moby/daemon/info_unix.go
Sebastiaan van Stijn 20a1d23b39
Merge pull request #45320 from akerouanton/info-no-new-privileges
Add no-new-privileges to SecurityOptions returned by /info
2023-04-18 14:37:15 +02:00

375 lines
12 KiB
Go

//go:build !windows
// +build !windows
package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"fmt"
"os/exec"
"path/filepath"
"strings"
"github.com/docker/docker/api/types"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/pkg/rootless"
"github.com/docker/docker/pkg/sysinfo"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
// fillPlatformInfo fills the platform related info.
func (daemon *Daemon) fillPlatformInfo(v *types.Info, sysInfo *sysinfo.SysInfo) {
v.CgroupDriver = daemon.getCgroupDriver()
v.CgroupVersion = "1"
if sysInfo.CgroupUnified {
v.CgroupVersion = "2"
}
if v.CgroupDriver != cgroupNoneDriver {
v.MemoryLimit = sysInfo.MemoryLimit
v.SwapLimit = sysInfo.SwapLimit
v.KernelMemory = sysInfo.KernelMemory
v.KernelMemoryTCP = sysInfo.KernelMemoryTCP
v.OomKillDisable = sysInfo.OomKillDisable
v.CPUCfsPeriod = sysInfo.CPUCfs
v.CPUCfsQuota = sysInfo.CPUCfs
v.CPUShares = sysInfo.CPUShares
v.CPUSet = sysInfo.Cpuset
v.PidsLimit = sysInfo.PidsLimit
}
v.Runtimes = daemon.configStore.GetAllRuntimes()
v.DefaultRuntime = daemon.configStore.GetDefaultRuntimeName()
v.RuncCommit.ID = "N/A"
v.ContainerdCommit.ID = "N/A"
v.InitCommit.ID = "N/A"
if rt := daemon.configStore.GetRuntime(v.DefaultRuntime); rt != nil {
if rv, err := exec.Command(rt.Path, "--version").Output(); err == nil {
if _, _, commit, err := parseRuntimeVersion(string(rv)); err != nil {
logrus.Warnf("failed to parse %s version: %v", rt.Path, err)
} else {
v.RuncCommit.ID = commit
}
} else {
logrus.Warnf("failed to retrieve %s version: %v", rt.Path, err)
}
}
if rv, err := daemon.containerd.Version(context.Background()); err == nil {
v.ContainerdCommit.ID = rv.Revision
} else {
logrus.Warnf("failed to retrieve containerd version: %v", err)
}
v.InitBinary = daemon.configStore.GetInitPath()
if initBinary, err := daemon.configStore.LookupInitPath(); err != nil {
logrus.Warnf("failed to find docker-init: %s", err)
} else if rv, err := exec.Command(initBinary, "--version").Output(); err == nil {
if _, commit, err := parseInitVersion(string(rv)); err != nil {
logrus.Warnf("failed to parse %s version: %s", initBinary, err)
} else {
v.InitCommit.ID = commit
}
} else {
logrus.Warnf("failed to retrieve %s version: %s", initBinary, err)
}
// Set expected and actual commits to the same value to prevent the client
// showing that the version does not match the "expected" version/commit.
v.RuncCommit.Expected = v.RuncCommit.ID
v.ContainerdCommit.Expected = v.ContainerdCommit.ID
v.InitCommit.Expected = v.InitCommit.ID
if v.CgroupDriver == cgroupNoneDriver {
if v.CgroupVersion == "2" {
v.Warnings = append(v.Warnings, "WARNING: Running in rootless-mode without cgroups. Systemd is required to enable cgroups in rootless-mode.")
} else {
v.Warnings = append(v.Warnings, "WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.")
}
} else {
if !v.MemoryLimit {
v.Warnings = append(v.Warnings, "WARNING: No memory limit support")
}
if !v.SwapLimit {
v.Warnings = append(v.Warnings, "WARNING: No swap limit support")
}
if !v.KernelMemoryTCP && v.CgroupVersion == "1" {
// kernel memory is not available for cgroup v2.
// Warning is not printed on cgroup v2, because there is no action user can take.
v.Warnings = append(v.Warnings, "WARNING: No kernel memory TCP limit support")
}
if !v.OomKillDisable && v.CgroupVersion == "1" {
// oom kill disable is not available for cgroup v2.
// Warning is not printed on cgroup v2, because there is no action user can take.
v.Warnings = append(v.Warnings, "WARNING: No oom kill disable support")
}
if !v.CPUCfsQuota {
v.Warnings = append(v.Warnings, "WARNING: No cpu cfs quota support")
}
if !v.CPUCfsPeriod {
v.Warnings = append(v.Warnings, "WARNING: No cpu cfs period support")
}
if !v.CPUShares {
v.Warnings = append(v.Warnings, "WARNING: No cpu shares support")
}
if !v.CPUSet {
v.Warnings = append(v.Warnings, "WARNING: No cpuset support")
}
// TODO add fields for these options in types.Info
if !sysInfo.BlkioWeight && v.CgroupVersion == "2" {
// blkio weight is not available on cgroup v1 since kernel 5.0.
// Warning is not printed on cgroup v1, because there is no action user can take.
// On cgroup v2, blkio weight is implemented using io.weight
v.Warnings = append(v.Warnings, "WARNING: No io.weight support")
}
if !sysInfo.BlkioWeightDevice && v.CgroupVersion == "2" {
v.Warnings = append(v.Warnings, "WARNING: No io.weight (per device) support")
}
if !sysInfo.BlkioReadBpsDevice {
if v.CgroupVersion == "2" {
v.Warnings = append(v.Warnings, "WARNING: No io.max (rbps) support")
} else {
v.Warnings = append(v.Warnings, "WARNING: No blkio throttle.read_bps_device support")
}
}
if !sysInfo.BlkioWriteBpsDevice {
if v.CgroupVersion == "2" {
v.Warnings = append(v.Warnings, "WARNING: No io.max (wbps) support")
} else {
v.Warnings = append(v.Warnings, "WARNING: No blkio throttle.write_bps_device support")
}
}
if !sysInfo.BlkioReadIOpsDevice {
if v.CgroupVersion == "2" {
v.Warnings = append(v.Warnings, "WARNING: No io.max (riops) support")
} else {
v.Warnings = append(v.Warnings, "WARNING: No blkio throttle.read_iops_device support")
}
}
if !sysInfo.BlkioWriteIOpsDevice {
if v.CgroupVersion == "2" {
v.Warnings = append(v.Warnings, "WARNING: No io.max (wiops) support")
} else {
v.Warnings = append(v.Warnings, "WARNING: No blkio throttle.write_iops_device support")
}
}
}
if !v.IPv4Forwarding {
v.Warnings = append(v.Warnings, "WARNING: IPv4 forwarding is disabled")
}
if !v.BridgeNfIptables {
v.Warnings = append(v.Warnings, "WARNING: bridge-nf-call-iptables is disabled")
}
if !v.BridgeNfIP6tables {
v.Warnings = append(v.Warnings, "WARNING: bridge-nf-call-ip6tables is disabled")
}
if daemon.configStore.OOMScoreAdjust != 0 {
v.Warnings = append(v.Warnings, `DEPRECATED: The "oom-score-adjust" config parameter and the dockerd "--oom-score-adjust" option will be removed in the next release`)
}
}
func (daemon *Daemon) fillPlatformVersion(v *types.Version) {
if rv, err := daemon.containerd.Version(context.Background()); err == nil {
v.Components = append(v.Components, types.ComponentVersion{
Name: "containerd",
Version: rv.Version,
Details: map[string]string{
"GitCommit": rv.Revision,
},
})
}
defaultRuntime := daemon.configStore.GetDefaultRuntimeName()
if rt := daemon.configStore.GetRuntime(defaultRuntime); rt != nil {
if rv, err := exec.Command(rt.Path, "--version").Output(); err == nil {
if _, ver, commit, err := parseRuntimeVersion(string(rv)); err != nil {
logrus.Warnf("failed to parse %s version: %v", rt.Path, err)
} else {
v.Components = append(v.Components, types.ComponentVersion{
Name: defaultRuntime,
Version: ver,
Details: map[string]string{
"GitCommit": commit,
},
})
}
} else {
logrus.Warnf("failed to retrieve %s version: %v", rt.Path, err)
}
}
if initBinary, err := daemon.configStore.LookupInitPath(); err != nil {
logrus.Warnf("failed to find docker-init: %s", err)
} else if rv, err := exec.Command(initBinary, "--version").Output(); err == nil {
if ver, commit, err := parseInitVersion(string(rv)); err != nil {
logrus.Warnf("failed to parse %s version: %s", initBinary, err)
} else {
v.Components = append(v.Components, types.ComponentVersion{
Name: filepath.Base(initBinary),
Version: ver,
Details: map[string]string{
"GitCommit": commit,
},
})
}
} else {
logrus.Warnf("failed to retrieve %s version: %s", initBinary, err)
}
daemon.fillRootlessVersion(v)
}
func (daemon *Daemon) fillRootlessVersion(v *types.Version) {
if !rootless.RunningWithRootlessKit() {
return
}
rlc, err := rootless.GetRootlessKitClient()
if err != nil {
logrus.Warnf("failed to create RootlessKit client: %v", err)
return
}
rlInfo, err := rlc.Info(context.TODO())
if err != nil {
logrus.Warnf("failed to retrieve RootlessKit version: %v", err)
return
}
v.Components = append(v.Components, types.ComponentVersion{
Name: "rootlesskit",
Version: rlInfo.Version,
Details: map[string]string{
"ApiVersion": rlInfo.APIVersion,
"StateDir": rlInfo.StateDir,
"NetworkDriver": rlInfo.NetworkDriver.Driver,
"PortDriver": rlInfo.PortDriver.Driver,
},
})
switch rlInfo.NetworkDriver.Driver {
case "slirp4netns":
if rv, err := exec.Command("slirp4netns", "--version").Output(); err == nil {
if _, ver, commit, err := parseRuntimeVersion(string(rv)); err != nil {
logrus.Warnf("failed to parse slirp4netns version: %v", err)
} else {
v.Components = append(v.Components, types.ComponentVersion{
Name: "slirp4netns",
Version: ver,
Details: map[string]string{
"GitCommit": commit,
},
})
}
} else {
logrus.Warnf("failed to retrieve slirp4netns version: %v", err)
}
case "vpnkit":
if rv, err := exec.Command("vpnkit", "--version").Output(); err == nil {
v.Components = append(v.Components, types.ComponentVersion{
Name: "vpnkit",
Version: strings.TrimSpace(string(rv)),
})
} else {
logrus.Warnf("failed to retrieve vpnkit version: %v", err)
}
}
}
func fillDriverWarnings(v *types.Info) {
for _, pair := range v.DriverStatus {
if pair[0] == "Data loop file" {
msg := fmt.Sprintf("WARNING: %s: usage of loopback devices is "+
"strongly discouraged for production use.\n "+
"Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.", v.Driver)
v.Warnings = append(v.Warnings, msg)
continue
}
if pair[0] == "Supports d_type" && pair[1] == "false" {
backingFs := getBackingFs(v)
msg := fmt.Sprintf("WARNING: %s: the backing %s filesystem is formatted without d_type support, which leads to incorrect behavior.\n", v.Driver, backingFs)
if backingFs == "xfs" {
msg += " Reformat the filesystem with ftype=1 to enable d_type support.\n"
}
msg += " Running without d_type support will not be supported in future releases."
v.Warnings = append(v.Warnings, msg)
continue
}
}
}
func getBackingFs(v *types.Info) string {
for _, pair := range v.DriverStatus {
if pair[0] == "Backing Filesystem" {
return pair[1]
}
}
return ""
}
// parseInitVersion parses a Tini version string, and extracts the "version"
// and "git commit" from the output.
//
// Output example from `docker-init --version`:
//
// tini version 0.18.0 - git.fec3683
func parseInitVersion(v string) (version string, commit string, err error) {
parts := strings.Split(v, " - ")
if len(parts) >= 2 {
gitParts := strings.Split(strings.TrimSpace(parts[1]), ".")
if len(gitParts) == 2 && gitParts[0] == "git" {
commit = gitParts[1]
}
}
parts[0] = strings.TrimSpace(parts[0])
if strings.HasPrefix(parts[0], "tini version ") {
version = strings.TrimPrefix(parts[0], "tini version ")
}
if version == "" && commit == "" {
err = errors.Errorf("unknown output format: %s", v)
}
return version, commit, err
}
// parseRuntimeVersion parses the output of `[runtime] --version` and extracts the
// "name", "version" and "git commit" from the output.
//
// Output example from `runc --version`:
//
// runc version 1.0.0-rc5+dev
// commit: 69663f0bd4b60df09991c08812a60108003fa340
// spec: 1.0.0
func parseRuntimeVersion(v string) (runtime string, version string, commit string, err error) {
lines := strings.Split(strings.TrimSpace(v), "\n")
for _, line := range lines {
if strings.Contains(line, "version") {
s := strings.Split(line, "version")
runtime = strings.TrimSpace(s[0])
version = strings.TrimSpace(s[len(s)-1])
continue
}
if strings.HasPrefix(line, "commit:") {
commit = strings.TrimSpace(strings.TrimPrefix(line, "commit:"))
continue
}
}
if version == "" && commit == "" {
err = errors.Errorf("unknown output format: %s", v)
}
return runtime, version, commit, err
}
func (daemon *Daemon) cgroupNamespacesEnabled(sysInfo *sysinfo.SysInfo) bool {
return sysInfo.CgroupNamespaces && containertypes.CgroupnsMode(daemon.configStore.CgroupNamespaceMode).IsPrivate()
}
// Rootless returns true if daemon is running in rootless mode
func (daemon *Daemon) Rootless() bool {
return daemon.configStore.Rootless
}
func (daemon *Daemon) noNewPrivileges() bool {
return daemon.configStore.NoNewPrivileges
}