From ae74092e450f1f2665b90257b65513cc0c19702f Mon Sep 17 00:00:00 2001 From: Phil Estes Date: Fri, 28 Oct 2016 00:35:51 +0200 Subject: [PATCH] Add "userns" to `docker info` security options output If user namespaces is enabled on the daemon, reveal that via docker info by adding "userns" to the list of security options reported by the info endpoint. Signed-off-by: Phil Estes --- daemon/info.go | 4 ++++ docs/reference/api/docker_remote_api.md | 2 +- docs/reference/api/docker_remote_api_v1.25.md | 3 ++- docs/reference/commandline/dockerd.md | 5 +++++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/daemon/info.go b/daemon/info.go index d57616a3d5..00ecebf438 100644 --- a/daemon/info.go +++ b/daemon/info.go @@ -78,6 +78,10 @@ func (daemon *Daemon) SystemInfo() (*types.Info, error) { if selinuxEnabled() { securityOptions = append(securityOptions, "selinux") } + uid, gid := daemon.GetRemappedUIDGID() + if uid != 0 || gid != 0 { + securityOptions = append(securityOptions, "userns") + } v := &types.Info{ ID: daemon.ID, diff --git a/docs/reference/api/docker_remote_api.md b/docs/reference/api/docker_remote_api.md index d3b6cb08a5..cd17625698 100644 --- a/docs/reference/api/docker_remote_api.md +++ b/docs/reference/api/docker_remote_api.md @@ -161,7 +161,7 @@ This section lists each version from latest to oldest. Each listing includes a * `POST /networks/prune` prunes unused networks. * Every API response now includes a `Docker-Experimental` header specifying if experimental features are enabled (value can be `true` or `false`). * The `hostConfig` option now accepts the fields `CpuRealtimePeriod` and `CpuRtRuntime` to allocate cpu runtime to rt tasks when `CONFIG_RT_GROUP_SCHED` is enabled in the kernel. - +* The `SecurityOptions` field within the `GET /info` response now includes `userns` if user namespaces are enabled in the daemon. ### v1.24 API changes diff --git a/docs/reference/api/docker_remote_api_v1.25.md b/docs/reference/api/docker_remote_api_v1.25.md index 824a4c2b51..7b758db7d9 100644 --- a/docs/reference/api/docker_remote_api_v1.25.md +++ b/docs/reference/api/docker_remote_api_v1.25.md @@ -2503,7 +2503,8 @@ Display system-wide information "SecurityOptions": [ "apparmor", "seccomp", - "selinux" + "selinux", + "userns" ], "ServerVersion": "1.9.0", "SwapLimit": false, diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md index b894af4d20..cabcea24e3 100644 --- a/docs/reference/commandline/dockerd.md +++ b/docs/reference/commandline/dockerd.md @@ -986,6 +986,11 @@ If you have a group that doesn't match the username, you may provide the `gid` or group name as well; otherwise the username will be used as the group name when querying the system for the subordinate group ID range. +The output of `docker info` can be used to determine if the daemon is running +with user namespaces enabled or not. If the daemon is configured with user +namespaces, the Security Options entry in the response will list "userns" as +one of the enabled security features. + ### Detailed information on `subuid`/`subgid` ranges Given potential advanced use of the subordinate ID ranges by power users, the