Forráskód Böngészése

Make `--device` flag work in privileged mode

When a container is started in privileged mode, the device mappings
provided by `--device` flag was ignored. Now the device mappings will
be considered even in privileged mode.

Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
Akhil Mohan 5 éve
szülő
commit
35b9e6989f
1 módosított fájl, 25 hozzáadás és 1 törlés
  1. 25 1
      daemon/oci_linux.go

+ 25 - 1
daemon/oci_linux.go

@@ -16,7 +16,6 @@ import (
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/container"
 	daemonconfig "github.com/docker/docker/daemon/config"
-	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/oci"
 	"github.com/docker/docker/oci/caps"
 	"github.com/docker/docker/pkg/idtools"
@@ -806,6 +805,7 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		// Build lists of devices allowed and created within the container.
 		var devs []specs.LinuxDevice
 		devPermissions := s.Linux.Resources.Devices
+
 		if c.HostConfig.Privileged && !rsystem.RunningInUserNS() {
 			hostDevices, err := devices.HostDevices()
 			if err != nil {
@@ -814,6 +814,30 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
 			for _, d := range hostDevices {
 				devs = append(devs, oci.Device(d))
 			}
+
+			// adding device mappings in privileged containers
+			for _, deviceMapping := range c.HostConfig.Devices {
+				// issue a warning that custom cgroup permissions are ignored in privileged mode
+				if deviceMapping.CgroupPermissions != "rwm" {
+					logrus.WithField("container", c.ID).Warnf("custom %s permissions for device %s are ignored in privileged mode", deviceMapping.CgroupPermissions, deviceMapping.PathOnHost)
+				}
+				// issue a warning that the device path already exists via /dev mounting in privileged mode
+				if deviceMapping.PathOnHost == deviceMapping.PathInContainer {
+					logrus.WithField("container", c.ID).Warnf("path in container %s already exists in privileged mode", deviceMapping.PathInContainer)
+					continue
+				}
+				// check if the path exists in the container. need to create a device only if the
+				// path does not exists.
+				if _, err := os.Stat(deviceMapping.PathInContainer); !os.IsNotExist(err) {
+					return errors.Errorf("container device path: %s must be different from any host device path for privileged mode containers", deviceMapping.PathInContainer)
+				}
+				d, _, err := oci.DevicesFromPath(deviceMapping.PathOnHost, deviceMapping.PathInContainer, "rwm")
+				if err != nil {
+					return err
+				}
+				devs = append(devs, d...)
+			}
+
 			devPermissions = []specs.LinuxDeviceCgroup{
 				{
 					Allow:  true,