Merge pull request #184 from jsturtevant/windows-part1

Windows part 1

Author: AkihiroSuda

Makefile

@@ -19,7 +19,10 @@
 # -----------------------------------------------------------------------------
 
 GO ?= go
-
+GOOS ?= $(shell go env GOOS)
+ifeq ($(GOOS),windows)
+	BIN_EXT := .exe
+endif
 
 PACKAGE := github.com/containerd/nerdctl
 BINDIR ?= /usr/local/bin
@@ -28,7 +31,7 @@ VERSION=$(shell git describe --match 'v[0-9]*' --dirty='.m' --always --tags)
 VERSION_TRIMMED := $(VERSION:v%=%)
 REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
 
-export GO_BUILD=GO111MODULE=on CGO_ENABLED=0 $(GO) build -ldflags "-s -w -X $(PACKAGE)/pkg/version.Version=$(VERSION) -X $(PACKAGE)/pkg/version.Revision=$(REVISION)"
+export GO_BUILD=GO111MODULE=on CGO_ENABLED=0 GOOS=$(GOOS) $(GO) build -ldflags "-s -w -X $(PACKAGE)/pkg/version.Version=$(VERSION) -X $(PACKAGE)/pkg/version.Revision=$(REVISION)"
 
 all: binaries
 
@@ -40,7 +43,7 @@ help:
 	@echo " * 'clean' - Clean artifacts."
 
 nerdctl:
-	$(GO_BUILD) -o $(CURDIR)/_output/nerdctl $(PACKAGE)
+	$(GO_BUILD) -o $(CURDIR)/_output/nerdctl$(BIN_EXT) $(PACKAGE)
 
 clean:
 	find . -name \*~ -delete
@@ -72,6 +75,9 @@ artifacts: clean
 	GOOS=linux GOARCH=s390x       make -C $(CURDIR) binaries
 	tar $(TAR_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-linux-s390x.tar.gz   _output/nerdctl extras/rootless/*
 
+	GOOS=windows GOARCH=amd64       make -C $(CURDIR) binaries
+	tar $(TAR_FLAGS) -czvf $(CURDIR)/_output/nerdctl-$(VERSION_TRIMMED)-windows-amd64.tar.gz _output/nerdctl
+
 	rm -f $(CURDIR)/_output/nerdctl
 
 	DOCKER_BUILDKIT=1 docker build --output type=tar,dest=$(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-amd64.tar --target out-full $(CURDIR)

client.go

@@ -20,14 +20,15 @@ import (
 	"context"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 
+	"github.com/pkg/errors"
+
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
-	"golang.org/x/sys/unix"
 )
 
 func newClient(clicontext *cli.Context) (*containerd.Client, context.Context, context.CancelFunc, error) {
@@ -54,15 +55,6 @@ func newClient(clicontext *cli.Context) (*containerd.Client, context.Context, co
 	return client, ctx, cancel, nil
 }
 
-func isSocketAccessible(s string) error {
-	abs, err := filepath.Abs(s)
-	if err != nil {
-		return err
-	}
-	// set AT_EACCESS to allow running nerdctl as a setuid binary
-	return unix.Faccessat(-1, abs, unix.R_OK|unix.W_OK, unix.AT_EACCESS)
-}
-
 // getDataStore returns a string like "/var/lib/nerdctl/1935db59".
 // "1935db9" is from `$(echo -n "/run/containerd/containerd.sock" | sha256sum | cut -c1-8)``
 func getDataStore(clicontext *cli.Context) (string, error) {
@@ -84,7 +76,10 @@ func getDataStore(clicontext *cli.Context) (string, error) {
 func getAddrHash(addr string) (string, error) {
 	const addrHashLen = 8
 
-	addr = strings.TrimPrefix(addr, "unix://")
+	if runtime.GOOS != "windows" {
+		addr = strings.TrimPrefix(addr, "unix://")
+	}
+
 	var err error
 	addr, err = filepath.EvalSymlinks(addr)
 	if err != nil {

client_linux.go

@@ -0,0 +1,32 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"path/filepath"
+
+	"golang.org/x/sys/unix"
+)
+
+func isSocketAccessible(s string) error {
+	abs, err := filepath.Abs(s)
+	if err != nil {
+		return err
+	}
+	// set AT_EACCESS to allow running nerdctl as a setuid binary
+	return unix.Faccessat(-1, abs, unix.R_OK|unix.W_OK, unix.AT_EACCESS)
+}

client_windows.go

@@ -0,0 +1,30 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"time"
+
+	"github.com/Microsoft/go-winio"
+)
+
+func isSocketAccessible(s string) error {
+	// test if we can access the pipe
+	timeout := 2 * time.Second
+	_, err := winio.DialPipe(s, &timeout)
+	return err
+}

exec.go

@@ -26,7 +26,6 @@ import (
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/cmd/ctr/commands"
 	"github.com/containerd/containerd/cmd/ctr/commands/tasks"
-	"github.com/containerd/containerd/pkg/cap"
 	"github.com/containerd/nerdctl/pkg/idgen"
 	"github.com/containerd/nerdctl/pkg/idutil/containerwalker"
 	"github.com/containerd/nerdctl/pkg/strutil"
@@ -224,21 +223,10 @@ func generateExecProcessSpec(ctx context.Context, clicontext *cli.Context, conta
 	}
 
 	if clicontext.Bool("privileged") {
-		if pspec.Capabilities == nil {
-			pspec.Capabilities = &specs.LinuxCapabilities{}
-		}
-		allCaps, err := cap.Current()
+		err = setExecCapabilities(pspec)
 		if err != nil {
 			return nil, err
 		}
-		pspec.Capabilities.Bounding = allCaps
-		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
-		pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
-		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
-
-		// https://github.com/moby/moby/pull/36466/files
-		// > `docker exec --privileged` does not currently disable AppArmor
-		// > profiles. Privileged configuration of the container is inherited
 	}
 
 	return pspec, nil

exec_linux.go

@@ -0,0 +1,41 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/containerd/containerd/pkg/cap"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func setExecCapabilities(pspec *specs.Process) error {
+	if pspec.Capabilities == nil {
+		pspec.Capabilities = &specs.LinuxCapabilities{}
+	}
+	allCaps, err := cap.Current()
+	if err != nil {
+		return err
+	}
+	pspec.Capabilities.Bounding = allCaps
+	pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+	pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
+	pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+
+	// https://github.com/moby/moby/pull/36466/files
+	// > `docker exec --privileged` does not currently disable AppArmor
+	// > profiles. Privileged configuration of the container is inherited
+	return nil
+}

exec_windows.go

@@ -0,0 +1,26 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func setExecCapabilities(pspec *specs.Process) error {
+	//no op windows
+	return nil
+}

go.mod

@@ -3,6 +3,7 @@ module github.com/containerd/nerdctl
 go 1.16
 
 require (
+	github.com/Microsoft/go-winio v0.4.17
 	github.com/compose-spec/compose-go v0.0.0-20210420125800-01e9e6b4c64c
 	github.com/containerd/cgroups v1.0.0
 	github.com/containerd/console v1.0.2

login.go

@@ -20,10 +20,8 @@ import (
 	"context"
 	"fmt"
 	"io/ioutil"
-	"os"
 	"runtime"
 	"strings"
-	"syscall"
 
 	"github.com/containerd/nerdctl/pkg/version"
 	dockercliconfig "github.com/docker/cli/cli/config"
@@ -35,7 +33,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
-	"golang.org/x/term"
 )
 
 type loginOptions struct {
@@ -210,22 +207,11 @@ func ConfigureAuthentification(clicontext *cli.Context, authConfig *types.AuthCo
 	if options.password == "" {
 
 		fmt.Print("Enter Password: ")
-		var fd int
-		if term.IsTerminal(syscall.Stdin) {
-			fd = syscall.Stdin
-		} else {
-			tty, err := os.Open("/dev/tty")
-			if err != nil {
-				return errors.Wrap(err, "error allocating terminal")
-			}
-			defer tty.Close()
-			fd = int(tty.Fd())
-		}
-		bytePassword, err := term.ReadPassword(fd)
+		pwd, err := readPassword()
 		if err != nil {
-			return errors.Wrap(err, "error reading password")
+			return err
 		}
-		options.password = string(bytePassword)
+		options.password = pwd
 	}
 
 	if options.password == "" {

login_linux.go

@@ -0,0 +1,45 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/pkg/errors"
+	"golang.org/x/term"
+)
+
+func readPassword() (string, error) {
+	var fd int
+	if term.IsTerminal(syscall.Stdin) {
+		fd = syscall.Stdin
+	} else {
+		tty, err := os.Open("/dev/tty")
+		if err != nil {
+			return "", errors.Wrap(err, "error allocating terminal")
+		}
+		defer tty.Close()
+		fd = int(tty.Fd())
+	}
+	bytePassword, err := term.ReadPassword(fd)
+	if err != nil {
+		return "", errors.Wrap(err, "error reading password")
+	}
+
+	return string(bytePassword), nil
+}

login_windows.go

@@ -0,0 +1,40 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"syscall"
+
+	"github.com/pkg/errors"
+	"golang.org/x/term"
+)
+
+func readPassword() (string, error) {
+	var fd int
+	if term.IsTerminal(int(syscall.Stdin)) {
+		fd = int(syscall.Stdin)
+	} else {
+		return "", fmt.Errorf("error allocating terminal")
+	}
+	bytePassword, err := term.ReadPassword(fd)
+	if err != nil {
+		return "", errors.Wrap(err, "error reading password")
+	}
+
+	return string(bytePassword), nil
+}