5a922dc162
The `oom-score-adjust` option was added ina894aec8d8
, to prevent the daemon from being OOM-killed before other processes. This option was mostly added as a "convenience", as running the daemon as a systemd unit was not yet common. Having the daemon set its own limits is not best-practice, and something better handled by the process-manager starting the daemon. Commitcf7a5be0f2
fixed this option to allow disabling it, and2b8e68ef06
removed the default score adjust. This patch deprecates the option altogether, recommending users to set these limits through the process manager used, such as the "OOMScoreAdjust" option in systemd units. With this patch: dockerd --oom-score-adjust=-500 --validate Flag --oom-score-adjust has been deprecated, and will be removed in the next release. configuration OK echo '{"oom-score-adjust":-500}' > /etc/docker/daemon.json dockerd INFO[2023-04-12T21:34:51.133389627Z] Starting up INFO[2023-04-12T21:34:51.135607544Z] containerd not running, starting managed containerd WARN[2023-04-12T21:34:51.135629086Z] DEPRECATED: The "oom-score-adjust" config parameter and the dockerd "--oom-score-adjust" option will be removed in the next release. docker info Client: Context: default Debug Mode: false ... DEPRECATED: The "oom-score-adjust" config parameter and the dockerd "--oom-score-adjust" option will be removed in the next release Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
241 lines
8.6 KiB
Go
241 lines
8.6 KiB
Go
package config // import "github.com/docker/docker/daemon/config"
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"os/exec"
|
|
"path/filepath"
|
|
|
|
"github.com/containerd/cgroups/v3"
|
|
"github.com/docker/docker/api/types"
|
|
"github.com/docker/docker/api/types/container"
|
|
"github.com/docker/docker/opts"
|
|
"github.com/docker/docker/pkg/homedir"
|
|
"github.com/docker/docker/pkg/rootless"
|
|
units "github.com/docker/go-units"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
const (
|
|
// DefaultIpcMode is default for container's IpcMode, if not set otherwise
|
|
DefaultIpcMode = container.IPCModePrivate
|
|
|
|
// DefaultCgroupNamespaceMode is the default mode for containers cgroup namespace when using cgroups v2.
|
|
DefaultCgroupNamespaceMode = container.CgroupnsModePrivate
|
|
|
|
// DefaultCgroupV1NamespaceMode is the default mode for containers cgroup namespace when using cgroups v1.
|
|
DefaultCgroupV1NamespaceMode = container.CgroupnsModeHost
|
|
|
|
// StockRuntimeName is the reserved name/alias used to represent the
|
|
// OCI runtime being shipped with the docker daemon package.
|
|
StockRuntimeName = "runc"
|
|
)
|
|
|
|
// BridgeConfig stores all the bridge driver specific
|
|
// configuration.
|
|
type BridgeConfig struct {
|
|
commonBridgeConfig
|
|
|
|
// Fields below here are platform specific.
|
|
DefaultIP net.IP `json:"ip,omitempty"`
|
|
IP string `json:"bip,omitempty"`
|
|
DefaultGatewayIPv4 net.IP `json:"default-gateway,omitempty"`
|
|
DefaultGatewayIPv6 net.IP `json:"default-gateway-v6,omitempty"`
|
|
InterContainerCommunication bool `json:"icc,omitempty"`
|
|
|
|
EnableIPv6 bool `json:"ipv6,omitempty"`
|
|
EnableIPTables bool `json:"iptables,omitempty"`
|
|
EnableIP6Tables bool `json:"ip6tables,omitempty"`
|
|
EnableIPForward bool `json:"ip-forward,omitempty"`
|
|
EnableIPMasq bool `json:"ip-masq,omitempty"`
|
|
EnableUserlandProxy bool `json:"userland-proxy,omitempty"`
|
|
UserlandProxyPath string `json:"userland-proxy-path,omitempty"`
|
|
FixedCIDRv6 string `json:"fixed-cidr-v6,omitempty"`
|
|
}
|
|
|
|
// Config defines the configuration of a docker daemon.
|
|
// It includes json tags to deserialize configuration from a file
|
|
// using the same names that the flags in the command line uses.
|
|
type Config struct {
|
|
CommonConfig
|
|
|
|
// Fields below here are platform specific.
|
|
Runtimes map[string]types.Runtime `json:"runtimes,omitempty"`
|
|
DefaultInitBinary string `json:"default-init,omitempty"`
|
|
CgroupParent string `json:"cgroup-parent,omitempty"`
|
|
EnableSelinuxSupport bool `json:"selinux-enabled,omitempty"`
|
|
RemappedRoot string `json:"userns-remap,omitempty"`
|
|
Ulimits map[string]*units.Ulimit `json:"default-ulimits,omitempty"`
|
|
CPURealtimePeriod int64 `json:"cpu-rt-period,omitempty"`
|
|
CPURealtimeRuntime int64 `json:"cpu-rt-runtime,omitempty"`
|
|
OOMScoreAdjust int `json:"oom-score-adjust,omitempty"` // Deprecated: configure the daemon's oom-score-adjust using a process manager instead.
|
|
Init bool `json:"init,omitempty"`
|
|
InitPath string `json:"init-path,omitempty"`
|
|
SeccompProfile string `json:"seccomp-profile,omitempty"`
|
|
ShmSize opts.MemBytes `json:"default-shm-size,omitempty"`
|
|
NoNewPrivileges bool `json:"no-new-privileges,omitempty"`
|
|
IpcMode string `json:"default-ipc-mode,omitempty"`
|
|
CgroupNamespaceMode string `json:"default-cgroupns-mode,omitempty"`
|
|
// ResolvConf is the path to the configuration of the host resolver
|
|
ResolvConf string `json:"resolv-conf,omitempty"`
|
|
Rootless bool `json:"rootless,omitempty"`
|
|
}
|
|
|
|
// GetRuntime returns the runtime path and arguments for a given
|
|
// runtime name
|
|
func (conf *Config) GetRuntime(name string) *types.Runtime {
|
|
conf.Lock()
|
|
defer conf.Unlock()
|
|
if rt, ok := conf.Runtimes[name]; ok {
|
|
return &rt
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GetAllRuntimes returns a copy of the runtimes map
|
|
func (conf *Config) GetAllRuntimes() map[string]types.Runtime {
|
|
conf.Lock()
|
|
rts := conf.Runtimes
|
|
conf.Unlock()
|
|
return rts
|
|
}
|
|
|
|
// GetExecRoot returns the user configured Exec-root
|
|
func (conf *Config) GetExecRoot() string {
|
|
return conf.ExecRoot
|
|
}
|
|
|
|
// GetInitPath returns the configured docker-init path
|
|
func (conf *Config) GetInitPath() string {
|
|
conf.Lock()
|
|
defer conf.Unlock()
|
|
if conf.InitPath != "" {
|
|
return conf.InitPath
|
|
}
|
|
if conf.DefaultInitBinary != "" {
|
|
return conf.DefaultInitBinary
|
|
}
|
|
return DefaultInitBinary
|
|
}
|
|
|
|
// LookupInitPath returns an absolute path to the "docker-init" binary by searching relevant "libexec" directories (per FHS 3.0 & 2.3) followed by PATH
|
|
func (conf *Config) LookupInitPath() (string, error) {
|
|
binary := conf.GetInitPath()
|
|
if filepath.IsAbs(binary) {
|
|
return binary, nil
|
|
}
|
|
|
|
for _, dir := range []string{
|
|
// FHS 3.0: "/usr/libexec includes internal binaries that are not intended to be executed directly by users or shell scripts. Applications may use a single subdirectory under /usr/libexec."
|
|
// https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html
|
|
"/usr/local/libexec/docker",
|
|
"/usr/libexec/docker",
|
|
|
|
// FHS 2.3: "/usr/lib includes object files, libraries, and internal binaries that are not intended to be executed directly by users or shell scripts."
|
|
// https://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#USRLIBLIBRARIESFORPROGRAMMINGANDPA
|
|
"/usr/local/lib/docker",
|
|
"/usr/lib/docker",
|
|
} {
|
|
// exec.LookPath has a fast-path short-circuit for paths that contain "/" (skipping the PATH lookup) that then verifies whether the given path is likely to be an actual executable binary (so we invoke that instead of reimplementing the same checks)
|
|
if file, err := exec.LookPath(filepath.Join(dir, binary)); err == nil {
|
|
return file, nil
|
|
}
|
|
}
|
|
|
|
// if we checked all the "libexec" directories and found no matches, fall back to PATH
|
|
return exec.LookPath(binary)
|
|
}
|
|
|
|
// GetResolvConf returns the appropriate resolv.conf
|
|
// Check setupResolvConf on how this is selected
|
|
func (conf *Config) GetResolvConf() string {
|
|
return conf.ResolvConf
|
|
}
|
|
|
|
// IsSwarmCompatible defines if swarm mode can be enabled in this config
|
|
func (conf *Config) IsSwarmCompatible() error {
|
|
if conf.LiveRestoreEnabled {
|
|
return fmt.Errorf("--live-restore daemon configuration is incompatible with swarm mode")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func verifyDefaultIpcMode(mode string) error {
|
|
const hint = `use "shareable" or "private"`
|
|
|
|
dm := container.IpcMode(mode)
|
|
if !dm.Valid() {
|
|
return fmt.Errorf("default IPC mode setting (%v) is invalid; "+hint, dm)
|
|
}
|
|
if dm != "" && !dm.IsPrivate() && !dm.IsShareable() {
|
|
return fmt.Errorf(`IPC mode "%v" is not supported as default value; `+hint, dm)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func verifyDefaultCgroupNsMode(mode string) error {
|
|
cm := container.CgroupnsMode(mode)
|
|
if !cm.Valid() {
|
|
return fmt.Errorf(`default cgroup namespace mode (%v) is invalid; use "host" or "private"`, cm)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ValidatePlatformConfig checks if any platform-specific configuration settings are invalid.
|
|
func (conf *Config) ValidatePlatformConfig() error {
|
|
if err := verifyDefaultIpcMode(conf.IpcMode); err != nil {
|
|
return err
|
|
}
|
|
|
|
return verifyDefaultCgroupNsMode(conf.CgroupNamespaceMode)
|
|
}
|
|
|
|
// IsRootless returns conf.Rootless on Linux but false on Windows
|
|
func (conf *Config) IsRootless() bool {
|
|
return conf.Rootless
|
|
}
|
|
|
|
func setPlatformDefaults(cfg *Config) error {
|
|
cfg.Ulimits = make(map[string]*units.Ulimit)
|
|
cfg.ShmSize = opts.MemBytes(DefaultShmSize)
|
|
cfg.SeccompProfile = SeccompProfileDefault
|
|
cfg.IpcMode = string(DefaultIpcMode)
|
|
cfg.Runtimes = make(map[string]types.Runtime)
|
|
|
|
if cgroups.Mode() != cgroups.Unified {
|
|
cfg.CgroupNamespaceMode = string(DefaultCgroupV1NamespaceMode)
|
|
} else {
|
|
cfg.CgroupNamespaceMode = string(DefaultCgroupNamespaceMode)
|
|
}
|
|
|
|
if rootless.RunningWithRootlessKit() {
|
|
cfg.Rootless = true
|
|
|
|
var err error
|
|
// use rootlesskit-docker-proxy for exposing the ports in RootlessKit netns to the initial namespace.
|
|
cfg.BridgeConfig.UserlandProxyPath, err = exec.LookPath(rootless.RootlessKitDockerProxyBinary)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "running with RootlessKit, but %s not installed", rootless.RootlessKitDockerProxyBinary)
|
|
}
|
|
|
|
dataHome, err := homedir.GetDataHome()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
runtimeDir, err := homedir.GetRuntimeDir()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg.Root = filepath.Join(dataHome, "docker")
|
|
cfg.ExecRoot = filepath.Join(runtimeDir, "docker")
|
|
cfg.Pidfile = filepath.Join(runtimeDir, "docker.pid")
|
|
} else {
|
|
cfg.Root = "/var/lib/docker"
|
|
cfg.ExecRoot = "/var/run/docker"
|
|
cfg.Pidfile = "/var/run/docker.pid"
|
|
}
|
|
|
|
return nil
|
|
}
|