mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Verify cgroup-parent name for systemd cgroup
Fixes: #17126 Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
parent
a5fc987d2e
commit
6934594ae0
4 changed files with 38 additions and 17 deletions
|
@ -21,7 +21,6 @@ import (
|
||||||
"github.com/docker/docker/pkg/fileutils"
|
"github.com/docker/docker/pkg/fileutils"
|
||||||
"github.com/docker/docker/pkg/idtools"
|
"github.com/docker/docker/pkg/idtools"
|
||||||
"github.com/docker/docker/pkg/mount"
|
"github.com/docker/docker/pkg/mount"
|
||||||
"github.com/docker/docker/pkg/parsers"
|
|
||||||
"github.com/docker/docker/pkg/stringid"
|
"github.com/docker/docker/pkg/stringid"
|
||||||
"github.com/docker/docker/runconfig"
|
"github.com/docker/docker/runconfig"
|
||||||
containertypes "github.com/docker/engine-api/types/container"
|
containertypes "github.com/docker/engine-api/types/container"
|
||||||
|
@ -249,17 +248,9 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
|
||||||
defaultCgroupParent := "/docker"
|
defaultCgroupParent := "/docker"
|
||||||
if daemon.configStore.CgroupParent != "" {
|
if daemon.configStore.CgroupParent != "" {
|
||||||
defaultCgroupParent = daemon.configStore.CgroupParent
|
defaultCgroupParent = daemon.configStore.CgroupParent
|
||||||
} else {
|
} else if daemon.usingSystemd() {
|
||||||
for _, option := range daemon.configStore.ExecOptions {
|
|
||||||
key, val, err := parsers.ParseKeyValueOpt(option)
|
|
||||||
if err != nil || !strings.EqualFold(key, "native.cgroupdriver") {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if val == "systemd" {
|
|
||||||
defaultCgroupParent = "system.slice"
|
defaultCgroupParent = "system.slice"
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
|
||||||
c.Command = &execdriver.Command{
|
c.Command = &execdriver.Command{
|
||||||
CommonCommand: execdriver.CommonCommand{
|
CommonCommand: execdriver.CommonCommand{
|
||||||
ID: c.ID,
|
ID: c.ID,
|
||||||
|
|
|
@ -595,8 +595,8 @@ func (daemon *Daemon) registerLink(parent, child *container.Container, alias str
|
||||||
func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemon, err error) {
|
func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemon, err error) {
|
||||||
setDefaultMtu(config)
|
setDefaultMtu(config)
|
||||||
|
|
||||||
// Ensure we have compatible configuration options
|
// Ensure we have compatible and valid configuration options
|
||||||
if err := checkConfigOptions(config); err != nil {
|
if err := verifyDaemonSettings(config); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -18,6 +18,7 @@ import (
|
||||||
"github.com/docker/docker/image"
|
"github.com/docker/docker/image"
|
||||||
"github.com/docker/docker/layer"
|
"github.com/docker/docker/layer"
|
||||||
"github.com/docker/docker/pkg/idtools"
|
"github.com/docker/docker/pkg/idtools"
|
||||||
|
"github.com/docker/docker/pkg/parsers"
|
||||||
"github.com/docker/docker/pkg/parsers/kernel"
|
"github.com/docker/docker/pkg/parsers/kernel"
|
||||||
"github.com/docker/docker/pkg/sysinfo"
|
"github.com/docker/docker/pkg/sysinfo"
|
||||||
"github.com/docker/docker/reference"
|
"github.com/docker/docker/reference"
|
||||||
|
@ -361,6 +362,24 @@ func verifyContainerResources(resources *containertypes.Resources) ([]string, er
|
||||||
return warnings, nil
|
return warnings, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func usingSystemd(config *Config) bool {
|
||||||
|
for _, option := range config.ExecOptions {
|
||||||
|
key, val, err := parsers.ParseKeyValueOpt(option)
|
||||||
|
if err != nil || !strings.EqualFold(key, "native.cgroupdriver") {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if val == "systemd" {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func (daemon *Daemon) usingSystemd() bool {
|
||||||
|
return usingSystemd(daemon.configStore)
|
||||||
|
}
|
||||||
|
|
||||||
// verifyPlatformContainerSettings performs platform-specific validation of the
|
// verifyPlatformContainerSettings performs platform-specific validation of the
|
||||||
// hostconfig and config structures.
|
// hostconfig and config structures.
|
||||||
func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.HostConfig, config *containertypes.Config) ([]string, error) {
|
func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.HostConfig, config *containertypes.Config) ([]string, error) {
|
||||||
|
@ -407,11 +426,17 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
|
||||||
return warnings, fmt.Errorf("Cannot use the --read-only option when user namespaces are enabled.")
|
return warnings, fmt.Errorf("Cannot use the --read-only option when user namespaces are enabled.")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if hostConfig.CgroupParent != "" && daemon.usingSystemd() {
|
||||||
|
// CgroupParent for systemd cgroup should be named as "xxx.slice"
|
||||||
|
if len(hostConfig.CgroupParent) <= 6 || !strings.HasSuffix(hostConfig.CgroupParent, ".slice") {
|
||||||
|
return warnings, fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
|
||||||
|
}
|
||||||
|
}
|
||||||
return warnings, nil
|
return warnings, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// checkConfigOptions checks for mutually incompatible config options
|
// verifyDaemonSettings performs validation of daemon config struct
|
||||||
func checkConfigOptions(config *Config) error {
|
func verifyDaemonSettings(config *Config) error {
|
||||||
// Check for mutually incompatible config options
|
// Check for mutually incompatible config options
|
||||||
if config.bridgeConfig.Iface != "" && config.bridgeConfig.IP != "" {
|
if config.bridgeConfig.Iface != "" && config.bridgeConfig.IP != "" {
|
||||||
return fmt.Errorf("You specified -b & --bip, mutually exclusive options. Please specify only one.")
|
return fmt.Errorf("You specified -b & --bip, mutually exclusive options. Please specify only one.")
|
||||||
|
@ -422,6 +447,11 @@ func checkConfigOptions(config *Config) error {
|
||||||
if !config.bridgeConfig.EnableIPTables && config.bridgeConfig.EnableIPMasq {
|
if !config.bridgeConfig.EnableIPTables && config.bridgeConfig.EnableIPMasq {
|
||||||
config.bridgeConfig.EnableIPMasq = false
|
config.bridgeConfig.EnableIPMasq = false
|
||||||
}
|
}
|
||||||
|
if config.CgroupParent != "" && usingSystemd(config) {
|
||||||
|
if len(config.CgroupParent) <= 6 || !strings.HasSuffix(config.CgroupParent, ".slice") {
|
||||||
|
return fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
|
||||||
|
}
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
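Review bot: The cgroup-parent check added to verifyPlatformContainerSettings only tests the length and the `.slice` suffix, so a client-supplied `hostConfig.CgroupParent` containing `/` (and therefore `..` path segments), which a systemd unit name cannot contain, still passes. The same condition is repeated for `config.CgroupParent` in verifyDaemonSettings. How the exec driver consumes the value is not visible on this page, so the impact is unconfirmed, but rejecting separators at this boundary is cheap. Because both sites must stay in step, I would move the test into one helper, add the `strings.Contains(parent, "/")` check there, and replace the magic `6` with `len(".slice")`. Both enclosing functions start or end outside the hunks shown.

```go
// validateSystemdCgroupParent reports an error unless parent is a single
// systemd slice unit name such as "xxx.slice".
func validateSystemdCgroupParent(parent string) error {
	const suffix = ".slice"
	if len(parent) <= len(suffix) || !strings.HasSuffix(parent, suffix) || strings.Contains(parent, "/") {
		return fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
	}
	return nil
}

// … unchanged: earlier checks in verifyPlatformContainerSettings …
	if hostConfig.CgroupParent != "" && daemon.usingSystemd() {
		if err := validateSystemdCgroupParent(hostConfig.CgroupParent); err != nil {
			return warnings, err
		}
	}

// … unchanged: earlier checks in verifyDaemonSettings …
	if config.CgroupParent != "" && usingSystemd(config) {
		if err := validateSystemdCgroupParent(config.CgroupParent); err != nil {
			return err
		}
	}
```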
@ -88,8 +88,8 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// checkConfigOptions checks for mutually incompatible config options
|
// verifyDaemonSettings performs validation of daemon config struct
|
||||||
func checkConfigOptions(config *Config) error {
|
func verifyDaemonSettings(config *Config) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|