containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13421 from hshiina/device-rule 

Set default rule at the head of device configuration
This commit is contained in:
OpenShift Merge Robot 2022-03-09 10:28:24 -05:00 committed by GitHub
parent ea4248dc26 d2f77c2568
commit 418ab2e5e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/specgen/generate/oci.go
View File

@ -332,6 +332,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
} }
// Devices // Devices
// set the default rule at the beginning of device configuration
if !inUserNS && !s.Privileged {
g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
}
var userDevices []spec.LinuxDevice var userDevices []spec.LinuxDevice
if s.Privileged { if s.Privileged {
// If privileged, we need to add all the host devices to the // If privileged, we need to add all the host devices to the
@ -363,7 +368,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
// set the devices cgroup when not running in a user namespace // set the devices cgroup when not running in a user namespace
if !inUserNS && !s.Privileged { if !inUserNS && !s.Privileged {
g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
for _, dev := range s.DeviceCgroupRule { for _, dev := range s.DeviceCgroupRule {
g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access) g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
} }

5
test/e2e/run_device_test.go
View File

@ -44,6 +44,11 @@ var _ = Describe("Podman run device", func() {
session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", ALPINE, "test", "-c", "/dev/kmsg"}) session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", ALPINE, "test", "-c", "/dev/kmsg"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0)) Expect(session).Should(Exit(0))
if !isRootless() {
session = podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", "--cap-add", "SYS_ADMIN", ALPINE, "head", "-n", "1", "/dev/kmsg"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
}
}) })
It("podman run device rename test", func() { It("podman run device rename test", func() {