device: Ease device access for rootfs device to allow node creation
For docker in docker scenario, the nested container created
has entry "b *:* m" in the list of devices it is allowed to access
under /sys/fs/cgroup/devices/docker/{ctrid}/devices.list.

This entry was causing issues while starting a nested container
as we were denying "m" access to the rootfs block devices.
With this change we add back "m" access, the container would be
allowed to create a device node for the rootfs device but will
not have read-write access to the created device node.
This fixes the docker in docker use case while still making sure
the container is not allowed read/write access to the rootfs.
Note, this could also be fixed by simply skipping {"Type : "b"}
while creating the device cgroup with libcontainer.
But this seems to be undocumented behaviour at this point,
hence refrained from taking this approach.

Fixes kata-containers#806

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
amshinde committed Jul 17, 2020
1 parent e01f289 commit 5dc7ae4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion device.go
Expand Up @@ -496,7 +496,7 @@ func updateDeviceCgroupForGuestRootfs(spec *pb.Spec) {
Major: devMajor,
Minor: devMinor,
Type: "b",
Access: "rwm",
Access: "rw",
}

spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices, nvdimmCg)
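Review bot: the change from `Access: "rwm"` to `Access: "rw"` on the rootfs device entry carries no in-code explanation of why mknod is deliberately left out of the deny rule; the rationale (the nested docker daemon must create a node for the rootfs block device, while "rw" still denies open() on whatever node it creates) lives only in the commit message and will be lost to the next reader of `updateDeviceCgroupForGuestRootfs`. Add a comment above the struct literal, e.g. `// Deny read/write on the guest rootfs device but leave "m" (mknod) permitted so docker-in-docker can create the node.`, and consider a unit test asserting that the entry appended to `spec.Linux.Resources.Devices` has `Access == "rw"`, so a later cleanup does not silently restore "rwm" and reintroduce kata-containers#806.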