aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-12-16 15:15:49 +0100
committerGitHub <noreply@github.com>2021-12-16 15:15:49 +0100
commitd1c91c128ea32dae3e9c56c657ea57dfed9f6ad4 (patch)
tree49d510d1e2c069766633367204e97c0475097abf
parent91e55e263e860af24f176c5e62405a54ef7356de (diff)
parent4243ca93a42c3ed977662c570302be8a7dc5c5ca (diff)
downloadpodman-d1c91c128ea32dae3e9c56c657ea57dfed9f6ad4.tar.gz
podman-d1c91c128ea32dae3e9c56c657ea57dfed9f6ad4.tar.bz2
podman-d1c91c128ea32dae3e9c56c657ea57dfed9f6ad4.zip
Merge pull request #12618 from giuseppe/dev-cgroup-add-default-devices
oci: configure the devices cgroup with default devices
-rw-r--r--pkg/specgen/generate/oci.go8
-rw-r--r--test/e2e/run_device_test.go7
2 files changed, 13 insertions, 2 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 9f8807915..efac53104 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -325,8 +325,12 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
}
s.HostDeviceList = s.Devices
- for _, dev := range s.DeviceCGroupRule {
- g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
+ // set the devices cgroup when not running in a user namespace
+ if !inUserNS && !s.Privileged {
+ g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
+ for _, dev := range s.DeviceCGroupRule {
+ g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
+ }
}
for k, v := range s.WeightDevice {
diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go
index 08905aed2..fbf1eb791 100644
--- a/test/e2e/run_device_test.go
+++ b/test/e2e/run_device_test.go
@@ -119,4 +119,11 @@ var _ = Describe("Podman run device", func() {
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
+
+ It("podman run cannot access non default devices", func() {
+ session := podmanTest.Podman([]string{"run", "-v /dev:/dev-host", ALPINE, "head", "-1", "/dev-host/kmsg"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Not(Exit(0)))
+ })
+
})