From fdff11def3438382f7fb3d94291a009f64c21687 Mon Sep 17 00:00:00 2001
From: bin liu
Date: Fri, 26 Aug 2022 15:56:01 +0800
Subject: [PATCH] ctr: add privileged-without-host-devices for run command
For Kata Containers, starting a privileged container will fail if passing all host devices to container due to the permission issue, like the `privileged_without_host_devices` for CRI service, add a `privileged-without-host-devices` to `ctr run` command will disable passing all host devices to containers.
Signed-off-by: bin liu
---
 cmd/ctr/commands/run/run_unix.go | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/cmd/ctr/commands/run/run_unix.go b/cmd/ctr/commands/run/run_unix.go
index 58acc2201..ef0aa2266 100644
--- a/cmd/ctr/commands/run/run_unix.go
+++ b/cmd/ctr/commands/run/run_unix.go
@@ -70,6 +70,10 @@ var platformRunFlags = []cli.Flag{
 Name: "remap-labels",
 Usage: "provide the user namespace ID remapping to the snapshotter via label options; requires snapshotter support",
 },
+ cli.BoolFlag{
+ Name: "privileged-without-host-devices",
+ Usage: "don't pass all host devices to privileged container",
+ },
 cli.Float64Flag{
 Name: "cpus",
 Usage: "set the CFS cpu quota",
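Review bot: The usage string of the new `privileged-without-host-devices` flag does not say that it is only valid together with `--privileged`, a constraint the run path (second hunk) enforces with an error, so a user reading `ctr run --help` cannot discover it before hitting the failure. The neighbouring `remap-labels` flag states its precondition inside its usage text, and I'd follow that style here: `Usage: "don't pass all host devices to privileged container; requires --privileged",`. That also makes the flag read as the modifier of privileged mode that the commit message describes, matching the CRI `privileged_without_host_devices` option it cites.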
@@ -202,9 +206,20 @@ func NewContainer(ctx gocontext.Context, client *containerd.Client, context *cli
 if context.Bool("tty") {
 opts = append(opts, oci.WithTTY)
 }
- if context.Bool("privileged") {
- opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices)
+
+ privileged := context.Bool("privileged")
+ privilegedWithoutHostDevices := context.Bool("privileged-without-host-devices")
+ if privilegedWithoutHostDevices && !privileged {
+ return nil, fmt.Errorf("can't use 'privileged-without-host-devices' without 'privileged' specified")
 }
+ if privileged {
+ if privilegedWithoutHostDevices {
+ opts = append(opts, oci.WithPrivileged)
+ } else {
+ opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices)
+ }
+ }
+
 if context.Bool("net-host") {
 hostname, err := os.Hostname()
 if err != nil {
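Review bot: The new `if privileged {` block has no comment explaining why the `privilegedWithoutHostDevices` branch keeps `oci.WithPrivileged` but drops `oci.WithAllDevicesAllowed` and `oci.WithHostDevices`, and the Kata rationale lives only in the commit message. A reader should be told that the container is still privileged in every other respect — as I read `oci.WithPrivileged` in this repo it still grants all capabilities and disables the seccomp/AppArmor restrictions — and that only the host device list and the device-cgroup allow-all rule are omitted, mirroring the CRI `privileged_without_host_devices` setting. A comment above the block such as `// privileged-without-host-devices mirrors the CRI option of the same name: the container stays privileged, but host devices are not added to the spec and the device cgroup is not opened to all devices` would capture that. The mutual-exclusion check plus the nested branches could be flattened into one switch over the two booleans, but that is cosmetic. NewContainer starts and ends outside this hunk.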