moby--moby/rootless/specconv/specconv_linux.go

package specconv // import "github.com/docker/docker/rootless/specconv"

import (
	"io/ioutil"
	"strconv"

	specs "github.com/opencontainers/runtime-spec/specs-go"
)

// ToRootless converts spec to be compatible with "rootless" runc.
// * Remove non-supported cgroups
// * Fix up OOMScoreAdj
//
// v2Controllers should be non-nil only if running with v2 and systemd.
func ToRootless(spec *specs.Spec, v2Controllers []string) error {
	return toRootless(spec, v2Controllers, getCurrentOOMScoreAdj())
}

func getCurrentOOMScoreAdj() int {
	b, err := ioutil.ReadFile("/proc/self/oom_score_adj")
	if err != nil {
		return 0
	}
	i, err := strconv.Atoi(string(b))
	if err != nil {
		return 0
	}
	return i
}

func toRootless(spec *specs.Spec, v2Controllers []string, currentOOMScoreAdj int) error {
	if len(v2Controllers) == 0 {
		// Remove cgroup settings.
		spec.Linux.Resources = nil
		spec.Linux.CgroupsPath = ""
	} else {
		if spec.Linux.Resources != nil {
			m := make(map[string]struct{})
			for _, s := range v2Controllers {
				m[s] = struct{}{}
			}
			// Remove devices: https://github.com/containers/crun/issues/255
			spec.Linux.Resources.Devices = nil
			if _, ok := m["memory"]; !ok {
				spec.Linux.Resources.Memory = nil
			}
			if _, ok := m["cpu"]; !ok {
				spec.Linux.Resources.CPU = nil
			}
			if _, ok := m["cpuset"]; !ok {
				if spec.Linux.Resources.CPU != nil {
					spec.Linux.Resources.CPU.Cpus = ""
					spec.Linux.Resources.CPU.Mems = ""
				}
			}
			if _, ok := m["pids"]; !ok {
				spec.Linux.Resources.Pids = nil
			}
			if _, ok := m["io"]; !ok {
				spec.Linux.Resources.BlockIO = nil
			}
			if _, ok := m["rdma"]; !ok {
				spec.Linux.Resources.Rdma = nil
			}
			spec.Linux.Resources.HugepageLimits = nil
			spec.Linux.Resources.Network = nil
		}
	}

	if spec.Process.OOMScoreAdj != nil && *spec.Process.OOMScoreAdj < currentOOMScoreAdj {
		*spec.Process.OOMScoreAdj = currentOOMScoreAdj
	}
	return nil
}
Add more import comments Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-04-10 10:59:33 -04:00			`package specconv // import "github.com/docker/docker/rootless/specconv"`
allow running `dockerd` in an unprivileged user namespace (rootless mode) Please refer to `docs/rootless.md`. TLDR: * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you * `dockerd-rootless.sh --experimental` * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2018-10-15 03:52:53 -04:00
			`import (`
			`"io/ioutil"`
			`"strconv"`

goimports: fix imports Format the source according to latest goimports. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2019-08-05 10:37:47 -04:00			`specs "github.com/opencontainers/runtime-spec/specs-go"`
allow running `dockerd` in an unprivileged user namespace (rootless mode) Please refer to `docs/rootless.md`. TLDR: * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you * `dockerd-rootless.sh --experimental` * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2018-10-15 03:52:53 -04:00			`)`

			`// ToRootless converts spec to be compatible with "rootless" runc.`
rootless: support `--exec-opt native.cgroupdriver=systemd` Support cgroup as in Rootless Podman. Requires cgroup v2 host with crun. Tested with Ubuntu 19.10 (kernel 5.3, systemd 242), crun v0.12.1. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2020-02-10 00:37:22 -05:00			`// * Remove non-supported cgroups`
allow running `dockerd` in an unprivileged user namespace (rootless mode) Please refer to `docs/rootless.md`. TLDR: * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you * `dockerd-rootless.sh --experimental` * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2018-10-15 03:52:53 -04:00			`// * Fix up OOMScoreAdj`
rootless: support `--exec-opt native.cgroupdriver=systemd` Support cgroup as in Rootless Podman. Requires cgroup v2 host with crun. Tested with Ubuntu 19.10 (kernel 5.3, systemd 242), crun v0.12.1. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2020-02-10 00:37:22 -05:00			`//`
			`// v2Controllers should be non-nil only if running with v2 and systemd.`
			`func ToRootless(spec *specs.Spec, v2Controllers []string) error {`
			`return toRootless(spec, v2Controllers, getCurrentOOMScoreAdj())`
allow running `dockerd` in an unprivileged user namespace (rootless mode) Please refer to `docs/rootless.md`. TLDR: * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you * `dockerd-rootless.sh --experimental` * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2018-10-15 03:52:53 -04:00			`}`

			`func getCurrentOOMScoreAdj() int {`
			`b, err := ioutil.ReadFile("/proc/self/oom_score_adj")`
			`if err != nil {`
			`return 0`
			`}`
			`i, err := strconv.Atoi(string(b))`
			`if err != nil {`
			`return 0`
			`}`
			`return i`
			`}`

rootless: support `--exec-opt native.cgroupdriver=systemd` Support cgroup as in Rootless Podman. Requires cgroup v2 host with crun. Tested with Ubuntu 19.10 (kernel 5.3, systemd 242), crun v0.12.1. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2020-02-10 00:37:22 -05:00			`func toRootless(spec *specs.Spec, v2Controllers []string, currentOOMScoreAdj int) error {`
			`if len(v2Controllers) == 0 {`
			`// Remove cgroup settings.`
			`spec.Linux.Resources = nil`
			`spec.Linux.CgroupsPath = ""`
			`} else {`
			`if spec.Linux.Resources != nil {`
			`m := make(map[string]struct{})`
			`for _, s := range v2Controllers {`
			`m[s] = struct{}{}`
			`}`
			`// Remove devices: https://github.com/containers/crun/issues/255`
			`spec.Linux.Resources.Devices = nil`
			`if _, ok := m["memory"]; !ok {`
			`spec.Linux.Resources.Memory = nil`
			`}`
			`if _, ok := m["cpu"]; !ok {`
			`spec.Linux.Resources.CPU = nil`
			`}`
			`if _, ok := m["cpuset"]; !ok {`
			`if spec.Linux.Resources.CPU != nil {`
			`spec.Linux.Resources.CPU.Cpus = ""`
			`spec.Linux.Resources.CPU.Mems = ""`
			`}`
			`}`
			`if _, ok := m["pids"]; !ok {`
			`spec.Linux.Resources.Pids = nil`
			`}`
			`if _, ok := m["io"]; !ok {`
			`spec.Linux.Resources.BlockIO = nil`
			`}`
			`if _, ok := m["rdma"]; !ok {`
			`spec.Linux.Resources.Rdma = nil`
			`}`
			`spec.Linux.Resources.HugepageLimits = nil`
			`spec.Linux.Resources.Network = nil`
			`}`
			`}`
allow running `dockerd` in an unprivileged user namespace (rootless mode) Please refer to `docs/rootless.md`. TLDR: * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you * `dockerd-rootless.sh --experimental` * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> 2018-10-15 03:52:53 -04:00
			`if spec.Process.OOMScoreAdj != nil && *spec.Process.OOMScoreAdj < currentOOMScoreAdj {`
			`*spec.Process.OOMScoreAdj = currentOOMScoreAdj`
			`}`
			`return nil`
			`}`