github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #2549 from crosbymichael/default-devices

Browse Source 
Add opt for default unix device permissions
This commit is contained in:
Derek McGowan 2018-08-15 11:57:38 -07:00 committed by GitHub
commit 0ffb948270
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/ctr/commands/run/run_unix.go
View File

@ -56,7 +56,7 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
if context.IsSet("config") { if context.IsSet("config") {
opts = append(opts, oci.WithSpecFromFile(context.String("config"))) opts = append(opts, oci.WithSpecFromFile(context.String("config")))
} else { } else {
opts = append(opts, oci.WithDefaultSpec()) opts = append(opts, oci.WithDefaultSpec(), oci.WithDefaultUnixDevices)
} }
opts = append(opts, oci.WithEnv(context.StringSlice("env"))) opts = append(opts, oci.WithEnv(context.StringSlice("env")))

104
oci/spec_opts_unix.go
View File

@ -602,6 +602,110 @@ func WithSeccompUnconfined(_ context.Context, _ Client, _ *containers.Container,
return nil return nil
} }
// WithParentCgroupDevices uses the default cgroup setup to inherit the container's parent cgroup's
// allowed and denied devices
func WithParentCgroupDevices(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
setLinux(s)
if s.Linux.Resources == nil {
s.Linux.Resources = &specs.LinuxResources{}
}
s.Linux.Resources.Devices = nil
return nil
}
// WithDefaultUnixDevices adds the default devices for unix such as /dev/null, /dev/random to
// the container's resource cgroup spec
func WithDefaultUnixDevices(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
setLinux(s)
if s.Linux.Resources == nil {
s.Linux.Resources = &specs.LinuxResources{}
}
intptr := func(i int64) *int64 {
return &i
}
s.Linux.Resources.Devices = append(s.Linux.Resources.Devices, []specs.LinuxDeviceCgroup{
{
// "/dev/null",
Type: "c",
Major: intptr(1),
Minor: intptr(3),
Access: rwm,
Allow: true,
},
{
// "/dev/random",
Type: "c",
Major: intptr(1),
Minor: intptr(8),
Access: rwm,
Allow: true,
},
{
// "/dev/full",
Type: "c",
Major: intptr(1),
Minor: intptr(7),
Access: rwm,
Allow: true,
},
{
// "/dev/tty",
Type: "c",
Major: intptr(5),
Minor: intptr(0),
Access: rwm,
Allow: true,
},
{
// "/dev/zero",
Type: "c",
Major: intptr(1),
Minor: intptr(5),
Access: rwm,
Allow: true,
},
{
// "/dev/urandom",
Type: "c",
Major: intptr(1),
Minor: intptr(9),
Access: rwm,
Allow: true,
},
{
// "/dev/console",
Type: "c",
Major: intptr(5),
Minor: intptr(1),
Access: rwm,
Allow: true,
},
// /dev/pts/ - pts namespaces are "coming soon"
{
Type: "c",
Major: intptr(136),
Access: rwm,
Allow: true,
},
{
Type: "c",
Major: intptr(5),
Minor: intptr(2),
Access: rwm,
Allow: true,
},
{
// tuntap
Type: "c",
Major: intptr(10),
Minor: intptr(200),
Access: rwm,
Allow: true,
},
}...)
return nil
}
// WithPrivileged sets up options for a privileged container // WithPrivileged sets up options for a privileged container
// TODO(justincormack) device handling // TODO(justincormack) device handling
var WithPrivileged = Compose( var WithPrivileged = Compose(