93 lines
2.4 KiB
Diff
93 lines
2.4 KiB
Diff
From 62cc623c6c6f7ae344b3ac3ce2f9fb7b3d16303b Mon Sep 17 00:00:00 2001
|
|
From: zhangsong34 <zhangsong34@huawei.com>
|
|
Date: Mon, 15 Jul 2019 14:47:05 +0800
|
|
Subject: [PATCH] runc: do not override devices.allow content when set
|
|
device cgroup
|
|
|
|
reason:docker update will call runc device cgroup set function which
|
|
will refresh container's devices to devices.allow cgroup file, this
|
|
action will override devices.allow content even through some existed
|
|
devices in container are not added by --device, for example by docker-tools.
|
|
|
|
Change-Id: Ib353437a1d55de260f7724b3b8e085d08c7a3248
|
|
Signed-off-by: zhangsong34 <zhangsong34@huawei.com>
|
|
---
|
|
libcontainer/cgroups/fs/devices.go | 39 ++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 39 insertions(+)
|
|
|
|
diff --git a/libcontainer/cgroups/fs/devices.go b/libcontainer/cgroups/fs/devices.go
|
|
index 0ac5b4e..0ffc2b3 100644
|
|
--- a/libcontainer/cgroups/fs/devices.go
|
|
+++ b/libcontainer/cgroups/fs/devices.go
|
|
@@ -3,9 +3,13 @@
|
|
package fs
|
|
|
|
import (
|
|
+ "bufio"
|
|
"github.com/opencontainers/runc/libcontainer/cgroups"
|
|
"github.com/opencontainers/runc/libcontainer/configs"
|
|
"github.com/opencontainers/runc/libcontainer/system"
|
|
+ "io"
|
|
+ "os"
|
|
+ "path/filepath"
|
|
)
|
|
|
|
type DevicesGroup struct {
|
|
@@ -25,11 +29,38 @@ func (s *DevicesGroup) Apply(d *cgroupData) error {
|
|
return nil
|
|
}
|
|
|
|
+func readCgroupDeviceMap(dir string) (map[string]bool, error) {
|
|
+ res := make(map[string]bool)
|
|
+ fi, err := os.Open(filepath.Join(dir, "devices.list"))
|
|
+ if err != nil {
|
|
+ return nil, err
|
|
+ }
|
|
+ defer fi.Close()
|
|
+ br := bufio.NewReader(fi)
|
|
+ for {
|
|
+ item, err := br.ReadString('\n')
|
|
+ if err != nil {
|
|
+ if err == io.EOF {
|
|
+ break
|
|
+ } else {
|
|
+ return nil, err
|
|
+ }
|
|
+ }
|
|
+ res[item] = true
|
|
+ }
|
|
+ return res, nil
|
|
+}
|
|
+
|
|
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
|
|
if system.RunningInUserNS() {
|
|
return nil
|
|
}
|
|
|
|
+ deviceMap, err := readCgroupDeviceMap(path)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+
|
|
devices := cgroup.Resources.Devices
|
|
if len(devices) > 0 {
|
|
for _, dev := range devices {
|
|
@@ -40,6 +71,14 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
|
|
if err := writeFile(path, file, dev.CgroupString()); err != nil {
|
|
return err
|
|
}
|
|
+ delete(deviceMap, dev.CgroupString())
|
|
+ }
|
|
+ for item, _ := range deviceMap {
|
|
+ if item[0] == 'b' || item[0] == 'c' {
|
|
+ if err := writeFile(path, "devices.allow", item); err != nil {
|
|
+ return err
|
|
+ }
|
|
+ }
|
|
}
|
|
return nil
|
|
}
|
|
--
|
|
1.8.3.1
|
|
|