It provides an ASLR-bypassing target with usable ROP gadgets.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
(cherry picked from commit 49dcce7ba0)
Signed-off-by: Victor Vieux <vieux@docker.com>
Chosing LEGACY_VSYSCALL_NONE (over NATIVE or EMULATE) will mean that binaries
using eglibc <= 2.13 will not run (segfault).
Fixes#28705.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
(cherry picked from commit 163db04452)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
DEVPTS_MULTIPLE_INSTANCES is no longer an option, it is always set, so
do not check for this post 4.8.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 228ee16df3)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Although primarily a human readable script, it is quite useful
to return success or failure from this script so it can be used
as a basic test.
Fail if any check fails, including some that are optional,
other than the storage driver tests, where only one needs to
succeed, so the system has at least one workable storage driver.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Many distributions now use ext4 to provide ext2 and ext3 support,
so do not warn about possibly missing ext3 support if the config
option is used.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This appears to be missing. NAT (via iptables) is required in order to
setup Docker networking.
Signed-off-by: Charlie Drage <charlie@charliedrage.com>
docker is trying to set system.posix_acl_access but using BTRFS this fails if
CONFIG_BTRFS_FS_POSIX_ACL is not activated.
Signed-off-by: Andrei Gherzan <andrei@resin.io>
This commit add DUMMY and IPVLAN to check-config.sh
because they are need for ipvlan and macvlan network
driver.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Initially this checks the kernel's maxkeys setting which is
low in some older distribution kernels, such that only 200 containers
can be created, reported in #22865.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
CONFIG_MEMCG_KMEM is removed since 4.6, it's accounted by default
since 4.6, so it's merged to CONFIG_MEMCG.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Add a check in `check-config.sh` to see if we are running on a RHEL7 or
CentOS7 system, which may report that CONFIG_USERNS is OK/enabled, but
user namespaces still won't work because of the experimental feature
flag added by Redhat.
This will add a warning if it is actually disabled and notes what has to
be added to the grub/boot command line to enable it.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Currently check-config.sh just said enable or missing, when I used
a fresh kernel, made check-config.sh happy, still can't start
container. It take me days debuging kernel and Docker and finally
found it's because I enabled some CONFIGs as modules and never
loaded these modules.
So I think it's necessary to let check-config.sh told users which
configs are enabled as modules.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
See also https://bugs.gentoo.org/show_bug.cgi?id=536546:
```console
$ docker run learn/tutorial echo "hello world"
FATA[0001] Error response from daemon: Cannot start container 1d0c0ca5cc7f39a271ec40c1479a80bffb7190fab97392b3453a1fc0b2dc8e78: mountpoint for cpuset not found
```
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Since Linux 3.18-rc6, overlayfs has been renamed overlay.
This change was introduced by the following commit in linux.git:
ef94b1864d1ed5be54376404bb23d22ed0481feb ovl: rename filesystem type to "overlay"
Signed-off-by: Lénaïc Huard <lhuard@amadeus.com>
If AppArmor is enabled on the current system, but "apparmor_parser" isn't installed, it causes all kinds of issues.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)