fix(container/network): recreate container changes static IP [EE-5448] (#8960)

Co-authored-by: Chaim Lev-Ari <chaim.levi-ari@portainer.io>
2025-07-25 00:09:40 +02:00 · 2023-05-30 09:36:10 +12:00 · 2023-05-30 09:36:10 +12:00 · 96de026eba
commit 96de026eba
parent d340c4ea96
35 changed files with 1651 additions and 491 deletions
--- a/api/http/handler/docker/containers/handler.go
+++ b/api/http/handler/docker/containers/handler.go
@ -5,27 +5,35 @@ import (

 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/docker"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/security"
 )

 type Handler struct {
 	*mux.Router
-	dockerClientFactory *docker.ClientFactory
+	dockerClientFactory *dockerclient.ClientFactory
+	dataStore           dataservices.DataStore
+	containerService    *docker.ContainerService
+	bouncer             *security.RequestBouncer
 }

 // NewHandler creates a handler to process non-proxied requests to docker APIs directly.
-func NewHandler(routePrefix string, bouncer *security.RequestBouncer, dockerClientFactory *docker.ClientFactory) *Handler {
+func NewHandler(routePrefix string, bouncer *security.RequestBouncer, dataStore dataservices.DataStore, dockerClientFactory *dockerclient.ClientFactory, containerService *docker.ContainerService) *Handler {
 	h := &Handler{
-		Router: mux.NewRouter(),
-
+		Router:              mux.NewRouter(),
+		dataStore:           dataStore,
 		dockerClientFactory: dockerClientFactory,
+		containerService:    containerService,
+		bouncer:             bouncer,
 	}

 	router := h.PathPrefix(routePrefix).Subrouter()
 	router.Use(bouncer.AuthenticatedAccess)

 	router.Handle("/{containerId}/gpus", httperror.LoggerHandler(h.containerGpusInspect)).Methods(http.MethodGet)
+	router.Handle("/{containerId}/recreate", httperror.LoggerHandler(h.recreate)).Methods(http.MethodPost)

 	return h
 }
--- a/api/http/handler/docker/containers/recreate.go
+++ b/api/http/handler/docker/containers/recreate.go
@ -0,0 +1,97 @@
+package containers
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/docker/consts"
+	"github.com/portainer/portainer/api/docker/images"
+	"github.com/portainer/portainer/api/http/middlewares"
+	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/rs/zerolog/log"
+)
+
+type RecreatePayload struct {
+	// PullImage if true will pull the image
+	PullImage bool `json:"PullImage"`
+}
+
+func (r RecreatePayload) Validate(request *http.Request) error {
+	return nil
+}
+
+func (handler *Handler) recreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	containerID, err := request.RetrieveRouteVariableValue(r, "containerId")
+	if err != nil {
+		return httperror.BadRequest("Invalid containerId", err)
+	}
+
+	var payload RecreatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return httperror.BadRequest("Invalid request payload", err)
+	}
+
+	endpoint, err := middlewares.FetchEndpoint(r)
+	if err != nil {
+		return httperror.NotFound("Unable to find an environment on request context", err)
+	}
+
+	err = handler.bouncer.AuthorizedEndpointOperation(r, endpoint)
+	if err != nil {
+		return httperror.Forbidden("Permission denied to force update service", err)
+	}
+
+	agentTargetHeader := r.Header.Get(portainer.PortainerAgentTargetHeader)
+
+	newContainer, err := handler.containerService.Recreate(r.Context(), endpoint, containerID, payload.PullImage, "", agentTargetHeader)
+	if err != nil {
+		return httperror.InternalServerError("Error recreating container", err)
+	}
+
+	handler.updateWebhook(containerID, newContainer.ID)
+	handler.createResourceControl(containerID, newContainer.ID)
+
+	go func() {
+		images.EvictImageStatus(containerID)
+		images.EvictImageStatus(newContainer.Config.Labels[consts.ComposeStackNameLabel])
+		images.EvictImageStatus(newContainer.Config.Labels[consts.SwarmServiceIdLabel])
+	}()
+	return response.JSON(w, newContainer)
+}
+
+func (handler *Handler) createResourceControl(oldContainerId string, newContainerId string) {
+	resourceControls, err := handler.dataStore.ResourceControl().ResourceControls()
+	if err != nil {
+		log.Error().Err(err).Msg("Exporting Resource Controls")
+		return
+	}
+
+	resourceControl := authorization.GetResourceControlByResourceIDAndType(oldContainerId, portainer.ContainerResourceControl, resourceControls)
+	if resourceControl == nil {
+		return
+	}
+	resourceControl.ResourceID = newContainerId
+	err = handler.dataStore.ResourceControl().Create(resourceControl)
+	if err != nil {
+		log.Error().Err(err).Str("containerId", newContainerId).Msg("Failed to create new resource control for container")
+		return
+	}
+}
+
+func (handler *Handler) updateWebhook(oldContainerId string, newContainerId string) {
+	webhook, err := handler.dataStore.Webhook().WebhookByResourceID(oldContainerId)
+	if err != nil {
+		log.Error().Err(err).Str("containerId", oldContainerId).Msg("cannot find webhook by containerId")
+		return
+	}
+
+	webhook.ResourceID = newContainerId
+	err = handler.dataStore.Webhook().UpdateWebhook(webhook.ID, webhook)
+	if err != nil {
+		log.Error().Err(err).Int("webhookId", int(webhook.ID)).Msg("cannot update webhook")
+	}
+}
--- a/api/http/handler/docker/handler.go
+++ b/api/http/handler/docker/handler.go
@ -5,6 +5,7 @@ import (
 	"net/http"

 	"github.com/portainer/portainer/api/docker"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/internal/endpointutils"

 	"github.com/gorilla/mux"
@ -21,18 +22,20 @@ type Handler struct {
 	*mux.Router
 	requestBouncer       *security.RequestBouncer
 	dataStore            dataservices.DataStore
-	dockerClientFactory  *docker.ClientFactory
+	dockerClientFactory  *dockerclient.ClientFactory
 	authorizationService *authorization.Service
+	containerService     *docker.ContainerService
 }

 // NewHandler creates a handler to process non-proxied requests to docker APIs directly.
-func NewHandler(bouncer *security.RequestBouncer, authorizationService *authorization.Service, dataStore dataservices.DataStore, dockerClientFactory *docker.ClientFactory) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, authorizationService *authorization.Service, dataStore dataservices.DataStore, dockerClientFactory *dockerclient.ClientFactory, containerService *docker.ContainerService) *Handler {
 	h := &Handler{
 		Router:               mux.NewRouter(),
 		requestBouncer:       bouncer,
 		authorizationService: authorizationService,
 		dataStore:            dataStore,
 		dockerClientFactory:  dockerClientFactory,
+		containerService:     containerService,
 	}

 	// endpoints
@ -40,7 +43,7 @@ func NewHandler(bouncer *security.RequestBouncer, authorizationService *authoriz
 	endpointRouter.Use(middlewares.WithEndpoint(dataStore.Endpoint(), "id"))
 	endpointRouter.Use(dockerOnlyMiddleware)

-	containersHandler := containers.NewHandler("/{id}/containers", bouncer, dockerClientFactory)
+	containersHandler := containers.NewHandler("/{id}/containers", bouncer, dataStore, dockerClientFactory, containerService)
 	endpointRouter.PathPrefix("/containers").Handler(containersHandler)
 	return h
 }
--- a/api/http/handler/hostmanagement/openamt/handler.go
+++ b/api/http/handler/hostmanagement/openamt/handler.go
@ -8,7 +8,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/docker"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/security"
 )

@ -17,7 +17,7 @@ type Handler struct {
 	*mux.Router
 	OpenAMTService      portainer.OpenAMTService
 	DataStore           dataservices.DataStore
-	DockerClientFactory *docker.ClientFactory
+	DockerClientFactory *dockerclient.ClientFactory
 }

 // NewHandler returns a new Handler
--- a/api/http/handler/stacks/handler.go
+++ b/api/http/handler/stacks/handler.go
@ -13,7 +13,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/docker"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@ -30,7 +30,7 @@ type Handler struct {
 	requestBouncer     *security.RequestBouncer
 	*mux.Router
 	DataStore               dataservices.DataStore
-	DockerClientFactory     *docker.ClientFactory
+	DockerClientFactory     *dockerclient.ClientFactory
 	FileService             portainer.FileService
 	GitService              portainer.GitService
 	SwarmStackManager       portainer.SwarmStackManager
--- a/api/http/handler/webhooks/handler.go
+++ b/api/http/handler/webhooks/handler.go
@ -4,9 +4,9 @@ import (
 	"net/http"

 	"github.com/portainer/portainer/api/dataservices"
+	dockerclient "github.com/portainer/portainer/api/docker/client"

 	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/security"

 	"github.com/gorilla/mux"
@ -17,7 +17,7 @@ type Handler struct {
 	*mux.Router
 	requestBouncer      *security.RequestBouncer
 	DataStore           dataservices.DataStore
-	DockerClientFactory *docker.ClientFactory
+	DockerClientFactory *dockerclient.ClientFactory
 }

 // NewHandler creates a handler to manage webhooks operations.
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@ -15,7 +15,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/docker"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
@ -34,7 +34,7 @@ type (
 		dataStore            dataservices.DataStore
 		signatureService     portainer.DigitalSignatureService
 		reverseTunnelService portainer.ReverseTunnelService
-		dockerClientFactory  *docker.ClientFactory
+		dockerClientFactory  *dockerclient.ClientFactory
 		gitService           portainer.GitService
 	}

@ -44,7 +44,7 @@ type (
 		DataStore            dataservices.DataStore
 		SignatureService     portainer.DigitalSignatureService
 		ReverseTunnelService portainer.ReverseTunnelService
-		DockerClientFactory  *docker.ClientFactory
+		DockerClientFactory  *dockerclient.ClientFactory
 	}

 	restrictedDockerOperationContext struct {
--- a/api/http/proxy/factory/factory.go
+++ b/api/http/proxy/factory/factory.go
@ -5,11 +5,10 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"

 	"github.com/portainer/portainer/api/kubernetes/cli"
-
-	"github.com/portainer/portainer/api/docker"
 )

 const azureAPIBaseURL = "https://management.azure.com"
@ -20,7 +19,7 @@ type (
 		dataStore                   dataservices.DataStore
 		signatureService            portainer.DigitalSignatureService
 		reverseTunnelService        portainer.ReverseTunnelService
-		dockerClientFactory         *docker.ClientFactory
+		dockerClientFactory         *dockerclient.ClientFactory
 		kubernetesClientFactory     *cli.ClientFactory
 		kubernetesTokenCacheManager *kubernetes.TokenCacheManager
 		gitService                  portainer.GitService
@ -28,7 +27,7 @@ type (
 )

 // NewProxyFactory returns a pointer to a new instance of a ProxyFactory
-func NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *docker.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService) *ProxyFactory {
+func NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService) *ProxyFactory {
 	return &ProxyFactory{
 		dataStore:                   dataStore,
 		signatureService:            signatureService,
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -5,13 +5,13 @@ import (
 	"net/http"

 	"github.com/portainer/portainer/api/dataservices"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"

 	cmap "github.com/orcaman/concurrent-map"
 	"github.com/portainer/portainer/api/kubernetes/cli"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/proxy/factory"
 )

@ -25,7 +25,7 @@ type (
 )

 // NewManager initializes a new proxy Service
-func NewManager(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *docker.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService) *Manager {
+func NewManager(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService) *Manager {
 	return &Manager{
 		endpointProxies:  cmap.New(),
 		k8sClientFactory: kubernetesClientFactory,
--- a/api/http/server.go
+++ b/api/http/server.go
@ -14,6 +14,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/docker"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/handler"
 	"github.com/portainer/portainer/api/http/handler/auth"
 	"github.com/portainer/portainer/api/http/handler/backup"
@ -96,7 +97,7 @@ type Server struct {
 	KubeClusterAccessService    k8s.KubeClusterAccessService
 	Handler                     *handler.Handler
 	SSLService                  *ssl.Service
-	DockerClientFactory         *docker.ClientFactory
+	DockerClientFactory         *dockerclient.ClientFactory
 	KubernetesClientFactory     *cli.ClientFactory
 	KubernetesDeployer          portainer.KubernetesDeployer
 	HelmPackageManager          libhelm.HelmPackageManager
@ -189,7 +190,9 @@ func (server *Server) Start() error {

 	var kubernetesHandler = kubehandler.NewHandler(requestBouncer, server.AuthorizationService, server.DataStore, server.JWTService, server.KubeClusterAccessService, server.KubernetesClientFactory, nil)

-	var dockerHandler = dockerhandler.NewHandler(requestBouncer, server.AuthorizationService, server.DataStore, server.DockerClientFactory)
+	containerService := docker.NewContainerService(server.DockerClientFactory, server.DataStore)
+
+	var dockerHandler = dockerhandler.NewHandler(requestBouncer, server.AuthorizationService, server.DataStore, server.DockerClientFactory, containerService)

 	var fileHandler = file.NewHandler(filepath.Join(server.AssetsPath, "public"), adminMonitor.WasInstanceDisabled)