package parent
import (
"io/ioutil"
"strconv"
"strings"
"github.com/moby/sys/mountinfo"
"github.com/sirupsen/logrus"
)
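// warnPropagation logs a warning when the requested child mount propagation
// cannot be honoured because the host root filesystem is not a shared mount.
// It is advisory only: it reads /proc/self/mountinfo (via the mountinfo
// package) and never changes any mount flags.
//
// propagation is the requested child propagation mode. Any value containing
// "private" (e.g. "private", "rprivate") is accepted unconditionally, since
// private propagation does not depend on how "/" is mounted.
func warnPropagation(propagation string) {
	mounts, err := mountinfo.GetMounts(mountinfo.SingleEntryFilter("/"))
	if err != nil {
		logrus.WithError(err).Warn("Failed to parse mountinfo")
		return
	}
	// Keep "could not read" and "no entry for /" apart: the original code
	// funnelled both into one warning carrying a nil error, which is
	// misleading when debugging a host.
	if len(mounts) < 1 {
		logrus.Warn("Failed to parse mountinfo: no entry for / found")
		return
	}
	root := mounts[0]

	// 1. When running on a "sane" host, root.Optional is like "shared:1". ("shared" in findmnt(8) output)
	// 2. When running inside a container, root.Optional is like "master:363". ("private, slave" in findmnt(8) output)
	//
	// Setting non-private propagation is supported for 1, unsupported for 2.
	wantsNonPrivate := !strings.Contains(propagation, "private")
	rootIsShared := strings.Contains(root.Optional, "shared")
	if wantsNonPrivate && !rootIsShared {
		logrus.Warnf("The host root filesystem is mounted as %q. Setting child propagation to %q is not supported.",
			root.Optional, propagation)
	}
}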
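// warnSysctl checks the kernel sysctls that rootless mode depends on and logs
// a warning for each one that is missing or set too low. It only reads
// /proc/sys/kernel/unprivileged_userns_clone and
// /proc/sys/user/max_user_namespaces; it never modifies them.
//
// NOTE(review): the first warning asks the operator to allow unprivileged
// user namespaces host-wide. That is generally considered a security
// trade-off (it exposes additional kernel surface to every unprivileged user
// on the host), so the decision is deliberately left to the operator and this
// function only reports.
func warnSysctl() {
	// The file exists only on distros with the "add sysctl to disallow
	// unprivileged CLONE_NEWUSER by default" patch (e.g. Debian and Arch),
	// so a missing file is simply "not applicable" and produces no warning.
	const uucPath = "/proc/sys/kernel/unprivileged_userns_clone"
	if v, ok := readSysctlInt(uucPath); ok && v == 0 {
		logrus.Warn("/proc/sys/kernel/unprivileged_userns_clone needs to be set to 1.")
	}

	// Below this value the limit is reported as possibly too low; 0 is
	// reported separately because it disables user namespaces outright.
	const munPath = "/proc/sys/user/max_user_namespaces"
	const munThreshold = int64(1024)
	if v, ok := readSysctlInt(munPath); ok {
		switch {
		case v == 0:
			logrus.Warn("/proc/sys/user/max_user_namespaces needs to be set to non-zero.")
		case v < munThreshold:
			logrus.Warnf("/proc/sys/user/max_user_namespaces=%d may be low. Consider setting to >= %d.", v, munThreshold)
		}
	}
}

// readSysctlInt reads a /proc/sys file that holds a single decimal integer
// and returns (value, true) on success.
//
// A file that cannot be read (typically because it does not exist on this
// kernel) yields (0, false) silently, since callers treat absence as "not
// applicable". A file that exists but does not parse also yields (0, false),
// after logging a warning, because that indicates something unexpected about
// the host.
func readSysctlInt(path string) (int64, bool) {
	raw, err := ioutil.ReadFile(path)
	if err != nil {
		return 0, false
	}
	s := strings.TrimSpace(string(raw))
	v, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		logrus.WithError(err).Warnf("Failed to parse %s (%q)", path, s)
		return 0, false
	}
	return v, true
}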