1. docker
  2. Commit f3d824771a10a8143ea97afb6864d0a587c7b7e3
Browse code

Merge pull request #21487 from tonistiigi/fix-old-dind

Fix setting cgroup permission to user/privileged devices

Sebastiaan van Stijn authored on 2016/03/25 14:56:39
Showing 4 changed files
daemon/container_operations_unix.go
History View file @ f3d8247
... ... 
@@ -295,7 +295,18 @@ func specDevice(d *configs.Device) specs.Device {
295 295 
 	}
296 296 
 }
297 297
298 
-func getDevicesFromPath(deviceMapping containertypes.DeviceMapping) (devs []specs.Device, err error) {
298 
+func specDeviceCgroup(d *configs.Device) specs.DeviceCgroup {
299 
+	t := string(d.Type)
300 
+	return specs.DeviceCgroup{
301 
+		Allow:  true,
302 
+		Type:   &t,
303 
+		Major:  &d.Major,
304 
+		Minor:  &d.Minor,
305 
+		Access: &d.Permissions,
306 
+	}
307 
+}
308 
+
309 
+func getDevicesFromPath(deviceMapping containertypes.DeviceMapping) (devs []specs.Device, devPermissions []specs.DeviceCgroup, err error) {
299 310 
 	resolvedPathOnHost := deviceMapping.PathOnHost
300 311
301 312 
 	// check if it is a symbolic link
... ... 
@@ -309,7 +320,7 @@ func getDevicesFromPath(deviceMapping containertypes.DeviceMapping) (devs []spec
309 309 
 	// if there was no error, return the device
310 310 
 	if err == nil {
311 311 
 		device.Path = deviceMapping.PathInContainer
312 
-		return append(devs, specDevice(device)), nil
312 
+		return append(devs, specDevice(device)), append(devPermissions, specDeviceCgroup(device)), nil
313 313 
 	}
314 314
315 315 
 	// if the device is not a device node
... ... 
@@ -330,6 +341,7 @@ func getDevicesFromPath(deviceMapping containertypes.DeviceMapping) (devs []spec
330 330 
 				// add the device to userSpecified devices
331 331 
 				childDevice.Path = strings.Replace(dpath, resolvedPathOnHost, deviceMapping.PathInContainer, 1)
332 332 
 				devs = append(devs, specDevice(childDevice))
333 
+				devPermissions = append(devPermissions, specDeviceCgroup(childDevice))
333 334
334 335 
 				return nil
335 336 
 			})
... ... 
@@ -337,10 +349,10 @@ func getDevicesFromPath(deviceMapping containertypes.DeviceMapping) (devs []spec
337 337 
 	}
338 338
339 339 
 	if len(devs) > 0 {
340 
-		return devs, nil
340 
+		return devs, devPermissions, nil
341 341 
 	}
342 342
343 
-	return devs, fmt.Errorf("error gathering device information while adding custom device %q: %s", deviceMapping.PathOnHost, err)
343 
+	return devs, devPermissions, fmt.Errorf("error gathering device information while adding custom device %q: %s", deviceMapping.PathOnHost, err)
344 344 
 }
345 345
346 346 
 func mergeDevices(defaultDevices, userDevices []*configs.Device) []*configs.Device {
daemon/daemon_unix.go
History View file @ f3d8247
... ... 
@@ -130,7 +130,7 @@ func getBlkioWeightDevices(config containertypes.Resources) ([]specs.WeightDevic
130 130 
 		weight := weightDevice.Weight
131 131 
 		d := specs.WeightDevice{Weight: &weight}
132 132 
 		d.Major = int64(stat.Rdev / 256)
133 
-		d.Major = int64(stat.Rdev % 256)
133 
+		d.Minor = int64(stat.Rdev % 256)
134 134 
 		blkioWeightDevices = append(blkioWeightDevices, d)
135 135 
 	}
136 136
... ... 
@@ -187,7 +187,7 @@ func getBlkioReadIOpsDevices(config containertypes.Resources) ([]specs.ThrottleD
187 187 
 		rate := iopsDevice.Rate
188 188 
 		d := specs.ThrottleDevice{Rate: &rate}
189 189 
 		d.Major = int64(stat.Rdev / 256)
190 
-		d.Major = int64(stat.Rdev % 256)
190 
+		d.Minor = int64(stat.Rdev % 256)
191 191 
 		blkioReadIOpsDevice = append(blkioReadIOpsDevice, d)
192 192 
 	}
193 193
... ... 
@@ -205,7 +205,7 @@ func getBlkioWriteIOpsDevices(config containertypes.Resources) ([]specs.Throttle
205 205 
 		rate := iopsDevice.Rate
206 206 
 		d := specs.ThrottleDevice{Rate: &rate}
207 207 
 		d.Major = int64(stat.Rdev / 256)
208 
-		d.Major = int64(stat.Rdev % 256)
208 
+		d.Minor = int64(stat.Rdev % 256)
209 209 
 		blkioWriteIOpsDevice = append(blkioWriteIOpsDevice, d)
210 210 
 	}
211 211
... ... 
@@ -223,7 +223,7 @@ func getBlkioReadBpsDevices(config containertypes.Resources) ([]specs.ThrottleDe
223 223 
 		rate := bpsDevice.Rate
224 224 
 		d := specs.ThrottleDevice{Rate: &rate}
225 225 
 		d.Major = int64(stat.Rdev / 256)
226 
-		d.Major = int64(stat.Rdev % 256)
226 
+		d.Minor = int64(stat.Rdev % 256)
227 227 
 		blkioReadBpsDevice = append(blkioReadBpsDevice, d)
228 228 
 	}
229 229
... ... 
@@ -241,7 +241,7 @@ func getBlkioWriteBpsDevices(config containertypes.Resources) ([]specs.ThrottleD
241 241 
 		rate := bpsDevice.Rate
242 242 
 		d := specs.ThrottleDevice{Rate: &rate}
243 243 
 		d.Major = int64(stat.Rdev / 256)
244 
-		d.Major = int64(stat.Rdev % 256)
244 
+		d.Minor = int64(stat.Rdev % 256)
245 245 
 		blkioWriteBpsDevice = append(blkioWriteBpsDevice, d)
246 246 
 	}
247 247
daemon/oci_linux.go
History View file @ f3d8247
... ... 
@@ -78,6 +78,7 @@ func setResources(s *specs.Spec, r containertypes.Resources) error {
78 78 
 func setDevices(s *specs.Spec, c *container.Container) error {
79 79 
 	// Build lists of devices allowed and created within the container.
80 80 
 	var devs []specs.Device
81 
+	devPermissions := s.Linux.Resources.Devices
81 82 
 	if c.HostConfig.Privileged {
82 83 
 		hostDevices, err := devices.HostDevices()
83 84 
 		if err != nil {
... ... 
@@ -86,18 +87,26 @@ func setDevices(s *specs.Spec, c *container.Container) error {
86 86 
 		for _, d := range hostDevices {
87 87 
 			devs = append(devs, specDevice(d))
88 88 
 		}
89 
+		rwm := "rwm"
90 
+		devPermissions = []specs.DeviceCgroup{
91 
+			{
92 
+				Allow:  true,
93 
+				Access: &rwm,
94 
+			},
95 
+		}
89 96 
 	} else {
90 97 
 		for _, deviceMapping := range c.HostConfig.Devices {
91 
-			d, err := getDevicesFromPath(deviceMapping)
98 
+			d, dPermissions, err := getDevicesFromPath(deviceMapping)
92 99 
 			if err != nil {
93 100 
 				return err
94 101 
 			}
95 
-
96 102 
 			devs = append(devs, d...)
103 
+			devPermissions = append(devPermissions, dPermissions...)
97 104 
 		}
98 105 
 	}
99 106
100 107 
 	s.Linux.Devices = append(s.Linux.Devices, devs...)
108 
+	s.Linux.Resources.Devices = devPermissions
101 109 
 	return nil
102 110 
 }
103 111
integration-cli/docker_cli_run_unix_test.go
History View file @ f3d8247
... ... 
@@ -13,6 +13,7 @@ import (
13 13 
 	"strconv"
14 14 
 	"strings"
15 15 
 	"sync"
16 
+	"syscall"
16 17 
 	"time"
17 18
18 19 
 	"github.com/docker/docker/pkg/homedir"
... ... 
@@ -980,3 +981,29 @@ func (s *DockerSuite) TestRunPidsLimit(c *check.C) {
980 980 
 	out = inspectField(c, "skittles", "HostConfig.PidsLimit")
981 981 
 	c.Assert(out, checker.Equals, "2", check.Commentf("setting the pids limit failed"))
982 982 
 }
983 
+
984 
+func (s *DockerSuite) TestRunPrivilegedAllowedDevices(c *check.C) {
985 
+	testRequires(c, DaemonIsLinux)
986 
+
987 
+	file := "/sys/fs/cgroup/devices/devices.list"
988 
+	out, _ := dockerCmd(c, "run", "--privileged", "busybox", "cat", file)
989 
+	c.Logf("out: %q", out)
990 
+	c.Assert(strings.TrimSpace(out), checker.Equals, "a *:* rwm")
991 
+}
992 
+
993 
+func (s *DockerSuite) TestRunUserDeviceAllowed(c *check.C) {
994 
+	testRequires(c, DaemonIsLinux)
995 
+
996 
+	fi, err := os.Stat("/dev/snd/timer")
997 
+	if err != nil {
998 
+		c.Skip("Host does not have /dev/snd/timer")
999 
+	}
1000 
+	stat, ok := fi.Sys().(*syscall.Stat_t)
1001 
+	if !ok {
1002 
+		c.Skip("Could not stat /dev/snd/timer")
1003 
+	}
1004 
+
1005 
+	file := "/sys/fs/cgroup/devices/devices.list"
1006 
+	out, _ := dockerCmd(c, "run", "--device", "/dev/snd/timer:w", "busybox", "cat", file)
1007 
+	c.Assert(out, checker.Contains, fmt.Sprintf("c %d:%d w", stat.Rdev/256, stat.Rdev%256))
1008 
+}