opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-30 07:26:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3593 from giuseppe/rootless-privileged-devices

Browse Source 
rootless: add host devices with --privileged
This commit is contained in:
OpenShift Merge Robot
2019-07-18 19:50:22 +02:00
committed by GitHub
parent 1065548f91 350ede1eeb
commit 2254a35d3a
3 changed files with 50 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
pkg/spec/config_linux.go
View File

@ -8,6 +8,7 @@ import (
"path/filepath" "path/filepath"
"strings" "strings"
"github.com/containers/libpod/pkg/rootless"
"github.com/opencontainers/runc/libcontainer/configs" "github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/devices" "github.com/opencontainers/runc/libcontainer/devices"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
@ -118,9 +119,45 @@ func (c *CreateConfig) addPrivilegedDevices(g *generate.Generator) error {
return err return err
} }
g.ClearLinuxDevices() g.ClearLinuxDevices()
if rootless.IsRootless() {
mounts := make(map[string]interface{})
for _, m := range g.Mounts() {
mounts[m.Destination] = true
}
newMounts := []spec.Mount{}
for _, d := range hostDevices {
devMnt := spec.Mount{
Destination: d.Path,
Type: TypeBind,
Source: d.Path,
Options: []string{"slave", "nosuid", "noexec", "rw", "rbind"},
}
if d.Path == "/dev/ptmx" || strings.HasPrefix(d.Path, "/dev/tty") {
continue
}
if _, found := mounts[d.Path]; found {
continue
}
st, err := os.Stat(d.Path)
if err != nil {
if err == unix.EPERM {
continue
}
return errors.Wrapf(err, "stat %s", d.Path)
}
// Skip devices that the user has not access to.
if st.Mode()&0007 == 0 {
continue
}
newMounts = append(newMounts, devMnt)
}
g.Config.Mounts = append(newMounts, g.Config.Mounts...)
} else {
for _, d := range hostDevices { for _, d := range hostDevices {
g.AddDevice(Device(d)) g.AddDevice(Device(d))
} }
}
// Add resources device - need to clear the existing one first. // Add resources device - need to clear the existing one first.
g.Spec().Linux.Resources.Devices = nil g.Spec().Linux.Resources.Devices = nil

2
pkg/spec/spec.go
View File

@ -264,11 +264,9 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
// If privileged, we need to add all the host devices to the // If privileged, we need to add all the host devices to the
// spec. We do not add the user provided ones because we are // spec. We do not add the user provided ones because we are
// already adding them all. // already adding them all.
if !rootless.IsRootless() {
if err := config.AddPrivilegedDevices(&g); err != nil { if err := config.AddPrivilegedDevices(&g); err != nil {
return nil, err return nil, err
} }
}
} else { } else {
for _, devicePath := range config.Devices { for _, devicePath := range config.Devices {
if err := devicesFromPath(&g, devicePath); err != nil { if err := devicesFromPath(&g, devicePath); err != nil {

9
test/e2e/run_device_test.go
View File

@ -85,4 +85,13 @@ var _ = Describe("Podman run device", func() {
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0)) Expect(session.ExitCode()).To(Equal(0))
}) })
It("podman run device host device with --privileged", func() {
if _, err := os.Stat("/dev/kvm"); err != nil {
Skip("/dev/kvm not available")
}
session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "/dev/kvm"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
})
}) })