From 98f8ec4995d688db3d62d265f298d3183e3d49f9 Mon Sep 17 00:00:00 2001
From: Thibaut Collet <thibaut.collet@6wind.com>
Date: Tue, 21 Apr 2020 09:31:52 +0200
Subject: [PATCH] fix incomplete host device for PrivilegedWithoutHostDevices

For a privilege pods with PrivilegedWithoutHostDevices set to true
host device specified in the config are not provided (whereas it is done for
non privilege pods or privilege pods with PrivilegedWithoutHostDevices set
to false as all devices are included).

Add them in this case.

Fixes: 3353ab76d922 ("Add flag to overload default privileged host device behaviour")
Signed-off-by: Thibaut Collet <thibaut.collet@6wind.com>
---
 pkg/server/container_create_unix.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go
index 94c6045aa..6630162b0 100644
--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@@ -172,6 +172,9 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 		specOpts = append(specOpts, oci.WithPrivileged)
 		if !ociRuntime.PrivilegedWithoutHostDevices {
 			specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)
+		} else {
+			// add requested devices by the config as host devices are not automatically added
+			specOpts = append(specOpts, customopts.WithDevices(c.os, config), customopts.WithCapabilities(securityContext))
 		}
 	} else { // not privileged
 		specOpts = append(specOpts, customopts.WithDevices(c.os, config), customopts.WithCapabilities(securityContext))