Show "seccomp" in docker info (#20909). #21172
Conversation
icecrime
added
the
status/failing-ci
|
Sorry haven't had a chance to review this yet, will do soon. |
|
Seccomp is a security option like AppArmor and SELinux. Neither of them have a specific output in info, why should we differ with that? I think it would be more useful to have a "SecurityOptions" section that shows whatever the user configured. |
|
Also, changes in |
|
For diagnosing issues it is useful to know what is configured, we did discuss in #20909 how to display it. I think a line |
|
Thanks @calavera @justincormack for the feedback. Let me update the pull request accordingly. |
yongtang
force-pushed
the
20909-seccomp-in-docker-info
branch
from
21fa2d4
to
6f4585e
Compare
yongtang
force-pushed
the
20909-seccomp-in-docker-info
branch
from
6f4585e
to
b453c2a
Compare
This PR updates vendored engine-api to e37a82dfcea64559ca6a581776253c01d83357d9 in order to support `SecurityOptions` in `Info`. See moby#20909, moby#21172 for details related to `SecurityOptions`. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
yongtang
force-pushed
the
20909-seccomp-in-docker-info
branch
2 times, most recently
from
5e638d5
to
e8ebb43
Compare
This pull request added a `SecurityOptions` field in the `GET /info` output to show if there is `apparmor`, `seccomp`, or `selinux` suport. The API changes are updated in the documentation and the update in `GET /info` is covered by the test case in `TestInfoApi`. This pull request fixes moby#20909. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
yongtang
force-pushed
the
20909-seccomp-in-docker-info
branch
from
e8ebb43
to
190654a
Compare
|
Hi @justincormack @calavera @thaJeztah the Jenkins CI finally passed all tests for this PR (SecurityOptions - seccomp/apparmor/selinux). Let me know if there are any changes I need to make and any comments would be appreciated. |
vdemeester
removed
the
status/failing-ci
| securityOptions = append(securityOptions, "apparmor") | ||
| } | ||
| if sysInfo.Seccomp { | ||
| securityOptions = append(securityOptions, "seccomp") |
There was a problem hiding this comment.
seccomp and apparmor (?) can have a custom profile loaded. I don't see why this is useful w/o showing what's there. This output is just basically telling me that I have seccomp|apparmor|selinux on my system :| I find this superfluous
There was a problem hiding this comment.
i.e. we have a bug report mentioning it's using seccomp but we don't have the profile (if it isn't the default)
There was a problem hiding this comment.
The main aim is so when triaging issues we know what a user has installed, which is very hard to find now.
For seccomp the profile is per container run, so the daemon cannot print it. For apparmor it could be useful, but we dont want to always print it I dont think, it is large.
|
LGTM |
|
LGTM 🐮 |
|
LGTM. Moving to docs review. |
|
Docs LGTM |
|
Docs LGTM 🐯 |
The security infomation has already been added to `GET /info` in moby#21172. However, it is not part of the output of `docker info` yet. This fix adds the security information to `docker info`. Additional tests has been added to cover changes. This fix fixes moby#23500. This fix is related to moby#20909, moby#21172. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
|
relates to #21172 |
The security infomation has already been added to `GET /info` in moby#21172. However, it is not part of the output of `docker info` yet. This fix adds the security information to `docker info`. Additional tests has been added to cover changes. This fix fixes moby#23500. This fix is related to moby#20909, moby#21172. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> (cherry picked from commit eee20b5)
This pull request added a
SecurityOptionsfield in theGET /infooutput to show if there is apparmor, seccomp, or selinux suport.The API changes are updated in the documentation and the update in
GET /infois covered by the test case inTestInfoApi.This pull request fixes #20909.
Note: a pull request in https://github.com/docker/engine-api will be opened separately.
Signed-off-by: Yong Tang yong.tang.github@outlook.com