New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
oci/caps: refactor, remove unused code, and improved error messages #41459
Conversation
8606000
to
d099749
Compare
@kolyshkin @AkihiroSuda ptal |
@cpuguy83 @tonistiigi ptal 🤗 |
oci/caps/utils.go
Outdated
allCaps = make([]string, capability.CAP_LAST_CAP+1) | ||
capabilityList = make(map[string]*capability.Cap, len(capability.List())) | ||
for i, c := range capability.List() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The implementation of capability.List()
appears to generate/return a new slice of the full list, so it seems a tiny bit wasteful to call twice -- should probably go into a variable for len()
vs for
?
allCaps = make([]string, capability.CAP_LAST_CAP+1) | |
capabilityList = make(map[string]*capability.Cap, len(capability.List())) | |
for i, c := range capability.List() { | |
allCaps = make([]string, capability.CAP_LAST_CAP+1) | |
rawCaps := capability.List() | |
capabilityList = make(map[string]*capability.Cap, len(rawCaps)) | |
for i, c := range rawCaps { |
Does it also make sense to use len(rawCaps)
for the size of allCaps
, given that we do allCaps[i] = ...
below, which will be based on the number of capabilities total, not on the maximum value? (or is that an implementation bug that should've been allCaps[c]
instead? Looking at how it gets used/returned, it doesn't seem like a bug so it looks like we're allocating more space than we actually need here. 😅)
allCaps = make([]string, capability.CAP_LAST_CAP+1) | |
capabilityList = make(map[string]*capability.Cap, len(capability.List())) | |
for i, c := range capability.List() { | |
rawCaps := capability.List() | |
allCaps = make([]string, len(rawCaps)) | |
capabilityList = make(map[string]*capability.Cap, len(rawCaps)) | |
for i, c := range rawCaps { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at how it gets used/returned, it doesn't seem like a bug so it looks like we're allocating more space than we actually need here
Hmmm good point, so I don't think it's a bug (but I do take advantage of the fact that all the caps are in sequential order as proxy for "length") as CAP_LAST_CAP
should be <= len(capability.List()
;
f, err := os.Open("/proc/sys/kernel/cap_last_cap") |
Hmmm... although
- it's initially set to
Cap(63)
, and will be if the code above check fails - newer kernels may support more capabilities than what the library supports, so we should check something like
math.Min(len(rawCaps), CAP_LAST_CAP+1)
capName := "CAP_" + strings.ToUpper(c.String()) | ||
if c > capability.CAP_LAST_CAP { | ||
capabilityList[capName] = nil | ||
continue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we reach CAP_LAST_CAP
we continue here, so allCaps
will no longer get more capabilities after that
c349a56
to
9c80d4b
Compare
@tianon updated; let me know if this is what you meant/pointed out |
9c80d4b
to
22717a8
Compare
9cf208d
to
06d1bb2
Compare
e7f4fb4
to
ab249cd
Compare
We no longer support these kernels, so we can remove the workaround Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
A capability can either be invalid, or not supported by the kernel on which we're running. This patch changes the error message produced to reflect if the capability is invalid/unknown, or a known capability, but not supported by the kernel version. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `CapabilityMapping` and `Capabilities` types appeared to be only used locally, and added unneeded complexity. This patch removes those types, and simplifies the logic to use a map that maps names to `capability.Cap`s Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
ab249cd
to
58c4c12
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
A capability can either be invalid, or not supported by the kernel on which we're running. This patch changes the error message produced to reflect if the capability is invalid/unknown, or a known capability, but not supported by the kernel version.
GetCapability()
andValidateCapabilities()
The
CapabilityMapping
andCapabilities
types appeared to be only used locally, and added unneeded complexity. This patch removes those types, and simplifies the logic to use a map that maps names tocapability.Cap
sWe no longer support these kernels, so we can remove the workaround