diff options
| author | Jake Correnti <jcorrenti13@gmail.com> | 2022-06-03 11:25:45 -0400 |
|---|---|---|
| committer | Jake Correnti <jcorrenti13@gmail.com> | 2022-06-06 14:14:22 -0400 |
| commit | 8533ea000459403a9a708fe01f875509ed22ffe1 (patch) | |
| tree | c817ceeb84ab0682428db61ea12c3dceffe34bad /libpod | |
| parent | f5389dbb44d8d83c3af08b3b183c8e7805c99d88 (diff) | |
| download | podman-8533ea000459403a9a708fe01f875509ed22ffe1.tar.gz podman-8533ea000459403a9a708fe01f875509ed22ffe1.tar.bz2 podman-8533ea000459403a9a708fe01f875509ed22ffe1.zip | |
Privileged containers can now restart if the host devices change
If a privileged container is running, stops, and the devices on the host
change, such as a USB device is unplugged, then a container would no
longer start. Previously, the devices from the host were only being
added to the container once: when the container was created. Now, this
happens every time the container starts.
I did this by adding a boolean to the container config that indicates
whether to mount all of the devices or not, which can be set via an option.
During spec generation, if the `MountAllDevices` option is set in the
container config, all host devices are added to the container.
Additionally, a couple of functions from `pkg/specgen/generate/config_linux.go`
were moved into `pkg/util/utils_linux.go` as they were needed in
multiple packages.
Closes #13899
Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
Diffstat (limited to 'libpod')
| -rw-r--r-- | libpod/container_config.go | 3 | ||||
| -rw-r--r-- | libpod/container_internal_linux.go | 8 | ||||
| -rw-r--r-- | libpod/options.go | 14 |
3 files changed, 25 insertions, 0 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go index 30b84adcf..6558f3c89 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -412,6 +412,9 @@ type ContainerMiscConfig struct { InitContainerType string `json:"init_container_type,omitempty"` // PasswdEntry specifies arbitrary data to append to a file. PasswdEntry string `json:"passwd_entry,omitempty"` + // MountAllDevices is an option to indicate whether a privileged container + // will mount all the host's devices + MountAllDevices bool `json:"mountAllDevices"` } // InfraInherit contains the compatible options inheritable from the infra container diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index e19d75deb..67f813547 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -407,6 +407,14 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { //nolint:staticcheck g := generate.NewFromSpec(c.config.Spec) + // If the flag to mount all devices is set for a privileged container, add + // all the devices from the host's machine into the container + if c.config.MountAllDevices { + if err := util.AddPrivilegedDevices(&g); err != nil { + return nil, err + } + } + // If network namespace was requested, add it now if c.config.CreateNetNS { if c.config.PostConfigureNetNS { diff --git a/libpod/options.go b/libpod/options.go index a02c05537..b21310c4b 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -2159,3 +2159,17 @@ func WithPasswdEntry(passwdEntry string) CtrCreateOption { return nil } } + +// WithMountAllDevices sets the option to mount all of a privileged container's +// host devices +func WithMountAllDevices() CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return define.ErrCtrFinalized + } + + ctr.config.MountAllDevices = true + + return nil + } +} |