Merge pull request containerd#5981 from scuzhanglei/release-1.5-privileged-device

fuweid · web-flow · commit 3f4f6bca98cf · 2021-09-20T09:11:56.000+08:00
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
@@ -213,21 +213,17 @@ func (c *criService) containerSpec(
 		}
 	}
 
+	specOpts = append(specOpts, customopts.WithDevices(c.os, config),
+		customopts.WithCapabilities(securityContext, c.allCaps))
+
 	if securityContext.GetPrivileged() {
 		if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 			return nil, errors.New("no privileged container allowed in sandbox")
 		}
 		specOpts = append(specOpts, oci.WithPrivileged)
 		if !ociRuntime.PrivilegedWithoutHostDevices {
 			specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)
-		} else {
-			// add requested devices by the config as host devices are not automatically added
-			specOpts = append(specOpts, customopts.WithDevices(c.os, config),
-				customopts.WithCapabilities(securityContext, c.allCaps))
 		}
-	} else { // not privileged
-		specOpts = append(specOpts, customopts.WithDevices(c.os, config),
-			customopts.WithCapabilities(securityContext, c.allCaps))
 	}
 
 	// Clear all ambient capabilities. The implication of non-root + caps

Original file line number	Diff line number	Diff line change
`@@ -213,21 +213,17 @@ func (c *criService) containerSpec(`
`213`	`213`	`}`
`214`	`214`	`}`
`215`	`215`
	`216`	`+ specOpts = append(specOpts, customopts.WithDevices(c.os, config),`
	`217`	`+ customopts.WithCapabilities(securityContext, c.allCaps))`
	`218`	`+`
`216`	`219`	`if securityContext.GetPrivileged() {`
`217`	`220`	`if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {`
`218`	`221`	`return nil, errors.New("no privileged container allowed in sandbox")`
`219`	`222`	`}`
`220`	`223`	`specOpts = append(specOpts, oci.WithPrivileged)`
`221`	`224`	`if !ociRuntime.PrivilegedWithoutHostDevices {`
`222`	`225`	`specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)`
`223`		`- } else {`
`224`		`- // add requested devices by the config as host devices are not automatically added`
`225`		`- specOpts = append(specOpts, customopts.WithDevices(c.os, config),`
`226`		`- customopts.WithCapabilities(securityContext, c.allCaps))`
`227`	`226`	`}`
`228`		`- } else { // not privileged`
`229`		`- specOpts = append(specOpts, customopts.WithDevices(c.os, config),`
`230`		`- customopts.WithCapabilities(securityContext, c.allCaps))`
`231`	`227`	`}`
`232`	`228`
`233`	`229`	`// Clear all ambient capabilities. The implication of non-root + caps`