mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
f8e876d761
Using a value such as `--cpuset-mems=1-9223372036854775807` would cause `dockerd` to run out of memory allocating a map of the values in the validation code. Set limits to the normal limit of the number of CPUs, and improve the error handling. Reported by Huawei PSIRT. Signed-off-by: Justin Cormack <justin.cormack@docker.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
152 lines
4 KiB
Go
152 lines
4 KiB
Go
package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
|
|
|
|
import "github.com/docker/docker/pkg/parsers"
|
|
|
|
// SysInfo stores information about which features a kernel supports.
|
|
// TODO Windows: Factor out platform specific capabilities.
|
|
type SysInfo struct {
|
|
// Whether the kernel supports AppArmor or not
|
|
AppArmor bool
|
|
// Whether the kernel supports Seccomp or not
|
|
Seccomp bool
|
|
|
|
cgroupMemInfo
|
|
cgroupCPUInfo
|
|
cgroupBlkioInfo
|
|
cgroupCpusetInfo
|
|
cgroupPids
|
|
|
|
// Whether IPv4 forwarding is supported or not, if this was disabled, networking will not work
|
|
IPv4ForwardingDisabled bool
|
|
|
|
// Whether bridge-nf-call-iptables is supported or not
|
|
BridgeNFCallIPTablesDisabled bool
|
|
|
|
// Whether bridge-nf-call-ip6tables is supported or not
|
|
BridgeNFCallIP6TablesDisabled bool
|
|
|
|
// Whether the cgroup has the mountpoint of "devices" or not
|
|
CgroupDevicesEnabled bool
|
|
}
|
|
|
|
type cgroupMemInfo struct {
|
|
// Whether memory limit is supported or not
|
|
MemoryLimit bool
|
|
|
|
// Whether swap limit is supported or not
|
|
SwapLimit bool
|
|
|
|
// Whether soft limit is supported or not
|
|
MemoryReservation bool
|
|
|
|
// Whether OOM killer disable is supported or not
|
|
OomKillDisable bool
|
|
|
|
// Whether memory swappiness is supported or not
|
|
MemorySwappiness bool
|
|
|
|
// Whether kernel memory limit is supported or not
|
|
KernelMemory bool
|
|
}
|
|
|
|
type cgroupCPUInfo struct {
|
|
// Whether CPU shares is supported or not
|
|
CPUShares bool
|
|
|
|
// Whether CPU CFS(Completely Fair Scheduler) period is supported or not
|
|
CPUCfsPeriod bool
|
|
|
|
// Whether CPU CFS(Completely Fair Scheduler) quota is supported or not
|
|
CPUCfsQuota bool
|
|
|
|
// Whether CPU real-time period is supported or not
|
|
CPURealtimePeriod bool
|
|
|
|
// Whether CPU real-time runtime is supported or not
|
|
CPURealtimeRuntime bool
|
|
}
|
|
|
|
type cgroupBlkioInfo struct {
|
|
// Whether Block IO weight is supported or not
|
|
BlkioWeight bool
|
|
|
|
// Whether Block IO weight_device is supported or not
|
|
BlkioWeightDevice bool
|
|
|
|
// Whether Block IO read limit in bytes per second is supported or not
|
|
BlkioReadBpsDevice bool
|
|
|
|
// Whether Block IO write limit in bytes per second is supported or not
|
|
BlkioWriteBpsDevice bool
|
|
|
|
// Whether Block IO read limit in IO per second is supported or not
|
|
BlkioReadIOpsDevice bool
|
|
|
|
// Whether Block IO write limit in IO per second is supported or not
|
|
BlkioWriteIOpsDevice bool
|
|
}
|
|
|
|
type cgroupCpusetInfo struct {
|
|
// Whether Cpuset is supported or not
|
|
Cpuset bool
|
|
|
|
// Available Cpuset's cpus
|
|
Cpus string
|
|
|
|
// Available Cpuset's memory nodes
|
|
Mems string
|
|
}
|
|
|
|
type cgroupPids struct {
|
|
// Whether Pids Limit is supported or not
|
|
PidsLimit bool
|
|
}
|
|
|
|
// IsCpusetCpusAvailable returns `true` if the provided string set is contained
|
|
// in cgroup's cpuset.cpus set, `false` otherwise.
|
|
// If error is not nil a parsing error occurred.
|
|
func (c cgroupCpusetInfo) IsCpusetCpusAvailable(provided string) (bool, error) {
|
|
return isCpusetListAvailable(provided, c.Cpus)
|
|
}
|
|
|
|
// IsCpusetMemsAvailable returns `true` if the provided string set is contained
|
|
// in cgroup's cpuset.mems set, `false` otherwise.
|
|
// If error is not nil a parsing error occurred.
|
|
func (c cgroupCpusetInfo) IsCpusetMemsAvailable(provided string) (bool, error) {
|
|
return isCpusetListAvailable(provided, c.Mems)
|
|
}
|
|
|
|
func isCpusetListAvailable(provided, available string) (bool, error) {
|
|
parsedAvailable, err := parsers.ParseUintList(available)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
// 8192 is the normal maximum number of CPUs in Linux, so accept numbers up to this
|
|
// or more if we actually have more CPUs.
|
|
max := 8192
|
|
for m := range parsedAvailable {
|
|
if m > max {
|
|
max = m
|
|
}
|
|
}
|
|
parsedProvided, err := parsers.ParseUintListMaximum(provided, max)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
for k := range parsedProvided {
|
|
if !parsedAvailable[k] {
|
|
return false, nil
|
|
}
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
// Returns bit count of 1, used by NumCPU
|
|
func popcnt(x uint64) (n byte) {
|
|
x -= (x >> 1) & 0x5555555555555555
|
|
x = (x>>2)&0x3333333333333333 + x&0x3333333333333333
|
|
x += x >> 4
|
|
x &= 0x0f0f0f0f0f0f0f0f
|
|
x *= 0x0101010101010101
|
|
return byte(x >> 56)
|
|
}
|