Merge pull request #11882 from hqhq/hq_warn_device_cg

add devices cgroup check as hard requirement

pkg/sysinfo/sysinfo.go

@@ -23,20 +23,16 @@ func New(quiet bool) *SysInfo {
 	sysInfo := &SysInfo{}
 	if cgroupMemoryMountpoint, err := cgroups.FindCgroupMountpoint("memory"); err != nil {
 		if !quiet {
-			logrus.Warnf("%v", err)
+			logrus.Warnf("Your kernel does not support cgroup memory limit: %v", err)
 		}
 	} else {
-		_, err1 := ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.limit_in_bytes"))
-		_, err2 := ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.soft_limit_in_bytes"))
-		sysInfo.MemoryLimit = err1 == nil && err2 == nil
-		if !sysInfo.MemoryLimit && !quiet {
-			logrus.Warn("Your kernel does not support cgroup memory limit.")
-		}
+		// If memory cgroup is mounted, MemoryLimit is always enabled.
+		sysInfo.MemoryLimit = true
 
-		_, err = ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.memsw.limit_in_bytes"))
-		sysInfo.SwapLimit = err == nil
+		_, err1 := ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.memsw.limit_in_bytes"))
+		sysInfo.SwapLimit = err1 == nil
 		if !sysInfo.SwapLimit && !quiet {
-			logrus.Warn("Your kernel does not support cgroup swap limit.")
+			logrus.Warn("Your kernel does not support swap memory limit.")
 		}
 	}
 
@@ -58,5 +54,11 @@ func New(quiet bool) *SysInfo {
 	} else {
 		sysInfo.AppArmor = true
 	}
+
+	// Check if Devices cgroup is mounted, it is hard requirement for container security.
+	if _, err := cgroups.FindCgroupMountpoint("devices"); err != nil {
+		logrus.Fatalf("Error mounting devices cgroup: %v", err)
+	}
+
 	return sysInfo
 }