105 lines
5.2 KiB
Diff
105 lines
5.2 KiB
Diff
From 7a965f7491e5f60e27ce1f6c052aa139f80e0744 Mon Sep 17 00:00:00 2001
|
|
From: lujingxiao <lujingxiao@huawei.com>
|
|
Date: Sat, 19 Jan 2019 11:14:42 +0800
|
|
Subject: [PATCH 008/111] filelimit: Ignore host kernel whether suport
|
|
files limit when run a secure container
|
|
|
|
reason:Ignore host kernel whether suport files limit when run a secure
|
|
container.
|
|
|
|
Change-Id: Iabd2c54492465a8df53375206d5ff600d9da7f6e
|
|
Signed-off-by: yangshukui <yangshukui@huawei.com>
|
|
Signed-off-by: lujingxiao <lujingxiao@huawei.com>
|
|
---
|
|
components/engine/daemon/container.go | 2 +-
|
|
components/engine/daemon/daemon_unix.go | 15 +++++++++------
|
|
components/engine/daemon/daemon_windows.go | 6 +++---
|
|
3 files changed, 13 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/components/engine/daemon/container.go b/components/engine/daemon/container.go
|
|
index c8e2053970..bd96de2571 100644
|
|
--- a/components/engine/daemon/container.go
|
|
+++ b/components/engine/daemon/container.go
|
|
@@ -348,7 +348,7 @@ func (daemon *Daemon) verifyContainerSettings(platform string, hostConfig *conta
|
|
warnings []string
|
|
)
|
|
// Now do platform-specific verification
|
|
- if warnings, err = verifyPlatformContainerSettings(daemon, hostConfig, config, update); err != nil {
|
|
+ if warnings, err = daemon.verifyPlatformContainerSettings(hostConfig, config, update); err != nil {
|
|
return warnings, err
|
|
}
|
|
if hostConfig.NetworkMode.IsHost() && len(hostConfig.PortBindings) > 0 {
|
|
diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
|
|
index 138b8ac544..f4b75055f5 100644
|
|
--- a/components/engine/daemon/daemon_unix.go
|
|
+++ b/components/engine/daemon/daemon_unix.go
|
|
@@ -350,8 +350,9 @@ func adaptSharedNamespaceContainer(daemon containerGetter, hostConfig *container
|
|
}
|
|
}
|
|
|
|
-func verifyContainerResources(resources *containertypes.Resources, sysInfo *sysinfo.SysInfo, update bool) ([]string, error) {
|
|
+func (daemon *Daemon) verifyContainerResources(hostConfig *containertypes.HostConfig, sysInfo *sysinfo.SysInfo, update bool) ([]string, error) {
|
|
warnings := []string{}
|
|
+ resources := &hostConfig.Resources
|
|
fixMemorySwappiness(resources)
|
|
|
|
// memory subsystem checks and adjustments
|
|
@@ -426,9 +427,11 @@ func verifyContainerResources(resources *containertypes.Resources, sysInfo *sysi
|
|
}
|
|
|
|
if resources.FilesLimit != 0 && !sysInfo.FilesLimit {
|
|
- warnings = append(warnings, "Your kernel does not support files limit capabilities, files limit discarded.")
|
|
- logrus.Warnf("Your kernel does not support files limit capabilities, files limit discarded.")
|
|
- resources.FilesLimit = 0
|
|
+ if daemon.IsNativeRuntime(hostConfig.Runtime) {
|
|
+ warnings = append(warnings, "Your kernel does not support files limit capabilities, files limit discarded.")
|
|
+ logrus.Warnf("Your kernel does not support files limit capabilities, files limit discarded.")
|
|
+ resources.FilesLimit = 0
|
|
+ }
|
|
}
|
|
|
|
// cpu subsystem checks and adjustments
|
|
@@ -580,11 +583,11 @@ func UsingSystemd(config *config.Config) bool {
|
|
|
|
// verifyPlatformContainerSettings performs platform-specific validation of the
|
|
// hostconfig and config structures.
|
|
-func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
|
|
+func (daemon *Daemon) verifyPlatformContainerSettings(hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
|
|
var warnings []string
|
|
sysInfo := sysinfo.New(true)
|
|
|
|
- w, err := verifyContainerResources(&hostConfig.Resources, sysInfo, update)
|
|
+ w, err := daemon.verifyContainerResources(hostConfig, sysInfo, update)
|
|
|
|
// no matter err is nil or not, w could have data in itself.
|
|
warnings = append(warnings, w...)
|
|
diff --git a/components/engine/daemon/daemon_windows.go b/components/engine/daemon/daemon_windows.go
|
|
index 04d3de9924..4812236bc2 100644
|
|
--- a/components/engine/daemon/daemon_windows.go
|
|
+++ b/components/engine/daemon/daemon_windows.go
|
|
@@ -75,7 +75,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
|
|
return nil
|
|
}
|
|
|
|
-func verifyContainerResources(resources *containertypes.Resources, isHyperv bool) ([]string, error) {
|
|
+func (daemon *Daemon) verifyContainerResources(resources *containertypes.Resources, isHyperv bool) ([]string, error) {
|
|
warnings := []string{}
|
|
fixMemorySwappiness(resources)
|
|
if !isHyperv {
|
|
@@ -191,10 +191,10 @@ func verifyContainerResources(resources *containertypes.Resources, isHyperv bool
|
|
|
|
// verifyPlatformContainerSettings performs platform-specific validation of the
|
|
// hostconfig and config structures.
|
|
-func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
|
|
+func (daemon *Daemon) verifyPlatformContainerSettings(hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
|
|
warnings := []string{}
|
|
|
|
- hyperv := daemon.runAsHyperVContainer(hostConfig)
|
|
+ hyperv := daemon.daemon.runAsHyperVContainer(hostConfig)
|
|
if !hyperv && system.IsWindowsClient() && !system.IsIoTCore() {
|
|
// @engine maintainers. This block should not be removed. It partially enforces licensing
|
|
// restrictions on Windows. Ping @jhowardmsft if there are concerns or PRs to change this.
|
|
--
|
|
2.17.1
|
|
|