libct/cg/sd: set the DeviceAllow property before DevicePolicy
Every unit created by runc needs a daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
opencontainers#3708 (comment)

Add a workaround for the below systemd issue.
systemd/systemd#35710

Instead of filling the empty DeviceAllow array, a new array is created
with allowed devices. Remove the comment about it, since it's misleading.

Closes opencontainers#4568

Signed-off-by: Jian Wen <[email protected]>
wenjianhn authored and Jian Wen committed Dec 23, 2024
1 parent 90f38e7 commit cac15b7
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions libcontainer/cgroups/devices/systemd.go
@@ -23,10 +23,9 @@ func systemdProperties(r *cgroups.Resources, sdVer int) ([]systemdDbus.Property,
}

properties := []systemdDbus.Property{
newProp("DeviceAllow", []deviceAllowEntry{}),
// Always run in the strictest white-list mode.
newProp("DevicePolicy", "strict"),
// Empty the DeviceAllow array before filling it.
newProp("DeviceAllow", []deviceAllowEntry{}),
}

// Figure out the set of rules.
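Review bot: the new first entry `newProp("DeviceAllow", []deviceAllowEntry{})` now carries no comment, and the only explanation of why DeviceAllow must precede DevicePolicy lives in the commit message (the systemd/systemd#35710 workaround). A one-line comment at that entry, e.g. `// DeviceAllow must be set before DevicePolicy, see systemd/systemd#35710`, would stop a future cleanup from reordering the properties back and silently reintroducing the daemon-reload behaviour. Since correctness here depends on property order rather than on values, a unit test asserting that DeviceAllow appears before DevicePolicy in the returned slice would lock the workaround in.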
@@ -239,7 +238,7 @@ func allowAllDevices() []systemdDbus.Property {
// Setting mode to auto and removing all DeviceAllow rules
// results in allowing access to all devices.
return []systemdDbus.Property{
newProp("DevicePolicy", "auto"),
newProp("DeviceAllow", []deviceAllowEntry{}),
newProp("DevicePolicy", "auto"),
}
}
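Review bot: this is the second site that hard-codes the DeviceAllow-before-DevicePolicy order, and the existing comment ("Setting mode to auto and removing all DeviceAllow rules results in allowing access to all devices") describes the resulting policy but not the ordering constraint. Either extend that comment to mention the ordering requirement or have both call sites build the property prefix through one shared helper, so the two cannot drift apart. The end state is unchanged (empty allow list, policy auto), so the permissive all-devices behaviour of this path is the same as before; the note is about keeping the workaround consistent, not about the policy itself.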

0 comments on commit cac15b7