Skip to content
This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Factor out setting of allowed devices so that we can update allowed devi... #7

Closed
wants to merge 1 commit into from
Closed

Factor out setting of allowed devices so that we can update allowed devi... #7

wants to merge 1 commit into from

Conversation

calfonso
Copy link

...ces

Co-Authored-By: Ian Main [email protected]
Docker-DCO-1.1-Signed-off-by: Chris Alfonso [email protected] (github: calfonso)

@calfonso calfonso mentioned this pull request Jun 11, 2014
Closed
vmarmol
vmarmol reviewed Jun 12, 2014
View reviewed changes
cgroups/systemd/apply_systemd.go Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: createAndEnterCgroup()? Then call on the above function:

createAndEnterCgroup(...)
UpdateAllowedDevices(...)

@vmarmol
Copy link
Contributor

vmarmol commented Jun 17, 2014

LGTM

@vmarmol
Copy link
Contributor

vmarmol commented Jun 17, 2014

Overall this LGTM. This will be taken over by an Update() in the libcontainer API. For now we should be okay. Waiting on @crosbymichael to OK as well.

@calfonso
Copy link
Author

Just to add some context of why we want to add a device at runtime...
Although this API is useful in general, it specifically gives us the ability to have OpenStack Nova APIs call the docker container hypervisor plugin to dynamically attach and detach a volume. In order for us to add the hypervisor plugin to OpenStack, the hypervisor plugin needs to implement certain features - including a runtime attaching/detaching of storage.

@vmarmol
Copy link
Contributor

vmarmol commented Jun 24, 2014

Ping @rjnagal @crosbymichael

@crosbymichael
Copy link
Contributor

testing now

@timthelion
Copy link
Contributor

This is also useful for subuser.org. While --device works fine for setting up sound and such, long running programs often need access to transient devices. For example, many people will launch skype when their computer starts but only plug in their web cams once they receive a call. This also raises the question: what happens when a device gets removed on the host and we have mknodded it within the container?

calfonso added a commit to calfonso/nova-docker that referenced this pull request Jun 26, 2014
@calfonso
RFC: Implement volume-attach/detach for docker
8a14fc9 
* This commit is dependent on several pull requests being merged into
docker and libcontainer that expose the devadd and devrm API.
moby/moby#6369
docker-archive/libcontainer#6
docker-archive/libcontainer#7

Change-Id: I6dcd7d809027bfe6ddcd9d521e519656a1ad526a
@calfonso
Copy link
Author

Ping @rjnagal @crosbymichael

@crosbymichael crosbymichael reopened this Jul 31, 2014
@crosbymichael crosbymichael mentioned this pull request Aug 12, 2014
Merged
@crosbymichael crosbymichael reopened this Aug 13, 2014
@crosbymichael
Copy link
Contributor

This needs to support non systemd but it maybe better to wait on #143 so that you can easily get the existing cgroup paths for a container.

@calfonso @imain
Factor out setting of allowed devices so that we can update allowed d…
8e365e1 
…evices

Co-Authored-By: Ian Main <[email protected]>
Docker-DCO-1.1-Signed-off-by: Chris Alfonso <[email protected]> (github: calfonso)
@calfonso
Copy link
Author

@crosbymichael I think that the cgroup API implementation for non systemd should be part of a different patch and PR, this one is intended just to allow updating the devices on the already implemented systemd based managed cgroups impl. Thoughts?

@timthelion
Copy link
Contributor

@calfonso is "UpdateAllowedDevices" systemd specific at all? It seems to me, that all it's doing is writting to the cgroups devices.allow file. The only difference in the implementation between systemd and fs should be the path.

@calfonso
Copy link
Author

@timthelion Correct. There isn't anything specific to systemd in the update func, the only thing that is specific to systemd is the location of this implementation. I'm not completely sure about the details of the original implementation, I know the freezer subsystem isn't implemented at the kernel level to work on non-systems - not sure if that was the original impitus to split them out or not.

@calfonso
Copy link
Author

I believe this is no longer needed now that joinDevices has been added upstream. We do need to capitalize the joinDevices method to make it accessable to docker though. Stay tuned fo that patch. Closing this PR.

@calfonso calfonso closed this Sep 29, 2014
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@calfonso @vmarmol @crosbymichael @timthelion