author | Daniel J Walsh <dwalsh@redhat.com> | 2021-07-09 16:01:35 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-07-21 16:10:09 -0400 |
commit | 3e79296a81ad723c6c3e8ea7d9ca142dfa8fbdf3 (patch) | |
tree | e8bd1f72e0f4a3fdaf290375e75b31e00bab8d56 /pkg | |
parent | 6370622444676db812cbc54aef56e691ea7788d0 (diff) | |
Support DeviceCgroupRules to actually get added.
Fixes: https://github.com/containers/podman/issues/10302
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/specgen/generate/oci.go | 4 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 3 |
2 files changed, 7 insertions, 0 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index bf8d44ed6..6e310d8a6 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -321,6 +321,10 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 }
 }
+ for _, dev := range s.DeviceCGroupRule {
+ g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
+ }
+
 BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), s.Mask, s.Unmask, &g)
 for name, val := range s.Env {
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index c5cc726d7..7eec48a55 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -239,6 +239,9 @@ type ContainerStorageConfig struct {
 // Devices are devices that will be added to the container.
 // Optional.
 Devices []spec.LinuxDevice `json:"devices,omitempty"`
+ // DeviceCGroupRule are device cgroup rules that allow containers
+ // to use additional types of devices.
+ DeviceCGroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"`
 // IpcNS is the container's IPC namespace.
 // Default is private.
 // Conflicts with ShmSize if not set to private. |
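Review bot: The added loop in SpecGenToOCI passes a literal `true` as the allow argument, so the `Allow` field carried by each `spec.LinuxDeviceCgroup` entry is discarded and a rule submitted as a deny would be written to the OCI spec as an allow. Since this list widens the container's device allowlist, either honour the field with `g.AddLinuxResourcesDevice(dev.Allow, dev.Type, dev.Major, dev.Minor, dev.Access)` or reject entries whose `Allow` is false during spec validation, depending on which contract is intended. The loop also applies every entry unconditionally; nothing in this hunk checks `dev.Type` or `dev.Access`, so confirm that validation happens before this point for specs that arrive without going through the CLI parser. The function body starts and ends outside the hunk.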
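Review bot: The doc comment on the new `DeviceCGroupRule` field does not say whether the field is optional or how the entries are applied, unlike the neighbouring `Devices` and `IpcNS` comments, which state "Optional." and the default. Because the generator in oci.go adds every entry as an allow rule, the comment should say so, for example `// DeviceCGroupRule are device cgroup rules added to the container's device allowlist; every entry is applied as an allow rule.` followed by `// Optional.`. The name is also singular for a slice and spells `CGroup` where the element type spells `Cgroup`; if the JSON tag is not yet relied on by clients, `DeviceCgroupRules` would read more consistently. The struct body continues outside the hunk.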