github.com/rawahars/moby@v24.0.4+incompatible/daemon/config/config_linux.go (about) 1 package config // import "github.com/docker/docker/daemon/config" 2 3 import ( 4 "fmt" 5 "net" 6 "os/exec" 7 "path/filepath" 8 9 "github.com/containerd/cgroups/v3" 10 "github.com/docker/docker/api/types" 11 "github.com/docker/docker/api/types/container" 12 "github.com/docker/docker/opts" 13 "github.com/docker/docker/pkg/homedir" 14 "github.com/docker/docker/pkg/rootless" 15 units "github.com/docker/go-units" 16 "github.com/pkg/errors" 17 ) 18 19 const ( 20 // DefaultIpcMode is default for container's IpcMode, if not set otherwise 21 DefaultIpcMode = container.IPCModePrivate 22 23 // DefaultCgroupNamespaceMode is the default mode for containers cgroup namespace when using cgroups v2. 24 DefaultCgroupNamespaceMode = container.CgroupnsModePrivate 25 26 // DefaultCgroupV1NamespaceMode is the default mode for containers cgroup namespace when using cgroups v1. 27 DefaultCgroupV1NamespaceMode = container.CgroupnsModeHost 28 29 // StockRuntimeName is the reserved name/alias used to represent the 30 // OCI runtime being shipped with the docker daemon package. 31 StockRuntimeName = "runc" 32 ) 33 34 // BridgeConfig stores all the bridge driver specific 35 // configuration. 36 type BridgeConfig struct { 37 commonBridgeConfig 38 39 // Fields below here are platform specific. 40 DefaultIP net.IP `json:"ip,omitempty"` 41 IP string `json:"bip,omitempty"` 42 DefaultGatewayIPv4 net.IP `json:"default-gateway,omitempty"` 43 DefaultGatewayIPv6 net.IP `json:"default-gateway-v6,omitempty"` 44 InterContainerCommunication bool `json:"icc,omitempty"` 45 46 EnableIPv6 bool `json:"ipv6,omitempty"` 47 EnableIPTables bool `json:"iptables,omitempty"` 48 EnableIP6Tables bool `json:"ip6tables,omitempty"` 49 EnableIPForward bool `json:"ip-forward,omitempty"` 50 EnableIPMasq bool `json:"ip-masq,omitempty"` 51 EnableUserlandProxy bool `json:"userland-proxy,omitempty"` 52 UserlandProxyPath string `json:"userland-proxy-path,omitempty"` 53 FixedCIDRv6 string `json:"fixed-cidr-v6,omitempty"` 54 } 55 56 // Config defines the configuration of a docker daemon. 57 // It includes json tags to deserialize configuration from a file 58 // using the same names that the flags in the command line uses. 59 type Config struct { 60 CommonConfig 61 62 // Fields below here are platform specific. 63 Runtimes map[string]types.Runtime `json:"runtimes,omitempty"` 64 DefaultInitBinary string `json:"default-init,omitempty"` 65 CgroupParent string `json:"cgroup-parent,omitempty"` 66 EnableSelinuxSupport bool `json:"selinux-enabled,omitempty"` 67 RemappedRoot string `json:"userns-remap,omitempty"` 68 Ulimits map[string]*units.Ulimit `json:"default-ulimits,omitempty"` 69 CPURealtimePeriod int64 `json:"cpu-rt-period,omitempty"` 70 CPURealtimeRuntime int64 `json:"cpu-rt-runtime,omitempty"` 71 OOMScoreAdjust int `json:"oom-score-adjust,omitempty"` // Deprecated: configure the daemon's oom-score-adjust using a process manager instead. 72 Init bool `json:"init,omitempty"` 73 InitPath string `json:"init-path,omitempty"` 74 SeccompProfile string `json:"seccomp-profile,omitempty"` 75 ShmSize opts.MemBytes `json:"default-shm-size,omitempty"` 76 NoNewPrivileges bool `json:"no-new-privileges,omitempty"` 77 IpcMode string `json:"default-ipc-mode,omitempty"` 78 CgroupNamespaceMode string `json:"default-cgroupns-mode,omitempty"` 79 // ResolvConf is the path to the configuration of the host resolver 80 ResolvConf string `json:"resolv-conf,omitempty"` 81 Rootless bool `json:"rootless,omitempty"` 82 } 83 84 // GetRuntime returns the runtime path and arguments for a given 85 // runtime name 86 func (conf *Config) GetRuntime(name string) *types.Runtime { 87 conf.Lock() 88 defer conf.Unlock() 89 if rt, ok := conf.Runtimes[name]; ok { 90 return &rt 91 } 92 return nil 93 } 94 95 // GetAllRuntimes returns a copy of the runtimes map 96 func (conf *Config) GetAllRuntimes() map[string]types.Runtime { 97 conf.Lock() 98 rts := conf.Runtimes 99 conf.Unlock() 100 return rts 101 } 102 103 // GetExecRoot returns the user configured Exec-root 104 func (conf *Config) GetExecRoot() string { 105 return conf.ExecRoot 106 } 107 108 // GetInitPath returns the configured docker-init path 109 func (conf *Config) GetInitPath() string { 110 conf.Lock() 111 defer conf.Unlock() 112 if conf.InitPath != "" { 113 return conf.InitPath 114 } 115 if conf.DefaultInitBinary != "" { 116 return conf.DefaultInitBinary 117 } 118 return DefaultInitBinary 119 } 120 121 // LookupInitPath returns an absolute path to the "docker-init" binary by searching relevant "libexec" directories (per FHS 3.0 & 2.3) followed by PATH 122 func (conf *Config) LookupInitPath() (string, error) { 123 binary := conf.GetInitPath() 124 if filepath.IsAbs(binary) { 125 return binary, nil 126 } 127 128 for _, dir := range []string{ 129 // FHS 3.0: "/usr/libexec includes internal binaries that are not intended to be executed directly by users or shell scripts. Applications may use a single subdirectory under /usr/libexec." 130 // https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html 131 "/usr/local/libexec/docker", 132 "/usr/libexec/docker", 133 134 // FHS 2.3: "/usr/lib includes object files, libraries, and internal binaries that are not intended to be executed directly by users or shell scripts." 135 // https://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#USRLIBLIBRARIESFORPROGRAMMINGANDPA 136 "/usr/local/lib/docker", 137 "/usr/lib/docker", 138 } { 139 // exec.LookPath has a fast-path short-circuit for paths that contain "/" (skipping the PATH lookup) that then verifies whether the given path is likely to be an actual executable binary (so we invoke that instead of reimplementing the same checks) 140 if file, err := exec.LookPath(filepath.Join(dir, binary)); err == nil { 141 return file, nil 142 } 143 } 144 145 // if we checked all the "libexec" directories and found no matches, fall back to PATH 146 return exec.LookPath(binary) 147 } 148 149 // GetResolvConf returns the appropriate resolv.conf 150 // Check setupResolvConf on how this is selected 151 func (conf *Config) GetResolvConf() string { 152 return conf.ResolvConf 153 } 154 155 // IsSwarmCompatible defines if swarm mode can be enabled in this config 156 func (conf *Config) IsSwarmCompatible() error { 157 if conf.LiveRestoreEnabled { 158 return fmt.Errorf("--live-restore daemon configuration is incompatible with swarm mode") 159 } 160 return nil 161 } 162 163 func verifyDefaultIpcMode(mode string) error { 164 const hint = `use "shareable" or "private"` 165 166 dm := container.IpcMode(mode) 167 if !dm.Valid() { 168 return fmt.Errorf("default IPC mode setting (%v) is invalid; "+hint, dm) 169 } 170 if dm != "" && !dm.IsPrivate() && !dm.IsShareable() { 171 return fmt.Errorf(`IPC mode "%v" is not supported as default value; `+hint, dm) 172 } 173 return nil 174 } 175 176 func verifyDefaultCgroupNsMode(mode string) error { 177 cm := container.CgroupnsMode(mode) 178 if !cm.Valid() { 179 return fmt.Errorf(`default cgroup namespace mode (%v) is invalid; use "host" or "private"`, cm) 180 } 181 182 return nil 183 } 184 185 // ValidatePlatformConfig checks if any platform-specific configuration settings are invalid. 186 func (conf *Config) ValidatePlatformConfig() error { 187 if err := verifyDefaultIpcMode(conf.IpcMode); err != nil { 188 return err 189 } 190 191 return verifyDefaultCgroupNsMode(conf.CgroupNamespaceMode) 192 } 193 194 // IsRootless returns conf.Rootless on Linux but false on Windows 195 func (conf *Config) IsRootless() bool { 196 return conf.Rootless 197 } 198 199 func setPlatformDefaults(cfg *Config) error { 200 cfg.Ulimits = make(map[string]*units.Ulimit) 201 cfg.ShmSize = opts.MemBytes(DefaultShmSize) 202 cfg.SeccompProfile = SeccompProfileDefault 203 cfg.IpcMode = string(DefaultIpcMode) 204 cfg.Runtimes = make(map[string]types.Runtime) 205 206 if cgroups.Mode() != cgroups.Unified { 207 cfg.CgroupNamespaceMode = string(DefaultCgroupV1NamespaceMode) 208 } else { 209 cfg.CgroupNamespaceMode = string(DefaultCgroupNamespaceMode) 210 } 211 212 if rootless.RunningWithRootlessKit() { 213 cfg.Rootless = true 214 215 var err error 216 // use rootlesskit-docker-proxy for exposing the ports in RootlessKit netns to the initial namespace. 217 cfg.BridgeConfig.UserlandProxyPath, err = exec.LookPath(rootless.RootlessKitDockerProxyBinary) 218 if err != nil { 219 return errors.Wrapf(err, "running with RootlessKit, but %s not installed", rootless.RootlessKitDockerProxyBinary) 220 } 221 222 dataHome, err := homedir.GetDataHome() 223 if err != nil { 224 return err 225 } 226 runtimeDir, err := homedir.GetRuntimeDir() 227 if err != nil { 228 return err 229 } 230 231 cfg.Root = filepath.Join(dataHome, "docker") 232 cfg.ExecRoot = filepath.Join(runtimeDir, "docker") 233 cfg.Pidfile = filepath.Join(runtimeDir, "docker.pid") 234 } else { 235 cfg.Root = "/var/lib/docker" 236 cfg.ExecRoot = "/var/run/docker" 237 cfg.Pidfile = "/var/run/docker.pid" 238 } 239 240 return nil 241 }