Merge pull request #27071 from rhvgoyal/docker-overlay-error
Warn if kernel does not support overlay with selinux
This commit is contained in:
commit
ebaf1ced72
1 changed files with 46 additions and 0 deletions
|
@ -3,6 +3,7 @@
|
|||
package daemon
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
|
@ -647,11 +648,56 @@ func configureMaxThreads(config *Config) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func overlaySupportsSelinux() (bool, error) {
|
||||
f, err := os.Open("/proc/kallsyms")
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
var symAddr, symType, symName, text string
|
||||
|
||||
s := bufio.NewScanner(f)
|
||||
for s.Scan() {
|
||||
if err := s.Err(); err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
text = s.Text()
|
||||
if _, err := fmt.Sscanf(text, "%s %s %s", &symAddr, &symType, &symName); err != nil {
|
||||
return false, fmt.Errorf("Scanning '%s' failed: %s", text, err)
|
||||
}
|
||||
|
||||
// Check for presence of symbol security_inode_copy_up.
|
||||
if symName == "security_inode_copy_up" {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// configureKernelSecuritySupport configures and validates security support for the kernel
|
||||
func configureKernelSecuritySupport(config *Config, driverName string) error {
|
||||
if config.EnableSelinuxSupport {
|
||||
if !selinuxEnabled() {
|
||||
logrus.Warn("Docker could not enable SELinux on the host system")
|
||||
return nil
|
||||
}
|
||||
|
||||
if driverName == "overlay" || driverName == "overlay2" {
|
||||
// If driver is overlay or overlay2, make sure kernel
|
||||
// supports selinux with overlay.
|
||||
supported, err := overlaySupportsSelinux()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !supported {
|
||||
logrus.Warnf("SELinux is not supported with the %s graph driver on this kernel", driverName)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
selinuxSetDisabled()
|
||||
|
|
Loading…
Reference in a new issue