Allow rootless containers with privileged to mount devices that are accessible
(ignore permission errors in rootless mode).
This patch updates oci.getDevices() to ignore access denied errors on sub-
directories and files within the given path if the container is running with
userns enabled.
Note that these errors are _only_ ignored on paths _under_ the specified path,
and not the path itself, so if `HostDevices()` is used, and `/dev` itself is
not accessible, or `WithDevices()` is used to specify a device that is not
accessible, an error is still produced.
Tests were added, which includes a temporary workaround for compatibility
with Go 1.16 (we could decide to skip these tests on Go 1.16 instead).
To verify the patch in a container:
docker run --rm -v $(pwd):/go/src/github.com/containerd/containerd -w /go/src/github.com/containerd/containerd golang:1.17 sh -c 'go test -v -run TestHostDevices ./oci'
=== RUN TestHostDevicesOSReadDirFailure
--- PASS: TestHostDevicesOSReadDirFailure (0.00s)
=== RUN TestHostDevicesOSReadDirFailureInUserNS
--- PASS: TestHostDevicesOSReadDirFailureInUserNS (0.00s)
=== RUN TestHostDevicesDeviceFromPathFailure
--- PASS: TestHostDevicesDeviceFromPathFailure (0.00s)
=== RUN TestHostDevicesDeviceFromPathFailureInUserNS
--- PASS: TestHostDevicesDeviceFromPathFailureInUserNS (0.00s)
=== RUN TestHostDevicesAllValid
--- PASS: TestHostDevicesAllValid (0.00s)
PASS
ok github.com/containerd/containerd/oci 0.006s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This will help to reduce the amount of runc/libcontainer code that's used in
Moby / Docker Engine (in favor of using the containerd implementation).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This ports the changes of 95a59bf206
to this repository.
From that PR:
(mode&S_IFCHR == S_IFCHR) is the wrong way of checking the type of an
inode because the S_IF* bits are actually not a bitmask and instead must
be checked using S_IF*. This bug was neatly hidden behind a (major == 0)
sanity-check but that was removed by [1].
In addition, add a test that makes sure that HostDevices() doesn't give
rubbish results -- because we broke this and fixed this before[2].
[1]: 24388be71e ("configs: use different types for .Devices and .Resources.Devices")
[2]: 3ed492ad33 ("Handle non-devices correctly in DeviceFromPath")
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Looks like we had our own copy of the "getDevices" code already, so use
that code (which also matches the code that's used to _generate_ the spec,
so a better match).
Moving the code to a separate file, I also noticed that the _unix and _linux
code was _exactly_ the same (baring some `//nolint:` comments), so also
removing the duplicated code.
With this patch applied, we removed the dependency on the libcontainer/devices
package (leaving only libcontainer/user).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
