Merge pull request #1 from greenbaum/static_addresses

Static addresses: fix make check

.eslintrc

@@ -0,0 +1,46 @@
+{
+    "plugins": [ "joyent" ],
+    "extends": [
+        "eslint:recommended",
+        "plugin:joyent/style",
+        "plugin:joyent/lint"
+    ],
+    "parserOptions": {
+        "ecmaVersion": 6,
+        "sourceType": "script",
+        "ecmaFeatures": {
+        }
+    },
+    "env": {
+        "node": true,
+        "es6": true
+    },
+    "rules": {
+        // Local rule configuration
+        "no-unused-vars": [
+            "error",
+            {
+                // Track all unused identifiers
+                "vars": "all",
+                "args": "all",
+                "caughtErrors": "all",
+                // Don't warn on args that start with _, res or req.
+                // Added stdout and stderr to the standard joyent set.
+                "argsIgnorePattern": "^(_|res|req|stdout|stderr)",
+                // Don't warn on catch or var identifiers that start with _
+                "caughtIgnorePattern": "^_",
+                "varsIgnorePattern": "^(_|res|req|stdout|stderr)"
+            }
+        ],
+        "max-len": [
+            "error",
+            80,
+            {
+                "tabWidth": 8,
+                "ignoreComments": false,
+                "ignoreTrailingComments": false,
+                "ignoreUrls": true
+            }
+        ],
+    }
+}

.gitmodules

@@ -1,6 +1,3 @@
-[submodule "deps/javascriptlint"]
-	path = deps/javascriptlint
-	url = https://github.com/joyent/javascriptlint.git
 [submodule "deps/jsstyle"]
 	path = deps/jsstyle
 	url = https://github.com/joyent/jsstyle.git

Jenkinsfile

@@ -5,15 +5,15 @@
  */
 
 /*
- * Copyright 2020 Joyent, Inc.
+ * Copyright 2021 Joyent, Inc.
  */
 
-@Library('jenkins-joylib@v1.0.6') _
+@Library('jenkins-joylib@v1.0.8') _
 
 pipeline {
 
     agent {
-        label joyCommonLabels(image_ver: '15.4.1')
+        label joyCommonLabels(image_ver: '19.4.0')
     }
 
     options {
@@ -54,7 +54,7 @@ pipeline {
 
     post {
         always {
-            joyMattermostNotification(channel: 'jenkins')
+            joySlackNotifications(channel: 'jenkins')
         }
     }
 

Makefile

@@ -5,7 +5,7 @@
 #
 
 #
-# Copyright (c) 2019, Joyent, Inc.
+# Copyright 2021 Joyent, Inc.
 #
 
 NAME:=docker
@@ -17,18 +17,16 @@ RESTDOWN_FLAGS   = --brand-dir=deps/restdown-brand-remora
 TAPE	:= ./node_modules/.bin/tape
 
 JS_FILES	:= $(shell find lib plugins test -name '*.js' | grep -v '/tmp/')
-JSL_CONF_NODE	 = tools/jsl.node.conf
-JSL_FILES_NODE	 = $(JS_FILES)
+ESLINT_FILES	 = $(JS_FILES)
 JSSTYLE_FILES	 = $(JS_FILES)
 JSSTYLE_FLAGS	 = -f tools/jsstyle.conf
 SMF_MANIFESTS_IN = smf/manifests/docker.xml.in
 CLEAN_FILES += ./node_modules
 
-NODE_PREBUILT_VERSION=v4.9.0
+NODE_PREBUILT_VERSION=v6.17.1
 ifeq ($(shell uname -s),SunOS)
-	NODE_PREBUILT_TAG=zone
-	# Allow building on other than image sdc-minimal-multiarch-lts@15.4.1.
-	NODE_PREBUILT_IMAGE=18b094b0-eb01-11e5-80c1-175dac7ddf02
+	NODE_PREBUILT_TAG=zone64
+	NODE_PREBUILT_IMAGE=5417ab20-3156-11ea-8b19-2b66f5e7a439
 endif
 
 ENGBLD_USE_BUILDIMAGE	= true
@@ -55,7 +53,8 @@ RELSTAGEDIR:=/tmp/$(NAME)-$(STAMP)
 
 COAL ?= 10.99.99.7
 
-BASE_IMAGE_UUID = 04a48d7d-6bb5-4e83-8c3b-e60a99e0f48f
+# triton-origin-x86_64-19.4.0
+BASE_IMAGE_UUID = 59ba2e5e-976f-4e09-8aac-a4a7ef0395f5
 BUILDIMAGE_NAME = $(NAME)
 BUILDIMAGE_DESC	= SDC Docker Engine
 AGENTS		= amon config registrar

docs/guide/README.md

@@ -44,7 +44,7 @@ The Docker Engine for SDC is currently in alpha and under heavy development.
 The current focus is on stabilization and filling out support for *building* and
 *running* Docker containers.
 Please [report issues](https://github.com/joyent/sdc-docker/issues),
-give us feedback or discuss on [#joyent IRC on freenode.net](irc://freenode.net/#joyent).
+give us feedback or discuss on [#joyent IRC on libera.chat](irc://libera.chat/#joyent).
 
 ### 3. sdc-docker-setup.sh
 

lib/auth.js

@@ -5,7 +5,8 @@
  */
 
 /*
- * Copyright (c) 2016, Joyent, Inc.
+ * Copyright 2021 Joyent, Inc.
+ * Copyright 2021 Alex Wilson
  */
 
 /*
@@ -110,13 +111,14 @@ function authTls(req, res, next) {
 
     var account;
     var ufdsKey;
+    var adminRoleMembers;
     var login = cert.subjects[0].cn;
-    var authFunctions = [ getMainAccount ];
+    var authFunctions = [ getMainAccount, getAdminRole ];
 
     if (authCache.get(login) && authCache.get(login) === peerKeyFp) {
         log.debug('Cached authentication found token for %s', login);
     } else {
-        authFunctions.push(getKey, verifyKey);
+        authFunctions.push(getKey, getAdminRoleKeys, verifyKey);
     }
 
     // No support for account subusers at the moment
@@ -138,20 +140,83 @@ function authTls(req, res, next) {
         });
     }
 
+    function getAdminRole(_, cb) {
+        var roleFilter = '(&(objectclass=sdcaccountrole)(name=administrator))';
+        ufds.listRoles(account.uuid, roleFilter, function (err, rs) {
+            if (err) {
+                cb();
+                return;
+            }
+
+            var adminRole = rs[0];
+            if (!adminRole || !adminRole.uniquememberdefault) {
+                cb();
+                return;
+            }
+
+            var members = adminRole.uniquememberdefault;
+            if (!Array.isArray(members)) {
+                members = [members];
+            }
+
+            adminRoleMembers = members;
+            cb();
+        });
+    }
+
     function getKey(_, cb) {
         ufds.getKey(account, lookupFp, function (err, key) {
             if (err) {
                 log.info({err: err, login: login, authn: true},
                     'ufds.getKey err');
-                cb(new errors.UnauthorizedError(err));
+                cb();
                 return;
             }
             ufdsKey = key;
             cb();
         });
     }
 
+    function getAdminRoleKeys(_, cb) {
+        if (ufdsKey) {
+            cb();
+            return;
+        }
+
+        vasync.forEachParallel({
+            func: getUserKey,
+            inputs: adminRoleMembers
+        }, cb);
+
+        function getUserKey(dn, ccb) {
+            /*
+             * Note scope: one not sub, the DN might be an account rather
+             * than a sub-user, and we don't want its sub-user's keys.
+             */
+            ufds.search(dn, {
+                scope: 'one',
+                filter: '(&(fingerprint=' + lookupFp + ')'
+                    + '(objectclass=sdckey))'
+            }, function (err2, userKeys) {
+                if (err2) {
+                    ccb(err2);
+                    return;
+                }
+                if (userKeys[0] && userKeys[0].pkcs) {
+                    ufdsKey = userKeys[0];
+                }
+                ccb();
+            });
+        }
+    }
+
     function verifyKey(_, cb) {
+        if (!ufdsKey) {
+            log.info({login: login, authn: true}, 'key not found');
+            cb(new errors.UnauthorizedError());
+            return;
+        }
+
         var key;
         try {
             key = sshpk.parseKey(ufdsKey.pkcs);

lib/backends/sdc/networks.js

@@ -5,7 +5,7 @@
  */
 
 /*
- * Copyright (c) 2017, Joyent, Inc.
+ * Copyright 2021 Joyent, Inc.
  */
 
 /*
@@ -789,11 +789,16 @@ function addNetworksToContainerPayload(opts, container, payload, callback) {
                         next(findErr);
                         return;
                     }
-                    payload.networks = [ {ipv4_uuid: network.uuid, primary: true} ];
-                    if (container.NetworkingConfig.EndpointsConfig[networkMode] != undefined) {
-                        var ipv4Addr = container.NetworkingConfig.EndpointsConfig[networkMode].IPAMConfig.IPv4Address;
+                    payload.networks =
+                        [ {ipv4_uuid: network.uuid, primary: true} ];
+                    if (container.NetworkingConfig.EndpointsConfig[networkMode]
+                            != undefined) {
+                        var ipv4Addr =
+                            container.NetworkingConfig.
+                                EndpointsConfig[networkMode].IPAMConfig.
+                                    IPv4Address;
                         if (ipv4Addr) {
-                          payload.networks[0].ipv4_ips = [ ipv4Addr ];
+                            payload.networks[0].ipv4_ips = [ ipv4Addr ];
                         }
                     }
 
@@ -824,11 +829,10 @@ function addNetworksToContainerPayload(opts, container, payload, callback) {
 
        /*
         * We need to verify that if a user passed in networks with IPs that none
-        * of the IPs are considered "managed".  NAPI will handle other validations
-        * for us.
+        * of the IPs are considered "managed".  NAPI will handle other
+        * validations for us.
         */
         function verifyNetworkIPs(_, next) {
-            var pipeline = [];
             var napi = getNapiClient(opts.config.napi);
             var networksWithIps = [];
             payload.networks.forEach(function forEachNetwork(net) {
@@ -839,31 +843,33 @@ function addNetworksToContainerPayload(opts, container, payload, callback) {
                 }
             });
 
-	    vasync.forEachPipeline({
-		'func': function validateIp(network, done) {
-		    napi.getIP(network.ipv4_uuid, network.ipv4_ips[0],
-			function napiGetIp(err, ip) {
-			    if (err) {
-				done(err);
-				return;
-			}
-			if (ip.belongs_to_type === 'other' ||
-			    ip.owner_uuid === opts.config.adminUuid) {
-				done(new errors.InternalError('Cannot use Managed IP'));
-				return;
-			}
-			done(null, ip);
-		    });
-		},
-	        'inputs': networksWithIps
-	    }, function (err) {
-		if (err) {
-		  next(err);
-		  return;
-		}
-		next()
-		return
-            });
+            vasync.forEachPipeline({
+                'func': function validateIp(network, done) {
+                    napi.getIP(network.ipv4_uuid, network.ipv4_ips[0],
+                        function napiGetIp(err, ip)
+                    {
+                        if (err) {
+                            done(err);
+                            return;
+                        }
+                        if (ip.belongs_to_type === 'other'
+                                || ip.owner_uuid === opts.config.adminUuid) {
+                            done(new errors.InternalError(
+                                'Cannot use Managed IP'));
+                            return;
+                        }
+                        done(null, ip);
+                    });
+                },
+                'inputs': networksWithIps
+                }, function (err) {
+                    if (err) {
+                        next(err);
+                        return;
+                    }
+                    next();
+                    return;
+                });
         },
 
         function runModifyProvisionNetworksPlugins(_, next) {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdc-docker",
-  "version": "0.7.3",
+  "version": "0.7.4",
   "author": "Joyent (joyent.com)",
   "private": true,
   "dependencies": {
@@ -28,7 +28,7 @@
     "strsplit": "1.0.0",
     "tape": "^4.4.0",
     "trace-event": "1.2.0",
-    "triton-tags": "1.3.0",
+    "triton-tags": "1.4.0",
     "ufds": "1.2.0",
     "vasync": "2.1.0",
     "verror": "1.9.0",