Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
| ... | ... |
@@ -10,7 +10,11 @@ import ( |
| 10 | 10 |
func (daemon *Daemon) saveAppArmorConfig(container *container.Container) error {
|
| 11 | 11 |
container.AppArmorProfile = "" // reset; parseSecurityOpt re-derives it from HostConfig.SecurityOpt. |
| 12 | 12 |
|
| 13 |
- if !daemon.RawSysInfo().AppArmor {
|
|
| 13 |
+ sysInfo, err := daemon.RawSysInfo() |
|
| 14 |
+ if err != nil {
|
|
| 15 |
+ return errdefs.System(err) |
|
| 16 |
+ } |
|
| 17 |
+ if !sysInfo.AppArmor {
|
|
| 14 | 18 |
return nil // if apparmor is disabled there is nothing to do here. |
| 15 | 19 |
} |
| 16 | 20 |
|
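Review bot: The new error path is classified inconsistently across the call sites this commit introduces: here at line 15 and in WithNamespaces (line 277) the failure is wrapped as `errdefs.System(err)`, while WithSeccomp (line 33), verifyPlatformContainerSettings (line 636), SystemInfo (line 49) and postContainersCreate (line 562) return it bare. Whether a host-capability probe failure becomes a 500 or something else at the API layer then depends on which caller happened to hit it and on the router's fallback mapping, rather than on one explicit decision. Since a failure to read host security features (AppArmor, seccomp, cgroup mode) is a server-side condition in every case, either wrap it once where a real error is produced inside RawSysInfo, or apply `errdefs.System` uniformly at each caller and drop the per-site variation. saveAppArmorConfig continues past the end of this hunk.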
| ... | ... |
@@ -1872,7 +1872,7 @@ func (daemon *Daemon) BuilderBackend() builder.Backend {
|
| 1872 | 1872 |
} |
| 1873 | 1873 |
|
| 1874 | 1874 |
// RawSysInfo returns *sysinfo.SysInfo . |
| 1875 |
-func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo {
|
|
| 1875 |
+func (daemon *Daemon) RawSysInfo() (*sysinfo.SysInfo, error) {
|
|
| 1876 | 1876 |
daemon.sysInfoOnce.Do(func() {
|
| 1877 | 1877 |
// We check if sysInfo is not set here, to allow some test to |
| 1878 | 1878 |
// override the actual sysInfo. |
| ... | ... |
@@ -1881,7 +1881,7 @@ func (daemon *Daemon) RawSysInfo() *sysinfo.SysInfo {
|
| 1881 | 1881 |
} |
| 1882 | 1882 |
}) |
| 1883 | 1883 |
|
| 1884 |
- return daemon.sysInfo |
|
| 1884 |
+ return daemon.sysInfo, nil |
|
| 1885 | 1885 |
} |
| 1886 | 1886 |
|
| 1887 | 1887 |
// imageBackend is used to satisfy the [executorpkg.ImageBackend] and |
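Review bot: The doc comment at line 1874 in the previous hunk, `// RawSysInfo returns *sysinfo.SysInfo .`, still describes the old single-value signature and says nothing about when the new error result is non-nil; on the visible lines it never is, since the only return is `return daemon.sysInfo, nil`. Suggest `// RawSysInfo returns the daemon's sysinfo.SysInfo, initialised once via sysInfoOnce. The error result is reserved for failures while collecting it and is currently always nil.` If the intent is for the body of `sysInfoOnce.Do` (lines 1878–1881, not in view here) to eventually surface a collection failure, that error has to be stored on the daemon next to `sysInfo` and returned on every call, because a `sync.Once` body runs only once and later callers would otherwise get a nil SysInfo with a nil error. RawSysInfo starts in the previous hunk.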
| ... | ... |
@@ -631,7 +631,10 @@ func verifyPlatformContainerSettings(daemon *Daemon, daemonCfg *configStore, hos |
| 631 | 631 |
if hostConfig == nil {
|
| 632 | 632 |
return nil, nil |
| 633 | 633 |
} |
| 634 |
- sysInfo := daemon.RawSysInfo() |
|
| 634 |
+ sysInfo, err := daemon.RawSysInfo() |
|
| 635 |
+ if err != nil {
|
|
| 636 |
+ return nil, err |
|
| 637 |
+ } |
|
| 635 | 638 |
|
| 636 | 639 |
w, err := verifyPlatformContainerResources(&hostConfig.Resources, sysInfo, update) |
| 637 | 640 |
|
| ... | ... |
@@ -44,7 +44,10 @@ func doWithTrace[T any](ctx context.Context, name string, f func() T) T {
|
| 44 | 44 |
func (daemon *Daemon) SystemInfo(ctx context.Context) (*system.Info, error) {
|
| 45 | 45 |
defer metrics.StartTimer(metrics.HostInfoFunctions.WithValues("system_info"))()
|
| 46 | 46 |
|
| 47 |
- sysInfo := daemon.RawSysInfo() |
|
| 47 |
+ sysInfo, err := daemon.RawSysInfo() |
|
| 48 |
+ if err != nil {
|
|
| 49 |
+ return nil, err |
|
| 50 |
+ } |
|
| 48 | 51 |
cfg := daemon.config() |
| 49 | 52 |
|
| 50 | 53 |
v := &system.Info{
|
| ... | ... |
@@ -272,7 +272,11 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
| 272 | 272 |
|
| 273 | 273 |
// Remove time-namespace if not supported. We can remove this once we |
| 274 | 274 |
// drop support for kernel < 5.6. |
| 275 |
- if !daemon.RawSysInfo().TimeNamespaces {
|
|
| 275 |
+ sysInfo, err := daemon.RawSysInfo() |
|
| 276 |
+ if err != nil {
|
|
| 277 |
+ return errdefs.System(err) |
|
| 278 |
+ } |
|
| 279 |
+ if !sysInfo.TimeNamespaces {
|
|
| 276 | 280 |
oci.RemoveNamespace(s, specs.TimeNamespace) |
| 277 | 281 |
} |
| 278 | 282 |
|
| ... | ... |
@@ -28,7 +28,11 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
| 28 | 28 |
} |
| 29 | 29 |
return err |
| 30 | 30 |
} |
| 31 |
- if !daemon.RawSysInfo().Seccomp {
|
|
| 31 |
+ sysInfo, err := daemon.RawSysInfo() |
|
| 32 |
+ if err != nil {
|
|
| 33 |
+ return err |
|
| 34 |
+ } |
|
| 35 |
+ if !sysInfo.Seccomp {
|
|
| 32 | 36 |
if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileDefault {
|
| 33 | 37 |
return errors.New("seccomp is not enabled in your kernel, cannot run a custom seccomp profile")
|
| 34 | 38 |
} |
| ... | ... |
@@ -39,7 +43,6 @@ func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
| 39 | 39 |
if s.Linux == nil {
|
| 40 | 40 |
s.Linux = &specs.Linux{}
|
| 41 | 41 |
} |
| 42 |
- var err error |
|
| 43 | 42 |
switch {
|
| 44 | 43 |
case c.SeccompProfile == dconfig.SeccompProfileDefault: |
| 45 | 44 |
s.Linux.Seccomp, err = seccomp.GetDefaultProfile(s) |
| ... | ... |
@@ -71,7 +71,7 @@ type commitBackend interface {
|
| 71 | 71 |
} |
| 72 | 72 |
|
| 73 | 73 |
type sysInfoProvider interface {
|
| 74 |
- RawSysInfo() *sysinfo.SysInfo |
|
| 74 |
+ RawSysInfo() (*sysinfo.SysInfo, error) |
|
| 75 | 75 |
} |
| 76 | 76 |
|
| 77 | 77 |
// Backend is all the methods that need to be implemented to provide container specific functionality. |
| ... | ... |
@@ -557,7 +557,11 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo |
| 557 | 557 |
rdr := io.TeeReader(r.Body, &requestBody) |
| 558 | 558 |
|
| 559 | 559 |
// TODO(thaJeztah): do we prefer [backend.ContainerCreateConfig] here? |
| 560 |
- req, err := runconfig.DecodeCreateRequest(rdr, c.backend.RawSysInfo()) |
|
| 560 |
+ sysInfo, err := c.backend.RawSysInfo() |
|
| 561 |
+ if err != nil {
|
|
| 562 |
+ return err |
|
| 563 |
+ } |
|
| 564 |
+ req, err := runconfig.DecodeCreateRequest(rdr, sysInfo) |
|
| 561 | 565 |
if err != nil {
|
| 562 | 566 |
return err |
| 563 | 567 |
} |
| ... | ... |
@@ -598,7 +602,7 @@ func (c *containerRouter) postContainersCreate(ctx context.Context, w http.Respo |
| 598 | 598 |
|
| 599 | 599 |
if versions.LessThan(version, "1.41") {
|
| 600 | 600 |
// Older clients expect the default to be "host" on cgroup v1 hosts |
| 601 |
- if hostConfig.CgroupnsMode.IsEmpty() && !c.backend.RawSysInfo().CgroupUnified {
|
|
| 601 |
+ if hostConfig.CgroupnsMode.IsEmpty() && !sysInfo.CgroupUnified {
|
|
| 602 | 602 |
hostConfig.CgroupnsMode = container.CgroupnsModeHost |
| 603 | 603 |
} |
| 604 | 604 |
} |