opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-21 01:19:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8799 from rhatdan/selinux

Browse Source 
Add Security information to podman info
This commit is contained in:
OpenShift Merge Robot
2020-12-22 10:23:58 -05:00
committed by GitHub
parent 182646b01a 04b43ccf64
commit 2d8b80232d
11 changed files with 123 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
docs/source/markdown/podman-info.1.md
View File

@ -31,17 +31,18 @@ Run podman info with plain text response:
$ podman info $ podman info
host: host:
arch: amd64 arch: amd64
buildahVersion: 1.15.0 buildahVersion: 1.19.0-dev
cgroupVersion: v1 cgroupManager: systemd
cgroupVersion: v2
conmon: conmon:
package: conmon-2.0.16-2.fc32.x86_64 package: conmon-2.0.22-2.fc33.x86_64
path: /usr/bin/conmon path: /usr/bin/conmon
version: 'conmon version 2.0.16, commit: 1044176f7dd177c100779d1c63931d6022e419bd' version: 'conmon version 2.0.22, commit: 1be6c73605006a85f7ed60b7f76a51e28eb67e01'
cpus: 8 cpus: 8
distribution: distribution:
distribution: fedora distribution: fedora
version: "32" version: "33"
eventLogger: file eventLogger: journald
hostname: localhost.localdomain hostname: localhost.localdomain
idMappings: idMappings:
gidmap: gidmap:
@ -58,33 +59,41 @@ host:
- container_id: 1 - container_id: 1
host_id: 100000 host_id: 100000
size: 65536 size: 65536
kernel: 5.6.11-300.fc32.x86_64 kernel: 5.9.11-200.fc33.x86_64
linkmode: dynamic linkmode: dynamic
memFree: 1401929728 memFree: 837505024
memTotal: 16416161792 memTotal: 16416481280
ociRuntime: ociRuntime:
name: runc name: crun
package: containerd.io-1.2.10-3.2.fc31.x86_64 package: crun-0.16-1.fc33.x86_64
path: /usr/bin/runc path: /usr/bin/crun
version: |- version: |-
runc version 1.0.0-rc8+dev crun version 0.16
commit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657 commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
spec: 1.0.1-dev spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux os: linux
remoteSocket: remoteSocket:
exists: false exists: true
path: /run/user/1000/podman/podman.sock path: /run/user/3267/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true rootless: true
seccompEnabled: true
selinuxEnabled: true
slirp4netns: slirp4netns:
executable: /bin/slirp4netns executable: /bin/slirp4netns
package: slirp4netns-1.0.0-1.fc32.x86_64 package: slirp4netns-1.1.4-4.dev.giteecccdb.fc33.x86_64
version: |- version: |-
slirp4netns version 1.0.0 slirp4netns version 1.1.4+dev
commit: a3be729152a33e692cd28b52f664defbf2e7810a commit: eecccdb96f587b11d7764556ffacfeaffe4b6e11
libslirp: 4.2.0 libslirp: 4.3.1
swapFree: 8291610624 SLIRP_CONFIG_VERSION_MAX: 3
swapTotal: 8296329216 libseccomp: 2.5.0
uptime: 52h 29m 39.78s (Approximately 2.17 days) swapFree: 6509203456
swapTotal: 12591292416
uptime: 264h 14m 32.73s (Approximately 11.00 days)
registries: registries:
search: search:
- registry.fedoraproject.org - registry.fedoraproject.org
@ -94,19 +103,19 @@ registries:
store: store:
configFile: /home/dwalsh/.config/containers/storage.conf configFile: /home/dwalsh/.config/containers/storage.conf
containerStore: containerStore:
number: 2 number: 3
paused: 0 paused: 0
running: 0 running: 0
stopped: 2 stopped: 3
graphDriverName: overlay graphDriverName: overlay
graphOptions: graphOptions:
overlay.mount_program: overlay.mount_program:
Executable: /home/dwalsh/bin/fuse-overlayfs Executable: /home/dwalsh/bin/fuse-overlayfs
Package: Unknown Package: Unknown
Version: |- Version: |-
fusermount3 version: 3.9.1 fusermount3 version: 3.9.3
fuse-overlayfs: version 0.7.2 fuse-overlayfs: version 0.7.2
FUSE library version 3.9.1 FUSE library version 3.9.3
using FUSE kernel interface version 7.31 using FUSE kernel interface version 7.31
graphRoot: /home/dwalsh/.local/share/containers/storage graphRoot: /home/dwalsh/.local/share/containers/storage
graphStatus: graphStatus:
@ -115,36 +124,38 @@ store:
Supports d_type: "true" Supports d_type: "true"
Using metacopy: "false" Using metacopy: "false"
imageStore: imageStore:
number: 7 number: 77
runRoot: /run/user/3267/containers runRoot: /run/user/3267/containers
volumePath: /home/dwalsh/.local/share/containers/storage/volumes volumePath: /home/dwalsh/.local/share/containers/storage/volumes
version: version:
Built: 1589899246 APIVersion: 3.0.0
BuiltTime: Tue May 19 10:40:46 2020 Built: 1608562922
GitCommit: c3678ce3289f4195f3f16802411e795c6a587c9f-dirty BuiltTime: Mon Dec 21 10:02:02 2020
GoVersion: go1.14.2 GitCommit: d6925182cdaf94225908a386d02eae8fd3e01123-dirty
GoVersion: go1.15.5
OsArch: linux/amd64 OsArch: linux/amd64
APIVersion: 1 Version: 3.0.0-dev
Version: 2.0.0
``` ```
Run podman info with JSON formatted response: Run podman info with JSON formatted response:
``` ```
{ {
"host": { "host": {
"arch": "amd64", "arch": "amd64",
"buildahVersion": "1.15.0", "buildahVersion": "1.19.0-dev",
"cgroupVersion": "v1", "cgroupManager": "systemd",
"cgroupVersion": "v2",
"conmon": { "conmon": {
"package": "conmon-2.0.16-2.fc32.x86_64", "package": "conmon-2.0.22-2.fc33.x86_64",
"path": "/usr/bin/conmon", "path": "/usr/bin/conmon",
"version": "conmon version 2.0.16, commit: 1044176f7dd177c100779d1c63931d6022e419bd" "version": "conmon version 2.0.22, commit: 1be6c73605006a85f7ed60b7f76a51e28eb67e01"
}, },
"cpus": 8, "cpus": 8,
"distribution": { "distribution": {
"distribution": "fedora", "distribution": "fedora",
"version": "32" "version": "33"
}, },
"eventLogger": "file", "eventLogger": "journald",
"hostname": "localhost.localdomain", "hostname": "localhost.localdomain",
"idMappings": { "idMappings": {
"gidmap": [ "gidmap": [
@ -172,45 +183,51 @@ Run podman info with JSON formatted response:
} }
] ]
}, },
"kernel": "5.6.11-300.fc32.x86_64", "kernel": "5.9.11-200.fc33.x86_64",
"memFree": 1380356096, "memFree": 894574592,
"memTotal": 16416161792, "memTotal": 16416481280,
"ociRuntime": { "ociRuntime": {
"name": "runc", "name": "crun",
"package": "containerd.io-1.2.10-3.2.fc31.x86_64", "package": "crun-0.16-1.fc33.x86_64",
"path": "/usr/bin/runc", "path": "/usr/bin/crun",
"version": "runc version 1.0.0-rc8+dev\ncommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657\nspec: 1.0.1-dev" "version": "crun version 0.16\ncommit: eb0145e5ad4d8207e84a327248af76663d4e50dd\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL"
}, },
"os": "linux", "os": "linux",
"remoteSocket": { "remoteSocket": {
"path": "/run/user/1000/podman/podman.sock", "path": "/run/user/3267/podman/podman.sock",
"exists": false "exists": true
}, },
"security": {
"apparmorEnabled": false,
"capabilities": "CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT",
"rootless": true, "rootless": true,
"seccompEnabled": true,
"selinuxEnabled": true
},
"slirp4netns": { "slirp4netns": {
"executable": "/bin/slirp4netns", "executable": "/bin/slirp4netns",
"package": "slirp4netns-1.0.0-1.fc32.x86_64", "package": "slirp4netns-1.1.4-4.dev.giteecccdb.fc33.x86_64",
"version": "slirp4netns version 1.0.0\ncommit: a3be729152a33e692cd28b52f664defbf2e7810a\nlibslirp: 4.2.0" "version": "slirp4netns version 1.1.4+dev\ncommit: eecccdb96f587b11d7764556ffacfeaffe4b6e11\nlibslirp: 4.3.1\nSLIRP_CONFIG_VERSION_MAX: 3\nlibseccomp: 2.5.0"
}, },
"swapFree": 8291610624, "swapFree": 6509203456,
"swapTotal": 8296329216, "swapTotal": 12591292416,
"uptime": "52h 27m 39.38s (Approximately 2.17 days)", "uptime": "264h 13m 12.39s (Approximately 11.00 days)",
"linkmode": "dynamic" "linkmode": "dynamic"
}, },
"store": { "store": {
"configFile": "/home/dwalsh/.config/containers/storage.conf", "configFile": "/home/dwalsh/.config/containers/storage.conf",
"containerStore": { "containerStore": {
"number": 2, "number": 3,
"paused": 0, "paused": 0,
"running": 0, "running": 0,
"stopped": 2 "stopped": 3
}, },
"graphDriverName": "overlay", "graphDriverName": "overlay",
"graphOptions": { "graphOptions": {
"overlay.mount_program": { "overlay.mount_program": {
"Executable": "/home/dwalsh/bin/fuse-overlayfs", "Executable": "/home/dwalsh/bin/fuse-overlayfs",
"Package": "Unknown", "Package": "Unknown",
"Version": "fusermount3 version: 3.9.1\nfuse-overlayfs: version 0.7.2\nFUSE library version 3.9.1\nusing FUSE kernel interface version 7.31" "Version": "fusermount3 version: 3.9.3\nfuse-overlayfs: version 0.7.2\nFUSE library version 3.9.3\nusing FUSE kernel interface version 7.31"
} }
}, },
"graphRoot": "/home/dwalsh/.local/share/containers/storage", "graphRoot": "/home/dwalsh/.local/share/containers/storage",
@ -221,7 +238,7 @@ Run podman info with JSON formatted response:
"Using metacopy": "false" "Using metacopy": "false"
}, },
"imageStore": { "imageStore": {
"number": 7 "number": 77
}, },
"runRoot": "/run/user/3267/containers", "runRoot": "/run/user/3267/containers",
"volumePath": "/home/dwalsh/.local/share/containers/storage/volumes" "volumePath": "/home/dwalsh/.local/share/containers/storage/volumes"
@ -235,12 +252,12 @@ Run podman info with JSON formatted response:
] ]
}, },
"version": { "version": {
"APIVersion": 1, "APIVersion": "3.0.0",
"Version": "2.0.0", "Version": "3.0.0-dev",
"GoVersion": "go1.14.2", "GoVersion": "go1.15.5",
"GitCommit": "c3678ce3289f4195f3f16802411e795c6a587c9f-dirty", "GitCommit": "d6925182cdaf94225908a386d02eae8fd3e01123-dirty",
"BuiltTime": "Tue May 19 10:40:46 2020", "BuiltTime": "Mon Dec 21 10:02:02 2020",
"Built": 1589899246, "Built": 1608562922,
"OsArch": "linux/amd64" "OsArch": "linux/amd64"
} }
} }

2
go.mod
View File

@ -11,7 +11,7 @@ require (
github.com/containernetworking/cni v0.8.0 github.com/containernetworking/cni v0.8.0
github.com/containernetworking/plugins v0.9.0 github.com/containernetworking/plugins v0.9.0
github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c
github.com/containers/common v0.31.1 github.com/containers/common v0.31.2
github.com/containers/conmon v2.0.20+incompatible github.com/containers/conmon v2.0.20+incompatible
github.com/containers/image/v5 v5.9.0 github.com/containers/image/v5 v5.9.0
github.com/containers/psgo v1.5.1 github.com/containers/psgo v1.5.1

4
go.sum
View File

@ -96,8 +96,8 @@ github.com/containernetworking/plugins v0.9.0/go.mod h1:dbWv4dI0QrBGuVgj+TuVQ6wJ
github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c h1:DnJiPjBKeoZbzjkUA6YMf/r5ShYpNacK+EcQ/ui1Mxo= github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c h1:DnJiPjBKeoZbzjkUA6YMf/r5ShYpNacK+EcQ/ui1Mxo=
github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c/go.mod h1:hvIoL3urgYPL0zX8XlK05aWP6qfUnBNqTrsedsYw6OY= github.com/containers/buildah v1.18.1-0.20201217112226-67470615779c/go.mod h1:hvIoL3urgYPL0zX8XlK05aWP6qfUnBNqTrsedsYw6OY=
github.com/containers/common v0.31.0/go.mod h1:yT4GTUHsKRmpaDb+mecXRnIMre7W3ZgwXqaYMywXlaA= github.com/containers/common v0.31.0/go.mod h1:yT4GTUHsKRmpaDb+mecXRnIMre7W3ZgwXqaYMywXlaA=
github.com/containers/common v0.31.1 h1:oBINnZpYZ2u90HPMnVCXOhm/TsTaTB7wU/56l05hq44= github.com/containers/common v0.31.2 h1:sNYwvLA4B7SpEiAWTUvkItPlCrUa2vcxh0FTKXKoC3Q=
github.com/containers/common v0.31.1/go.mod h1:Fehe82hQfJQvDspnRrV9rcdAWG3IalNHEt0F6QWNBHQ= github.com/containers/common v0.31.2/go.mod h1:Fehe82hQfJQvDspnRrV9rcdAWG3IalNHEt0F6QWNBHQ=
github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ= github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=

11
libpod/define/info.go
View File

@ -11,6 +11,15 @@ type Info struct {
Version Version `json:"version"` Version Version `json:"version"`
} }
//HostInfo describes the libpod host
type SecurityInfo struct {
AppArmorEnabled bool `json:"apparmorEnabled"`
DefaultCapabilities string `json:"capabilities"`
Rootless bool `json:"rootless"`
SECCOMPEnabled bool `json:"seccompEnabled"`
SELinuxEnabled bool `json:"selinuxEnabled"`
}
//HostInfo describes the libpod host //HostInfo describes the libpod host
type HostInfo struct { type HostInfo struct {
Arch string `json:"arch"` Arch string `json:"arch"`
@ -29,8 +38,8 @@ type HostInfo struct {
OCIRuntime *OCIRuntimeInfo `json:"ociRuntime"` OCIRuntime *OCIRuntimeInfo `json:"ociRuntime"`
OS string `json:"os"` OS string `json:"os"`
RemoteSocket *RemoteSocket `json:"remoteSocket,omitempty"` RemoteSocket *RemoteSocket `json:"remoteSocket,omitempty"`
Rootless bool `json:"rootless"`
RuntimeInfo map[string]interface{} `json:"runtimeInfo,omitempty"` RuntimeInfo map[string]interface{} `json:"runtimeInfo,omitempty"`
Security SecurityInfo `json:"security"`
Slirp4NetNS SlirpInfo `json:"slirp4netns,omitempty"` Slirp4NetNS SlirpInfo `json:"slirp4netns,omitempty"`
SwapFree int64 `json:"swapFree"` SwapFree int64 `json:"swapFree"`
SwapTotal int64 `json:"swapTotal"` SwapTotal int64 `json:"swapTotal"`

9
libpod/info.go
View File

@ -13,6 +13,8 @@ import (
"time" "time"
"github.com/containers/buildah" "github.com/containers/buildah"
"github.com/containers/common/pkg/apparmor"
"github.com/containers/common/pkg/seccomp"
"github.com/containers/podman/v2/libpod/define" "github.com/containers/podman/v2/libpod/define"
"github.com/containers/podman/v2/libpod/linkmode" "github.com/containers/podman/v2/libpod/linkmode"
"github.com/containers/podman/v2/pkg/cgroups" "github.com/containers/podman/v2/pkg/cgroups"
@ -20,6 +22,7 @@ import (
"github.com/containers/podman/v2/pkg/rootless" "github.com/containers/podman/v2/pkg/rootless"
"github.com/containers/storage" "github.com/containers/storage"
"github.com/containers/storage/pkg/system" "github.com/containers/storage/pkg/system"
"github.com/opencontainers/selinux/go-selinux"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -98,7 +101,13 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) {
MemFree: mi.MemFree, MemFree: mi.MemFree,
MemTotal: mi.MemTotal, MemTotal: mi.MemTotal,
OS: runtime.GOOS, OS: runtime.GOOS,
Security: define.SecurityInfo{
AppArmorEnabled: apparmor.IsEnabled(),
DefaultCapabilities: strings.Join(r.config.Containers.DefaultCapabilities, ","),
Rootless: rootless.IsRootless(), Rootless: rootless.IsRootless(),
SECCOMPEnabled: seccomp.IsEnabled(),
SELinuxEnabled: selinux.GetEnabled(),
},
Slirp4NetNS: define.SlirpInfo{}, Slirp4NetNS: define.SlirpInfo{},
SwapFree: mi.SwapFree, SwapFree: mi.SwapFree,
SwapTotal: mi.SwapTotal, SwapTotal: mi.SwapTotal,

2
vendor/github.com/containers/common/pkg/config/containers.conf generated vendored
View File

@ -380,7 +380,7 @@ default_sysctls = [
# Directory for temporary files. Must be tmpfs (wiped after reboot) # Directory for temporary files. Must be tmpfs (wiped after reboot)
# #
# tmp_dir = "/var/run/libpod" # tmp_dir = "/run/libpod"
# Directory for libpod named volumes. # Directory for libpod named volumes.
# By default, this will be configured relative to where containers/storage # By default, this will be configured relative to where containers/storage

2
vendor/github.com/containers/common/pkg/config/default.go generated vendored
View File

@ -320,7 +320,7 @@ func defaultConfigFromMemory() (*EngineConfig, error) {
func defaultTmpDir() (string, error) { func defaultTmpDir() (string, error) {
if !unshare.IsRootless() { if !unshare.IsRootless() {
return "/var/run/libpod", nil return "/run/libpod", nil
} }
runtimeDir, err := getRuntimeDir() runtimeDir, err := getRuntimeDir()

8
vendor/github.com/containers/common/pkg/seccomp/seccomp_unsupported.go generated vendored
View File

@ -1,4 +1,4 @@
// +build !seccomp // +build !linux !seccomp
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
@ -38,3 +38,9 @@ func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSe
func IsEnabled() bool { func IsEnabled() bool {
return false return false
} }
// IsSupported returns true if the system has been configured to support
// seccomp.
func IsSupported() bool {
return false
}

2
vendor/github.com/containers/common/pkg/seccomp/supported.go generated vendored
View File

@ -1,4 +1,4 @@
// +build !windows // +build linux,seccomp
package seccomp package seccomp

2
vendor/github.com/containers/common/version/version.go generated vendored
View File

@ -1,4 +1,4 @@
package version package version
// Version is the version of the build. // Version is the version of the build.
const Version = "0.31.2-dev" const Version = "0.31.2"

2
vendor/modules.txt vendored
View File

@ -86,7 +86,7 @@ github.com/containers/buildah/pkg/parse
github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/rusage
github.com/containers/buildah/pkg/supplemented github.com/containers/buildah/pkg/supplemented
github.com/containers/buildah/util github.com/containers/buildah/util
# github.com/containers/common v0.31.1 # github.com/containers/common v0.31.2
github.com/containers/common/pkg/apparmor github.com/containers/common/pkg/apparmor
github.com/containers/common/pkg/apparmor/internal/supported github.com/containers/common/pkg/apparmor/internal/supported
github.com/containers/common/pkg/auth github.com/containers/common/pkg/auth