat(settings): introduce device mapping service * feat(containers): hide devices field when setting is on * feat(containers): prevent passing of devices when not allowed * feat(stacks): prevent non admin from device mapping * feat(stacks): disallow swarm stack creation for user * refactor(settings): replace disableDeviceMapping with allow * fix(stacks): remove check for disable device mappings from swarm * feat(settings): rename field to disable * feat(settings): supply default value for disableDeviceMapping * feat(container): check for endpoint admin * style(server): sort imports
4 years ago
!settings.AllowHostNamespaceForRegularUsers ||
feat(settings): introduce setting to disable container caps for non-admins (#4109) * feat(settings): introduce settings to allow/disable * feat(settings): update the setting * feat(docker): prevent user from using caps if disabled * refactor(stacks): revert file * style(api): remove portainer ns
4 years ago
!settings.AllowDeviceMappingForRegularUsers ||
!settings.AllowContainerCapabilitiesForRegularUsers) &&
feat(containers): Prevent non-admin users from running containers using the host namespace pid (#4098) * feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970) * feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers * feat(database): trigger migration for AllowHostNamespace * feat(containers): check container creation authorization Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
4 years ago
!isAdminOrEndpointAdmin {
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
stackContent, err := handler.FileService.GetFileContent(composeFilePath)
if err != nil {
return err
}
feat(containers): Ensure users cannot create privileged containers via the API (#3969) (#4077) * feat(containers): Ensure users cannot create privileged containers via the API * feat(containers): add rbac check in stack creation Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
4 years ago
err = handler.isValidStackFile(stackContent, settings)
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
if err != nil {
return err
}
}
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
handler.stackCreationMutex.Lock()
defer handler.stackCreationMutex.Unlock()
handler.SwarmStackManager.Login(config.dockerhub, config.registries, config.endpoint)
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232)
5 years ago
err = handler.ComposeStackManager.Up(config.stack, config.endpoint)
feat(stacks): support compose v2.0 stack (#1963)
7 years ago
if err != nil {
return err
}
return handler.SwarmStackManager.Logout(config.endpoint)
}