We use cookies to ensure you get the best experience on our website
Startseite Erkunden Hilfe
Registrieren Anmelden
0ct0pu5
/
moby
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Quellcode durchsuchen

Add "userns" to `docker info` security options output

If user namespaces is enabled on the daemon, reveal that via docker info
by adding "userns" to the list of security options reported by the
info endpoint.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Phil Estes vor 8 Jahren
Ursprung
2428534998
Commit
ae74092e45
4 geänderte Dateien mit 12 neuen und 2 gelöschten Zeilen
Geteilte Ansicht Diff-Statistik anzeigen
  1. 4 0
      daemon/info.go
  2. 1 1
      docs/reference/api/docker_remote_api.md
  3. 2 1
      docs/reference/api/docker_remote_api_v1.25.md
  4. 5 0
      docs/reference/commandline/dockerd.md

+ 4 - 0
daemon/info.go
Datei anzeigen 

@@ -78,6 +78,10 @@ func (daemon *Daemon) SystemInfo() (*types.Info, error) {
 
 	if selinuxEnabled() {
 
 		securityOptions = append(securityOptions, "selinux")
 
 	}
 
+	uid, gid := daemon.GetRemappedUIDGID()
 
+	if uid != 0 || gid != 0 {
 
+		securityOptions = append(securityOptions, "userns")
 
+	}
 
 
 	v := &types.Info{
 
 		ID:                 daemon.ID,

+ 1 - 1
docs/reference/api/docker_remote_api.md
Datei anzeigen 

@@ -161,7 +161,7 @@ This section lists each version from latest to oldest.  Each listing includes a
 
 * `POST /networks/prune` prunes unused networks.
 
 * Every API response now includes a `Docker-Experimental` header specifying if experimental features are enabled (value can be `true` or `false`).
 
 * The `hostConfig` option now accepts the fields `CpuRealtimePeriod` and `CpuRtRuntime` to allocate cpu runtime to rt tasks when `CONFIG_RT_GROUP_SCHED` is enabled in the kernel.
 
-
 
+* The `SecurityOptions` field within the `GET /info` response now includes `userns` if user namespaces are enabled in the daemon.
 
 
 ### v1.24 API changes

+ 2 - 1
docs/reference/api/docker_remote_api_v1.25.md
Datei anzeigen 

@@ -2503,7 +2503,8 @@ Display system-wide information
 
         "SecurityOptions": [
 
             "apparmor",
 
             "seccomp",
 
-            "selinux"
 
+            "selinux",
 
+            "userns"
 
         ],
 
         "ServerVersion": "1.9.0",
 
         "SwapLimit": false,

+ 5 - 0
docs/reference/commandline/dockerd.md
Datei anzeigen 

@@ -986,6 +986,11 @@ If you have a group that doesn't match the username, you may provide the `gid`
 
 or group name as well; otherwise the username will be used as the group name
 
 when querying the system for the subordinate group ID range.
 
 
+The output of `docker info` can be used to determine if the daemon is running
 
+with user namespaces enabled or not. If the daemon is configured with user
 
+namespaces, the Security Options entry in the response will list "userns" as
 
+one of the enabled security features.
 
+
 
 ### Detailed information on `subuid`/`subgid` ranges
 
 
 Given potential advanced use of the subordinate ID ranges by power users, the

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5