rootless: bind mount devices instead of creating them

when running in rootless mode, --device creates a bind mount from the host instead of specifying the device in the OCI configuration. This is required as an unprivileged user cannot use mknod, even when root in a user namespace. Closes: https://github.com/containers/libpod/issues/3905 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
2025-08-03 01:37:51 +08:00 · 2019-08-29 22:47:15 +02:00
parent e5568d4acc
commit ba1c57030f
2 changed files with 26 additions and 10 deletions
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@ -98,6 +98,26 @@ func addDevice(g *generate.Generator, device string) error {
 	if err != nil {
 		return errors.Wrapf(err, "%s is not a valid device", src)
 	}
+	if rootless.IsRootless() {
+		if _, err := os.Stat(src); err != nil {
+			if os.IsNotExist(err) {
+				return errors.Wrapf(err, "the specified device %s doesn't exist", src)
+			}
+			return errors.Wrapf(err, "stat device %s exist", src)
+		}
+		perm := "ro"
+		if strings.Contains(permissions, "w") {
+			perm = "rw"
+		}
+		devMnt := spec.Mount{
+			Destination: dst,
+			Type:        TypeBind,
+			Source:      src,
+			Options:     []string{"slave", "nosuid", "noexec", perm, "rbind"},
+		}
+		g.Config.Mounts = append(g.Config.Mounts, devMnt)
+		return nil
+	}
 	dev.Path = dst
 	linuxdev := spec.LinuxDevice{
 		Path:     dev.Path,