diff options
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 1 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 1 | ||||
-rw-r--r-- | go.mod | 1 | ||||
-rw-r--r-- | go.sum | 2 | ||||
-rw-r--r-- | libpod/container_config.go | 2 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 8 | ||||
-rw-r--r-- | libpod/options.go | 11 | ||||
-rw-r--r-- | libpod/runtime.go | 12 | ||||
-rw-r--r-- | pkg/domain/infra/abi/system.go | 7 | ||||
-rw-r--r-- | pkg/rootless/rootless_linux.go | 65 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 33 | ||||
-rw-r--r-- | test/e2e/cdi/device.json | 14 | ||||
-rw-r--r-- | test/e2e/run_device_test.go | 19 | ||||
-rw-r--r-- | vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE | 201 | ||||
-rw-r--r-- | vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go | 180 | ||||
-rw-r--r-- | vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go | 50 | ||||
-rw-r--r-- | vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go | 104 | ||||
-rw-r--r-- | vendor/modules.txt | 3 |
18 files changed, 702 insertions, 12 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 1ea9d1ea6..229bb82f5 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -1365,6 +1365,7 @@ $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman create --name container3 --requires container1,container2 -t -i fedora bash $ podman start --attach container3 +``` ### Configure keep supplemental groups for access to volume diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 3a2651f98..2e6d97a05 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -1719,6 +1719,7 @@ Multiple containers can be required. $ podman create --name container1 -t -i fedora bash $ podman create --name container2 -t -i fedora bash $ podman run --name container3 --requires container1,container2 -t -i fedora bash +``` ### Configure keep supplemental groups for access to volume @@ -8,6 +8,7 @@ require ( github.com/buger/goterm v0.0.0-20181115115552-c206103e1f37 github.com/checkpoint-restore/checkpointctl v0.0.0-20210301084134-a2024f5584e7 github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b + github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 github.com/containernetworking/cni v0.8.1 github.com/containernetworking/plugins v0.9.1 github.com/containers/buildah v1.20.1-0.20210402144408-36a37402d0c8 @@ -120,6 +120,8 @@ github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 h1:Kn0s9/APRtr5dk/83aXj97WX0+PYnJK9BO8g0Xclm0I= +github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9/go.mod h1:eQt66kIaJpUhCrjCtBFQGQxGLbAUl0OuuwjTH16ON4s= github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= diff --git a/libpod/container_config.go b/libpod/container_config.go index e6c3be1bd..d0572fbc2 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -366,4 +366,6 @@ type ContainerMiscConfig struct { Umask string `json:"umask,omitempty"` // PidFile is the file that saves the pid of the container process PidFile string `json:"pid_file,omitempty"` + // CDIDevices contains devices that use the CDI + CDIDevices []string `json:"cdiDevices,omitempty"` } diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 1986f7438..f4762b5ff 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -20,6 +20,7 @@ import ( "time" metadata "github.com/checkpoint-restore/checkpointctl/lib" + cdi "github.com/container-orchestrated-devices/container-device-interface/pkg" cnitypes "github.com/containernetworking/cni/pkg/types/current" "github.com/containernetworking/plugins/pkg/ns" "github.com/containers/buildah/pkg/chrootuser" @@ -704,6 +705,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } g.SetLinuxCgroupsPath(cgroupPath) + // Warning: CDI may alter g.Config in place. + if len(c.config.CDIDevices) > 0 { + if err = cdi.UpdateOCISpecForDevices(g.Config, c.config.CDIDevices); err != nil { + return nil, errors.Wrapf(err, "error setting up CDI devices") + } + } + // Mounts need to be sorted so paths will not cover other paths mounts := sortMounts(g.Mounts()) g.ClearMounts() diff --git a/libpod/options.go b/libpod/options.go index 5cd0f7b88..103a9a80a 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -293,6 +293,17 @@ func WithHooksDir(hooksDirs ...string) RuntimeOption { } } +// WithCDI sets the devices to check for for CDI configuration. +func WithCDI(devices []string) CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return define.ErrCtrFinalized + } + ctr.config.CDIDevices = devices + return nil + } +} + // WithDefaultMountsFile sets the file to look at for default mounts (mainly // secrets). // Note we are not saving this in the database as it is for testing purposes diff --git a/libpod/runtime.go b/libpod/runtime.go index dc53d5ef1..3518ed25a 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -29,6 +29,7 @@ import ( "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/util" "github.com/containers/storage" + "github.com/containers/storage/pkg/unshare" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/docker/docker/pkg/namesgenerator" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -338,9 +339,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { } logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace) + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return err + } + + needsUserns := !hasCapSysAdmin + // Set up containers/storage var store storage.Store - if os.Geteuid() != 0 { + if needsUserns { logrus.Debug("Not configuring container store") } else if runtime.noStore { logrus.Debug("No store required. Not opening container store.") @@ -480,7 +488,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { // If we need to refresh, then it is safe to assume there are // no containers running. Create immediately a namespace, as // we will need to access the storage. - if os.Geteuid() != 0 { + if needsUserns { aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec. pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir) if err != nil { diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go index 6319c1ab1..9bba0fa6c 100644 --- a/pkg/domain/infra/abi/system.go +++ b/pkg/domain/infra/abi/system.go @@ -21,6 +21,7 @@ import ( "github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/utils" "github.com/containers/storage" + "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -58,7 +59,11 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) { func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error { // do it only after podman has already re-execed and running with uid==0. - if os.Geteuid() == 0 { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return err + } + if hasCapSysAdmin { ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup() if err != nil { logrus.Infof("Failed to detect the owner for the current cgroup: %v", err) diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index dda230dbc..fdfeed854 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -4,6 +4,7 @@ package rootless import ( "bufio" + "bytes" "fmt" "io" "io/ioutil" @@ -18,6 +19,7 @@ import ( "github.com/containers/podman/v3/pkg/errorhandling" "github.com/containers/storage/pkg/idtools" + "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" @@ -67,6 +69,15 @@ func IsRootless() bool { } } isRootless = os.Geteuid() != 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" + if !isRootless { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + logrus.Warnf("failed to read CAP_SYS_ADMIN presence for the current process") + } + if err == nil && !hasCapSysAdmin { + isRootless = true + } + } }) return isRootless } @@ -142,8 +153,12 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err // namespace of the specified PID without looking up its parent. Useful to join directly // the conmon process. func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) { - if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { - return false, -1, nil + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return false, 0, err + } + if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { + return false, 0, nil } cPausePid := C.CString(pausePid) @@ -180,8 +195,11 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { } mappings, err := idtools.NewIDMappings(username, username) if err != nil { - logrus.Errorf( - "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) + logLevel := logrus.ErrorLevel + if os.Geteuid() == 0 && GetRootlessUID() == 0 { + logLevel = logrus.DebugLevel + } + logrus.StandardLogger().Logf(logLevel, "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err) } else { uids = mappings.UIDs() gids = mappings.GIDs() @@ -189,8 +207,28 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { return uids, gids, nil } +func copyMappings(from, to string) error { + content, err := ioutil.ReadFile(from) + if err != nil { + return err + } + // Both runc and crun check whether the current process is in a user namespace + // by looking up 4294967295 in /proc/self/uid_map. If the mappings would be + // copied as they are, the check in the OCI runtimes would fail. So just split + // it in two different ranges. + if bytes.Contains(content, []byte("4294967295")) { + content = []byte("0 0 1\n1 1 4294967294\n") + } + return ioutil.WriteFile(to, content, 0600) +} + func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ bool, _ int, retErr error) { - if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { + hasCapSysAdmin, err := unshare.HasCapSysAdmin() + if err != nil { + return false, 0, err + } + + if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" { return false, 0, runInUser() } @@ -247,8 +285,16 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo return false, -1, err } + uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) + gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) + uidsMapped := false - if uids != nil { + + if err := copyMappings("/proc/self/uid_map", uidMap); err == nil { + uidsMapped = true + } + + if uids != nil && !uidsMapped { err := tryMappingTool(true, pid, os.Geteuid(), uids) // If some mappings were specified, do not ignore the error if err != nil && len(uids) > 0 { @@ -265,7 +311,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo } logrus.Debugf("write setgroups file exited with 0") - uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write uid_map") @@ -274,7 +319,10 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo } gidsMapped := false - if gids != nil { + if err := copyMappings("/proc/self/gid_map", gidMap); err == nil { + gidsMapped = true + } + if gids != nil && !gidsMapped { err := tryMappingTool(false, pid, os.Getegid(), gids) // If some mappings were specified, do not ignore the error if err != nil && len(gids) > 0 { @@ -283,7 +331,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo gidsMapped = err == nil } if !gidsMapped { - gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write gid_map") diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 13d4b4926..2f623bf10 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -6,12 +6,14 @@ import ( "path/filepath" "strings" + cdi "github.com/container-orchestrated-devices/container-device-interface/pkg" "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/libpod/image" "github.com/containers/podman/v3/pkg/specgen" "github.com/containers/podman/v3/pkg/util" "github.com/containers/storage/types" + spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -136,6 +138,11 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener options = append(options, libpod.WithNetworkAliases(s.Aliases)) } + if len(s.Devices) > 0 { + opts = extractCDIDevices(s) + options = append(options, opts...) + } + runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts, pod, command) if err != nil { return nil, err @@ -143,6 +150,32 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener return rt.NewContainer(ctx, runtimeSpec, options...) } +func extractCDIDevices(s *specgen.SpecGenerator) []libpod.CtrCreateOption { + devs := make([]spec.LinuxDevice, 0, len(s.Devices)) + var cdiDevs []string + var options []libpod.CtrCreateOption + + for _, device := range s.Devices { + isCDIDevice, err := cdi.HasDevice(device.Path) + if err != nil { + logrus.Debugf("CDI HasDevice Error: %v", err) + } + if err == nil && isCDIDevice { + cdiDevs = append(cdiDevs, device.Path) + continue + } + + devs = append(devs, device) + } + + s.Devices = devs + if len(cdiDevs) > 0 { + options = append(options, libpod.WithCDI(cdiDevs)) + } + + return options +} + func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, overlays []*specgen.OverlayVolume, img *image.Image, command []string) ([]libpod.CtrCreateOption, error) { var options []libpod.CtrCreateOption var err error diff --git a/test/e2e/cdi/device.json b/test/e2e/cdi/device.json new file mode 100644 index 000000000..f49470c88 --- /dev/null +++ b/test/e2e/cdi/device.json @@ -0,0 +1,14 @@ +{ + "cdiVersion": "0.2.0", + "kind": "vendor.com/device", + "devices": [ + { + "name": "myKmsg", + "containerEdits": { + "mounts": [ + {"hostPath": "/dev/kmsg", "containerPath": "/dev/kmsg1", "options": ["rw", "rprivate", "rbind"]} + ] + } + } + ] +} diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go index 5a32ed827..3137e3fe4 100644 --- a/test/e2e/run_device_test.go +++ b/test/e2e/run_device_test.go @@ -2,6 +2,7 @@ package integration import ( "os" + "os/exec" . "github.com/containers/podman/v3/test/utils" . "github.com/onsi/ginkgo" @@ -94,4 +95,22 @@ var _ = Describe("Podman run device", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) }) + + It("podman run CDI device test", func() { + SkipIfRootless("Rootless will not be able to create files/folders in /etc") + cdiDir := "/etc/cdi" + if _, err := os.Stat(cdiDir); os.IsNotExist(err) { + Expect(os.MkdirAll(cdiDir, os.ModePerm)).To(BeNil()) + } + defer os.RemoveAll(cdiDir) + + cmd := exec.Command("cp", "cdi/device.json", cdiDir) + err = cmd.Run() + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "myKmsg", ALPINE, "ls", "--color=never", "/dev/kmsg1"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal("/dev/kmsg1")) + }) }) diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go new file mode 100644 index 000000000..e66fd36c0 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go @@ -0,0 +1,180 @@ +package pkg + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + cdispec "github.com/container-orchestrated-devices/container-device-interface/specs-go" + spec "github.com/opencontainers/runtime-spec/specs-go" +) + +const ( + root = "/etc/cdi" +) + +func collectCDISpecs() (map[string]*cdispec.Spec, error) { + var files []string + vendor := make(map[string]*cdispec.Spec) + + err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error { + if info == nil || info.IsDir() { + return nil + } + + if filepath.Ext(path) != ".json" { + return nil + } + + files = append(files, path) + return nil + }) + + if err != nil { + return nil, err + } + + for _, path := range files { + spec, err := loadCDIFile(path) + if err != nil { + continue + } + + if _, ok := vendor[spec.Kind]; ok { + continue + } + + vendor[spec.Kind] = spec + } + + return vendor, nil +} + +// TODO: Validate (e.g: duplicate device names) +func loadCDIFile(path string) (*cdispec.Spec, error) { + file, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + + var spec *cdispec.Spec + err = json.Unmarshal([]byte(file), &spec) + if err != nil { + return nil, err + } + + return spec, nil +} + +/* +* Pattern "vendor.com/device=myDevice" with the vendor being optional + */ +func extractVendor(dev string) (string, string) { + if strings.IndexByte(dev, '=') == -1 { + return "", dev + } + + split := strings.SplitN(dev, "=", 2) + return split[0], split[1] +} + +// GetCDIForDevice returns the CDI specification that matches the device name the user provided. +func GetCDIForDevice(dev string, specs map[string]*cdispec.Spec) (*cdispec.Spec, error) { + vendor, device := extractVendor(dev) + + if vendor != "" { + s, ok := specs[vendor] + if !ok { + return nil, fmt.Errorf("Could not find vendor %q for device %q", vendor, device) + } + + for _, d := range s.Devices { + if d.Name != device { + continue + } + + return s, nil + } + + return nil, fmt.Errorf("Could not find device %q for vendor %q", device, vendor) + } + + var found []*cdispec.Spec + var vendors []string + for vendor, spec := range specs { + + for _, d := range spec.Devices { + if d.Name != device { + continue + } + + found = append(found, spec) + vendors = append(vendors, vendor) + } + } + + if len(found) > 1 { + return nil, fmt.Errorf("%q is ambiguous and currently refers to multiple devices from different vendors: %q", dev, vendors) + } + + if len(found) == 1 { + return found[0], nil + } + + return nil, fmt.Errorf("Could not find device %q", dev) +} + +// HasDevice returns true if a device is a CDI device +// an error may be returned in cases where permissions may be required +func HasDevice(dev string) (bool, error) { + specs, err := collectCDISpecs() + if err != nil { + return false, err + } + + d, err := GetCDIForDevice(dev, specs) + if err != nil { + return false, err + } + + return d != nil, nil +} + +// UpdateOCISpecForDevices updates the given OCI spec based on the requested CDI devices +func UpdateOCISpecForDevices(ociconfig *spec.Spec, devs []string) error { + specs, err := collectCDISpecs() + if err != nil { + return err + } + + return UpdateOCISpecForDevicesWithSpec(ociconfig, devs, specs) +} + +// UpdateOCISpecForDevicesWithLoggerAndSpecs is mainly used for testing +func UpdateOCISpecForDevicesWithSpec(ociconfig *spec.Spec, devs []string, specs map[string]*cdispec.Spec) error { + edits := make(map[string]*cdispec.Spec) + + for _, d := range devs { + spec, err := GetCDIForDevice(d, specs) + if err != nil { + return err + } + + edits[spec.Kind] = spec + err = cdispec.ApplyOCIEditsForDevice(ociconfig, spec, d) + if err != nil { + return err + } + } + + for _, spec := range edits { + if err := cdispec.ApplyOCIEdits(ociconfig, spec); err != nil { + return err + } + } + + return nil +} diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go new file mode 100644 index 000000000..0223bb703 --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go @@ -0,0 +1,50 @@ +package specs + +// Spec is the base configuration for CDI +type Spec struct { + Version string `json:"cdiVersion"` + Kind string `json:"kind"` + KindShort []string `json:"kindShort,omitempty"` + ContainerRuntime []string `json:"containerRuntime,omitempty"` + + Devices []Devices `json:"devices"` + ContainerEdits ContainerEdits `json:"containerEdits,omitempty"` +} + +// Devices is a "Device" a container runtime can add to a container +type Devices struct { + Name string `json:"name"` + NameShort []string `json:"nameShort"` + ContainerEdits ContainerEdits `json:"containerEdits"` +} + +// ContainerEdits are edits a container runtime must make to the OCI spec to expose the device. +type ContainerEdits struct { + Env []string `json:"env,omitempty"` + DeviceNodes []*DeviceNode `json:"deviceNodes,omitempty"` + Hooks []*Hook `json:"hooks,omitempty"` + Mounts []*Mount `json:"mounts,omitempty"` +} + +// DeviceNode represents a device node that needs to be added to the OCI spec. +type DeviceNode struct { + HostPath string `json:"hostPath"` + ContainerPath string `json:"containerPath"` + Permissions []string `json:"permissions,omitempty"` +} + +// Mount represents a mount that needs to be added to the OCI spec. +type Mount struct { + HostPath string `json:"hostPath"` + ContainerPath string `json:"containerPath"` + Options []string `json:"options,omitempty"` +} + +// Hook represents a hook that needs to be added to the OCI spec. +type Hook struct { + HookName string `json:"hookName"` + Path string `json:"path"` + Args []string `json:"args,omitempty"` + Env []string `json:"env,omitempty"` + Timeout *int `json:"timeout,omitempty"` +} diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go new file mode 100644 index 000000000..c59cda55d --- /dev/null +++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go @@ -0,0 +1,104 @@ +package specs + +import ( + "errors" + "fmt" + + spec "github.com/opencontainers/runtime-spec/specs-go" +) + +// ApplyOCIEditsForDevice applies devices OCI edits, in other words +// it finds the device in the CDI spec and applies the OCI patches that device +// requires to the OCI specification. +func ApplyOCIEditsForDevice(config *spec.Spec, cdi *Spec, dev string) error { + for _, d := range cdi.Devices { + if d.Name != dev { + continue + } + + return ApplyEditsToOCISpec(config, &d.ContainerEdits) + } + + return fmt.Errorf("CDI: device %q not found for spec %q", dev, cdi.Kind) +} + +// ApplyOCIEdits applies the OCI edits the CDI spec declares globablly +func ApplyOCIEdits(config *spec.Spec, cdi *Spec) error { + return ApplyEditsToOCISpec(config, &cdi.ContainerEdits) +} + +// ApplyEditsToOCISpec applies the specified edits to the OCI spec. +func ApplyEditsToOCISpec(config *spec.Spec, edits *ContainerEdits) error { + if config == nil { + return errors.New("spec is nil") + } + if edits == nil { + return nil + } + + if len(edits.Env) > 0 { + + if config.Process == nil { + config.Process = &spec.Process{} + } + + config.Process.Env = append(config.Process.Env, edits.Env...) + } + + for _, d := range edits.DeviceNodes { + config.Mounts = append(config.Mounts, toOCIDevice(d)) + } + + for _, m := range edits.Mounts { + config.Mounts = append(config.Mounts, toOCIMount(m)) + } + + for _, h := range edits.Hooks { + if config.Hooks == nil { + config.Hooks = &spec.Hooks{} + } + switch h.HookName { + case "prestart": + config.Hooks.Prestart = append(config.Hooks.Prestart, toOCIHook(h)) + case "createRuntime": + config.Hooks.CreateRuntime = append(config.Hooks.CreateRuntime, toOCIHook(h)) + case "createContainer": + config.Hooks.CreateContainer = append(config.Hooks.CreateContainer, toOCIHook(h)) + case "startContainer": + config.Hooks.StartContainer = append(config.Hooks.StartContainer, toOCIHook(h)) + case "poststart": + config.Hooks.Poststart = append(config.Hooks.Poststart, toOCIHook(h)) + case "poststop": + config.Hooks.Poststop = append(config.Hooks.Poststop, toOCIHook(h)) + default: + fmt.Printf("CDI: Unknown hook %q\n", h.HookName) + } + } + + return nil +} + +func toOCIHook(h *Hook) spec.Hook { + return spec.Hook{ + Path: h.Path, + Args: h.Args, + Env: h.Env, + Timeout: h.Timeout, + } +} + +func toOCIMount(m *Mount) spec.Mount { + return spec.Mount{ + Source: m.HostPath, + Destination: m.ContainerPath, + Options: m.Options, + } +} + +func toOCIDevice(d *DeviceNode) spec.Mount { + return spec.Mount{ + Source: d.HostPath, + Destination: d.ContainerPath, + Options: d.Permissions, + } +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 77dcb9744..b0658df5b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -49,6 +49,9 @@ github.com/checkpoint-restore/go-criu github.com/checkpoint-restore/go-criu/rpc # github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e github.com/chzyer/readline +# github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 +github.com/container-orchestrated-devices/container-device-interface/pkg +github.com/container-orchestrated-devices/container-device-interface/specs-go # github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68 github.com/containerd/cgroups/stats/v1 # github.com/containerd/containerd v1.5.0-beta.4 |