containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12618 from giuseppe/dev-cgroup-add-default-devices 

oci: configure the devices cgroup with default devices
This commit is contained in:
OpenShift Merge Robot 2021-12-16 15:15:49 +01:00 committed by GitHub
parent 91e55e263e 4243ca93a4
commit d1c91c128e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/specgen/generate/oci.go
View File

@ -325,8 +325,12 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
} }
s.HostDeviceList = s.Devices s.HostDeviceList = s.Devices
for _, dev := range s.DeviceCGroupRule { // set the devices cgroup when not running in a user namespace
g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access) if !inUserNS && !s.Privileged {
g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
for _, dev := range s.DeviceCGroupRule {
g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
}
} }
for k, v := range s.WeightDevice { for k, v := range s.WeightDevice {

7
test/e2e/run_device_test.go
View File

@ -119,4 +119,11 @@ var _ = Describe("Podman run device", func() {
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0)) Expect(session).Should(Exit(0))
}) })
It("podman run cannot access non default devices", func() {
session := podmanTest.Podman([]string{"run", "-v /dev:/dev-host", ALPINE, "head", "-1", "/dev-host/kmsg"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Not(Exit(0)))
})
}) })