From f0c71168481e525414a38dc3eaf5a027afe2d4e7 Mon Sep 17 00:00:00 2001 From: baude Date: Thu, 1 Oct 2020 15:18:11 -0500 Subject: fix compat api privileged and entrypoint code when adding /dev to a privileged container using the compatibility API, we need to make sure we dont pass on devices that are simply symlinks. this was already being done by specgen but not on the compat. side. the entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its json, specifically [] vs "". in the case of the latter, this was being made into a []string with a len of one but no content. this would then be used to prefix the command to run in the container and would fail. For example " ls" vs "ls". Signed-off-by: baude --- pkg/spec/config_linux.go | 3 +++ 1 file changed, 3 insertions(+) (limited to 'pkg/spec/config_linux.go') diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go index d03663f12..319cce61f 100644 --- a/pkg/spec/config_linux.go +++ b/pkg/spec/config_linux.go @@ -200,6 +200,9 @@ func getDevices(path string) ([]*configs.Device, error) { } case f.Name() == "console": continue + case f.Mode()&os.ModeSymlink != 0: + // do not add symlink'd devices to privileged devices + continue } device, err := devices.DeviceFromPath(filepath.Join(path, f.Name()), "rwm") if err != nil { -- cgit v1.2.3-54-g00ecf