
Merge pull request #23182 from crosbymichael/maxkeys

Change root_maxkeys
Sebastiaan van Stijn 9 năm trước cách đây
mục cha
commit
8e8ef7c724
3 tập tin đã thay đổi với 72 bổ sung0 xóa
  1. 5 0
      daemon/daemon.go
  2. 59 0
      daemon/keys.go
  3. 8 0
      daemon/keys_unsupported.go

+ 5 - 0
daemon/daemon.go

@@ -387,6 +387,11 @@ func (daemon *Daemon) IsSwarmCompatible() error {
 func NewDaemon(config *Config, registryService registry.Service, containerdRemote libcontainerd.Remote) (daemon *Daemon, err error) {
 	setDefaultMtu(config)
 
+	// Ensure that we have a correct root key limit for launching containers.
+	if err := ModifyRootKeyLimit(); err != nil {
+		logrus.Warnf("unable to modify root key limit, number of containers could be limitied by this quota: %v", err)
+	}
+
 	// Ensure we have compatible and valid configuration options
 	if err := verifyDaemonSettings(config); err != nil {
 		return nil, err
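Review bot: The `ModifyRootKeyLimit()` call added at the top of `NewDaemon` changes a host-wide kernel quota before `verifyDaemonSettings(config)` has run, so a daemon that fails validation and exits has still rewritten the root key limits, and nothing in the visible code restores them. I would move the call below the settings check. Because this is a persistent change to a limit that bounds how much kernel memory root-owned keys may use, I would also document it at the call site, e.g. `// NOTE: rewrites /proc/sys/kernel/keys/root_maxkeys and root_maxbytes for the whole host; not reverted on shutdown.` Warning instead of failing looks reasonable for hosts where the sysctl cannot be written, but the message has a typo: `limitied` should be `limited`. NewDaemon's body continues outside the hunk.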

+ 59 - 0
daemon/keys.go

@@ -0,0 +1,59 @@
+// +build linux
+
+package daemon
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strconv"
+	"strings"
+)
+
+const (
+	rootKeyFile   = "/proc/sys/kernel/keys/root_maxkeys"
+	rootBytesFile = "/proc/sys/kernel/keys/root_maxbytes"
+	rootKeyLimit  = 1000000
+	// it is standard configuration to allocate 25 bytes per key
+	rootKeyByteMultiplier = 25
+)
+
+// ModifyRootKeyLimit checks to see if the root key limit is set to
+// at least 1000000 and changes it to that limit along with the maxbytes
+// allocated to the keys at a 25 to 1 multiplier.
+func ModifyRootKeyLimit() error {
+	value, err := readRootKeyLimit(rootKeyFile)
+	if err != nil {
+		return err
+	}
+	if value < rootKeyLimit {
+		return setRootKeyLimit(rootKeyLimit)
+	}
+	return nil
+}
+
+func setRootKeyLimit(limit int) error {
+	keys, err := os.OpenFile(rootKeyFile, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer keys.Close()
+	if _, err := fmt.Fprintf(keys, "%d", limit); err != nil {
+		return err
+	}
+	bytes, err := os.OpenFile(rootBytesFile, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer bytes.Close()
+	_, err = fmt.Fprintf(bytes, "%d", limit*rootKeyByteMultiplier)
+	return err
+}
+
+func readRootKeyLimit(path string) (int, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return -1, err
+	}
+	return strconv.Atoi(strings.Trim(string(data), "\n"))
+}
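Review bot: `setRootKeyLimit` overwrites `root_maxbytes` with 25000000 unconditionally, and `ModifyRootKeyLimit` decides only from `root_maxkeys`. A host where the administrator has already raised `root_maxbytes` above that figure but left `root_maxkeys` below 1000000 therefore gets its byte quota lowered at daemon start, and the reverse case (keys already high, bytes low) is never corrected. The two writes are also coupled: if the `root_maxbytes` open or write fails after `root_maxkeys` was raised, the next start sees the key count at the limit and never retries the byte quota. Checking each file on its own and never writing a value below the current one fixes the first problem and lets a later start retry whichever write failed. The sketch below replaces `setRootKeyLimit`, keeps `readRootKeyLimit` as is, and would leave the `fmt` and `os` imports unused.

```go
func ModifyRootKeyLimit() error {
	if err := raiseKeyLimit(rootKeyFile, rootKeyLimit); err != nil {
		return err
	}
	return raiseKeyLimit(rootBytesFile, rootKeyLimit*rootKeyByteMultiplier)
}

// raiseKeyLimit writes limit to path only when the current value is lower,
// so a higher value configured by the administrator is never reduced.
func raiseKeyLimit(path string, limit int) error {
	value, err := readRootKeyLimit(path)
	if err != nil {
		return err
	}
	if value >= limit {
		return nil
	}
	return ioutil.WriteFile(path, []byte(strconv.Itoa(limit)), 0)
}

// … unchanged: readRootKeyLimit …
```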

+ 8 - 0
daemon/keys_unsupported.go

@@ -0,0 +1,8 @@
+// +build !linux
+
+package daemon
+
+// ModifyRootKeyLimit is an noop on unsupported platforms.
+func ModifyRootKeyLimit() error {
+	return nil
+}