Show "seccomp" in docker info (#20909). #21172
Sorry haven't had a chance to review this yet, will do soon.
Seccomp is a security option like AppArmor and SELinux. Neither of them have a specific output in info, why should we differ with that? I think it would be more useful to have a "SecurityOptions" section that shows whatever the user configured.
Also, changes in
For diagnosing issues it is useful to know what is configured, we did discuss in #20909 how to display it. I think a line
Thanks @calavera @justincormack for the feedback. Let me update the pull request accordingly.
21fa2d4 to 6f4585e
6f4585e to b453c2a
This PR updates vendored engine-api to e37a82dfcea64559ca6a581776253c01d83357d9 in order to support `SecurityOptions` in `Info`. See moby#20909, moby#21172 for details related to `SecurityOptions`. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
5e638d5 to e8ebb43
This pull request added a `SecurityOptions` field in the `GET /info` output to show if there is `apparmor`, `seccomp`, or `selinux` support. The API changes are updated in the documentation and the update in `GET /info` is covered by the test case in `TestInfoApi`. This pull request fixes moby#20909. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
e8ebb43 to 190654a
Hi @justincormack @calavera @thaJeztah the Jenkins CI finally passed all tests for this PR (SecurityOptions - seccomp/apparmor/selinux). Let me know if there are any changes I need to make and any comments would be appreciated.
securityOptions = append(securityOptions, "apparmor") | ||
} | ||
if sysInfo.Seccomp { | ||
securityOptions = append(securityOptions, "seccomp") |
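Review bot: The appends under `if sysInfo.Seccomp` (and the `"apparmor"` one above it) put a bare name in the list based only on a boolean from `sysInfo`, so a consumer of `SecurityOptions` cannot tell "the feature is present" from "a profile is being enforced". Add a comment above these appends, and a sentence in the API documentation for the field, stating that an entry means the option is supported and says nothing about which profile, if any, is loaded.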
seccomp and apparmor (?) can have a custom profile loaded. I don't see why this is useful w/o showing what's there. This output is just basically telling me that I have seccomp|apparmor|selinux on my system :| I find this superfluous
i.e. we have a bug report mentioning it's using seccomp but we don't have the profile (if it isn't the default)
The main aim is so when triaging issues we know what a user has installed, which is very hard to find now.
For seccomp the profile is per container run, so the daemon cannot print it. For apparmor it could be useful, but we don't want to always print it I don't think, it is large.
LGTM
LGTM 🐮
LGTM. Moving to docs review.
Docs LGTM
Docs LGTM 🐯
The security information has already been added to `GET /info` in moby#21172. However, it is not part of the output of `docker info` yet. This fix adds the security information to `docker info`. Additional tests have been added to cover changes. This fix fixes moby#23500. This fix is related to moby#20909, moby#21172. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
relates to #21172
The security information has already been added to `GET /info` in moby#21172. However, it is not part of the output of `docker info` yet. This fix adds the security information to `docker info`. Additional tests have been added to cover changes. This fix fixes moby#23500. This fix is related to moby#20909, moby#21172. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> (cherry picked from commit eee20b5)
This pull request added a `SecurityOptions` field in the `GET /info` output to show if there is apparmor, seccomp, or selinux support.

The API changes are updated in the documentation and the update in `GET /info` is covered by the test case in `TestInfoApi`.

This pull request fixes #20909.
Note: a pull request in https://github.com/docker/engine-api will be opened separately.
Signed-off-by: Yong Tang yong.tang.github@outlook.com
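For the triage use discussed in this thread, here is one way a client could read `SecurityOptions` from a saved `GET /info` body and report which expected options the daemon did not list. This is an added example, not code from this pull request: `parseSecurityOptions` and `missingOptions` are hypothetical names and the JSON is constructed. It goes beyond the PR in one respect: besides the bare names described above, it accepts `name=seccomp,profile=default` style entries, which is an assumption about later daemon output and does not appear on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// parseSecurityOptions maps each option name in a GET /info body to its profile
// ("" if none). Bare names and "name=...,profile=..." entries are both accepted.
func parseSecurityOptions(body []byte) (map[string]string, error) {
	var info struct{ SecurityOptions []string }
	if err := json.Unmarshal(body, &info); err != nil {
		return nil, fmt.Errorf("decode /info: %w", err)
	}
	opts := make(map[string]string)
	for _, entry := range info.SecurityOptions {
		name, profile := entry, "" // bare-name form, e.g. "seccomp"
		for _, kv := range strings.Split(entry, ",") {
			if p := strings.SplitN(kv, "=", 2); len(p) == 2 && p[0] == "name" {
				name = p[1]
			} else if len(p) == 2 && p[0] == "profile" {
				profile = p[1]
			}
		}
		if !strings.Contains(name, "=") { // skip entries with no usable name
			opts[name] = profile
		}
	}
	return opts, nil
}

// missingOptions returns the required options the daemon did not report.
func missingOptions(opts map[string]string, required ...string) []string {
	var missing []string
	for _, r := range required {
		if _, ok := opts[r]; !ok {
			missing = append(missing, r)
		}
	}
	return missing
}

func main() {
	body := []byte(`{"SecurityOptions":["apparmor","seccomp"]}`) // constructed sample
	opts, err := parseSecurityOptions(body)
	fmt.Println(opts, missingOptions(opts, "apparmor", "seccomp", "selinux"), err)
}
```

A body with no `SecurityOptions` field at all, as a daemon without this change would return, yields an empty map, so every required option is reported as missing rather than the check failing.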