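// +build linux

package daemon

import (
	"fmt"
	"io/ioutil"
	"os"
	"strconv"
	"strings"
)

const (
	// rootKeyFile is the sysctl holding the maximum number of keys that
	// root may own.
	rootKeyFile = "/proc/sys/kernel/keys/root_maxkeys"
	// rootBytesFile is the sysctl holding the maximum number of bytes of
	// key data that root may own.
	rootBytesFile = "/proc/sys/kernel/keys/root_maxbytes"
	// rootKeyLimit is the minimum root_maxkeys value that
	// ModifyRootKeyLimit enforces.
	rootKeyLimit = 1000000
	// it is standard configuration to allocate 25 bytes per key
	rootKeyByteMultiplier = 25
)

// ModifyRootKeyLimit checks to see if the root key limit is set to
// at least 1000000 and, if it is lower, raises it to that limit along with
// the maxbytes allocated to the keys at a 25 to 1 multiplier.
//
// Both files are kernel sysctls under /proc/sys, so a successful call changes
// the key quota of root for the whole system rather than for one process.
// Callers should treat it as a host configuration change: it needs write
// access to /proc/sys and is never reverted by this package.
//
// Only root_maxkeys decides whether anything is written; when it already
// meets the limit, root_maxbytes is neither read nor modified.
func ModifyRootKeyLimit() error {
	value, err := readRootKeyLimit(rootKeyFile)
	if err != nil {
		return err
	}
	if value < rootKeyLimit {
		return setRootKeyLimit(rootKeyLimit)
	}
	return nil
}

// setRootKeyLimit writes limit to root_maxkeys and then makes sure that
// root_maxbytes is at least limit*rootKeyByteMultiplier.
//
// The two writes are not atomic: if the second one fails, root_maxkeys has
// already been changed and the error is returned to the caller.
func setRootKeyLimit(limit int) error {
	if err := writeRootKeyLimit(rootKeyFile, limit); err != nil {
		return err
	}
	return raiseRootKeyLimit(rootBytesFile, limit*rootKeyByteMultiplier)
}

// raiseRootKeyLimit writes want to path unless the value currently stored
// there is already at least want.
//
// The guard keeps the function from lowering a quota that an administrator
// configured above the computed value. If the current value cannot be read or
// parsed, the write is attempted anyway.
func raiseRootKeyLimit(path string, want int) error {
	if current, err := readRootKeyLimit(path); err == nil && current >= want {
		return nil
	}
	return writeRootKeyLimit(path, want)
}

// writeRootKeyLimit writes value in decimal, without a trailing newline, to
// the existing file at path. The file is opened write-only and is never
// created or truncated here.
func writeRootKeyLimit(path string, value int) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = fmt.Fprintf(f, "%d", value)
	return err
}

// readRootKeyLimit reads the file at path and parses its contents as a
// decimal integer, ignoring surrounding whitespace such as the trailing
// newline. It returns -1 and the error when the file cannot be read, and the
// strconv.Atoi error when the contents are not an integer.
func readRootKeyLimit(path string) (int, error) {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return -1, err
	}
	return strconv.Atoi(strings.TrimSpace(string(data)))
}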