Improve Docker tunnel start & stop process

pimterry · pimterry · commit b16c03ce9737 · 2021-11-04T13:03:08.000+01:00
This avoids unnecessary pulls (very slow, it turns out), stops the
tunnel from being created before it's needed, and ensures it's
properly cleaned up (wasn't before, due to a missing 'await')
diff --git a/src/interceptors/docker/docker-commands.ts b/src/interceptors/docker/docker-commands.ts
@@ -70,6 +70,12 @@ export const getDockerHostIp = (
     }
 }
 
+export function isImageAvailable(docker: Docker, name: string) {
+    return docker.getImage(name).inspect()
+        .then(() => true)
+        .catch(() => false);
+}
+
 export function isInterceptedContainer(container: Docker.ContainerInspectInfo, port: string | number) {
     return container.Config.Labels[DOCKER_CONTAINER_LABEL] === port.toString();
 }
diff --git a/src/interceptors/docker/docker-interception-services.ts b/src/interceptors/docker/docker-interception-services.ts
@@ -36,6 +36,9 @@ export async function startDockerInterceptionServices(
     httpsConfig: { certPath: string, certContent: string },
     ruleParameters: { [key: `docker-tunnel-proxy-${number}`]: ProxySettingCallback }
 ) {
+    // Prepare (pull) the tunnel image, but we don't actually start the tunnel itself until some
+    // Docker interception happens while HTTP Toolkit is running - e.g. proxy use, container attach,
+    // or an intercepted container connecting to a network.
     prepareDockerTunnel();
     const networkMonitor = monitorDockerNetworkAliases(proxyPort);
 
diff --git a/src/interceptors/docker/docker-networking.ts b/src/interceptors/docker/docker-networking.ts
@@ -8,7 +8,7 @@ import { reportError } from '../../error-tracking';
 
 import { DOCKER_HOST_HOSTNAME, isInterceptedContainer } from './docker-commands';
 import { isDockerAvailable } from './docker-interception-services';
-import { ensureDockerTunnelRunning, updateDockerTunnelledNetworks } from './docker-tunnel-proxy';
+import { updateDockerTunnelledNetworks } from './docker-tunnel-proxy';
 import { getDnsServer } from '../../dns-server';
 
 interface DockerEvent {
@@ -93,16 +93,19 @@ export async function monitorDockerNetworkAliases(proxyPort: number): Promise<Do
             reportError(e);
         });
 
-        ensureDockerTunnelRunning(proxyPort);
         const dnsServer = await getDnsServer(proxyPort);
 
         const networkMonitor = new DockerNetworkMonitor(docker, proxyPort, stream);
-        mobx.autorun(() =>
-            updateDockerTunnelledNetworks(proxyPort, networkMonitor.interceptedNetworks)
-            .catch(console.warn)
-        );
-        mobx.autorun(() =>
-            dnsServer.setHosts(networkMonitor.aliasIpMap)
+
+        // We update DNS immediately, and on all changes:
+        mobx.autorun(() => dnsServer.setHosts(networkMonitor.aliasIpMap));
+
+        // We update tunnel _only_ once something is actually intercepted - once interceptedNetworks changes.
+        // We don't want to create the tunnel container unless Docker interception is actually used.
+        mobx.reaction(
+            () => networkMonitor.interceptedNetworks,
+            (interceptedNetworks) => updateDockerTunnelledNetworks(proxyPort, interceptedNetworks)
+                .catch(console.warn)
         );
 
         dockerNetworkMonitors[proxyPort] = networkMonitor;
diff --git a/src/interceptors/docker/docker-tunnel-proxy.ts b/src/interceptors/docker/docker-tunnel-proxy.ts
@@ -3,7 +3,7 @@ import * as Docker from 'dockerode';
 import * as semver from 'semver';
 import { Mutex } from 'async-mutex';
 
-import { DOCKER_HOST_HOSTNAME } from './docker-commands';
+import { DOCKER_HOST_HOSTNAME, isImageAvailable } from './docker-commands';
 import { isDockerAvailable } from './docker-interception-services';
 
 const DOCKER_TUNNEL_IMAGE = "httptoolkit/docker-socks-tunnel:v1.1.0";
@@ -22,7 +22,8 @@ export async function prepareDockerTunnel() {
 
     await containerMutex.runExclusive(async () => {
         const docker = new Docker();
-        await docker.pull(DOCKER_TUNNEL_IMAGE).catch(console.warn);
+        if (await isImageAvailable(docker, DOCKER_TUNNEL_IMAGE)) return;
+        else await docker.pull(DOCKER_TUNNEL_IMAGE).catch(console.warn);
     });
 }
 
@@ -234,7 +235,7 @@ export async function refreshDockerTunnelPortCache(proxyPort: number): Promise<n
 export async function stopDockerTunnel(proxyPort: number | 'all'): Promise<void> {
     const docker = new Docker();
 
-    containerMutex.runExclusive(async () => {
+    await containerMutex.runExclusive(async () => {
         const containers = await docker.listContainers({
             all: true,
             filters: JSON.stringify({
diff --git a/test/interceptors/docker-terminal-interception.spec.ts b/test/interceptors/docker-terminal-interception.spec.ts
@@ -8,6 +8,7 @@ import { expect } from 'chai';
 
 import { setupTest } from './interceptor-test-utils';
 import { spawnToResult } from '../../src/util/process-management';
+import { delay } from '../../src/util/promise';
 
 import { getTerminalEnvVars } from '../../src/interceptors/terminal/terminal-env-overrides';
 
@@ -325,12 +326,53 @@ Successfully built <hash>
 
         await stopDockerInterceptionServices(server.port, ruleParams);
 
+        // Intercepted container is removed:
         const inspectResultAfterShutdown: unknown = await docker.getContainer(interceptedContainerId).inspect().catch(e => e);
         expect(inspectResultAfterShutdown).to.be.instanceOf(Error)
         expect((inspectResultAfterShutdown as Error).message).to.include("no such container");
 
+        // Unintercepted container is not touched:
         const uninterceptedContainerAfterShutdown = await docker.getContainer(uninterceptedContainerId).inspect();
         expect(uninterceptedContainerAfterShutdown.Config.Image).to.equal('node:14');
     });
 
+    it("should start & clean up tunnel automatically", async () => {
+        const { server, httpsConfig } = await testSetup;
+        const docker = new Docker();
+
+        const terminalEnvOverrides = getTerminalEnvVars(server.port, httpsConfig, process.env, {}, {
+            dockerEnabled: true
+        });
+
+        // Tunnel doesn't start preemptively:
+        await delay(500);
+        let tunnel = await docker.getContainer(`httptoolkit-docker-tunnel-${server.port}`).inspect().catch(e => e);
+        expect(tunnel).to.be.instanceOf(Error)
+        expect((tunnel as Error).message).to.include("no such container");
+
+        // Then launch an intercepted container:
+        const interceptedResult = await spawnToResult(
+            'docker', ['create', 'node:14'],
+            { env: { ...process.env, ...terminalEnvOverrides } },
+            true
+        );
+
+        expect(interceptedResult.exitCode).to.equal(0);
+        expect(interceptedResult.stderr).to.equal('');
+
+        await delay(100); // There can be a brief delay in CI in starting the tunnel itself
+
+        // Tunnel is now running:
+        tunnel = await docker.getContainer(`httptoolkit-docker-tunnel-${server.port}`).inspect();
+        expect(tunnel.Config.Image.split(':')[0]).to.equal('httptoolkit/docker-socks-tunnel');
+
+        // Then shut everything down:
+        await stopDockerInterceptionServices(server.port, ruleParams);
+
+        // Tunnel is automatically removed:
+        tunnel = await docker.getContainer(`httptoolkit-docker-tunnel-${server.port}`).inspect().catch(e => e);
+        expect(tunnel).to.be.instanceOf(Error)
+        expect((tunnel as Error).message).to.include("no such container");
+    });
+
 });

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,12 @@ export const getDockerHostIp = (`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`
	`73`	`+export function isImageAvailable(docker: Docker, name: string) {`
	`74`	`+ return docker.getImage(name).inspect()`
	`75`	`+ .then(() => true)`
	`76`	`+ .catch(() => false);`
	`77`	`+}`
	`78`	`+`
`73`	`79`	`export function isInterceptedContainer(container: Docker.ContainerInspectInfo, port: string \| number) {`
`74`	`80`	`return container.Config.Labels[DOCKER_CONTAINER_LABEL] === port.toString();`
`75`	`81`	`}`