daemon/keys.go
//go:build linux
package daemon // import "github.com/docker/docker/daemon"
import (
"os"
"strconv"
"strings"
)
const (
rootKeyFile = "/proc/sys/kernel/keys/root_maxkeys"
rootBytesFile = "/proc/sys/kernel/keys/root_maxbytes"
rootKeyLimit = 1000000
// it is standard configuration to allocate 25 bytes per key
rootKeyByteMultiplier = 25
)
// modifyRootKeyLimit checks to see if the root key limit is set to
// at least 1000000 and changes it to that limit along with the maxbytes
// allocated to the keys at a 25 to 1 multiplier.
func modifyRootKeyLimit() error {
value, err := readRootKeyLimit(rootKeyFile)
if err != nil {
return err
}
if value < rootKeyLimit {
return setRootKeyLimit(rootKeyLimit)
}
return nil
}
func setRootKeyLimit(limit int) error {
keys, err := os.OpenFile(rootKeyFile, os.O_WRONLY, 0)
if err != nil {
return err
}
defer keys.Close()
_, err = keys.WriteString(strconv.Itoa(limit))
if err != nil {
return err
}
bytes, err := os.OpenFile(rootBytesFile, os.O_WRONLY, 0)
if err != nil {
return err
}
defer bytes.Close()
_, err = bytes.WriteString(strconv.Itoa(limit * rootKeyByteMultiplier))
return err
}
func readRootKeyLimit(path string) (int, error) {
data, err := os.ReadFile(path)
if err != nil {
return -1, err
}
return strconv.Atoi(strings.Trim(string(data), "\n"))
}