mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Merge pull request #23182 from crosbymichael/maxkeys
Change root_maxkeys
commit
8e8ef7c724
3 changed files with 72 additions and 0 deletions
|
@ -387,6 +387,11 @@ func (daemon *Daemon) IsSwarmCompatible() error {
|
||||||
func NewDaemon(config *Config, registryService registry.Service, containerdRemote libcontainerd.Remote) (daemon *Daemon, err error) {
|
func NewDaemon(config *Config, registryService registry.Service, containerdRemote libcontainerd.Remote) (daemon *Daemon, err error) {
|
||||||
setDefaultMtu(config)
|
setDefaultMtu(config)
|
||||||
|
|
||||||
|
// Ensure that we have a correct root key limit for launching containers.
|
||||||
|
if err := ModifyRootKeyLimit(); err != nil {
|
||||||
|
logrus.Warnf("unable to modify root key limit, number of containers could be limitied by this quota: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
// Ensure we have compatible and valid configuration options
|
// Ensure we have compatible and valid configuration options
|
||||||
if err := verifyDaemonSettings(config); err != nil {
|
if err := verifyDaemonSettings(config); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
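Review bot: The `ModifyRootKeyLimit()` call added to `NewDaemon` runs before `verifyDaemonSettings(config)`, so the root key quota is raised even when the daemon then refuses to start on invalid settings; moving the call below the settings check would keep a rejected start free of side effects on the host. The adjustment is also unconditional as far as this hunk shows: an operator who set a lower limit on purpose has no option to keep it, and only a failure is logged, so a log line on success naming the old and new value would make the change auditable. The warning string has a typo, `limitied` should read `limited`. `NewDaemon` starts and ends outside the hunk.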
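--- a/daemon/keys.go
+++ b/daemon/keys.go
@@ -0,0 +1,59 @@
+// +build linux
+
+package daemon
+
+import (
+"fmt"
+"io/ioutil"
+"os"
+"strconv"
+"strings"
+)
+
+const (
+rootKeyFile = "/proc/sys/kernel/keys/root_maxkeys"
+rootBytesFile = "/proc/sys/kernel/keys/root_maxbytes"
+rootKeyLimit = 1000000
+// it is standard configuration to allocate 25 bytes per key
+rootKeyByteMultiplier = 25
+)
+
+// ModifyRootKeyLimit checks to see if the root key limit is set to
+// at least 1000000 and changes it to that limit along with the maxbytes
+// allocated to the keys at a 25 to 1 multiplier.
+func ModifyRootKeyLimit() error {
+value, err := readRootKeyLimit(rootKeyFile)
+if err != nil {
+return err
+}
+if value < rootKeyLimit {
+return setRootKeyLimit(rootKeyLimit)
+}
+return nil
+}
+
+func setRootKeyLimit(limit int) error {
+keys, err := os.OpenFile(rootKeyFile, os.O_WRONLY, 0)
+if err != nil {
+return err
+}
+defer keys.Close()
+if _, err := fmt.Fprintf(keys, "%d", limit); err != nil {
+return err
+}
+bytes, err := os.OpenFile(rootBytesFile, os.O_WRONLY, 0)
+if err != nil {
+return err
+}
+defer bytes.Close()
+_, err = fmt.Fprintf(bytes, "%d", limit*rootKeyByteMultiplier)
+return err
+}
+
+func readRootKeyLimit(path string) (int, error) {
+data, err := ioutil.ReadFile(path)
+if err != nil {
+return -1, err
+}
+return strconv.Atoi(strings.Trim(string(data), "\n"))
+}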
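Review bot: `setRootKeyLimit` writes `root_maxkeys` before it has even opened `root_maxbytes`, so a failure on the second file returns an error with the key count already raised and the byte quota left at its old value; opening both files before writing either would narrow that window. `ModifyRootKeyLimit` reads only `rootKeyFile`, so a host where `root_maxkeys` is already at or above the limit but `root_maxbytes` is below `rootKeyLimit*rootKeyByteMultiplier` is never corrected. In `readRootKeyLimit`, `strings.TrimSpace(string(data))` would tolerate more than a trailing `"\n"` before `strconv.Atoi`. The two unexported helpers have no doc comments; one such as `// setRootKeyLimit writes limit to root_maxkeys and limit*rootKeyByteMultiplier to root_maxbytes; the caller needs write access to /proc/sys.` would record the privilege this code depends on.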
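--- a/daemon/keys_unsupported.go
+++ b/daemon/keys_unsupported.go
@@ -0,0 +1,8 @@
+// +build !linux
+
+package daemon
+
+// ModifyRootKeyLimit is an noop on unsupported platforms.
+func ModifyRootKeyLimit() error {
+return nil
+}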