From 5d7bd738e456e83dae36f689e2cffd85e8fe2ef6 Mon Sep 17 00:00:00 2001
From: bpopovschi
Date: Tue, 3 Dec 2019 17:53:29 +0200
Subject: [PATCH] Use containerD WithHostDevices

Signed-off-by: bpopovschi
---
 pkg/containerd/opts/spec_unix.go | 36 -----------------------------
 pkg/server/container_create_unix.go | 2 +-
 2 files changed, 1 insertion(+), 37 deletions(-)

diff --git a/pkg/containerd/opts/spec_unix.go b/pkg/containerd/opts/spec_unix.go
index ef0822248..3bfeb0703 100644
--- a/pkg/containerd/opts/spec_unix.go
+++ b/pkg/containerd/opts/spec_unix.go
@@ -277,42 +277,6 @@ func ensureSharedOrSlave(path string, lookupMount func(string) (mount.Info, erro
 return errors.Errorf("path %q is mounted on %q but it is not a shared or slave mount", path, mountInfo.Mountpoint)
 }
 
-// WithPrivilegedDevices allows all host devices inside the container
-func WithPrivilegedDevices(_ context.Context, _ oci.Client, _ *containers.Container, s *runtimespec.Spec) error {
- if s.Linux == nil {
- s.Linux = &runtimespec.Linux{}
- }
- if s.Linux.Resources == nil {
- s.Linux.Resources = &runtimespec.LinuxResources{}
- }
- hostDevices, err := devices.HostDevices()
- if err != nil {
- return err
- }
- for _, hostDevice := range hostDevices {
- rd := runtimespec.LinuxDevice{
- Path: hostDevice.Path,
- Type: string(hostDevice.Type),
- Major: hostDevice.Major,
- Minor: hostDevice.Minor,
- UID: &hostDevice.Uid,
- GID: &hostDevice.Gid,
- }
- if hostDevice.Major == 0 && hostDevice.Minor == 0 {
- // Invalid device, most likely a symbolic link, skip it.
- continue
- }
- addDevice(s, rd)
- }
- s.Linux.Resources.Devices = []runtimespec.LinuxDeviceCgroup{
- {
- Allow: true,
- Access: "rwm",
- },
- }
- return nil
-}
-
 func addDevice(s *runtimespec.Spec, rd runtimespec.LinuxDevice) {
 for i, dev := range s.Linux.Devices {
 if dev.Path == rd.Path {
diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go
index d7993bf63..6f3b8963f 100644
--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@@ -170,7 +170,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 }
 specOpts = append(specOpts, oci.WithPrivileged)
 if !ociRuntime.PrivilegedWithoutHostDevices {
- specOpts = append(specOpts, customopts.WithPrivilegedDevices)
+ specOpts = append(specOpts, oci.WithHostDevices)
 }
 } else { // not privileged
 specOpts = append(specOpts, customopts.WithDevices(c.os, config), customopts.WithCapabilities(securityContext))
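Review bot: The new `specOpts = append(specOpts, oci.WithHostDevices)` line drops two things the deleted `WithPrivilegedDevices` in spec_unix.go did explicitly, unless the vendored `oci.WithHostDevices` reproduces them: it set `s.Linux.Resources.Devices` to a single allow-all `rwm` device-cgroup rule, and it skipped host entries whose major and minor are both 0. If the upstream option only appends device nodes, a privileged container would see the nodes but be refused by the device cgroup, so this should be confirmed against the containerd revision in vendor/ and, if needed, the separate allow-all option containerd provides should be appended alongside it (in newer releases `oci.WithHostDevices, oci.WithAllDevicesAllowed`). Because only these two files change, the build also presumes the already-vendored containerd exports `oci.WithHostDevices`; a vendor or go.mod bump is not part of this patch. The enclosing `containerSpec` begins before and ends after this hunk.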