Merge pull request #27840 from estesp/add-userns-status-to-info

Add "userns" to `docker info` security options output
2022-11-09 12:21:53 -05:00 · 2016-10-29 02:58:34 +02:00 · 2016-10-29 02:58:34 +02:00 · 1fb9c4e891
commit 1fb9c4e891
parent cff976a0b8 ae74092e45
4 changed files with 12 additions and 2 deletions
--- a/daemon/info.go
+++ b/daemon/info.go
@ -78,6 +78,10 @@ func (daemon *Daemon) SystemInfo() (*types.Info, error) {
 	if selinuxEnabled() {
 		securityOptions = append(securityOptions, "selinux")
 	}
+	uid, gid := daemon.GetRemappedUIDGID()
+	if uid != 0 || gid != 0 {
+		securityOptions = append(securityOptions, "userns")
+	}

 	v := &types.Info{
 		ID:                 daemon.ID,
--- a/docs/reference/api/docker_remote_api.md
+++ b/docs/reference/api/docker_remote_api.md
@ -161,7 +161,7 @@ This section lists each version from latest to oldest.  Each listing includes a
 * `POST /networks/prune` prunes unused networks.
 * Every API response now includes a `Docker-Experimental` header specifying if experimental features are enabled (value can be `true` or `false`).
 * The `hostConfig` option now accepts the fields `CpuRealtimePeriod` and `CpuRtRuntime` to allocate cpu runtime to rt tasks when `CONFIG_RT_GROUP_SCHED` is enabled in the kernel.
-
+* The `SecurityOptions` field within the `GET /info` response now includes `userns` if user namespaces are enabled in the daemon.

 ### v1.24 API changes

--- a/docs/reference/api/docker_remote_api_v1.25.md
+++ b/docs/reference/api/docker_remote_api_v1.25.md
@ -2507,7 +2507,8 @@ Display system-wide information
        "SecurityOptions": [
            "apparmor",
            "seccomp",
-            "selinux"
+            "selinux",
+            "userns"
        ],
        "ServerVersion": "1.9.0",
        "SwapLimit": false,
--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@ -986,6 +986,11 @@ If you have a group that doesn't match the username, you may provide the `gid`
 or group name as well; otherwise the username will be used as the group name
 when querying the system for the subordinate group ID range.

+The output of `docker info` can be used to determine if the daemon is running
+with user namespaces enabled or not. If the daemon is configured with user
+namespaces, the Security Options entry in the response will list "userns" as
+one of the enabled security features.
+
 ### Detailed information on `subuid`/`subgid` ranges

 Given potential advanced use of the subordinate ID ranges by power users, the