k3s/vendor/github.com/rootless-containers/rootlesskit/pkg/parent/warn.go

60 lines
2.1 KiB
Go

package parent
import (
"io/ioutil"
"strconv"
"strings"
"github.com/moby/sys/mountinfo"
"github.com/sirupsen/logrus"
)
func warnPropagation(propagation string) {
mounts, err := mountinfo.GetMounts(mountinfo.SingleEntryFilter("/"))
if err != nil || len(mounts) < 1 {
logrus.WithError(err).Warn("Failed to parse mountinfo")
return
}
root := mounts[0]
// 1. When running on a "sane" host, root.Optional is like "shared:1". ("shared" in findmnt(8) output)
// 2. When running inside a container, root.Optional is like "master:363". ("private, slave" in findmnt(8) output)
//
// Setting non-private propagation is supported for 1, unsupported for 2.
if !strings.Contains(propagation, "private") && !strings.Contains(root.Optional, "shared") {
logrus.Warnf("The host root filesystem is mounted as %q. Setting child propagation to %q is not supported.",
root.Optional, propagation)
}
}
// warnSysctl verifies /proc/sys/kernel/unprivileged_userns_clone and /proc/sys/user/max_user_namespaces
func warnSysctl() {
uuc, err := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
// The file exists only on distros with the "add sysctl to disallow unprivileged CLONE_NEWUSER by default" patch.
// (e.g. Debian and Arch)
if err == nil {
s := strings.TrimSpace(string(uuc))
i, err := strconv.ParseInt(s, 10, 64)
if err != nil {
logrus.WithError(err).Warnf("Failed to parse /proc/sys/kernel/unprivileged_userns_clone (%q)", s)
} else if i == 0 {
logrus.Warn("/proc/sys/kernel/unprivileged_userns_clone needs to be set to 1.")
}
}
mun, err := ioutil.ReadFile("/proc/sys/user/max_user_namespaces")
if err == nil {
s := strings.TrimSpace(string(mun))
i, err := strconv.ParseInt(strings.TrimSpace(string(mun)), 10, 64)
if err != nil {
logrus.WithError(err).Warnf("Failed to parse /proc/sys/user/max_user_namespaces (%q)", s)
} else if i == 0 {
logrus.Warn("/proc/sys/user/max_user_namespaces needs to be set to non-zero.")
} else {
threshold := int64(1024)
if i < threshold {
logrus.Warnf("/proc/sys/user/max_user_namespaces=%d may be low. Consider setting to >= %d.", i, threshold)
}
}
}
}