As it turns out, we call this function every time someone calls `docker
info`, every time a contianer is created, and every time a container is
started.
Certainly this should be refactored as a whole, but for now, memoize the
seccomp value.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The package used a lot of string-formatting, followed by string-splitting.
This looked to originate from attempts to use templating to allow future
extensibility (9a3ab0358e).
Looking at the history of the package, only a single update was made to
these templates, 5 years go, which makes it unlikely that more templating
will be needed.
This patch simplifies the handling of arguments to use `[]string` instead
of a single `string` (and splitting to a `[]string`). This both simplifies
the code somewhat, and prevents user/group-names containing spaces to be
splitted (causing, e.g. `getent` to fail).
Note that user/group-names containing spaces are invalid (or at least
discouraged), there are situations where such names may be used, so we
should avoid breaking on such names.
Before this change, a user/group name with a space in its name would fail;
dockerd --userns-remap="user:domain users"
INFO[2020-08-19T10:26:59.288868661+02:00] Starting up
Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database
With this change:
# Add some possibly problematic usernames for testing
# need to do this manually, as `adduser` / `useradd` won't accept these names
echo 'user name❌1002:1002::/home/one:/bin/false' >> /etc/passwd; \
echo 'user name❌1002:' >> /etc/group; \
echo 'user name:1266401166:65536' >> /etc/subuid; \
echo 'user name:1266401153:65536' >> /etc/subgid; \
echo 'user$HOME❌1003:1003::/home/one:/bin/false' >> /etc/passwd; \
echo 'user$HOME❌1003:' >> /etc/group; \
echo 'user$HOME:1266401166:65536' >> /etc/subuid; \
echo 'user$HOME:1266401153:65536' >> /etc/subgid; \
echo 'user'"'"'name❌1004:1004::/home/one:/bin/false' >> /etc/passwd; \
echo 'user'"'"'name❌1004:' >> /etc/group; \
echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \
echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \
echo 'user"name❌1005:1005::/home/one:/bin/false' >> /etc/passwd; \
echo 'user"name❌1005:' >> /etc/group; \
echo 'user"name:1266401166:65536' >> /etc/subuid; \
echo 'user"name:1266401153:65536' >> /etc/subgid;
# Start the daemon using those users
dockerd --userns-remap="user name:user name"
dockerd --userns-remap='user$HOME:user$HOME'
dockerd --userns-remap="user'name":"user'name"
dockerd --userns-remap='user"name':'user"name'
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The CPU CFS cgroup-aware scheduler is one single kernel feature, not
two, so it does not make sense to have two separate booleans
(CPUCfsQuota and CPUCfsPeriod). Merge these into CPUCfs.
Same for CPU realtime.
For compatibility reasons, /info stays the same for now.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
update test to fix go 1.15 linting failure:
pkg/chrootarchive/archive_test.go:103:32: conversion from int to string yields a string of one rune
relates to golang/go 32479
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The implementation in libcontainer/system is quite complicated,
and we only use it to detect if user-namespaces are enabled.
In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The implementation in libcontainer/system is quite complicated,
and we only use it to detect if user-namespaces are enabled.
In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The implementation in libcontainer/system is quite complicated,
and we only use it to detect if user-namespaces are enabled.
In addition, the implementation in containerd uses a sync.Once,
so that detection (and reading/parsing `/proc/self/uid_map`) is
only performed once.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
NewIdentityMapping took group name as an argument, and used
the group name also to parse the /etc/sub{uid,gui}. But as per
linux man pages, the sub{uid,gid} file maps username or uid,
not a group name.
Therefore, all occurrences where mapping is used need to
consider only username and uid. Code trying to map using gid
and group name in the daemon is also removed.
Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
compile error the "stat.Rdev" variable and "s.Rdev" mismatched types on mips64el
convert "stat.Rdev" type to uint64 explicitly
Signed-off-by: Xiaodong Liu <liuxiaodong@loongson.cn>
For some reason, commit 69cf03700f chose not to use information
already fetched, and called cgroups.FindCgroupMountpoint() instead.
This is not a cheap call, as it has to parse the whole nine yards
of /proc/self/mountinfo, and the info which it tries to get (whether
the pids controller is present) is already available from cgMounts map.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
`func init()` is evil here, and the logrus calls are being made before
the logger is even setup.
It also means in order to use pigz you have to restart the daemon.
Instead this takes a small hit and resolves pigz on each extraction.
In the grand scheme of decompressing this is a very small hit.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
On macOS, unit tests were failing with
root@c4101a75c792:/go/src/github.com/docker/docker/pkg/authorization# go test .
--- FAIL: TestAuthZRequestPluginError (0.00s)
authz_unix_test.go:295: listen unix authz-test-plugin.sock: bind: file name too long
--- FAIL: TestAuthZRequestPlugin (0.00s)
authz_unix_test.go:295: listen unix authz-test-plugin.sock: bind: file name too long
--- FAIL: TestAuthZResponsePlugin (0.00s)
authz_unix_test.go:295: listen unix authz-test-plugin.sock: bind: file name too long
time="2020-04-07T10:07:04Z" level=warning msg="Request body is larger than: '1048576' skipping body"
--- FAIL: TestMiddlewareWrapHandler (0.00s)
authz_unix_test.go:295: listen unix authz-test-plugin.sock: bind: file name too long
FAIL
FAIL github.com/docker/docker/pkg/authorization 0.120s
This change moves the socket creation from a working test directory to a tmp directory,
so the path is shorter.
Change-type: patch
Signed-off-by: Roman Mazur <roman@balena.io>
We do our CI via golangci-lint, which understands nolint: annotations.
A standalone linter tool, golint, does not, and it insists on
documenting these:
> pkg/mount/deprecated.go:47:1: comment on exported var MergeTmpfsOptions should be of the form "MergeTmpfsOptions ..."
> pkg/mount/deprecated.go:51:1: comment on exported type FilterFunc should be of the form "FilterFunc ..." (with optional leading article)
> pkg/mount/deprecated.go:51:1: comment on exported type Info should be of the form "Info ..." (with optional leading article)
For `MergeTmpfsOptions`, the workaround is to put it inside a
`var ( ... )` block.
For the other two warnings, we have to provide the "actual"
documentation (or something that looks like it).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Add a deprecation/removal notice, pointing out to appropriate
replacement packages.
I was not sure if a package-level deprecation is enough, so
I also added notices around each block.
Note that `nolint:golint` annotations are left as is, otherwise
golint complains like this:
> pkg/mount/deprecated.go:45:1: comment on exported var `MergeTmpfsOptions` should be of the form `MergeTmpfsOptions ...` (golint)
> // Deprecated: use github.com/moby/sys/mount instead.
> ^
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Switch to moby/sys/mount and mountinfo. Keep the pkg/mount for potential
outside users.
This commit was generated by the following bash script:
```
set -e -u -o pipefail
for file in $(git grep -l 'docker/docker/pkg/mount"' | grep -v ^pkg/mount); do
sed -i -e 's#/docker/docker/pkg/mount"#/moby/sys/mount"#' \
-e 's#mount\.\(GetMounts\|Mounted\|Info\|[A-Za-z]*Filter\)#mountinfo.\1#g' \
$file
goimports -w $file
done
```
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Make pkg/mount a shallow package, relying on
github.com/moby/sys/mount and github.com/moby/sys/mountinfo
The plan is to
- switch the rest of this repo to use moby/sys directly
- add deprecation notice to pkg/mount
- (eventually) remove pkg/mount
The nolint:golint annotation is added to suppress warnings like
"exported XXX should have comment or be unexported".
The ForceMount function is deprecated (and is identical to Mount),
so let's not use it (but still provide an alias for those who do).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Currently, the escapeProxy works under the assumption that the
underlying reader will always return 1 byte at a time. Even though this
is usually true, it is not always the case, for example when using a pty
and writing multiple bytes to the master before flushing it.
In such cases the proxy reader doesn't work properly. For example with
an escape sequence being `ctrl-p,ctrl-q`, when the underlying reader
returns `ctrl-p,ctrl-q` at once, the escape sequence isn't detected.
This updates the reader to support this use-case and adds unit tests.
Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com>
error log :
signal_test.go:20: assertion failed: error is not nil: Invalid signal: SIGEMT
signal_test.go:22: assertion failed:
When "ParseSignal" function parse sigStr from SignalMap, it find the signal object with key ("SIG"+sigStr). But EMT signal named "SIGEMT" in SignalMap structrue, so the real key is "SIGSIGEMT" , and cannot find the target signal.
modify "SIGEMT" to "EMT" in SignalMap structrue.
Signed-off-by: liuxiaodong <liuxiaodong@loongson.cn>
