package sysinfo import ( "fmt" "io/ioutil" "os" "path" "strings" "syscall" "github.com/Sirupsen/logrus" "github.com/opencontainers/runc/libcontainer/cgroups" ) const ( // SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. SeccompModeFilter = uintptr(2) ) func findCgroupMountpoints() (map[string]string, error) { cgMounts, err := cgroups.GetCgroupMounts() if err != nil { return nil, fmt.Errorf("Failed to parse cgroup information: %v", err) } mps := make(map[string]string) for _, m := range cgMounts { for _, ss := range m.Subsystems { mps[ss] = m.Mountpoint } } return mps, nil } // New returns a new SysInfo, using the filesystem to detect which features // the kernel supports. If `quiet` is `false` warnings are printed in logs // whenever an error occurs or misconfigurations are present. func New(quiet bool) *SysInfo { sysInfo := &SysInfo{} cgMounts, err := findCgroupMountpoints() if err != nil { logrus.Warnf("Failed to parse cgroup information: %v", err) } else { sysInfo.cgroupMemInfo = checkCgroupMem(cgMounts, quiet) sysInfo.cgroupCPUInfo = checkCgroupCPU(cgMounts, quiet) sysInfo.cgroupBlkioInfo = checkCgroupBlkioInfo(cgMounts, quiet) sysInfo.cgroupCpusetInfo = checkCgroupCpusetInfo(cgMounts, quiet) sysInfo.cgroupPids = checkCgroupPids(quiet) } _, ok := cgMounts["devices"] sysInfo.CgroupDevicesEnabled = ok sysInfo.IPv4ForwardingDisabled = !readProcBool("/proc/sys/net/ipv4/ip_forward") sysInfo.BridgeNFCallIPTablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-iptables") sysInfo.BridgeNFCallIP6TablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-ip6tables") // Check if AppArmor is supported. if _, err := os.Stat("/sys/kernel/security/apparmor"); !os.IsNotExist(err) { sysInfo.AppArmor = true } // Check if Seccomp is supported, via CONFIG_SECCOMP. if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { // Make sure the kernel has CONFIG_SECCOMP_FILTER. if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL { sysInfo.Seccomp = true } } return sysInfo } // checkCgroupMem reads the memory information from the memory cgroup mount point. func checkCgroupMem(cgMounts map[string]string, quiet bool) cgroupMemInfo { mountPoint, ok := cgMounts["memory"] if !ok { if !quiet { logrus.Warnf("Your kernel does not support cgroup memory limit") } return cgroupMemInfo{} } swapLimit := cgroupEnabled(mountPoint, "memory.memsw.limit_in_bytes") if !quiet && !swapLimit { logrus.Warn("Your kernel does not support swap memory limit.") } memoryReservation := cgroupEnabled(mountPoint, "memory.soft_limit_in_bytes") if !quiet && !memoryReservation { logrus.Warn("Your kernel does not support memory reservation.") } oomKillDisable := cgroupEnabled(mountPoint, "memory.oom_control") if !quiet && !oomKillDisable { logrus.Warnf("Your kernel does not support oom control.") } memorySwappiness := cgroupEnabled(mountPoint, "memory.swappiness") if !quiet && !memorySwappiness { logrus.Warnf("Your kernel does not support memory swappiness.") } kernelMemory := cgroupEnabled(mountPoint, "memory.kmem.limit_in_bytes") if !quiet && !kernelMemory { logrus.Warnf("Your kernel does not support kernel memory limit.") } return cgroupMemInfo{ MemoryLimit: true, SwapLimit: swapLimit, MemoryReservation: memoryReservation, OomKillDisable: oomKillDisable, MemorySwappiness: memorySwappiness, KernelMemory: kernelMemory, } } // checkCgroupCPU reads the cpu information from the cpu cgroup mount point. func checkCgroupCPU(cgMounts map[string]string, quiet bool) cgroupCPUInfo { mountPoint, ok := cgMounts["cpu"] if !ok { if !quiet { logrus.Warnf("Unable to find cpu cgroup in mounts") } return cgroupCPUInfo{} } cpuShares := cgroupEnabled(mountPoint, "cpu.shares") if !quiet && !cpuShares { logrus.Warn("Your kernel does not support cgroup cpu shares") } cpuCfsPeriod := cgroupEnabled(mountPoint, "cpu.cfs_period_us") if !quiet && !cpuCfsPeriod { logrus.Warn("Your kernel does not support cgroup cfs period") } cpuCfsQuota := cgroupEnabled(mountPoint, "cpu.cfs_quota_us") if !quiet && !cpuCfsQuota { logrus.Warn("Your kernel does not support cgroup cfs quotas") } return cgroupCPUInfo{ CPUShares: cpuShares, CPUCfsPeriod: cpuCfsPeriod, CPUCfsQuota: cpuCfsQuota, } } // checkCgroupBlkioInfo reads the blkio information from the blkio cgroup mount point. func checkCgroupBlkioInfo(cgMounts map[string]string, quiet bool) cgroupBlkioInfo { mountPoint, ok := cgMounts["blkio"] if !ok { if !quiet { logrus.Warnf("Unable to find blkio cgroup in mounts") } return cgroupBlkioInfo{} } weight := cgroupEnabled(mountPoint, "blkio.weight") if !quiet && !weight { logrus.Warn("Your kernel does not support cgroup blkio weight") } weightDevice := cgroupEnabled(mountPoint, "blkio.weight_device") if !quiet && !weightDevice { logrus.Warn("Your kernel does not support cgroup blkio weight_device") } readBpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.read_bps_device") if !quiet && !readBpsDevice { logrus.Warn("Your kernel does not support cgroup blkio throttle.read_bps_device") } writeBpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.write_bps_device") if !quiet && !writeBpsDevice { logrus.Warn("Your kernel does not support cgroup blkio throttle.write_bps_device") } readIOpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.read_iops_device") if !quiet && !readIOpsDevice { logrus.Warn("Your kernel does not support cgroup blkio throttle.read_iops_device") } writeIOpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.write_iops_device") if !quiet && !writeIOpsDevice { logrus.Warn("Your kernel does not support cgroup blkio throttle.write_iops_device") } return cgroupBlkioInfo{ BlkioWeight: weight, BlkioWeightDevice: weightDevice, BlkioReadBpsDevice: readBpsDevice, BlkioWriteBpsDevice: writeBpsDevice, BlkioReadIOpsDevice: readIOpsDevice, BlkioWriteIOpsDevice: writeIOpsDevice, } } // checkCgroupCpusetInfo reads the cpuset information from the cpuset cgroup mount point. func checkCgroupCpusetInfo(cgMounts map[string]string, quiet bool) cgroupCpusetInfo { mountPoint, ok := cgMounts["cpuset"] if !ok { if !quiet { logrus.Warnf("Unable to find cpuset cgroup in mounts") } return cgroupCpusetInfo{} } cpus, err := ioutil.ReadFile(path.Join(mountPoint, "cpuset.cpus")) if err != nil { return cgroupCpusetInfo{} } mems, err := ioutil.ReadFile(path.Join(mountPoint, "cpuset.mems")) if err != nil { return cgroupCpusetInfo{} } return cgroupCpusetInfo{ Cpuset: true, Cpus: strings.TrimSpace(string(cpus)), Mems: strings.TrimSpace(string(mems)), } } // checkCgroupPids reads the pids information from the pids cgroup mount point. func checkCgroupPids(quiet bool) cgroupPids { _, err := cgroups.FindCgroupMountpoint("pids") if err != nil { if !quiet { logrus.Warn(err) } return cgroupPids{} } return cgroupPids{ PidsLimit: true, } } func cgroupEnabled(mountPoint, name string) bool { _, err := os.Stat(path.Join(mountPoint, name)) return err == nil } func readProcBool(path string) bool { val, err := ioutil.ReadFile(path) if err != nil { return false } return strings.TrimSpace(string(val)) == "1" }