package com.yahoo.vespa.hosted.node.admin.docker;

import com.google.common.net.InetAddresses;
import com.yahoo.config.provision.DockerImage;
import com.yahoo.config.provision.HostName;
import com.yahoo.config.provision.NodeType;
import com.yahoo.config.provision.SystemName;
import com.yahoo.vespa.hosted.dockerapi.Container;
import com.yahoo.vespa.hosted.dockerapi.ContainerResources;
import com.yahoo.vespa.hosted.dockerapi.ContainerStats;
import com.yahoo.vespa.hosted.dockerapi.Docker;
import com.yahoo.vespa.hosted.dockerapi.ProcessResult;
import com.yahoo.vespa.hosted.node.admin.nodeadmin.ConvergenceException;
import com.yahoo.vespa.hosted.node.admin.nodeagent.ContainerData;
import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPAddresses;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
import com.yahoo.vespa.hosted.node.admin.task.util.process.CommandResult;
import com.yahoo.vespa.hosted.node.admin.task.util.process.Terminal;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.nio.file.FileSystem;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.OptionalLong;
import java.util.Random;
import java.util.Set;
import java.util.logging.Logger;
import java.util.stream.Stream;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl.class */
public class DockerOperationsImpl implements DockerOperations {
    private static final String MANAGER_NAME = "node-admin";
    private static final String ETC_MACHINE_ID = "/etc/machine-id";
    private final Docker docker;
    private final Terminal terminal;
    private final IPAddresses ipAddresses;
    private final FileSystem fileSystem;
    private static final Logger logger = Logger.getLogger(DockerOperationsImpl.class.getName());
    private static final InetAddress IPV6_NPT_PREFIX = InetAddresses.forString("fd00::");
    private static final InetAddress IPV4_NPT_PREFIX = InetAddresses.forString("172.17.0.0");
    private static final Random random = new Random(System.nanoTime());

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/docker/DockerOperationsImpl$VolumeHelper.class */
    public static class VolumeHelper {
        private final NodeAgentContext context;
        private final Docker.CreateContainerCommand command;

        public VolumeHelper(NodeAgentContext nodeAgentContext, Docker.CreateContainerCommand createContainerCommand) {
            this.context = nodeAgentContext;
            this.command = createContainerCommand;
        }

        public void addPrivateVolumes(String... strArr) {
            Stream.of((Object[]) strArr).forEach(str -> {
                Path resolveNodePath = resolveNodePath(str);
                this.command.withVolume(this.context.pathOnHostFromPathInNode(resolveNodePath), this.context.rewritePathInNodeForWantedDockerImage(resolveNodePath));
            });
        }

        public void addSharedVolumeMap(String str, String str2) {
            this.command.withSharedVolume(resolveNodePath(str), resolveNodePath(str2));
        }

        private Path resolveNodePath(String str) {
            Path path = this.context.fileSystem().getPath(str, new String[0]);
            return path.isAbsolute() ? path : this.context.pathInNodeUnderVespaHome(path);
        }
    }

    public DockerOperationsImpl(Docker docker, Terminal terminal, IPAddresses iPAddresses, FileSystem fileSystem) {
        this.docker = docker;
        this.terminal = terminal;
        this.ipAddresses = iPAddresses;
        this.fileSystem = fileSystem;
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void createContainer(NodeAgentContext nodeAgentContext, ContainerData containerData, ContainerResources containerResources) {
        nodeAgentContext.log(logger, "Creating container");
        Docker.CreateContainerCommand withAddCapability = this.docker.createContainerCommand(nodeAgentContext.node().wantedDockerImage().get(), nodeAgentContext.containerName()).withHostName(nodeAgentContext.node().hostname()).withResources(containerResources).withManagedBy(MANAGER_NAME).withDnsOption("inet6").withUlimit("nofile", 262144, 262144).withUlimit("nproc", 409600, 409600).withUlimit("core", -1, -1).withAddCapability("SYS_PTRACE").withAddCapability("SYS_ADMIN").withAddCapability("SYS_NICE");
        if (nodeAgentContext.nodeType() != NodeType.proxy && nodeAgentContext.nodeType() != NodeType.controller) {
            withAddCapability.withSecurityOpt("no-new-privileges");
        }
        if (((Boolean) nodeAgentContext.node().membership().map(nodeMembership -> {
            return Boolean.valueOf(nodeMembership.type().isContent());
        }).orElse(false)).booleanValue()) {
            withAddCapability.withSecurityOpt("seccomp=unconfined");
        }
        DockerNetworking dockerNetworking = nodeAgentContext.dockerNetworking();
        withAddCapability.withNetworkMode(dockerNetworking.getDockerNetworkMode());
        if (dockerNetworking == DockerNetworking.NPT) {
            Optional<Inet4Address> iPv4Address = this.ipAddresses.getIPv4Address(nodeAgentContext.node().hostname());
            Optional<Inet6Address> iPv6Address = this.ipAddresses.getIPv6Address(nodeAgentContext.node().hostname());
            assertEqualIpAddresses(nodeAgentContext.hostname(), iPv4Address, nodeAgentContext.node().ipAddresses(), IPVersion.IPv4);
            assertEqualIpAddresses(nodeAgentContext.hostname(), iPv6Address, nodeAgentContext.node().ipAddresses(), IPVersion.IPv6);
            if (iPv4Address.isEmpty() && iPv6Address.isEmpty()) {
                throw new ConvergenceException("Container " + nodeAgentContext.node().hostname() + " with " + dockerNetworking + " networking must have at least 1 IP address, but found none");
            }
            Optional<? extends InetAddress> map = iPv6Address.map(inetAddress -> {
                return IPAddresses.prefixTranslate(inetAddress, IPV6_NPT_PREFIX, 8);
            });
            Objects.requireNonNull(withAddCapability);
            map.ifPresent(withAddCapability::withIpAddress);
            Optional<? extends InetAddress> map2 = iPv4Address.map(inetAddress2 -> {
                return IPAddresses.prefixTranslate(inetAddress2, IPV4_NPT_PREFIX, 2);
            });
            Objects.requireNonNull(withAddCapability);
            map2.ifPresent(withAddCapability::withIpAddress);
            addEtcHosts(containerData, nodeAgentContext.node().hostname(), map2, map);
        } else if (dockerNetworking == DockerNetworking.LOCAL) {
            withAddCapability.withIpAddress(this.ipAddresses.getIPv4Address(nodeAgentContext.node().hostname()).orElseThrow(() -> {
                return new IllegalArgumentException("No IPv4 address could be resolved from '" + nodeAgentContext.hostname() + "'");
            }));
        }
        UnixPath unixPath = new UnixPath(nodeAgentContext.pathOnHostFromPathInNode(ETC_MACHINE_ID));
        if (!unixPath.exists()) {
            String format = String.format("%16x%16x\n", Long.valueOf(random.nextLong()), Long.valueOf(random.nextLong()));
            unixPath.createParents().writeUtf8File(format, new OpenOption[0]);
            nodeAgentContext.log(logger, "Wrote " + format + " to " + unixPath);
        }
        addMounts(nodeAgentContext, withAddCapability);
        logger.info("Creating new container with args: " + withAddCapability);
        withAddCapability.create();
    }

    private static void assertEqualIpAddresses(HostName hostName, Optional<? extends InetAddress> optional, Set<String> set, IPVersion iPVersion) {
        Stream<R> map = set.stream().map(InetAddresses::forString);
        Objects.requireNonNull(iPVersion);
        Optional findFirst = map.filter(iPVersion::match).findFirst();
        if (!optional.equals(findFirst)) {
            throw new ConvergenceException(String.format("IP address (%s) resolved from %s  does not match IP address (%s) in node-repo", optional.map(InetAddresses::toAddrString).orElse("[none]"), hostName, findFirst.map(InetAddresses::toAddrString).orElse("[none]")));
        }
    }

    void addEtcHosts(ContainerData containerData, String str, Optional<? extends InetAddress> optional, Optional<? extends InetAddress> optional2) {
        StringBuilder sb = new StringBuilder("# This file was generated by " + DockerOperationsImpl.class.getName() + "\n127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost ip6-loopback\nfe00::0\tip6-localnet\nff00::0\tip6-mcastprefix\nff02::1\tip6-allnodes\nff02::2\tip6-allrouters\n");
        optional2.ifPresent(inetAddress -> {
            sb.append(inetAddress.getHostAddress()).append('\t').append(str).append('\n');
        });
        optional.ifPresent(inetAddress2 -> {
            sb.append(inetAddress2.getHostAddress()).append('\t').append(str).append('\n');
        });
        containerData.addFile(this.fileSystem.getPath("/etc/hosts", new String[0]), sb.toString());
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void startContainer(NodeAgentContext nodeAgentContext) {
        nodeAgentContext.log(logger, "Starting container");
        this.docker.startContainer(nodeAgentContext.containerName());
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void removeContainer(NodeAgentContext nodeAgentContext, Container container) {
        if (container.state.isRunning()) {
            nodeAgentContext.log(logger, "Stopping container");
            this.docker.stopContainer(nodeAgentContext.containerName());
        }
        nodeAgentContext.log(logger, "Deleting container");
        this.docker.deleteContainer(nodeAgentContext.containerName());
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void updateContainer(NodeAgentContext nodeAgentContext, ContainerResources containerResources) {
        this.docker.updateContainer(nodeAgentContext.containerName(), containerResources);
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public Optional<Container> getContainer(NodeAgentContext nodeAgentContext) {
        return this.docker.getContainer(nodeAgentContext.containerName());
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public boolean pullImageAsyncIfNeeded(DockerImage dockerImage) {
        return this.docker.pullImageAsyncIfNeeded(dockerImage);
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public ProcessResult executeCommandInContainerAsRoot(NodeAgentContext nodeAgentContext, Long l, String... strArr) {
        return this.docker.executeInContainerAsUser(nodeAgentContext.containerName(), "root", OptionalLong.of(l.longValue()), strArr);
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public ProcessResult executeCommandInContainerAsRoot(NodeAgentContext nodeAgentContext, String... strArr) {
        return this.docker.executeInContainerAsUser(nodeAgentContext.containerName(), "root", OptionalLong.empty(), strArr);
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public CommandResult executeCommandInNetworkNamespace(NodeAgentContext nodeAgentContext, String... strArr) {
        return this.terminal.newCommandLine(nodeAgentContext).add("nsenter", String.format("--net=/proc/%d/ns/net", Integer.valueOf(((Container) this.docker.getContainer(nodeAgentContext.containerName()).filter(container -> {
            return container.state.isRunning();
        }).orElseThrow(() -> {
            return new RuntimeException("Found no running container named " + nodeAgentContext.containerName().asString());
        })).pid)), "--").add(strArr).executeSilently();
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void resumeNode(NodeAgentContext nodeAgentContext) {
        executeNodeCtlInContainer(nodeAgentContext, "resume");
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void suspendNode(NodeAgentContext nodeAgentContext) {
        executeNodeCtlInContainer(nodeAgentContext, "suspend");
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void restartVespa(NodeAgentContext nodeAgentContext) {
        executeNodeCtlInContainer(nodeAgentContext, "restart-vespa");
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void startServices(NodeAgentContext nodeAgentContext) {
        executeNodeCtlInContainer(nodeAgentContext, "start");
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public void stopServices(NodeAgentContext nodeAgentContext) {
        executeNodeCtlInContainer(nodeAgentContext, "stop");
    }

    ProcessResult executeNodeCtlInContainer(NodeAgentContext nodeAgentContext, String str) {
        String[] strArr = {nodeAgentContext.pathInNodeUnderVespaHome("bin/vespa-nodectl").toString(), str};
        ProcessResult executeCommandInContainerAsRoot = executeCommandInContainerAsRoot(nodeAgentContext, strArr);
        if (executeCommandInContainerAsRoot.isSuccess()) {
            return executeCommandInContainerAsRoot;
        }
        throw new RuntimeException("Container " + nodeAgentContext.containerName().asString() + ": command " + Arrays.toString(strArr) + " failed: " + executeCommandInContainerAsRoot);
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public Optional<ContainerStats> getContainerStats(NodeAgentContext nodeAgentContext) {
        return this.docker.getContainerStats(nodeAgentContext.containerName());
    }

    private void addMounts(NodeAgentContext nodeAgentContext, Docker.CreateContainerCommand createContainerCommand) {
        VolumeHelper volumeHelper = new VolumeHelper(nodeAgentContext, createContainerCommand);
        volumeHelper.addPrivateVolumes(ETC_MACHINE_ID, "/etc/vespa/flags", "/etc/yamas-agent", "/opt/splunkforwarder/var/log", "/var/log", "/var/log/journal", "/var/spool/postfix/maildrop", "logs/vespa", "logs/ysar", "tmp", "var/crash", "var/container-data", "var/db/vespa", "var/jdisc_container", "var/vespa", "var/yca", "var/zookeeper");
        if (nodeAgentContext.nodeType() == NodeType.proxy) {
            volumeHelper.addPrivateVolumes("logs/nginx", "var/vespa-hosted/routing");
        } else if (nodeAgentContext.nodeType() == NodeType.tenant) {
            volumeHelper.addPrivateVolumes("/var/lib/sia");
        }
        if (isInfrastructureHost(nodeAgentContext.nodeType())) {
            volumeHelper.addSharedVolumeMap("/var/lib/sia", "/var/lib/sia");
        }
        if ((nodeAgentContext.zone().getSystemName() == SystemName.cd || nodeAgentContext.zone().getSystemName() == SystemName.main) && nodeAgentContext.nodeType() == NodeType.tenant) {
            volumeHelper.addSharedVolumeMap("/var/zpe", "var/zpe");
        }
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public boolean noManagedContainersRunning() {
        return this.docker.noManagedContainersRunning(MANAGER_NAME);
    }

    @Override // com.yahoo.vespa.hosted.node.admin.docker.DockerOperations
    public boolean deleteUnusedDockerImages(List<DockerImage> list, Duration duration) {
        return this.docker.deleteUnusedDockerImages(list, duration);
    }

    private static boolean isInfrastructureHost(NodeType nodeType) {
        return nodeType == NodeType.config || nodeType == NodeType.proxy || nodeType == NodeType.controller;
    }
}
