summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/source/markdown/podman-create.1.md1
-rw-r--r--docs/source/markdown/podman-run.1.md1
-rw-r--r--go.mod1
-rw-r--r--go.sum2
-rw-r--r--libpod/container_config.go2
-rw-r--r--libpod/container_internal_linux.go8
-rw-r--r--libpod/options.go11
-rw-r--r--libpod/runtime.go12
-rw-r--r--pkg/domain/infra/abi/system.go7
-rw-r--r--pkg/rootless/rootless_linux.go65
-rw-r--r--pkg/specgen/generate/container_create.go33
-rw-r--r--test/e2e/cdi/device.json14
-rw-r--r--test/e2e/run_device_test.go19
-rw-r--r--vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE201
-rw-r--r--vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go180
-rw-r--r--vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go50
-rw-r--r--vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go104
-rw-r--r--vendor/modules.txt3
18 files changed, 702 insertions, 12 deletions
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 1ea9d1ea6..229bb82f5 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -1365,6 +1365,7 @@ $ podman create --name container1 -t -i fedora bash
$ podman create --name container2 -t -i fedora bash
$ podman create --name container3 --requires container1,container2 -t -i fedora bash
$ podman start --attach container3
+```
### Configure keep supplemental groups for access to volume
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 3a2651f98..2e6d97a05 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1719,6 +1719,7 @@ Multiple containers can be required.
$ podman create --name container1 -t -i fedora bash
$ podman create --name container2 -t -i fedora bash
$ podman run --name container3 --requires container1,container2 -t -i fedora bash
+```
### Configure keep supplemental groups for access to volume
diff --git a/go.mod b/go.mod
index 6d5a78111..6d79c8900 100644
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require (
github.com/buger/goterm v0.0.0-20181115115552-c206103e1f37
github.com/checkpoint-restore/checkpointctl v0.0.0-20210301084134-a2024f5584e7
github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b
+ github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9
github.com/containernetworking/cni v0.8.1
github.com/containernetworking/plugins v0.9.1
github.com/containers/buildah v1.20.1-0.20210402144408-36a37402d0c8
diff --git a/go.sum b/go.sum
index cf467c3f6..0de830099 100644
--- a/go.sum
+++ b/go.sum
@@ -120,6 +120,8 @@ github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
+github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9 h1:Kn0s9/APRtr5dk/83aXj97WX0+PYnJK9BO8g0Xclm0I=
+github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9/go.mod h1:eQt66kIaJpUhCrjCtBFQGQxGLbAUl0OuuwjTH16ON4s=
github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE=
github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU=
github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=
diff --git a/libpod/container_config.go b/libpod/container_config.go
index e6c3be1bd..d0572fbc2 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -366,4 +366,6 @@ type ContainerMiscConfig struct {
Umask string `json:"umask,omitempty"`
// PidFile is the file that saves the pid of the container process
PidFile string `json:"pid_file,omitempty"`
+ // CDIDevices contains devices that use the CDI
+ CDIDevices []string `json:"cdiDevices,omitempty"`
}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 1986f7438..f4762b5ff 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -20,6 +20,7 @@ import (
"time"
metadata "github.com/checkpoint-restore/checkpointctl/lib"
+ cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
cnitypes "github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containers/buildah/pkg/chrootuser"
@@ -704,6 +705,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
g.SetLinuxCgroupsPath(cgroupPath)
+ // Warning: CDI may alter g.Config in place.
+ if len(c.config.CDIDevices) > 0 {
+ if err = cdi.UpdateOCISpecForDevices(g.Config, c.config.CDIDevices); err != nil {
+ return nil, errors.Wrapf(err, "error setting up CDI devices")
+ }
+ }
+
// Mounts need to be sorted so paths will not cover other paths
mounts := sortMounts(g.Mounts())
g.ClearMounts()
diff --git a/libpod/options.go b/libpod/options.go
index 5cd0f7b88..103a9a80a 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -293,6 +293,17 @@ func WithHooksDir(hooksDirs ...string) RuntimeOption {
}
}
+// WithCDI sets the devices to check for for CDI configuration.
+func WithCDI(devices []string) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ ctr.config.CDIDevices = devices
+ return nil
+ }
+}
+
// WithDefaultMountsFile sets the file to look at for default mounts (mainly
// secrets).
// Note we are not saving this in the database as it is for testing purposes
diff --git a/libpod/runtime.go b/libpod/runtime.go
index dc53d5ef1..3518ed25a 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -29,6 +29,7 @@ import (
"github.com/containers/podman/v3/pkg/rootless"
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/unshare"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/docker/docker/pkg/namesgenerator"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -338,9 +339,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
}
logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace)
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return err
+ }
+
+ needsUserns := !hasCapSysAdmin
+
// Set up containers/storage
var store storage.Store
- if os.Geteuid() != 0 {
+ if needsUserns {
logrus.Debug("Not configuring container store")
} else if runtime.noStore {
logrus.Debug("No store required. Not opening container store.")
@@ -480,7 +488,7 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {
// If we need to refresh, then it is safe to assume there are
// no containers running. Create immediately a namespace, as
// we will need to access the storage.
- if os.Geteuid() != 0 {
+ if needsUserns {
aliveLock.Unlock() // Unlock to avoid deadlock as BecomeRootInUserNS will reexec.
pausePid, err := util.GetRootlessPauseProcessPidPathGivenDir(runtime.config.Engine.TmpDir)
if err != nil {
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 6319c1ab1..9bba0fa6c 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -21,6 +21,7 @@ import (
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/podman/v3/utils"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@@ -58,7 +59,11 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error {
// do it only after podman has already re-execed and running with uid==0.
- if os.Geteuid() == 0 {
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return err
+ }
+ if hasCapSysAdmin {
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
if err != nil {
logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index dda230dbc..fdfeed854 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -4,6 +4,7 @@ package rootless
import (
"bufio"
+ "bytes"
"fmt"
"io"
"io/ioutil"
@@ -18,6 +19,7 @@ import (
"github.com/containers/podman/v3/pkg/errorhandling"
"github.com/containers/storage/pkg/idtools"
+ "github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
@@ -67,6 +69,15 @@ func IsRootless() bool {
}
}
isRootless = os.Geteuid() != 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != ""
+ if !isRootless {
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ logrus.Warnf("failed to read CAP_SYS_ADMIN presence for the current process")
+ }
+ if err == nil && !hasCapSysAdmin {
+ isRootless = true
+ }
+ }
})
return isRootless
}
@@ -142,8 +153,12 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err
// namespace of the specified PID without looking up its parent. Useful to join directly
// the conmon process.
func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) {
- if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
- return false, -1, nil
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return false, 0, err
+ }
+ if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
+ return false, 0, nil
}
cPausePid := C.CString(pausePid)
@@ -180,8 +195,11 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
}
mappings, err := idtools.NewIDMappings(username, username)
if err != nil {
- logrus.Errorf(
- "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err)
+ logLevel := logrus.ErrorLevel
+ if os.Geteuid() == 0 && GetRootlessUID() == 0 {
+ logLevel = logrus.DebugLevel
+ }
+ logrus.StandardLogger().Logf(logLevel, "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err)
} else {
uids = mappings.UIDs()
gids = mappings.GIDs()
@@ -189,8 +207,28 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
return uids, gids, nil
}
+func copyMappings(from, to string) error {
+ content, err := ioutil.ReadFile(from)
+ if err != nil {
+ return err
+ }
+ // Both runc and crun check whether the current process is in a user namespace
+ // by looking up 4294967295 in /proc/self/uid_map. If the mappings would be
+ // copied as they are, the check in the OCI runtimes would fail. So just split
+ // it in two different ranges.
+ if bytes.Contains(content, []byte("4294967295")) {
+ content = []byte("0 0 1\n1 1 4294967294\n")
+ }
+ return ioutil.WriteFile(to, content, 0600)
+}
+
func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ bool, _ int, retErr error) {
- if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return false, 0, err
+ }
+
+ if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" {
return false, 0, runInUser()
}
@@ -247,8 +285,16 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
return false, -1, err
}
+ uidMap := fmt.Sprintf("/proc/%d/uid_map", pid)
+ gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)
+
uidsMapped := false
- if uids != nil {
+
+ if err := copyMappings("/proc/self/uid_map", uidMap); err == nil {
+ uidsMapped = true
+ }
+
+ if uids != nil && !uidsMapped {
err := tryMappingTool(true, pid, os.Geteuid(), uids)
// If some mappings were specified, do not ignore the error
if err != nil && len(uids) > 0 {
@@ -265,7 +311,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
}
logrus.Debugf("write setgroups file exited with 0")
- uidMap := fmt.Sprintf("/proc/%d/uid_map", pid)
err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666)
if err != nil {
return false, -1, errors.Wrapf(err, "cannot write uid_map")
@@ -274,7 +319,10 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
}
gidsMapped := false
- if gids != nil {
+ if err := copyMappings("/proc/self/gid_map", gidMap); err == nil {
+ gidsMapped = true
+ }
+ if gids != nil && !gidsMapped {
err := tryMappingTool(false, pid, os.Getegid(), gids)
// If some mappings were specified, do not ignore the error
if err != nil && len(gids) > 0 {
@@ -283,7 +331,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
gidsMapped = err == nil
}
if !gidsMapped {
- gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)
err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666)
if err != nil {
return false, -1, errors.Wrapf(err, "cannot write gid_map")
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 13d4b4926..2f623bf10 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -6,12 +6,14 @@ import (
"path/filepath"
"strings"
+ cdi "github.com/container-orchestrated-devices/container-device-interface/pkg"
"github.com/containers/common/pkg/config"
"github.com/containers/podman/v3/libpod"
"github.com/containers/podman/v3/libpod/image"
"github.com/containers/podman/v3/pkg/specgen"
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/storage/types"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -136,6 +138,11 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
options = append(options, libpod.WithNetworkAliases(s.Aliases))
}
+ if len(s.Devices) > 0 {
+ opts = extractCDIDevices(s)
+ options = append(options, opts...)
+ }
+
runtimeSpec, err := SpecGenToOCI(ctx, s, rt, rtc, newImage, finalMounts, pod, command)
if err != nil {
return nil, err
@@ -143,6 +150,32 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
return rt.NewContainer(ctx, runtimeSpec, options...)
}
+func extractCDIDevices(s *specgen.SpecGenerator) []libpod.CtrCreateOption {
+ devs := make([]spec.LinuxDevice, 0, len(s.Devices))
+ var cdiDevs []string
+ var options []libpod.CtrCreateOption
+
+ for _, device := range s.Devices {
+ isCDIDevice, err := cdi.HasDevice(device.Path)
+ if err != nil {
+ logrus.Debugf("CDI HasDevice Error: %v", err)
+ }
+ if err == nil && isCDIDevice {
+ cdiDevs = append(cdiDevs, device.Path)
+ continue
+ }
+
+ devs = append(devs, device)
+ }
+
+ s.Devices = devs
+ if len(cdiDevs) > 0 {
+ options = append(options, libpod.WithCDI(cdiDevs))
+ }
+
+ return options
+}
+
func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, overlays []*specgen.OverlayVolume, img *image.Image, command []string) ([]libpod.CtrCreateOption, error) {
var options []libpod.CtrCreateOption
var err error
diff --git a/test/e2e/cdi/device.json b/test/e2e/cdi/device.json
new file mode 100644
index 000000000..f49470c88
--- /dev/null
+++ b/test/e2e/cdi/device.json
@@ -0,0 +1,14 @@
+{
+ "cdiVersion": "0.2.0",
+ "kind": "vendor.com/device",
+ "devices": [
+ {
+ "name": "myKmsg",
+ "containerEdits": {
+ "mounts": [
+ {"hostPath": "/dev/kmsg", "containerPath": "/dev/kmsg1", "options": ["rw", "rprivate", "rbind"]}
+ ]
+ }
+ }
+ ]
+}
diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go
index 5a32ed827..3137e3fe4 100644
--- a/test/e2e/run_device_test.go
+++ b/test/e2e/run_device_test.go
@@ -2,6 +2,7 @@ package integration
import (
"os"
+ "os/exec"
. "github.com/containers/podman/v3/test/utils"
. "github.com/onsi/ginkgo"
@@ -94,4 +95,22 @@ var _ = Describe("Podman run device", func() {
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
})
+
+ It("podman run CDI device test", func() {
+ SkipIfRootless("Rootless will not be able to create files/folders in /etc")
+ cdiDir := "/etc/cdi"
+ if _, err := os.Stat(cdiDir); os.IsNotExist(err) {
+ Expect(os.MkdirAll(cdiDir, os.ModePerm)).To(BeNil())
+ }
+ defer os.RemoveAll(cdiDir)
+
+ cmd := exec.Command("cp", "cdi/device.json", cdiDir)
+ err = cmd.Run()
+ Expect(err).To(BeNil())
+
+ session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "myKmsg", ALPINE, "ls", "--color=never", "/dev/kmsg1"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal("/dev/kmsg1"))
+ })
})
diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE
new file mode 100644
index 000000000..261eeb9e9
--- /dev/null
+++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go
new file mode 100644
index 000000000..e66fd36c0
--- /dev/null
+++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/pkg/devices.go
@@ -0,0 +1,180 @@
+package pkg
+
+import (
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strings"
+
+ cdispec "github.com/container-orchestrated-devices/container-device-interface/specs-go"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+const (
+ root = "/etc/cdi"
+)
+
+func collectCDISpecs() (map[string]*cdispec.Spec, error) {
+ var files []string
+ vendor := make(map[string]*cdispec.Spec)
+
+ err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+ if info == nil || info.IsDir() {
+ return nil
+ }
+
+ if filepath.Ext(path) != ".json" {
+ return nil
+ }
+
+ files = append(files, path)
+ return nil
+ })
+
+ if err != nil {
+ return nil, err
+ }
+
+ for _, path := range files {
+ spec, err := loadCDIFile(path)
+ if err != nil {
+ continue
+ }
+
+ if _, ok := vendor[spec.Kind]; ok {
+ continue
+ }
+
+ vendor[spec.Kind] = spec
+ }
+
+ return vendor, nil
+}
+
+// TODO: Validate (e.g: duplicate device names)
+func loadCDIFile(path string) (*cdispec.Spec, error) {
+ file, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+
+ var spec *cdispec.Spec
+ err = json.Unmarshal([]byte(file), &spec)
+ if err != nil {
+ return nil, err
+ }
+
+ return spec, nil
+}
+
+/*
+* Pattern "vendor.com/device=myDevice" with the vendor being optional
+ */
+func extractVendor(dev string) (string, string) {
+ if strings.IndexByte(dev, '=') == -1 {
+ return "", dev
+ }
+
+ split := strings.SplitN(dev, "=", 2)
+ return split[0], split[1]
+}
+
+// GetCDIForDevice returns the CDI specification that matches the device name the user provided.
+func GetCDIForDevice(dev string, specs map[string]*cdispec.Spec) (*cdispec.Spec, error) {
+ vendor, device := extractVendor(dev)
+
+ if vendor != "" {
+ s, ok := specs[vendor]
+ if !ok {
+ return nil, fmt.Errorf("Could not find vendor %q for device %q", vendor, device)
+ }
+
+ for _, d := range s.Devices {
+ if d.Name != device {
+ continue
+ }
+
+ return s, nil
+ }
+
+ return nil, fmt.Errorf("Could not find device %q for vendor %q", device, vendor)
+ }
+
+ var found []*cdispec.Spec
+ var vendors []string
+ for vendor, spec := range specs {
+
+ for _, d := range spec.Devices {
+ if d.Name != device {
+ continue
+ }
+
+ found = append(found, spec)
+ vendors = append(vendors, vendor)
+ }
+ }
+
+ if len(found) > 1 {
+ return nil, fmt.Errorf("%q is ambiguous and currently refers to multiple devices from different vendors: %q", dev, vendors)
+ }
+
+ if len(found) == 1 {
+ return found[0], nil
+ }
+
+ return nil, fmt.Errorf("Could not find device %q", dev)
+}
+
+// HasDevice returns true if a device is a CDI device
+// an error may be returned in cases where permissions may be required
+func HasDevice(dev string) (bool, error) {
+ specs, err := collectCDISpecs()
+ if err != nil {
+ return false, err
+ }
+
+ d, err := GetCDIForDevice(dev, specs)
+ if err != nil {
+ return false, err
+ }
+
+ return d != nil, nil
+}
+
+// UpdateOCISpecForDevices updates the given OCI spec based on the requested CDI devices
+func UpdateOCISpecForDevices(ociconfig *spec.Spec, devs []string) error {
+ specs, err := collectCDISpecs()
+ if err != nil {
+ return err
+ }
+
+ return UpdateOCISpecForDevicesWithSpec(ociconfig, devs, specs)
+}
+
+// UpdateOCISpecForDevicesWithLoggerAndSpecs is mainly used for testing
+func UpdateOCISpecForDevicesWithSpec(ociconfig *spec.Spec, devs []string, specs map[string]*cdispec.Spec) error {
+ edits := make(map[string]*cdispec.Spec)
+
+ for _, d := range devs {
+ spec, err := GetCDIForDevice(d, specs)
+ if err != nil {
+ return err
+ }
+
+ edits[spec.Kind] = spec
+ err = cdispec.ApplyOCIEditsForDevice(ociconfig, spec, d)
+ if err != nil {
+ return err
+ }
+ }
+
+ for _, spec := range edits {
+ if err := cdispec.ApplyOCIEdits(ociconfig, spec); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go
new file mode 100644
index 000000000..0223bb703
--- /dev/null
+++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/config.go
@@ -0,0 +1,50 @@
+package specs
+
+// Spec is the base configuration for CDI
+type Spec struct {
+ Version string `json:"cdiVersion"`
+ Kind string `json:"kind"`
+ KindShort []string `json:"kindShort,omitempty"`
+ ContainerRuntime []string `json:"containerRuntime,omitempty"`
+
+ Devices []Devices `json:"devices"`
+ ContainerEdits ContainerEdits `json:"containerEdits,omitempty"`
+}
+
+// Devices is a "Device" a container runtime can add to a container
+type Devices struct {
+ Name string `json:"name"`
+ NameShort []string `json:"nameShort"`
+ ContainerEdits ContainerEdits `json:"containerEdits"`
+}
+
+// ContainerEdits are edits a container runtime must make to the OCI spec to expose the device.
+type ContainerEdits struct {
+ Env []string `json:"env,omitempty"`
+ DeviceNodes []*DeviceNode `json:"deviceNodes,omitempty"`
+ Hooks []*Hook `json:"hooks,omitempty"`
+ Mounts []*Mount `json:"mounts,omitempty"`
+}
+
+// DeviceNode represents a device node that needs to be added to the OCI spec.
+type DeviceNode struct {
+ HostPath string `json:"hostPath"`
+ ContainerPath string `json:"containerPath"`
+ Permissions []string `json:"permissions,omitempty"`
+}
+
+// Mount represents a mount that needs to be added to the OCI spec.
+type Mount struct {
+ HostPath string `json:"hostPath"`
+ ContainerPath string `json:"containerPath"`
+ Options []string `json:"options,omitempty"`
+}
+
+// Hook represents a hook that needs to be added to the OCI spec.
+type Hook struct {
+ HookName string `json:"hookName"`
+ Path string `json:"path"`
+ Args []string `json:"args,omitempty"`
+ Env []string `json:"env,omitempty"`
+ Timeout *int `json:"timeout,omitempty"`
+}
diff --git a/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go
new file mode 100644
index 000000000..c59cda55d
--- /dev/null
+++ b/vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go
@@ -0,0 +1,104 @@
+package specs
+
+import (
+ "errors"
+ "fmt"
+
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// ApplyOCIEditsForDevice applies devices OCI edits, in other words
+// it finds the device in the CDI spec and applies the OCI patches that device
+// requires to the OCI specification.
+func ApplyOCIEditsForDevice(config *spec.Spec, cdi *Spec, dev string) error {
+ for _, d := range cdi.Devices {
+ if d.Name != dev {
+ continue
+ }
+
+ return ApplyEditsToOCISpec(config, &d.ContainerEdits)
+ }
+
+ return fmt.Errorf("CDI: device %q not found for spec %q", dev, cdi.Kind)
+}
+
+// ApplyOCIEdits applies the OCI edits the CDI spec declares globablly
+func ApplyOCIEdits(config *spec.Spec, cdi *Spec) error {
+ return ApplyEditsToOCISpec(config, &cdi.ContainerEdits)
+}
+
+// ApplyEditsToOCISpec applies the specified edits to the OCI spec.
+func ApplyEditsToOCISpec(config *spec.Spec, edits *ContainerEdits) error {
+ if config == nil {
+ return errors.New("spec is nil")
+ }
+ if edits == nil {
+ return nil
+ }
+
+ if len(edits.Env) > 0 {
+
+ if config.Process == nil {
+ config.Process = &spec.Process{}
+ }
+
+ config.Process.Env = append(config.Process.Env, edits.Env...)
+ }
+
+ for _, d := range edits.DeviceNodes {
+ config.Mounts = append(config.Mounts, toOCIDevice(d))
+ }
+
+ for _, m := range edits.Mounts {
+ config.Mounts = append(config.Mounts, toOCIMount(m))
+ }
+
+ for _, h := range edits.Hooks {
+ if config.Hooks == nil {
+ config.Hooks = &spec.Hooks{}
+ }
+ switch h.HookName {
+ case "prestart":
+ config.Hooks.Prestart = append(config.Hooks.Prestart, toOCIHook(h))
+ case "createRuntime":
+ config.Hooks.CreateRuntime = append(config.Hooks.CreateRuntime, toOCIHook(h))
+ case "createContainer":
+ config.Hooks.CreateContainer = append(config.Hooks.CreateContainer, toOCIHook(h))
+ case "startContainer":
+ config.Hooks.StartContainer = append(config.Hooks.StartContainer, toOCIHook(h))
+ case "poststart":
+ config.Hooks.Poststart = append(config.Hooks.Poststart, toOCIHook(h))
+ case "poststop":
+ config.Hooks.Poststop = append(config.Hooks.Poststop, toOCIHook(h))
+ default:
+ fmt.Printf("CDI: Unknown hook %q\n", h.HookName)
+ }
+ }
+
+ return nil
+}
+
+func toOCIHook(h *Hook) spec.Hook {
+ return spec.Hook{
+ Path: h.Path,
+ Args: h.Args,
+ Env: h.Env,
+ Timeout: h.Timeout,
+ }
+}
+
+func toOCIMount(m *Mount) spec.Mount {
+ return spec.Mount{
+ Source: m.HostPath,
+ Destination: m.ContainerPath,
+ Options: m.Options,
+ }
+}
+
+func toOCIDevice(d *DeviceNode) spec.Mount {
+ return spec.Mount{
+ Source: d.HostPath,
+ Destination: d.ContainerPath,
+ Options: d.Permissions,
+ }
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 77dcb9744..b0658df5b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -49,6 +49,9 @@ github.com/checkpoint-restore/go-criu
github.com/checkpoint-restore/go-criu/rpc
# github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
github.com/chzyer/readline
+# github.com/container-orchestrated-devices/container-device-interface v0.0.0-20210325223243-f99e8b6c10b9
+github.com/container-orchestrated-devices/container-device-interface/pkg
+github.com/container-orchestrated-devices/container-device-interface/specs-go
# github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68
github.com/containerd/cgroups/stats/v1
# github.com/containerd/containerd v1.5.0-beta.4