Merge pull request #23133 from Luap99/device-validation

specgen: parse devices even with privileged set
2025-07-02 00:30:00 +08:00 · 2024-07-01 10:47:11 +00:00
parent 94ebb12bcf 9814ed40c7
commit 672c6c8702
4 changed files with 28 additions and 19 deletions
--- a/docs/source/markdown/options/network.md
+++ b/docs/source/markdown/options/network.md
@ -17,7 +17,7 @@ Valid _mode_ values are:
    For example, to set a static ipv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`.
- _\<network name or ID\>_**[:OPTIONS,...]**: Connect to a user-defined network; this is the network name or ID from a network created by **[podman network create](podman-network-create.1.md)**. Using the network name implies the bridge network mode. It is possible to specify the same options described under the bridge mode above. Use the **--network** option multiple times to specify additional networks. \
+- _\<network name or ID\>_**[:OPTIONS,...]**: Connect to a user-defined network; this is the network name or ID from a network created by **[podman network create](podman-network-create.1.md)**. It is possible to specify the same options described under the bridge mode above. Use the **--network** option multiple times to specify additional networks. \
  For backwards compatibility it is also possible to specify comma-separated networks on the first **--network** argument, however this prevents you from using the options described under the bridge section above.
 - **none**: Create a network namespace for the container but do not configure network interfaces for it, thus the container has no network connectivity.
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@ -254,8 +254,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	}
 	var userDevices []spec.LinuxDevice
 	if !s.IsPrivileged() {
 	// add default devices from containers.conf
 	for _, device := range rtc.Containers.Devices.Get() {
 		if err = DevicesFromPath(&g, device); err != nil {
@ -273,7 +271,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 			return nil, err
 		}
 	}
 	}
 	s.HostDeviceList = userDevices
 	// set the devices cgroup when not running in a user namespace
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@ -106,7 +106,6 @@ func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
 	if err != nil {
 		return err
 	}
 	g.ClearLinuxDevices()
 	if rootless.IsRootless() {
 		mounts := make(map[string]interface{})
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -1687,6 +1687,19 @@ VOLUME %s`, ALPINE, volPath, volPath)
 		Expect(session).Should(ExitCleanly())
 	})
 	It("podman run --device and --privileged", func() {
 		session := podmanTest.Podman([]string{"run", "--device", "/dev/null:/dev/testdevice", "--privileged", ALPINE, "ls", "/dev"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())
 		Expect(session.OutputToString()).To(ContainSubstring(" testdevice "), "our custom device")
 		// assumes that /dev/mem always exists
 		Expect(session.OutputToString()).To(ContainSubstring(" mem "), "privileged device")
 		session = podmanTest.Podman([]string{"run", "--device", "invalid-device", "--privileged", ALPINE, "ls", "/dev"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitWithError(125, "stat invalid-device: no such file or directory"))
 	})
 	It("podman run --replace", func() {
 		// Make sure we error out with --name.
 		session := podmanTest.Podman([]string{"create", "--replace", ALPINE, "/bin/sh"})