Commit graph

57 commits

Author SHA1 Message Date
Ian Campbell
c84f43d63f Caution against the use of CONFIG_LEGACY_VSYSCALL_NATIVE
It provides an ASLR-bypassing target with usable ROP gadgets.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
(cherry picked from commit 49dcce7ba0)
Signed-off-by: Victor Vieux <vieux@docker.com>
2016-12-09 14:11:46 -08:00
Ian Campbell
3d27cb3d6f Check for LEGACY_VSYSCALL_* options
Choosing LEGACY_VSYSCALL_NONE (over NATIVE or EMULATE) will mean that binaries
using eglibc <= 2.13 will not run (segfault).

Fixes #28705.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
(cherry picked from commit 163db04452)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
2016-11-28 11:21:53 -08:00
Justin Cormack
c125c131d7 Fix check config script on 4.8 kernels
DEVPTS_MULTIPLE_INSTANCES is no longer an option, it is always set, so
do not check for this post 4.8.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 228ee16df3)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
2016-11-18 13:26:03 -08:00
Justin Cormack
6d116ffbbb Make the check-config script return success or failure
Although primarily a human readable script, it is quite useful
to return success or failure from this script so it can be used
as a basic test.

Fail if any check fails, including some that are optional,
other than the storage driver tests, where only one needs to
succeed, so the system has at least one workable storage driver.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-11-02 23:23:52 +00:00
Justin Cormack
b28619046a Do not warn in check-config script about ext3 if provided by ext4
Many distributions now use ext4 to provide ext2 and ext3 support,
so do not warn about possibly missing ext3 support if the config
option is used.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-10-28 12:51:09 +01:00
Alessandro Boch
275013ce8b Update required modules for overlay dataplane encryption
Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-10-11 14:06:55 -07:00
Charlie Drage
2fb2361b29 Add check for CONFIG_IP_NF_NAT to kernel check
This appears to be missing. NAT (via iptables) is required in order to
set up Docker networking.

Signed-off-by: Charlie Drage <charlie@charliedrage.com>
2016-10-04 12:14:45 -04:00
alexchen
4c74469d30 add check flag for CONFIG_NETFILTER_XT_MATCH_IPVS CONFIG_IP_VS_NFCT CONFIG_IP_VS_RR in contrib/check-config.sh
Signed-off-by: alexchen <alexchenunix@gmail.com>
2016-10-01 09:50:17 +08:00
Andrei Gherzan
1c886a70df check-config.sh: Add check for CONFIG_BTRFS_FS_POSIX_ACL
docker is trying to set system.posix_acl_access but using BTRFS this fails if
CONFIG_BTRFS_FS_POSIX_ACL is not activated.

Signed-off-by: Andrei Gherzan <andrei@resin.io>
2016-08-25 13:20:18 +01:00
Lei Jitang
f5940ef725 Add IPVLAN and DUMMY to check-config.sh
This commit adds DUMMY and IPVLAN to check-config.sh
because they are needed for the ipvlan and macvlan network
drivers.

Signed-off-by: Lei Jitang <leijitang@huawei.com>
2016-07-07 21:21:57 -04:00
Brian Goff
9e14002ced Add ip_vs to check-config script
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2016-06-28 13:42:38 -04:00
Alessandro Boch
c355e059cc Add modules for secure overlay network to check-config.sh
Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-06-22 10:51:13 -07:00
Justin Cormack
4e2d98761d Begin a section in the check-config script to check limits
Initially this checks the kernel's maxkeys setting which is
low in some older distribution kernels, such that only 200 containers
can be created, reported in #22865.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-20 16:05:25 -07:00
Qiang Huang
27d7b135d4 Update check_config for MEMCG_KMEM
CONFIG_MEMCG_KMEM is removed since 4.6, it's accounted by default
since 4.6, so it's merged to CONFIG_MEMCG.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-16 13:55:24 +08:00
Qiang Huang
192387198d Add CONFIG_CFQ_GROUP_IOSCHED check
blkio.weight depends on this config.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-25 14:08:29 +08:00
Tianon Gravi
c082dad637 Add "VXLAN" to check-config.sh
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2016-04-11 16:42:53 -07:00
Jessica Frazelle
69cf03700f pids limit support
update bash completion for pids limit

update check config for kernel

add docs for pids limit

add pids stats

add stats to docker client

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-03-08 07:55:01 -08:00
Alexander Morozov
f5b4e1be6b Fix CONFIG_KEYS check in contrib/check-config.sh
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-03-01 10:01:12 -08:00
Alexander Morozov
c1996c9245 Add CONFIG_KEYS to check-config.sh
We need this after opencontainers/runc#488

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-02-26 23:40:35 -08:00
Phil Estes
2355151556 Add check for RHEL7/CentOS7 experimental userns disabled
Add a check in `check-config.sh` to see if we are running on a RHEL7 or
CentOS7 system, which may report that CONFIG_USERNS is OK/enabled, but
user namespaces still won't work because of the experimental feature
flag added by Red Hat.

This will add a warning if it is actually disabled and notes what has to
be added to the grub/boot command line to enable it.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-02-23 23:28:24 -06:00
Tianon Gravi
5c161f4e1a Update check-config.sh to use "case" instead of an associative array
This fixes Bash 3.x compatibility (where associative arrays are not available).

Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2016-01-12 20:57:56 -08:00
Jessica Frazelle
cde9e8bc83 update packagers.md and kernel config check
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-03 16:30:50 -08:00
Lei Jitang
d475c4ddc1 Add user namespace check to check-config.sh
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-10-11 17:26:34 +08:00
Lei Jitang
cbb69531a8 Add CONFIG_BLK_DEV_THROTTLING to check-config.sh
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-08-19 15:11:04 +08:00
Qiang Huang
6c4d4c70c6 Adapt CONFIG_NETPRIO_CGROUP in check-config.sh
Fixes: #15572

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-08-14 14:38:48 +08:00
Qiang Huang
fb85a99f58 Add some cgroup related config check
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-06-19 13:47:48 +08:00
Qiang Huang
0c4c830289 Add check config for ext3 file system
Some distros still use ext3 as default file system, we should check
these configs as well.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-06-19 13:45:07 +08:00
Qiang Huang
8bfc8102be Don't check RESOURCE_COUNTERS in new kernel
Closes: #13543

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-06-03 17:26:39 +08:00
Alexander Morozov
6cc4cf7c0c Add BRIDGE_NETFILTER to check-config.sh
It is needed to use network with --userland-proxy=false and for
--icc=false

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-05-22 10:46:55 -07:00
Alexander Morozov
ceca037d05 Add optional CONFIG_BLK_CGROUP and CONFIG_IOSCHED_CFQ to check-config.sh
It is needed for blkio.weight support

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-05-22 10:41:29 -07:00
Qiang Huang
6e19912df9 Enhance check-config.sh
Currently check-config.sh just says enabled or missing. When I used
a fresh kernel and made check-config.sh happy, I still couldn't start
a container. It took me days debugging the kernel and Docker, and I finally
found it's because I enabled some CONFIGs as modules and never
loaded these modules.

So I think it's necessary to let check-config.sh tell users which
configs are enabled as modules.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-05-15 10:20:31 +08:00
Jörg Thalheim
d5151ca8ab Implement Docker on ZFS
Signed-off-by: Arthur Gautier <baloo@gandi.net>
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
2015-05-08 17:48:20 +02:00
Evan Hazlett
3509132a6e Merge pull request #12301 from ewindisch/https_links
Use HTTPS links for URLs in READMEs / comments / docs
2015-04-13 14:30:53 -04:00
Eric Windisch
df9ee6d656 Link to HTTPS urls in contrib comments/maintainers
Updates comments and dockerfile maintainer lines
to use HTTPS urls where applicable.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-04-11 13:35:08 -04:00
Lei Jitang
d2d583c53b Add CFS_BANDWIDTH to check-config
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-04-11 11:39:47 +08:00
Lei Jitang
a9588158b5 Add MEMCG_SWAP_ENABLED to check-config.sh
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-04-02 08:38:39 +08:00
Tianon Gravi
03de73a5e0 Add CONFIG_CPUSETS to check-config.sh
See also https://bugs.gentoo.org/show_bug.cgi?id=536546:

```console
$ docker run learn/tutorial echo "hello world"
FATA[0001] Error response from daemon: Cannot start container 1d0c0ca5cc7f39a271ec40c1479a80bffb7190fab97392b3453a1fc0b2dc8e78: mountpoint for cpuset not found
```

Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2015-03-13 09:18:10 -06:00
Jessie Frazelle
55566f2f8f Merge pull request #10418 from bobrik/overlay-kernel-checks
Checking EXT4_FS_SECURITY for overlay
2015-02-19 14:29:17 -08:00
Lei Jitang
82fda400b8 Fix check-config.sh usage
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-02-13 19:52:11 +08:00
Ian Babrou
a6c6d8bb91 Checking EXT4_FS_SECURITY and EXT4_FS_POSIX_ACL for overlay
Signed-off-by: Ian Babrou <ibobrik@gmail.com>
2015-02-05 17:41:13 +03:00
Qiang Huang
aac6090f2d add args support for check-config.sh
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-23 16:36:55 +08:00
Tianon Gravi
8803174e4f Add CONFIG_POSIX_MQUEUE to check-config.sh
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2014-12-26 14:59:25 -07:00
Lénaïc Huard
d680ca5c96 Rename the overlay storage driver
so that docker is started with `docker -d -s overlay` instead of `docker -d -s overlayfs`

Signed-off-by: Lénaïc Huard <lhuard@amadeus.com>
2014-12-03 13:57:23 +01:00
Lénaïc Huard
c57317893a Rename overlayfs to overlay
Since Linux 3.18-rc6, overlayfs has been renamed overlay.

This change was introduced by the following commit in linux.git:
ef94b1864d1ed5be54376404bb23d22ed0481feb ovl: rename filesystem type to "overlay"

Signed-off-by: Lénaïc Huard <lhuard@amadeus.com>
2014-12-02 10:02:59 +01:00
Tianon Gravi
54a6e6d122 Add CONFIG_OVERLAYFS_FS to check-config.sh
Also, added some slight adjustment to the AUFS_FS output/note to make it more clear what it applies to.

Example output:
```console
$ ./contrib/check-config.sh
info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_MACVLAN: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_NF_NAT_IPV4: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_NF_NAT_NEEDED: enabled

Optional Features:
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_RESOURCE_COUNTERS: enabled
- CONFIG_CGROUP_PERF: missing
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: missing
      (note that some kernels include AUFS patches but not the AUFS_FS flag)
    - CONFIG_EXT4_FS_POSIX_ACL: enabled
    - CONFIG_EXT4_FS_SECURITY: enabled
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled
    - CONFIG_DM_THIN_PROVISIONING: enabled
    - CONFIG_EXT4_FS: enabled
    - CONFIG_EXT4_FS_POSIX_ACL: enabled
    - CONFIG_EXT4_FS_SECURITY: enabled
  - "overlayfs":
    - CONFIG_OVERLAYFS_FS: missing
```

Signed-off-by: Andrew Page <admwiggin@gmail.com>
2014-11-18 12:20:49 -07:00
Alexandr Morozov
e621f99923 Add check for IP_NF_FILTER
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-11-04 14:47:13 -08:00
Sven Dowideit
b7259dc6d4 It seems that we need these 2 options enabled for both aufs and devicemapper drivers when running on EXT4 - so test for them
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@docker.com> (github: SvenDowideit)
2014-09-17 17:03:58 +10:00
Erik Hollensbe
ce3c1f376c fix check-config.sh to check for CGROUP_PERF
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-08-20 13:37:39 +00:00
Tianon Gravi
75ba7a9b32 Add "apparmor_parser" warning to check-config.sh
If AppArmor is enabled on the current system, but "apparmor_parser" isn't installed, it causes all kinds of issues.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-07-22 10:34:28 -06:00
Tianon Gravi
a59e1949b5 Update contrib/check-config.sh to check for CGROUP_FREEZER (which is newly required), and to use /proc/mounts for checking if we have a cgroup hierarchy instead of using /proc/$$/mountinfo (which on systemd might not list the cgroup hierarchy)
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-06-07 08:43:40 -06:00