
Commit a6d3f4d

committed
Add device opts to ctr --privileged
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
1 parent 25947db commit a6d3f4d


4 files changed

+59
-5
lines changed


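--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@@ -125,7 +125,7 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 opts = append(opts, oci.WithTTY)
 }
 if context.Bool("privileged") {
-opts = append(opts, oci.WithPrivileged)
+opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices)
 }
 if context.Bool("net-host") {
 opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace), oci.WithHostHostsFile, oci.WithHostResolvconf)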
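Review bot: The added line widens what `--privileged` means: besides the capabilities and unmasked paths oci.WithPrivileged already granted, the container now gets oci.WithAllDevicesAllowed and oci.WithHostDevices, i.e. every host device node with rwm access, and nothing in the hunk records that. The flag's usage string is defined outside this hunk and should state the device pass-through so operators can tell what the flag now implies. A why-comment above the branch would help the next reader too: `// privileged implies all capabilities, no masked/readonly paths, and every host device node (rwm)`. NewContainer continues outside the hunk on both sides.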

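--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
@@ -1115,7 +1115,6 @@ func WithDefaultUnixDevices(_ context.Context, _ Client, _ *containers.Container
 }
 
 // WithPrivileged sets up options for a privileged container
-// TODO(justincormack) device handling
 var WithPrivileged = Compose(
 WithAllCapabilities,
 WithMaskedPaths(nil),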

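--- a/oci/spec_opts_linux.go
+++ b/oci/spec_opts_linux.go
@@ -37,9 +37,7 @@ func WithHostDevices(_ context.Context, _ Client, _ *containers.Container, s *Sp
 if err != nil {
 return err
 }
-for _, d := range devs {
-s.Linux.Devices = append(s.Linux.Devices, d)
-}
+s.Linux.Devices = append(s.Linux.Devices, devs...)
 return nil
 }
 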

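--- a/oci/spec_opts_unix.go
+++ b/oci/spec_opts_unix.go
@@ -19,12 +19,69 @@
 package oci
 
 import (
+"context"
+"io/ioutil"
 "os"
+"path/filepath"
 
+"github.com/containerd/containerd/containers"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 "golang.org/x/sys/unix"
 )
 
+// WithHostDevices adds all the hosts device nodes to the container's spec
+func WithHostDevices(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+setLinux(s)
+
+devs, err := getDevices("/dev")
+if err != nil {
+return err
+}
+s.Linux.Devices = append(s.Linux.Devices, devs...)
+return nil
+}
+
+func getDevices(path string) ([]specs.LinuxDevice, error) {
+files, err := ioutil.ReadDir(path)
+if err != nil {
+return nil, err
+}
+var out []specs.LinuxDevice
+for _, f := range files {
+switch {
+case f.IsDir():
+switch f.Name() {
+// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
+// ".udev" added to address https://github.com/opencontainers/runc/issues/2093
+case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
+continue
+default:
+sub, err := getDevices(filepath.Join(path, f.Name()))
+if err != nil {
+return nil, err
+}
+
+out = append(out, sub...)
+continue
+}
+case f.Name() == "console":
+continue
+}
+device, err := deviceFromPath(filepath.Join(path, f.Name()), "rwm")
+if err != nil {
+if err == ErrNotADevice {
+continue
+}
+if os.IsNotExist(err) {
+continue
+}
+return nil, err
+}
+out = append(out, *device)
+}
+return out, nil
+}
+
 func deviceFromPath(path, permissions string) (*specs.LinuxDevice, error) {
 var stat unix.Stat_t
 if err := unix.Lstat(path, &stat); err != nil {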
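Review bot: The two new functions are under-documented for what they expose: the WithHostDevices comment reads "all the hosts device nodes" and should be `// WithHostDevices adds all the host's device nodes to the container's spec.`, and getDevices has no comment at all, so I would add `// getDevices walks path recursively and returns an rwm LinuxDevice for every device node found, skipping pseudo-filesystem mount points (pts, shm, fd, mqueue, .lxc, .lxd-mounts, .udev) and console, and tolerating nodes that vanish during the walk.` This file now defines WithHostDevices with the same signature as the one spec_opts_linux.go already has (the third section of this commit), so the two files' build constraints, which are not in the hunk, have to be mutually exclusive or the package will not compile. One behavioral point deserves a why-comment next to the `return nil, err` lines: any ReadDir failure or a stat error other than ErrNotADevice/ENOENT aborts the whole spec, so a single unreadable subdirectory under /dev makes `--privileged` fail rather than skip it; if that fail-closed choice is intended, say so. deviceFromPath continues outside the hunk.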
