Merge pull request #27071 from rhvgoyal/docker-overlay-error

Warn if kernel does not support overlay with selinux
This commit is contained in:
Alexander Morozov 2017-01-31 13:41:02 -08:00 committed by GitHub
commit ebaf1ced72

View file

@ -3,6 +3,7 @@
package daemon
import (
"bufio"
"bytes"
"fmt"
"io/ioutil"
@ -647,11 +648,56 @@ func configureMaxThreads(config *Config) error {
return nil
}
func overlaySupportsSelinux() (bool, error) {
f, err := os.Open("/proc/kallsyms")
if err != nil {
if os.IsNotExist(err) {
return false, nil
}
return false, err
}
defer f.Close()
var symAddr, symType, symName, text string
s := bufio.NewScanner(f)
for s.Scan() {
if err := s.Err(); err != nil {
return false, err
}
text = s.Text()
if _, err := fmt.Sscanf(text, "%s %s %s", &symAddr, &symType, &symName); err != nil {
return false, fmt.Errorf("Scanning '%s' failed: %s", text, err)
}
// Check for presence of symbol security_inode_copy_up.
if symName == "security_inode_copy_up" {
return true, nil
}
}
return false, nil
}
// configureKernelSecuritySupport configures and validates security support for the kernel
func configureKernelSecuritySupport(config *Config, driverName string) error {
if config.EnableSelinuxSupport {
if !selinuxEnabled() {
logrus.Warn("Docker could not enable SELinux on the host system")
return nil
}
if driverName == "overlay" || driverName == "overlay2" {
// If driver is overlay or overlay2, make sure kernel
// supports selinux with overlay.
supported, err := overlaySupportsSelinux()
if err != nil {
return err
}
if !supported {
logrus.Warnf("SELinux is not supported with the %s graph driver on this kernel", driverName)
}
}
} else {
selinuxSetDisabled()