From f7e5e24a051fe2650e04c002849b1029f7294671 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Mon, 8 May 2017 15:10:09 -0700
Subject: [PATCH 1/4] Add helper for adding devices to OCI spec
Signed-off-by: Mrunal Patel
---
 server/container_create.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/server/container_create.go b/server/container_create.go
index 38fc3c6f..e240c7ef 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -18,7 +18,9 @@ import (
 	"github.com/kubernetes-incubator/cri-o/server/apparmor"
 	"github.com/kubernetes-incubator/cri-o/server/seccomp"
 	"github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/user"
+	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"golang.org/x/net/context"
@@ -62,6 +64,34 @@ func addOciBindMounts(sb *sandbox, containerConfig *pb.ContainerConfig, specgen
 	return nil
 }
 
+func addDevices(sb *sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error {
+	sp := specgen.Spec()
+	for _, device := range containerConfig.GetDevices() {
+		dev, err := devices.DeviceFromPath(device.HostPath, device.Permissions)
+		if err != nil {
+			return fmt.Errorf("failed to add device: %v", err)
+		}
+		rd := rspec.LinuxDevice{
+			Path: device.ContainerPath,
+			Type: string(dev.Type),
+			Major: dev.Major,
+			Minor: dev.Minor,
+			UID: &dev.Uid,
+			GID: &dev.Gid,
+		}
+		specgen.AddDevice(rd)
+		sp.Linux.Resources.Devices = append(sp.Linux.Resources.Devices, rspec.LinuxDeviceCgroup{
+			Allow: true,
+			Type: string(dev.Type),
+			Major: &dev.Major,
+			Minor: &dev.Minor,
+			Access: dev.Permissions,
+		})
+
+	}
+	return nil
+}
+
 // buildOCIProcessArgs build an OCI compatible process arguments slice.
 func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, imageOCIConfig *v1.Image) ([]string, error) {
 	processArgs := []string{}
From 23cf1a6fdbb1ab24908b9e19995d1be363f80ae2 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Mon, 8 May 2017 15:11:36 -0700
Subject: [PATCH 2/4] Add devices to OCI config
Signed-off-by: Mrunal Patel
---
 server/container_create.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/container_create.go b/server/container_create.go
index e240c7ef..3b7ce7e8 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -87,7 +87,6 @@ func addDevices(sb *sandbox, containerConfig *pb.ContainerConfig, specgen *gener
 			Minor: &dev.Minor,
 			Access: dev.Permissions,
 		})
-
 	}
 	return nil
 }
@@ -333,6 +332,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		return nil, err
 	}
 
+	if err := addDevices(sb, containerConfig, &specgen); err != nil {
+		return nil, err
+	}
+
 	labels := containerConfig.GetLabels()
 	metadata := containerConfig.GetMetadata()
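Review bot: The append to `sp.Linux.Resources.Devices` inside the loop dereferences `sp.Linux` and `sp.Linux.Resources` without a nil check, and whether the generator guarantees both are populated is not visible from this hunk; a guard such as `if sp.Linux == nil || sp.Linux.Resources == nil { return fmt.Errorf("spec has no linux resources section") }` before the loop would turn a malformed spec into an error instead of a panic. The `sb` parameter of addDevices is never used in the body. The error on `return fmt.Errorf("failed to add device: %v", err)` drops the path that failed; `fmt.Errorf("failed to add device %q: %v", device.HostPath, err)` makes a rejected request diagnosable from the log. Since `device.HostPath` and `device.Permissions` are taken verbatim from the container config and granted as-is in the device cgroup allow list, a doc comment on addDevices saying that it applies the requested host device and access string without any policy check of its own would record that trust assumption for the next reader.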
From 4a02418c826273bf47af6c7c02413d08ee6f9772 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Wed, 10 May 2017 13:36:33 -0700
Subject: [PATCH 3/4] Add a test config for device
Signed-off-by: Mrunal Patel
---
 test/testdata/container_redis_device.json | 69 +++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 test/testdata/container_redis_device.json
diff --git a/test/testdata/container_redis_device.json b/test/testdata/container_redis_device.json
new file mode 100644
index 00000000..abeaadee
--- /dev/null
+++ b/test/testdata/container_redis_device.json
@@ -0,0 +1,69 @@
+{
+	"metadata": {
+		"name": "podsandbox1-redis"
+	},
+	"image": {
+		"image": "redis:alpine"
+	},
+	"args": [
+		"docker-entrypoint.sh",
+		"redis-server"
+	],
+	"working_dir": "/data",
+	"envs": [
+		{
+			"key": "PATH",
+			"value": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		},
+		{
+			"key": "TERM",
+			"value": "xterm"
+		},
+		{
+			"key": "REDIS_VERSION",
+			"value": "3.2.3"
+		},
+		{
+			"key": "REDIS_DOWNLOAD_URL",
+			"value": "http://download.redis.io/releases/redis-3.2.3.tar.gz"
+		},
+		{
+			"key": "REDIS_DOWNLOAD_SHA1",
+			"value": "92d6d93ef2efc91e595c8bf578bf72baff397507"
+		}
+	],
+	"devices": [
+		{
+			"host_path": "/dev/null",
+			"container_path": "/dev/mynull",
+			"permissions": "rwm"
+		}
+	],
+	"labels": {
+		"tier": "backend"
+	},
+	"annotations": {
+		"pod": "podsandbox1"
+	},
+	"readonly_rootfs": false,
+	"log_path": "",
+	"stdin": false,
+	"stdin_once": false,
+	"tty": false,
+	"linux": {
+		"resources": {
+			"cpu_period": 10000,
+			"cpu_quota": 20000,
+			"cpu_shares": 512,
+			"memory_limit_in_bytes": 88000000,
+			"oom_score_adj": 30
+		},
+		"security_context": {
+			"capabilities": {
+				"add_capabilities": [
+					"sys_admin"
+				]
+			}
+		}
+	}
+}
From d3c7a24896eb57121ad65722e725479df487daec Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Wed, 10 May 2017 13:36:51 -0700
Subject: [PATCH 4/4] bats: Add a test for adding device to a container
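Review bot: The new fixture grants `sys_admin` under `add_capabilities` although nothing in the device test depends on it; a device-mapping fixture is easier to reason about, and a future regression in the device path is harder to hide, when it carries only the `devices` entry it exists to exercise. Unless the `security_context` block is deliberately mirrored from an existing redis fixture so the two stay comparable, consider dropping it here.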
Signed-off-by: Mrunal Patel
---
 test/ctr.bats | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/test/ctr.bats b/test/ctr.bats
index 2c936add..375fc8bf 100644
--- a/test/ctr.bats
+++ b/test/ctr.bats
@@ -429,6 +429,31 @@ function teardown() {
 	stop_ocid
 }
 
+@test "ctr device add" {
+	start_ocid
+	run ocic pod run --config "$TESTDATA"/sandbox_config.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run ocic ctr create --config "$TESTDATA"/container_redis_device.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run ocic ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run ocic ctr execsync --id "$ctr_id" ls /dev/mynull
+	echo "$output"
+	[ "$status" -eq 0 ]
+	[[ "$output" =~ "/dev/mynull" ]]
+	run ocic pod remove --id "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	cleanup_ctrs
+	cleanup_pods
+	stop_ocid
+}
+
 @test "ctr execsync failure" {
 	start_ocid
 	run ocic pod run --config "$TESTDATA"/sandbox_config.json
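Review bot: The assertion `[[ "$output" =~ "/dev/mynull" ]]` after `ls /dev/mynull` only proves a path of that name exists in the container; it does not check that the node is a character device carrying the host's major/minor, nor that the device cgroup rule added on the Go side actually permits access to it. Listing with `ls -l /dev/mynull` and matching `[[ "$output" =~ ^c ]]`, followed by an `execsync` that reads from or writes to the node, would exercise both halves of the change. If `execsync` prefixes its output the `^c` anchor would need adjusting, so that part should be confirmed against the harness before relying on it.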