/usr/bin/lxc-checkconfig is in lxc-utils 3.0.0-0ubuntu2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/bin/sh
# Defaults apply only when the caller has not already exported the variable
# (for example: CONFIG=/path/to/config lxc-checkconfig).
: "${CONFIG:=/proc/config.gz}"
: "${MODNAME:=configs}"

# Command used to read the kernel configuration.
CAT="cat"

# Colour helpers start out as the no-op ':' and become ANSI escape printers
# only when stdout is a terminal. They are expanded unquoted by their users,
# so each value has to split into a command word plus one argument.
SETCOLOR_SUCCESS=":"
SETCOLOR_FAILURE=":"
SETCOLOR_WARNING=":"
SETCOLOR_NORMAL=":"
if [ -t 1 ]; then
    SETCOLOR_SUCCESS="printf \\033[1;32m"
    SETCOLOR_FAILURE="printf \\033[1;31m"
    SETCOLOR_WARNING="printf \\033[1;33m"
    SETCOLOR_NORMAL="printf \\033[0;39m"
fi
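# Succeed when kernel option $1 is built in (=y) or modular (=m) in $CONFIG.
# Globals:   CAT (read)    - reader command, "cat" or "zcat"
#            CONFIG (read) - path of the kernel configuration file
# Arguments: $1 - option name, with or without the CONFIG_ prefix
# Returns:   grep's status: 0 when a matching line exists, non-zero otherwise
is_set() {
    # The name is normalised so "FOO" and "CONFIG_FOO" both look up
    # CONFIG_FOO, and the pattern is anchored at the start of the line so a
    # comment or a longer option name that merely contains "$1=" cannot be
    # reported as enabled. The bracket expression is [ym]; "[y|m]" would also
    # accept a literal '|' as the value.
    # $CONFIG is quoted because it can come from the environment and may
    # contain whitespace or glob characters.
    $CAT "$CONFIG" | grep "^CONFIG_${1#CONFIG_}=[ym]" > /dev/null
}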
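# Print a one-word verdict for kernel option $1, without a trailing newline.
# Globals:   SETCOLOR_SUCCESS, SETCOLOR_FAILURE, SETCOLOR_WARNING,
#            SETCOLOR_NORMAL (read; expanded unquoted on purpose so that
#            "printf <escape>" splits into a command and its argument)
#            mandatory, RES, RET (written)
# Arguments: $1 - option name handed to is_set
#            $2 - "yes" marks the option as mandatory (optional)
# Outputs:   "enabled", "required" (mandatory but not set) or "missing"
# Returns:   0 when the option is set, 1 otherwise
is_enabled() {
    mandatory=$2
    is_set "$1"
    RES=$?
    RET=1
    # printf is used for the verdict because "echo -n" is not portable
    # across /bin/sh implementations.
    if [ "$RES" -eq 0 ]; then
        $SETCOLOR_SUCCESS && printf '%s' "enabled" && $SETCOLOR_NORMAL
        RET=0
    elif [ "$mandatory" = yes ]; then
        $SETCOLOR_FAILURE && printf '%s' "required" && $SETCOLOR_NORMAL
    else
        $SETCOLOR_WARNING && printf '%s' "missing" && $SETCOLOR_NORMAL
    fi
    return $RET
}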
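# Report whether kernel module $1 is currently loaded, as a suffix to the
# verdict already printed on the line.
# Arguments: $1 - module name as lsmod prints it (underscores, case-sensitive)
# Outputs:   ", loaded" or ", not loaded", without a trailing newline
# Note:      lsmod lists loadable modules only, so a feature compiled into
#            the kernel (=y) is reported as "not loaded".
is_probed() {
    # Compare the first lsmod column exactly. A plain "grep $1" also matches
    # longer module names and the "Used by" column, which can report a module
    # as loaded when it is not.
    if lsmod | awk -v mod="$1" '$1 == mod { found = 1 } END { exit !found }'; then
        printf '%s' ", loaded"
    else
        printf '%s' ", not loaded"
    fi
}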
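# Locate a kernel configuration when $CONFIG (the default or a caller-supplied
# path) is not a regular file, then derive the kernel version it describes.
# $CONFIG may come from the environment, so every use is quoted: a path with
# whitespace or glob characters is then used literally instead of being split
# or expanded by the shell.
if [ ! -f "$CONFIG" ]; then
    echo "Kernel configuration not found at $CONFIG; searching..."
    KVER="$(uname -r)"
    HEADERS_CONFIG="/lib/modules/$KVER/build/.config"
    BOOT_CONFIG="/boot/config-$KVER"
    # The later assignment wins: /boot/config-$KVER is preferred over the
    # kernel-headers copy when both exist.
    [ -f "${HEADERS_CONFIG}" ] && CONFIG=${HEADERS_CONFIG}
    [ -f "${BOOT_CONFIG}" ] && CONFIG=${BOOT_CONFIG}
    if [ ! -f "$CONFIG" ]; then
        MODULEFILE=$(modinfo -k "$KVER" -n "$MODNAME" 2> /dev/null)
        # don't want to modprobe, so give user a hint
        # although scripts/extract-ikconfig could be used to extract contents without loading kernel module
        # http://svn.pld-linux.org/trac/svn/browser/geninitrd/trunk/geninitrd?rev=12696#L327
    fi
    if [ ! -f "$CONFIG" ]; then
        echo "$(basename "$0"): unable to retrieve kernel configuration" >&2
        echo >&2
        # MODULEFILE is only non-empty when modinfo located the module above.
        if [ -f "$MODULEFILE" ]; then
            echo "Try modprobe $MODNAME module, or" >&2
        fi
        echo "Try recompiling with IKCONFIG_PROC, installing the kernel headers," >&2
        echo "or specifying the kernel configuration path with:" >&2
        echo " CONFIG=<path> $(basename "$0")" >&2
        exit 1
    else
        echo "Kernel configuration found at $CONFIG"
    fi
fi

# Switch the reader to zcat when the file passes gzip's integrity test.
if gunzip -tq < "$CONFIG" 2>/dev/null; then
    CAT="zcat"
fi

# The version is taken from the "# Linux ... Kernel Configuration" header line
# of the config itself, not from the running kernel. If that line is absent
# the variables stay empty and the numeric comparisons made with them later in
# the script print test errors instead of a verdict.
# The first expression captures a single digit for the major version.
KVER_MAJOR=$($CAT "$CONFIG" | grep '^# Linux.*Kernel Configuration' | \
    sed -r 's/.* ([0-9])\.[0-9]{1,2}\.[0-9]{1,3}.*/\1/')
if [ "$KVER_MAJOR" = "2" ]; then
    # For 2.6.x kernels the third component is what the checks compare.
    KVER_MINOR=$($CAT "$CONFIG" | grep '^# Linux.*Kernel Configuration' | \
        sed -r 's/.* 2.6.([0-9]{2}).*/\1/')
else
    KVER_MINOR=$($CAT "$CONFIG" | grep '^# Linux.*Kernel Configuration' | \
        sed -r 's/.* [0-9]\.([0-9]{1,3})\.[0-9]{1,3}.*/\1/')
fi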
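# Namespace checks. A second argument of "yes" marks an option as mandatory,
# which changes the verdict for an absent option from "missing" to "required".
echo "--- Namespaces ---"
echo -n "Namespaces: " && is_enabled CONFIG_NAMESPACES yes
echo
echo -n "Utsname namespace: " && is_enabled CONFIG_UTS_NS
echo
echo -n "Ipc namespace: " && is_enabled CONFIG_IPC_NS yes
echo
echo -n "Pid namespace: " && is_enabled CONFIG_PID_NS yes
echo
echo -n "User namespace: " && is_enabled CONFIG_USER_NS
echo
if is_set CONFIG_USER_NS; then
    # The id-mapping helpers are looked up with the POSIX builtin
    # "command -v" instead of "which", which is not guaranteed to exist.
    for idmap_tool in newuidmap newgidmap; do
        if f=$(command -v "$idmap_tool" 2> /dev/null); then
            # -u tests the set-user-ID bit only: it does not confirm that the
            # owner is root.
            # NOTE(review): a helper installed with file capabilities instead
            # of the setuid bit would also trigger this warning - confirm how
            # the distribution ships these binaries before acting on it.
            if [ ! -u "${f}" ]; then
                echo "Warning: ${idmap_tool} is not setuid-root"
            fi
        else
            echo "${idmap_tool} is not installed"
        fi
    done
fi
echo -n "Network namespace: " && is_enabled CONFIG_NET_NS
echo
# The option is only checked for kernels older than 4.7. Version variables are
# quoted so an unparsed (empty) version yields one test error, not a syntax
# failure, and brace groups avoid forking subshells for the comparison.
if [ "$KVER_MAJOR" -lt 4 ] || { [ "$KVER_MAJOR" -eq 4 ] && [ "$KVER_MINOR" -lt 7 ]; }; then
    # Full option name, so the lookup does not depend on substring matching.
    echo -n "Multiple /dev/pts instances: " && is_enabled CONFIG_DEVPTS_MULTIPLE_INSTANCES
    echo
fi
echo
echo "--- Control groups ---"
echo -n "Cgroups: " && is_enabled CONFIG_CGROUPS
echo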
# Print the mount point (field 2) of every entry in mounts table $2 whose
# filesystem type (field 3) equals $1. Entries whose first field contains '#'
# are skipped, and the END rule requests exit status 0.
print_cgroups() {
    awk -v mp="$1" '
        $1 ~ /#/ { next }
        $3 == mp { print $2 }
        END      { exit(0) }
    ' "$2"
}
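# Control-group checks: list the mounted cgroup v1/v2 hierarchies, then report
# the controllers and kernel options that are looked for.
CGROUP_V1_MNTS=$(print_cgroups cgroup /proc/self/mounts)
echo
echo "Cgroup v1 mount points: "
echo "$CGROUP_V1_MNTS"
echo
CGROUP_V2_MNTS=$(print_cgroups cgroup2 /proc/self/mounts)
echo "Cgroup v2 mount points: "
echo "$CGROUP_V2_MNTS"
echo
# On a host with no cgroup v1 hierarchy mounted CGROUP_V1_MNTS is empty, so
# both v1 controller checks below print "missing".
CGROUP_SYSTEMD_MNTPT=$(echo "$CGROUP_V1_MNTS" | grep "/systemd")
if [ -z "$CGROUP_SYSTEMD_MNTPT" ]; then
    echo -n "Cgroup v1 systemd controller: "
    $SETCOLOR_FAILURE && echo -n "missing" && $SETCOLOR_NORMAL
    echo
fi
CGROUP_FREEZER_MNTPT=$(echo "$CGROUP_V1_MNTS" | grep "/freezer")
if [ -z "$CGROUP_FREEZER_MNTPT" ]; then
    echo -n "Cgroup v1 freezer controller: "
    $SETCOLOR_FAILURE && echo -n "missing" && $SETCOLOR_NORMAL
    echo
fi
# Only the first v1 mount point is probed for the clone_children flag. The
# path is quoted, and an empty path is rejected so that the test does not end
# up probing /cgroup.clone_children in the root directory.
CGROUP_MNT_PATH=$(echo "$CGROUP_V1_MNTS" | head -n 1)
if [ -n "$CGROUP_MNT_PATH" ] && [ -f "$CGROUP_MNT_PATH/cgroup.clone_children" ]; then
    echo -n "Cgroup v1 clone_children flag: " &&
        $SETCOLOR_SUCCESS && echo "enabled" && $SETCOLOR_NORMAL
else
    echo -n "Cgroup namespace: " && is_enabled CONFIG_CGROUP_NS yes
    echo
fi
echo -n "Cgroup device: " && is_enabled CONFIG_CGROUP_DEVICE
echo
echo -n "Cgroup sched: " && is_enabled CONFIG_CGROUP_SCHED
echo
echo -n "Cgroup cpu account: " && is_enabled CONFIG_CGROUP_CPUACCT
echo
echo -n "Cgroup memory controller: "
# Which option name is checked depends on the kernel version; the version
# variables are quoted so an unparsed (empty) value yields a test error rather
# than a malformed command.
if { [ "$KVER_MAJOR" -ge 3 ] && [ "$KVER_MINOR" -ge 6 ]; } || [ "$KVER_MAJOR" -gt 3 ]; then
    is_enabled CONFIG_MEMCG
else
    is_enabled CONFIG_CGROUP_MEM_RES_CTLR
fi
echo
# cpuset is only reported on SMP kernels; the line's own newline is printed
# only when CONFIG_CPUSETS is enabled, the echo below runs in every case.
is_set CONFIG_SMP && echo -n "Cgroup cpuset: " && is_enabled CONFIG_CPUSETS && echo
echo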
# Print one report line: the label in $1, the is_enabled verdict for kernel
# option $2 and, only when that option is enabled, the lsmod verdict for
# module $3. The line is always terminated with a newline.
report_module_feature() {
    echo -n "$1" && is_enabled "$2" && is_probed "$3"
    echo
}

echo "--- Misc ---"
report_module_feature "Veth pair device: " CONFIG_VETH veth
report_module_feature "Macvlan: " CONFIG_MACVLAN macvlan
report_module_feature "Vlan: " CONFIG_VLAN_8021Q 8021q
report_module_feature "Bridges: " CONFIG_BRIDGE bridge
report_module_feature "Advanced netfilter: " CONFIG_NETFILTER_ADVANCED nf_tables
report_module_feature "CONFIG_NF_NAT_IPV4: " CONFIG_NF_NAT_IPV4 nf_nat_ipv4
report_module_feature "CONFIG_NF_NAT_IPV6: " CONFIG_NF_NAT_IPV6 nf_nat_ipv6
report_module_feature "CONFIG_IP_NF_TARGET_MASQUERADE: " CONFIG_IP_NF_TARGET_MASQUERADE nf_nat_masquerade_ipv4
report_module_feature "CONFIG_IP6_NF_TARGET_MASQUERADE: " CONFIG_IP6_NF_TARGET_MASQUERADE nf_nat_masquerade_ipv6
report_module_feature "CONFIG_NETFILTER_XT_TARGET_CHECKSUM: " CONFIG_NETFILTER_XT_TARGET_CHECKSUM xt_CHECKSUM
report_module_feature "CONFIG_NETFILTER_XT_MATCH_COMMENT: " CONFIG_NETFILTER_XT_MATCH_COMMENT xt_comment
report_module_feature "FUSE (for use with lxcfs): " CONFIG_FUSE_FS fuse
# Blank line that closes the section.
echo
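# Kernel options looked for in the checkpoint/restore section, followed by the
# file-capabilities verdict and the closing usage hint.
echo "--- Checkpoint/Restore ---"
echo -n "checkpoint restore: " && is_enabled CONFIG_CHECKPOINT_RESTORE
echo
echo -n "CONFIG_FHANDLE: " && is_enabled CONFIG_FHANDLE
echo
echo -n "CONFIG_EVENTFD: " && is_enabled CONFIG_EVENTFD
echo
echo -n "CONFIG_EPOLL: " && is_enabled CONFIG_EPOLL
echo
echo -n "CONFIG_UNIX_DIAG: " && is_enabled CONFIG_UNIX_DIAG
echo
echo -n "CONFIG_INET_DIAG: " && is_enabled CONFIG_INET_DIAG
echo
echo -n "CONFIG_PACKET_DIAG: " && is_enabled CONFIG_PACKET_DIAG
echo
echo -n "CONFIG_NETLINK_DIAG: " && is_enabled CONFIG_NETLINK_DIAG
echo
# Written as if/elif instead of an "A && ( ...; echo ) || ( ... )" chain: a
# subshell that ends in "echo" always succeeds, so the right-hand branch of
# such a chain never runs and every kernel newer than 2.6.32 gets an empty
# verdict for this security-relevant line.
echo -n "File capabilities: "
if [ "${KVER_MAJOR}" = 2 ] && [ "${KVER_MINOR}" -lt 33 ]; then
    # Kernels before 2.6.33: the feature has its own config option.
    is_enabled CONFIG_SECURITY_FILE_CAPABILITIES
    echo
elif { [ "${KVER_MAJOR}" = 2 ] && [ "${KVER_MINOR}" -gt 32 ]; } || [ "${KVER_MAJOR}" -gt 2 ]; then
    # 2.6.33 and later: reported as enabled without consulting the config.
    $SETCOLOR_SUCCESS && echo "enabled" && $SETCOLOR_NORMAL
else
    # Version could not be classified: keep the line layout, print no verdict.
    echo
fi
echo
echo "Note : Before booting a new kernel, you can check its configuration"
echo "usage : CONFIG=/path/to/config $0"
echo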