//go:build linux
// +build linux
package daemon // import "github.com/docker/docker/daemon"
import (
"fmt"
"os"
"strconv"
"strings"
)
// procfs entries for the root user's kernel keyring quota.
const (
	// rootKeyFile holds the maximum number of keys root may own.
	rootKeyFile = "/proc/sys/kernel/keys/root_maxkeys"
	// rootBytesFile holds the maximum number of bytes of key data root may own.
	rootBytesFile = "/proc/sys/kernel/keys/root_maxbytes"
)

// Target values written to the quota entries above.
const (
	// rootKeyLimit is the minimum root_maxkeys value this package accepts
	// before raising it.
	rootKeyLimit = 1000000
	// rootKeyByteMultiplier converts a key count into the matching byte quota;
	// it is standard configuration to allocate 25 bytes per key.
	rootKeyByteMultiplier = 25
)
// modifyRootKeyLimit raises the root user's keyring quota when the current
// key-count limit read from rootKeyFile is below rootKeyLimit. In that case it
// calls setRootKeyLimit, which writes rootKeyLimit to the key-count entry and
// rootKeyLimit*rootKeyByteMultiplier to the byte-quota entry.
//
// A key-count limit that is already at or above rootKeyLimit is left alone, so
// the key count is never lowered. Only root_maxkeys is inspected: the byte
// quota is not read first, so when a raise happens any existing root_maxbytes
// value is overwritten, including a larger one set by an administrator.
//
// NOTE(review): these entries look like host-wide kernel tunables rather than
// per-container settings; confirm callers expect a change outside the daemon.
func modifyRootKeyLimit() error {
	current, err := readRootKeyLimit(rootKeyFile)
	if err != nil {
		return err
	}
	// Nothing to do when the host already allows enough keys.
	if current >= rootKeyLimit {
		return nil
	}
	return setRootKeyLimit(rootKeyLimit)
}
// setRootKeyLimit writes limit to rootKeyFile and then
// limit*rootKeyByteMultiplier to rootBytesFile, returning the first error
// encountered.
//
// The two writes are not atomic: if opening or writing rootBytesFile fails,
// the new key-count limit has already been written and stays in place.
func setRootKeyLimit(limit int) error {
	// O_WRONLY without O_CREATE: a missing procfs entry is reported as an
	// error rather than being created as a regular file.
	keysFile, err := os.OpenFile(rootKeyFile, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer keysFile.Close()

	_, err = fmt.Fprintf(keysFile, "%d", limit)
	if err != nil {
		return err
	}

	bytesFile, err := os.OpenFile(rootBytesFile, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer bytesFile.Close()

	// The byte quota is derived from the key count, not configured separately.
	_, err = fmt.Fprintf(bytesFile, "%d", limit*rootKeyByteMultiplier)
	return err
}
// readRootKeyLimit reads the file at path and parses its contents as a decimal
// integer after stripping leading and trailing newline characters.
//
// It returns -1 and the read error when the file cannot be read. When the
// contents are not a valid integer it returns whatever strconv.Atoi returns,
// so callers must check the error instead of relying on the numeric value.
// Only "\n" is trimmed; other surrounding whitespace makes the parse fail.
func readRootKeyLimit(path string) (int, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return -1, err
	}
	text := strings.Trim(string(raw), "\n")
	return strconv.Atoi(text)
}