validation: add cgroup devices validation #633
When creating a cgroup like this,
all devices are allowed by default, so that the major, minor numbers are always interpreted to 0:0. We would not want it to happen. How about doing initialization by denying all devices like this, before running tests?
I think it's hard to confirm this time, devices are built in But when I use
fa93b60 to 762800c
How do you start it,
Just configured a
validation/linux_cgroups_devices.go
g.SetLinuxCgroupsPath(cgroups.AbsCgroupPath) | ||
g.AddLinuxResourcesDevice(true, "c", &major1, &minor1, "rwm") | ||
g.AddLinuxResourcesDevice(false, "b", &major2, &minor2, "rw") | ||
g.AddLinuxResourcesDevice(true, "a", &major3, &minor3, "r") |
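Review bot: the last entry, g.AddLinuxResourcesDevice(true, "a", &major3, &minor3, "r"), makes the two entries before it unverifiable. As the shell session later in this thread shows, writing an "a" rule to devices.allow leaves devices.list with the single line a *:* rwm, so neither the "c" allow nor the "b" deny can be checked afterwards, and the major, minor and "r" passed here have no visible effect. Consider dropping the "a" entry from this sequence, or moving it to its own case that passes no major/minor and expects the wildcard line.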
@q384566678 I've just looked into this PR again.
True, as you said, when running manually runc run mycontainer, the device cgroups list shows the full result correctly.
Apart from that, I think the line above g.AddLinuxResourcesDevice(true, "a", &major3, &minor3, "r") causes the issue of the wrong device list.
Think about a sequence of the following command lines.
# echo "c 10:229 rwm" > /sys/fs/cgroup/devices/cgrouptest/devices.allow
# cat /sys/fs/cgroup/devices/cgrouptest/devices.list # This shows a correct result
c 10:229 rwm
# echo "a 10:200 r" > /sys/fs/cgroup/devices/cgrouptest/devices.allow
# cat /sys/fs/cgroup/devices/cgrouptest/devices.list # an unexpected result. Existing devices are now gone
a *:* rwm
According to the Kernel cgroup v1 document, doing echo a > /sys/fs/cgroup/1/devices.allow will add the 'a *:* rwm' entry to the whitelist. Apparently allowing all devices results in wiping out existing entries and adding a single wildcard entry, even when the input is given by a specific pair of major/minor numbers.
When testing without the line for a, it shows a lot better result, doesn't it?
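The behaviour in the shell session above, as an added sketch that is not part of this PR or of runtime-tools: a simplified model of the cgroup v1 devices.list for a cgroup initialised to deny everything, which also flags type "a" rules whose major, minor or access would be ignored. The `Rule` type and `Simulate` function are hypothetical names, and the b 8:0 entry is constructed sample input.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one ordered device entry; Major and Minor are numbers or "*" (hypothetical type).
type Rule struct {
	Allow                      bool
	Type, Major, Minor, Access string
}

// Simulate models devices.list after applying rules in order to a cgroup that
// starts with every device denied, and warns about "a" rules with ignored fields.
func Simulate(rules []Rule) (list, warnings []string) {
	for i, r := range rules {
		dev := r.Type + " " + r.Major + ":" + r.Minor + " "
		switch {
		case r.Type == "a": // resets the list, whatever major/minor/access was written
			if r.Major != "*" || r.Minor != "*" || r.Access != "rwm" {
				warnings = append(warnings, fmt.Sprintf("rule %d: type a ignores major, minor and access", i))
			}
			list = nil
			if r.Allow {
				list = []string{"a *:* rwm"}
			}
		case len(list) == 1 && list[0] == "a *:* rwm": // wildcard stays the only line
		case r.Allow:
			list = append(list, dev+r.Access)
		default: // deny; simplification: drops the whole entry, not single access letters
			var kept []string
			for _, e := range list {
				if !strings.HasPrefix(e, dev) {
					kept = append(kept, e)
				}
			}
			list = kept
		}
	}
	return list, warnings
}

func main() {
	// Constructed input: c 10:229 and a 10:200 come from the thread, b 8:0 is made up.
	rules := []Rule{{true, "c", "10", "229", "rwm"}, {false, "b", "8", "0", "rw"}, {true, "a", "10", "200", "r"}}
	fmt.Println(Simulate(rules))
}
```

Running the same sequence without the final "a" rule leaves c 10:229 rwm in the modeled list and produces no warning.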
> # echo "a 10:200 r" > /sys/fs/cgroup/devices/cgrouptest/devices.allow
> # cat /sys/fs/cgroup/devices/cgrouptest/devices.list # an unexpected result. Existing devices are now gone
> a *:* rwm
That's surprising to me. In the wild, I expect few users to care about major/minor but not block/char. Still, does anyone have time to file a kernel patch to either respect the passed value or error out when major or minor are passed with a?
updated, @dongsupark @liangchenye PTAL
@q384566678 Tested, and it works well. LGTM. 👍
Signed-off-by: Zhou Hao <[email protected]>
762800c to 1794938
@liangchenye PTAL
@q384566678 @dongsupark, as @wking mentioned, will you file a bug to kernel?
I will try to do it when I have free time.
On the one hand in order to achieve devices validation, on the other hand in order to achieve the following specerror: DevicesApplyInOrder: The runtime MUST apply entries in the listed order.
But the test results are not the same as I expected, so I want to see what you think.
@wking @liangchenye @alban @dongsupark PTAL
Signed-off-by: Zhou Hao [email protected]