52 changes: 33 additions & 19 deletions config-linux.md
Expand Up @@ -55,28 +55,45 @@ within the container.

### Access to devices

Devices is an array specifying the list of devices to be created in the container.
Next parameters can be specified:

* type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod`
* path - full path to device inside container
* major, minor - major, minor numbers for device. More info in `man mknod`.
There is special value: `-1`, which means `*` for `device`
cgroup setup.
* permissions - cgroup permissions for device. A composition of 'r'
(read), 'w' (write), and 'm' (mknod).
* fileMode - file mode for device file
* uid - uid of device owner
* gid - gid of device owner
Devices is an array specifying both devices to be created in the container, and any device control group rules that should be applied.
The following parameters can be specified:

* type - type of device: 'a', 'b', 'c', 'u' or 'p'.
Required.
If path is given, only 'b', 'c', 'u', and 'p' are allowed (more info in [mknod(1)][]).
If permissions is given, only 'a', 'b', and 'c' are allowed (more info in the [cgroups devices documentation][cgroups-devices]).
* path - full path to device inside container.
Optional.
If not given, the entry only creates a cgroups allow rule.
* major, minor - major, minor numbers for device.
More info in [mknod(1)][].
There is special value: `-1`, which uses the wildcard `*` for the cgroups rule.
Contributor
...is a special value..

If `-1` is used, path, uid, fileMode, uid, and gid are not allowed.
Required.
* permissions - cgroup permissions for device.
A composition of 'r' (read), 'w' (write), and 'm' (mknod) (more info in the [cgroups devices documentation][cgroups-devices]).
Optional.
If not given, the entry only creates the device node with mknod.
* fileMode - file mode for device file.
Required if path is given, otherwise not allowed.
* uid - uid of device owner.
Member
why did u delete these lines?

Contributor Author
On Mon, Oct 05, 2015 at 11:09:18AM -0700, Michael Crosby wrote:

>          "path": "/dev/random",
>          "type": "c",
>          "major": 1,
>          "minor": 8,
> -        "permissions": "rwm",
>
> why did u delete these lines?

My first device entry set rwm permissions for all major/minor types,
so there's no need to repeat that in the later entries.

Required if path is given, otherwise not allowed.
* gid - gid of device owner.
Required if path is given, otherwise not allowed.

```json
"devices": [
{
"type": "a",
"major": -1,
"minor": -1,
"permissions": "rwm",
},
{
"path": "/dev/random",
"type": "c",
"major": 1,
"minor": 8,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
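Review bot: the new `"type": "a"` entry in the example keeps a trailing comma on `"permissions": "rwm",` right before `},`, so the JSON block no longer parses; drop that comma. In the prose, `path, uid, fileMode, uid, and gid are not allowed` lists uid twice, and `There is special value: -1` should read `There is a special value`. Since that first entry (`a`, major `-1`, minor `-1`, `rwm`) is a wildcard allow rule for every device, it is worth one sentence saying so explicitly, both to explain why the later entries can omit `permissions` and to make clear that a least-privilege config would list only the device nodes it actually needs rather than copy this example verbatim.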
Expand All @@ -86,7 +103,6 @@ Next parameters can be specified:
"type": "c",
"major": 1,
"minor": 9,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
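Review bot: with `"permissions": "rwm"` removed from `/dev/urandom` (and from the entries that follow), each node now depends entirely on the preceding `type: a` wildcard rule for cgroup access; per the new prose, an entry without `permissions` only runs mknod. A reader who copies one of these entries into a config without the wildcard will get a device node the cgroup then denies, so the text should state that the later entries rely on the first one.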
Expand All @@ -96,7 +112,6 @@ Next parameters can be specified:
"type": "c",
"major": 1,
"minor": 3,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
Expand All @@ -106,7 +121,6 @@ Next parameters can be specified:
"type": "c",
"major": 1,
"minor": 5,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
Expand All @@ -116,7 +130,6 @@ Next parameters can be specified:
"type": "c",
"major": 5,
"minor": 0,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
Expand All @@ -126,7 +139,6 @@ Next parameters can be specified:
"type": "c",
"major": 1,
"minor": 7,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
Expand Down Expand Up @@ -212,3 +224,5 @@ rootfsPropagation sets the rootfs's mount propagation. Its value is either slave

**TODO:** security profiles

[mknod(1)]: http://man7.org/linux/man-pages/man1/mknod.1.html
[cgroups-devices]: https://www.kernel.org/doc/Documentation/cgroups/devices.txt
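Review bot: the `[mknod(1)]` reference uses plain `http://` while the `[cgroups-devices]` link is `https://`; man7.org serves the same page over https, so use `https://man7.org/linux/man-pages/man1/mknod.1.html` for consistency.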