Merge pull request #2550 from devimc/topic/virtcontainers/noVFIOInGuest

virtcontainers: Don't create vfio devices in the guest
2025-07-05 03:26:37 +00:00 · 2020-03-24 09:39:23 -06:00 · 2020-03-24 09:39:23 -06:00 · 213f5dbaf5
commit 213f5dbaf5
parent 078da1a6de 4d2574a723
3 changed files with 30 additions and 3 deletions
--- a/virtcontainers/kata_agent.go
+++ b/virtcontainers/kata_agent.go
@ -51,6 +51,9 @@ const (
 	// KataLocalDevType creates a local directory inside the VM for sharing files between
 	// containers.
 	KataLocalDevType = "local"
+
+	// path to vfio devices
+	vfioPath = "/dev/vfio/"
 )

 var (
@ -1067,6 +1070,18 @@ func (k *kataAgent) constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
 		}
 	}
 	grpcSpec.Linux.Namespaces = tmpNamespaces
+
+	// VFIO char device shouldn't not appear in the guest,
+	// the device driver should handle it and determinate its group.
+	var linuxDevices []grpc.LinuxDevice
+	for _, dev := range grpcSpec.Linux.Devices {
+		if dev.Type == "c" && strings.HasPrefix(dev.Path, vfioPath) {
+			k.Logger().WithField("vfio-dev", dev.Path).Debug("removing vfio device from grpcSpec")
+			continue
+		}
+		linuxDevices = append(linuxDevices, dev)
+	}
+	grpcSpec.Linux.Devices = linuxDevices
 }

 func (k *kataAgent) handleShm(grpcSpec *grpc.Spec, sandbox *Sandbox) {
--- a/virtcontainers/kata_agent_test.go
+++ b/virtcontainers/kata_agent_test.go
@ -9,7 +9,6 @@ import (
 	"bufio"
 	"context"
 	"fmt"
-	vcAnnotations "github.com/kata-containers/runtime/virtcontainers/pkg/annotations"
 	"io/ioutil"
 	"net"
 	"os"
@ -20,6 +19,8 @@ import (
 	"syscall"
 	"testing"

+	vcAnnotations "github.com/kata-containers/runtime/virtcontainers/pkg/annotations"
+
 	gpb "github.com/gogo/protobuf/types"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
@ -611,6 +612,16 @@ func TestConstraintGRPCSpec(t *testing.T) {
 				Network:        &pb.LinuxNetwork{},
 			},
 			CgroupsPath: "system.slice:foo:bar",
+			Devices: []pb.LinuxDevice{
+				{
+					Path: "/dev/vfio/1",
+					Type: "c",
+				},
+				{
+					Path: "/dev/vfio/2",
+					Type: "c",
+				},
+			},
 		},
 		Process: &pb.Process{
 			SelinuxLabel: "foo",
@ -641,6 +652,9 @@ func TestConstraintGRPCSpec(t *testing.T) {

 	// check cgroup path
 	assert.Equal(expectedCgroupPath, g.Linux.CgroupsPath)
+
+	// check Linux devices
+	assert.Empty(g.Linux.Devices)
 }

 func TestHandleShm(t *testing.T) {
--- a/virtcontainers/sandbox_test.go
+++ b/virtcontainers/sandbox_test.go
@ -675,8 +675,6 @@ func TestContainerStateSetFstype(t *testing.T) {
 	assert.Equal(cImpl.state.Fstype, newFstype)
 }

-const vfioPath = "/dev/vfio/"
-
 func TestSandboxAttachDevicesVFIO(t *testing.T) {
 	tmpDir, err := ioutil.TempDir("", "")
 	assert.Nil(t, err)