Merge pull request #8799 from rhatdan/selinux

Add Security information to podman info
This commit is contained in:
OpenShift Merge Robot
2020-12-22 10:23:58 -05:00
committed by GitHub
11 changed files with 123 additions and 82 deletions


@ -31,17 +31,18 @@ Run podman info with plain text response:
$ podman info $ podman info
host: host:
arch: amd64 arch: amd64
buildahVersion: 1.15.0 buildahVersion: 1.19.0-dev
cgroupVersion: v1 cgroupManager: systemd
cgroupVersion: v2
conmon: conmon:
package: conmon-2.0.16-2.fc32.x86_64 package: conmon-2.0.22-2.fc33.x86_64
path: /usr/bin/conmon path: /usr/bin/conmon
version: 'conmon version 2.0.16, commit: 1044176f7dd177c100779d1c63931d6022e419bd' version: 'conmon version 2.0.22, commit: 1be6c73605006a85f7ed60b7f76a51e28eb67e01'
cpus: 8 cpus: 8
distribution: distribution:
distribution: fedora distribution: fedora
version: "32" version: "33"
eventLogger: file eventLogger: journald
hostname: localhost.localdomain hostname: localhost.localdomain
idMappings: idMappings:
gidmap: gidmap:
@ -58,33 +59,41 @@ host:
- container_id: 1 - container_id: 1
host_id: 100000 host_id: 100000
size: 65536 size: 65536
kernel: 5.6.11-300.fc32.x86_64 kernel: 5.9.11-200.fc33.x86_64
linkmode: dynamic linkmode: dynamic
memFree: 1401929728 memFree: 837505024
memTotal: 16416161792 memTotal: 16416481280
ociRuntime: ociRuntime:
name: runc name: crun
package: containerd.io-1.2.10-3.2.fc31.x86_64 package: crun-0.16-1.fc33.x86_64
path: /usr/bin/runc path: /usr/bin/crun
version: |- version: |-
runc version 1.0.0-rc8+dev crun version 0.16
commit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657 commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
spec: 1.0.1-dev spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux os: linux
remoteSocket: remoteSocket:
exists: false exists: true
path: /run/user/1000/podman/podman.sock path: /run/user/3267/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true rootless: true
seccompEnabled: true
selinuxEnabled: true
slirp4netns: slirp4netns:
executable: /bin/slirp4netns executable: /bin/slirp4netns
package: slirp4netns-1.0.0-1.fc32.x86_64 package: slirp4netns-1.1.4-4.dev.giteecccdb.fc33.x86_64
version: |- version: |-
slirp4netns version 1.0.0 slirp4netns version 1.1.4+dev
commit: a3be729152a33e692cd28b52f664defbf2e7810a commit: eecccdb96f587b11d7764556ffacfeaffe4b6e11
libslirp: 4.2.0 libslirp: 4.3.1
swapFree: 8291610624 SLIRP_CONFIG_VERSION_MAX: 3
swapTotal: 8296329216 libseccomp: 2.5.0
uptime: 52h 29m 39.78s (Approximately 2.17 days) swapFree: 6509203456
swapTotal: 12591292416
uptime: 264h 14m 32.73s (Approximately 11.00 days)
registries: registries:
search: search:
- registry.fedoraproject.org - registry.fedoraproject.org
@ -94,19 +103,19 @@ registries:
store: store:
configFile: /home/dwalsh/.config/containers/storage.conf configFile: /home/dwalsh/.config/containers/storage.conf
containerStore: containerStore:
number: 2 number: 3
paused: 0 paused: 0
running: 0 running: 0
stopped: 2 stopped: 3
graphDriverName: overlay graphDriverName: overlay
graphOptions: graphOptions:
overlay.mount_program: overlay.mount_program:
Executable: /home/dwalsh/bin/fuse-overlayfs Executable: /home/dwalsh/bin/fuse-overlayfs
Package: Unknown Package: Unknown
Version: |- Version: |-
fusermount3 version: 3.9.1 fusermount3 version: 3.9.3
fuse-overlayfs: version 0.7.2 fuse-overlayfs: version 0.7.2
FUSE library version 3.9.1 FUSE library version 3.9.3
using FUSE kernel interface version 7.31 using FUSE kernel interface version 7.31
graphRoot: /home/dwalsh/.local/share/containers/storage graphRoot: /home/dwalsh/.local/share/containers/storage
graphStatus: graphStatus:
@ -115,36 +124,38 @@ store:
Supports d_type: "true" Supports d_type: "true"
Using metacopy: "false" Using metacopy: "false"
imageStore: imageStore:
number: 7 number: 77
runRoot: /run/user/3267/containers runRoot: /run/user/3267/containers
volumePath: /home/dwalsh/.local/share/containers/storage/volumes volumePath: /home/dwalsh/.local/share/containers/storage/volumes
version: version:
Built: 1589899246 APIVersion: 3.0.0
BuiltTime: Tue May 19 10:40:46 2020 Built: 1608562922
GitCommit: c3678ce3289f4195f3f16802411e795c6a587c9f-dirty BuiltTime: Mon Dec 21 10:02:02 2020
GoVersion: go1.14.2 GitCommit: d6925182cdaf94225908a386d02eae8fd3e01123-dirty
GoVersion: go1.15.5
OsArch: linux/amd64 OsArch: linux/amd64
APIVersion: 1 Version: 3.0.0-dev
Version: 2.0.0
``` ```
Run podman info with JSON formatted response: Run podman info with JSON formatted response:
``` ```
{ {
"host": { "host": {
"arch": "amd64", "arch": "amd64",
"buildahVersion": "1.15.0", "buildahVersion": "1.19.0-dev",
"cgroupVersion": "v1", "cgroupManager": "systemd",
"cgroupVersion": "v2",
"conmon": { "conmon": {
"package": "conmon-2.0.16-2.fc32.x86_64", "package": "conmon-2.0.22-2.fc33.x86_64",
"path": "/usr/bin/conmon", "path": "/usr/bin/conmon",
"version": "conmon version 2.0.16, commit: 1044176f7dd177c100779d1c63931d6022e419bd" "version": "conmon version 2.0.22, commit: 1be6c73605006a85f7ed60b7f76a51e28eb67e01"
}, },
"cpus": 8, "cpus": 8,
"distribution": { "distribution": {
"distribution": "fedora", "distribution": "fedora",
"version": "32" "version": "33"
}, },
"eventLogger": "file", "eventLogger": "journald",
"hostname": "localhost.localdomain", "hostname": "localhost.localdomain",
"idMappings": { "idMappings": {
"gidmap": [ "gidmap": [
@ -172,45 +183,51 @@ Run podman info with JSON formatted response:
} }
] ]
}, },
"kernel": "5.6.11-300.fc32.x86_64", "kernel": "5.9.11-200.fc33.x86_64",
"memFree": 1380356096, "memFree": 894574592,
"memTotal": 16416161792, "memTotal": 16416481280,
"ociRuntime": { "ociRuntime": {
"name": "runc", "name": "crun",
"package": "containerd.io-1.2.10-3.2.fc31.x86_64", "package": "crun-0.16-1.fc33.x86_64",
"path": "/usr/bin/runc", "path": "/usr/bin/crun",
"version": "runc version 1.0.0-rc8+dev\ncommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657\nspec: 1.0.1-dev" "version": "crun version 0.16\ncommit: eb0145e5ad4d8207e84a327248af76663d4e50dd\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL"
}, },
"os": "linux", "os": "linux",
"remoteSocket": { "remoteSocket": {
"path": "/run/user/1000/podman/podman.sock", "path": "/run/user/3267/podman/podman.sock",
"exists": false "exists": true
}, },
"security": {
"apparmorEnabled": false,
"capabilities": "CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT",
"rootless": true, "rootless": true,
"seccompEnabled": true,
"selinuxEnabled": true
},
"slirp4netns": { "slirp4netns": {
"executable": "/bin/slirp4netns", "executable": "/bin/slirp4netns",
"package": "slirp4netns-1.0.0-1.fc32.x86_64", "package": "slirp4netns-1.1.4-4.dev.giteecccdb.fc33.x86_64",
"version": "slirp4netns version 1.0.0\ncommit: a3be729152a33e692cd28b52f664defbf2e7810a\nlibslirp: 4.2.0" "version": "slirp4netns version 1.1.4+dev\ncommit: eecccdb96f587b11d7764556ffacfeaffe4b6e11\nlibslirp: 4.3.1\nSLIRP_CONFIG_VERSION_MAX: 3\nlibseccomp: 2.5.0"
}, },
"swapFree": 8291610624, "swapFree": 6509203456,
"swapTotal": 8296329216, "swapTotal": 12591292416,
"uptime": "52h 27m 39.38s (Approximately 2.17 days)", "uptime": "264h 13m 12.39s (Approximately 11.00 days)",
"linkmode": "dynamic" "linkmode": "dynamic"
}, },
"store": { "store": {
"configFile": "/home/dwalsh/.config/containers/storage.conf", "configFile": "/home/dwalsh/.config/containers/storage.conf",
"containerStore": { "containerStore": {
"number": 2, "number": 3,
"paused": 0, "paused": 0,
"running": 0, "running": 0,
"stopped": 2 "stopped": 3
}, },
"graphDriverName": "overlay", "graphDriverName": "overlay",
"graphOptions": { "graphOptions": {
"overlay.mount_program": { "overlay.mount_program": {
"Executable": "/home/dwalsh/bin/fuse-overlayfs", "Executable": "/home/dwalsh/bin/fuse-overlayfs",
"Package": "Unknown", "Package": "Unknown",
"Version": "fusermount3 version: 3.9.1\nfuse-overlayfs: version 0.7.2\nFUSE library version 3.9.1\nusing FUSE kernel interface version 7.31" "Version": "fusermount3 version: 3.9.3\nfuse-overlayfs: version 0.7.2\nFUSE library version 3.9.3\nusing FUSE kernel interface version 7.31"
} }
}, },
"graphRoot": "/home/dwalsh/.local/share/containers/storage", "graphRoot": "/home/dwalsh/.local/share/containers/storage",
@ -221,7 +238,7 @@ Run podman info with JSON formatted response:
"Using metacopy": "false" "Using metacopy": "false"
}, },
"imageStore": { "imageStore": {
"number": 7 "number": 77
}, },
"runRoot": "/run/user/3267/containers", "runRoot": "/run/user/3267/containers",
"volumePath": "/home/dwalsh/.local/share/containers/storage/volumes" "volumePath": "/home/dwalsh/.local/share/containers/storage/volumes"
@ -235,12 +252,12 @@ Run podman info with JSON formatted response:
] ]
}, },
"version": { "version": {
"APIVersion": 1, "APIVersion": "3.0.0",
"Version": "2.0.0", "Version": "3.0.0-dev",
"GoVersion": "go1.14.2", "GoVersion": "go1.15.5",
"GitCommit": "c3678ce3289f4195f3f16802411e795c6a587c9f-dirty", "GitCommit": "d6925182cdaf94225908a386d02eae8fd3e01123-dirty",
"BuiltTime": "Tue May 19 10:40:46 2020", "BuiltTime": "Mon Dec 21 10:02:02 2020",
"Built": 1589899246, "Built": 1608562922,
"OsArch": "linux/amd64" "OsArch": "linux/amd64"
} }
} }

go.mod

@ -11,7 +11,7 @@ require (
github.com/containernetworking/cni v0.8.0 github.com/containernetworking/cni v0.8.0
github.com/containernetworking/plugins v0.9.0 github.com/containernetworking/plugins v0.9.0
github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c
github.com/containers/common v0.31.1 github.com/containers/common v0.31.2
github.com/containers/conmon v2.0.20+incompatible github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.9.0 github.com/containers/image/v5 v5.9.0
github.com/containers/psgo v1.5.1 github.com/containers/psgo v1.5.1

go.sum

@ -96,8 +96,8 @@ github.com/containernetworking/plugins v0.9.0/go.mod h1:dbWv4dI0QrBGuVgj+TuVQ6wJ
github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c h1:DnJiPjBKeoZbzjkUA6YMf/r5ShYpNacK+EcQ/ui1Mxo= github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c h1:DnJiPjBKeoZbzjkUA6YMf/r5ShYpNacK+EcQ/ui1Mxo=
github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c/go.mod h1:hvIoL3urgYPL0zX8XlK05aWP6qfUnBNqTrsedsYw6OY= github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c/go.mod h1:hvIoL3urgYPL0zX8XlK05aWP6qfUnBNqTrsedsYw6OY=
github.com/containers/common v0.31.0/go.mod h1:yT4GTUHsKRmpaDb+mecXRnIMre7W3ZgwXqaYMywXlaA= github.com/containers/common v0.31.0/go.mod h1:yT4GTUHsKRmpaDb+mecXRnIMre7W3ZgwXqaYMywXlaA=
github.com/containers/common v0.31.1 h1:oBINnZpYZ2u90HPMnVCXOhm/TsTaTB7wU/56l05hq44= github.com/containers/common v0.31.2 h1:sNYwvLA4B7SpEiAWTUvkItPlCrUa2vcxh0FTKXKoC3Q=
github.com/containers/common v0.31.1/go.mod h1:Fehe82hQfJQvDspnRrV9rcdAWG3IalNHEt0F6QWNBHQ= github.com/containers/common v0.31.2/go.mod h1:Fehe82hQfJQvDspnRrV9rcdAWG3IalNHEt0F6QWNBHQ=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ= github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=


@ -11,6 +11,15 @@ type Info struct {
Version Version `json:"version"` Version Version `json:"version"`
} }
//HostInfo describes the libpod host
type SecurityInfo struct {
AppArmorEnabled bool `json:"apparmorEnabled"`
DefaultCapabilities string `json:"capabilities"`
Rootless bool `json:"rootless"`
SECCOMPEnabled bool `json:"seccompEnabled"`
SELinuxEnabled bool `json:"selinuxEnabled"`
}
//HostInfo describes the libpod host //HostInfo describes the libpod host
type HostInfo struct { type HostInfo struct {
Arch string `json:"arch"` Arch string `json:"arch"`
@ -29,8 +38,8 @@ type HostInfo struct {
OCIRuntime *OCIRuntimeInfo `json:"ociRuntime"` OCIRuntime *OCIRuntimeInfo `json:"ociRuntime"`
OS string `json:"os"` OS string `json:"os"`
RemoteSocket *RemoteSocket `json:"remoteSocket,omitempty"` RemoteSocket *RemoteSocket `json:"remoteSocket,omitempty"`
Rootless bool `json:"rootless"`
RuntimeInfo map[string]interface{} `json:"runtimeInfo,omitempty"` RuntimeInfo map[string]interface{} `json:"runtimeInfo,omitempty"`
Security SecurityInfo `json:"security"`
Slirp4NetNS SlirpInfo `json:"slirp4netns,omitempty"` Slirp4NetNS SlirpInfo `json:"slirp4netns,omitempty"`
SwapFree int64 `json:"swapFree"` SwapFree int64 `json:"swapFree"`
SwapTotal int64 `json:"swapTotal"` SwapTotal int64 `json:"swapTotal"`
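Review bot: The doc comment on the new SecurityInfo type (the `//HostInfo describes the libpod host` line directly above `type SecurityInfo struct`) is a copy of HostInfo's and describes the wrong type; replace it with `// SecurityInfo describes the security features (AppArmor, seccomp, SELinux, rootless, default capabilities) reported for the libpod host.` DefaultCapabilities is serialized under the key `capabilities`, so a field comment such as `// DefaultCapabilities is the capability set configured for new containers, not the capabilities held by this process; serialized as "capabilities".` would keep API readers from misreading it as a live measurement. Moving Rootless out of HostInfo also relocates the JSON key from `host.rootless` to `host.security.rootless`, so `--format '{{.Host.Rootless}}'` templates and API clients keyed on the old location would presumably break; a deprecated alias on HostInfo or a note in the description seems warranted. The enclosing Info struct opens above the hunk and HostInfo continues past it.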


@ -13,6 +13,8 @@ import (
"time" "time"
"github.com/containers/buildah" "github.com/containers/buildah"
"github.com/containers/common/pkg/apparmor"
"github.com/containers/common/pkg/seccomp"
"github.com/containers/podman/v2/libpod/define" "github.com/containers/podman/v2/libpod/define"
"github.com/containers/podman/v2/libpod/linkmode" "github.com/containers/podman/v2/libpod/linkmode"
"github.com/containers/podman/v2/pkg/cgroups" "github.com/containers/podman/v2/pkg/cgroups"
@ -20,6 +22,7 @@ import (
"github.com/containers/podman/v2/pkg/rootless" "github.com/containers/podman/v2/pkg/rootless"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/containers/storage/pkg/system" "github.com/containers/storage/pkg/system"
"github.com/opencontainers/selinux/go-selinux"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -98,7 +101,13 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
MemFree: mi.MemFree, MemFree: mi.MemFree,
MemTotal: mi.MemTotal, MemTotal: mi.MemTotal,
OS: runtime.GOOS, OS: runtime.GOOS,
Security: define.SecurityInfo{
AppArmorEnabled: apparmor.IsEnabled(),
DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","),
Rootless: rootless.IsRootless(), Rootless: rootless.IsRootless(),
SECCOMPEnabled: seccomp.IsEnabled(),
SELinuxEnabled: selinux.GetEnabled(),
},
Slirp4NetNS: define.SlirpInfo{}, Slirp4NetNS: define.SlirpInfo{},
SwapFree: mi.SwapFree, SwapFree: mi.SwapFree,
SwapTotal: mi.SwapTotal, SwapTotal: mi.SwapTotal,
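Review bot: `DefaultCapabilities` is filled from `r.config.Containers.DefaultCapabilities`, a configured default for new containers rather than anything probed on the host, yet it sits next to `apparmor.IsEnabled()`/`selinux.GetEnabled()`, which are live checks; a comment at the assignment would stop readers treating it as the podman process's effective capability set, e.g. `// Configured default capability set for new containers (containers.conf), not the capabilities this process holds; under rootless what a container can do with them is further constrained by the user namespace — confirm.` Likewise, if `seccomp.IsEnabled()` only reports kernel support (a stub elsewhere in this commit hard-codes it to false and adds a separate IsSupported), the `seccompEnabled` key may be read as "a profile is applied"; it is worth confirming which is meant and saying so next to the call. hostInfo begins and ends outside this hunk.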


@ -380,7 +380,7 @@ default_sysctls = [
# Directory for temporary files. Must be tmpfs (wiped after reboot) # Directory for temporary files. Must be tmpfs (wiped after reboot)
# #
# tmp_dir = "/var/run/libpod" # tmp_dir = "/run/libpod"
# Directory for libpod named volumes. # Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage # By default, this will be configured relative to where containers/storage


@ -320,7 +320,7 @@ func defaultConfigFromMemory() (*EngineConfig, error) {
func defaultTmpDir() (string, error) { func defaultTmpDir() (string, error) {
if !unshare.IsRootless() { if !unshare.IsRootless() {
return "/var/run/libpod", nil return "/run/libpod", nil
} }
runtimeDir, err := getRuntimeDir() runtimeDir, err := getRuntimeDir()


@ -1,4 +1,4 @@
// +build !seccomp // +build !linux !seccomp
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
@ -38,3 +38,9 @@ func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSe
func IsEnabled() bool { func IsEnabled() bool {
return false return false
} }
// IsSupported returns true if the system has been configured to support
// seccomp.
func IsSupported() bool {
return false
}


@ -1,4 +1,4 @@
// +build !windows // +build linux,seccomp
package seccomp package seccomp


@ -1,4 +1,4 @@
package version package version
// Version is the version of the build. // Version is the version of the build.
const Version = "0.31.2-dev" const Version = "0.31.2"

vendor/modules.txt vendored

@ -86,7 +86,7 @@ github.com/containers/buildah/pkg/parse
github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/pkg/supplemented
github.com/containers/buildah/util github.com/containers/buildah/util
# github.com/containers/common v0.31.1 # github.com/containers/common v0.31.2
github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/apparmor
github.com/containers/common/pkg/apparmor/internal/supported github.com/containers/common/pkg/apparmor/internal/supported
github.com/containers/common/pkg/auth github.com/containers/common/pkg/auth