Skip to content

Commit 7252086

Browse files
authored
Merge pull request #2165 from docker/ssh_protocol_support
SSH protocol support
2 parents c9bee77 + f302756 commit 7252086

16 files changed

+290
-108
lines changed

docker/api/client.py

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,11 @@
3939
except ImportError:
4040
pass
4141

42+
try:
43+
from ..transport import SSHAdapter
44+
except ImportError:
45+
pass
46+
4247

4348
class APIClient(
4449
requests.Session,
@@ -141,6 +146,18 @@ def __init__(self, base_url=None, version=None,
141146
)
142147
self.mount('http+docker://', self._custom_adapter)
143148
self.base_url = 'http+docker://localnpipe'
149+
elif base_url.startswith('ssh://'):
150+
try:
151+
self._custom_adapter = SSHAdapter(
152+
base_url, timeout, pool_connections=num_pools
153+
)
154+
except NameError:
155+
raise DockerException(
156+
'Install paramiko package to enable ssh:// support'
157+
)
158+
self.mount('http+docker://ssh', self._custom_adapter)
159+
self._unmount('http://', 'https://')
160+
self.base_url = 'http+docker://ssh'
144161
else:
145162
# Use SSLAdapter for the ability to specify SSL version
146163
if isinstance(tls, TLSConfig):
@@ -279,6 +296,8 @@ def _get_raw_response_socket(self, response):
279296
self._raise_for_status(response)
280297
if self.base_url == "http+docker://localnpipe":
281298
sock = response.raw._fp.fp.raw.sock
299+
elif self.base_url.startswith('http+docker://ssh'):
300+
sock = response.raw._fp.fp.channel
282301
elif six.PY3:
283302
sock = response.raw._fp.fp.raw
284303
if self.base_url.startswith("https://"):

docker/transport/__init__.py

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,3 +6,8 @@
66
from .npipesocket import NpipeSocket
77
except ImportError:
88
pass
9+
10+
try:
11+
from .sshconn import SSHAdapter
12+
except ImportError:
13+
pass

docker/transport/npipesocket.py

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -87,10 +87,6 @@ def detach(self):
8787
def dup(self):
8888
return NpipeSocket(self._handle)
8989

90-
@check_closed
91-
def fileno(self):
92-
return int(self._handle)
93-
9490
def getpeername(self):
9591
return self._address
9692

docker/transport/sshconn.py

Lines changed: 107 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,107 @@
1+
import paramiko
2+
import requests.adapters
3+
import six
4+
5+
from .. import constants
6+
7+
if six.PY3:
8+
import http.client as httplib
9+
else:
10+
import httplib
11+
12+
try:
13+
import requests.packages.urllib3 as urllib3
14+
except ImportError:
15+
import urllib3
16+
17+
RecentlyUsedContainer = urllib3._collections.RecentlyUsedContainer
18+
19+
20+
class SSHConnection(httplib.HTTPConnection, object):
21+
def __init__(self, ssh_transport, timeout=60):
22+
super(SSHConnection, self).__init__(
23+
'localhost', timeout=timeout
24+
)
25+
self.ssh_transport = ssh_transport
26+
self.timeout = timeout
27+
28+
def connect(self):
29+
sock = self.ssh_transport.open_session()
30+
sock.settimeout(self.timeout)
31+
sock.exec_command('docker system dial-stdio')
32+
self.sock = sock
33+
34+
35+
class SSHConnectionPool(urllib3.connectionpool.HTTPConnectionPool):
36+
scheme = 'ssh'
37+
38+
def __init__(self, ssh_client, timeout=60, maxsize=10):
39+
super(SSHConnectionPool, self).__init__(
40+
'localhost', timeout=timeout, maxsize=maxsize
41+
)
42+
self.ssh_transport = ssh_client.get_transport()
43+
self.timeout = timeout
44+
45+
def _new_conn(self):
46+
return SSHConnection(self.ssh_transport, self.timeout)
47+
48+
# When re-using connections, urllib3 calls fileno() on our
49+
# SSH channel instance, quickly overloading our fd limit. To avoid this,
50+
# we override _get_conn
51+
def _get_conn(self, timeout):
52+
conn = None
53+
try:
54+
conn = self.pool.get(block=self.block, timeout=timeout)
55+
56+
except AttributeError: # self.pool is None
57+
raise urllib3.exceptions.ClosedPoolError(self, "Pool is closed.")
58+
59+
except six.moves.queue.Empty:
60+
if self.block:
61+
raise urllib3.exceptions.EmptyPoolError(
62+
self,
63+
"Pool reached maximum size and no more "
64+
"connections are allowed."
65+
)
66+
pass # Oh well, we'll create a new connection then
67+
68+
return conn or self._new_conn()
69+
70+
71+
class SSHAdapter(requests.adapters.HTTPAdapter):
72+
73+
__attrs__ = requests.adapters.HTTPAdapter.__attrs__ + [
74+
'pools', 'timeout', 'ssh_client',
75+
]
76+
77+
def __init__(self, base_url, timeout=60,
78+
pool_connections=constants.DEFAULT_NUM_POOLS):
79+
self.ssh_client = paramiko.SSHClient()
80+
self.ssh_client.load_system_host_keys()
81+
82+
parsed = six.moves.urllib_parse.urlparse(base_url)
83+
self.ssh_client.connect(
84+
parsed.hostname, parsed.port, parsed.username,
85+
)
86+
self.timeout = timeout
87+
self.pools = RecentlyUsedContainer(
88+
pool_connections, dispose_func=lambda p: p.close()
89+
)
90+
super(SSHAdapter, self).__init__()
91+
92+
def get_connection(self, url, proxies=None):
93+
with self.pools.lock:
94+
pool = self.pools.get(url)
95+
if pool:
96+
return pool
97+
98+
pool = SSHConnectionPool(
99+
self.ssh_client, self.timeout
100+
)
101+
self.pools[url] = pool
102+
103+
return pool
104+
105+
def close(self):
106+
self.pools.clear()
107+
self.ssh_client.close()

docker/types/daemon.py

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@
55
except ImportError:
66
import urllib3
77

8+
from ..errors import DockerException
9+
810

911
class CancellableStream(object):
1012
"""
@@ -55,9 +57,17 @@ def close(self):
5557
elif hasattr(sock_raw, '_sock'):
5658
sock = sock_raw._sock
5759

60+
elif hasattr(sock_fp, 'channel'):
61+
# We're working with a paramiko (SSH) channel, which doesn't
62+
# support cancelable streams with the current implementation
63+
raise DockerException(
64+
'Cancellable streams not supported for the SSH protocol'
65+
)
5866
else:
5967
sock = sock_fp._sock
60-
if isinstance(sock, urllib3.contrib.pyopenssl.WrappedSocket):
68+
69+
if hasattr(urllib3.contrib, 'pyopenssl') and isinstance(
70+
sock, urllib3.contrib.pyopenssl.WrappedSocket):
6171
sock = sock.socket
6272

6373
sock.shutdown(socket.SHUT_RDWR)

docker/utils/utils.py

Lines changed: 75 additions & 55 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,11 @@
11
import base64
2+
import json
23
import os
34
import os.path
4-
import json
55
import shlex
6-
from distutils.version import StrictVersion
6+
import string
77
from datetime import datetime
8+
from distutils.version import StrictVersion
89

910
import six
1011

@@ -13,11 +14,12 @@
1314

1415
if six.PY2:
1516
from urllib import splitnport
17+
from urlparse import urlparse
1618
else:
17-
from urllib.parse import splitnport
19+
from urllib.parse import splitnport, urlparse
1820

1921
DEFAULT_HTTP_HOST = "127.0.0.1"
20-
DEFAULT_UNIX_SOCKET = "http+unix://var/run/docker.sock"
22+
DEFAULT_UNIX_SOCKET = "http+unix:///var/run/docker.sock"
2123
DEFAULT_NPIPE = 'npipe:////./pipe/docker_engine'
2224

2325
BYTE_UNITS = {
@@ -212,75 +214,93 @@ def parse_repository_tag(repo_name):
212214
return repo_name, None
213215

214216

215-
# Based on utils.go:ParseHost http://tinyurl.com/nkahcfh
216-
# fd:// protocol unsupported (for obvious reasons)
217-
# Added support for http and https
218-
# Protocol translation: tcp -> http, unix -> http+unix
219217
def parse_host(addr, is_win32=False, tls=False):
220-
proto = "http+unix"
221-
port = None
222218
path = ''
219+
port = None
220+
host = None
223221

222+
# Sensible defaults
224223
if not addr and is_win32:
225-
addr = DEFAULT_NPIPE
226-
224+
return DEFAULT_NPIPE
227225
if not addr or addr.strip() == 'unix://':
228226
return DEFAULT_UNIX_SOCKET
229227

230228
addr = addr.strip()
231-
if addr.startswith('http://'):
232-
addr = addr.replace('http://', 'tcp://')
233-
if addr.startswith('http+unix://'):
234-
addr = addr.replace('http+unix://', 'unix://')
235229

236-
if addr == 'tcp://':
230+
parsed_url = urlparse(addr)
231+
proto = parsed_url.scheme
232+
if not proto or any([x not in string.ascii_letters + '+' for x in proto]):
233+
# https://bugs.python.org/issue754016
234+
parsed_url = urlparse('//' + addr, 'tcp')
235+
proto = 'tcp'
236+
237+
if proto == 'fd':
238+
raise errors.DockerException('fd protocol is not implemented')
239+
240+
# These protos are valid aliases for our library but not for the
241+
# official spec
242+
if proto == 'http' or proto == 'https':
243+
tls = proto == 'https'
244+
proto = 'tcp'
245+
elif proto == 'http+unix':
246+
proto = 'unix'
247+
248+
if proto not in ('tcp', 'unix', 'npipe', 'ssh'):
237249
raise errors.DockerException(
238-
"Invalid bind address format: {0}".format(addr)
250+
"Invalid bind address protocol: {}".format(addr)
251+
)
252+
253+
if proto == 'tcp' and not parsed_url.netloc:
254+
# "tcp://" is exceptionally disallowed by convention;
255+
# omitting a hostname for other protocols is fine
256+
raise errors.DockerException(
257+
'Invalid bind address format: {}'.format(addr)
239258
)
240-
elif addr.startswith('unix://'):
241-
addr = addr[7:]
242-
elif addr.startswith('tcp://'):
243-
proto = 'http{0}'.format('s' if tls else '')
244-
addr = addr[6:]
245-
elif addr.startswith('https://'):
246-
proto = "https"
247-
addr = addr[8:]
248-
elif addr.startswith('npipe://'):
249-
proto = 'npipe'
250-
addr = addr[8:]
251-
elif addr.startswith('fd://'):
252-
raise errors.DockerException("fd protocol is not implemented")
253-
else:
254-
if "://" in addr:
255-
raise errors.DockerException(
256-
"Invalid bind address protocol: {0}".format(addr)
257-
)
258-
proto = "https" if tls else "http"
259259

260-
if proto in ("http", "https"):
261-
address_parts = addr.split('/', 1)
262-
host = address_parts[0]
263-
if len(address_parts) == 2:
264-
path = '/' + address_parts[1]
265-
host, port = splitnport(host)
260+
if any([
261+
parsed_url.params, parsed_url.query, parsed_url.fragment,
262+
parsed_url.password
263+
]):
264+
raise errors.DockerException(
265+
'Invalid bind address format: {}'.format(addr)
266+
)
266267

267-
if port is None:
268-
raise errors.DockerException(
269-
"Invalid port: {0}".format(addr)
270-
)
268+
if parsed_url.path and proto == 'ssh':
269+
raise errors.DockerException(
270+
'Invalid bind address format: no path allowed for this protocol:'
271+
' {}'.format(addr)
272+
)
273+
else:
274+
path = parsed_url.path
275+
if proto == 'unix' and parsed_url.hostname is not None:
276+
# For legacy reasons, we consider unix://path
277+
# to be valid and equivalent to unix:///path
278+
path = '/'.join((parsed_url.hostname, path))
279+
280+
if proto in ('tcp', 'ssh'):
281+
# parsed_url.hostname strips brackets from IPv6 addresses,
282+
# which can be problematic hence our use of splitnport() instead.
283+
host, port = splitnport(parsed_url.netloc)
284+
if port is None or port < 0:
285+
if proto != 'ssh':
286+
raise errors.DockerException(
287+
'Invalid bind address format: port is required:'
288+
' {}'.format(addr)
289+
)
290+
port = 22
271291

272292
if not host:
273293
host = DEFAULT_HTTP_HOST
274-
else:
275-
host = addr
276294

277-
if proto in ("http", "https") and port == -1:
278-
raise errors.DockerException(
279-
"Bind address needs a port: {0}".format(addr))
295+
# Rewrite schemes to fit library internals (requests adapters)
296+
if proto == 'tcp':
297+
proto = 'http{}'.format('s' if tls else '')
298+
elif proto == 'unix':
299+
proto = 'http+unix'
280300

281-
if proto == "http+unix" or proto == 'npipe':
282-
return "{0}://{1}".format(proto, host).rstrip('/')
283-
return "{0}://{1}:{2}{3}".format(proto, host, port, path).rstrip('/')
301+
if proto in ('http+unix', 'npipe'):
302+
return "{}://{}".format(proto, path).rstrip('/')
303+
return '{0}://{1}:{2}{3}'.format(proto, host, port, path).rstrip('/')
284304

285305

286306
def parse_devices(devices):

requirements.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ enum34==1.1.6
99
idna==2.5
1010
ipaddress==1.0.18
1111
packaging==16.8
12+
paramiko==2.4.2
1213
pycparser==2.17
1314
pyOpenSSL==18.0.0
1415
pyparsing==2.2.0

setup.py

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,9 @@
4242
# 'requests[security] >= 2.5.2, != 2.11.0, != 2.12.2'
4343
'tls': ['pyOpenSSL>=17.5.0', 'cryptography>=1.3.4', 'idna>=2.0.0'],
4444

45+
# Only required when connecting using the ssh:// protocol
46+
'ssh': ['paramiko>=2.4.2'],
47+
4548
}
4649

4750
version = None

0 commit comments

Comments
 (0)