mirror of
				https://github.com/kata-containers/kata-containers.git
				synced 2025-10-24 21:51:37 +00:00 
			
		
		
		
	kata-deploy: Add default privileged_without_host_devices
For privieleged containers, all host devices are passed to container. We have done work in crio and containerd to define a scope of privileged in Kata to prevent this from happening. Add this as the default as this falls under a best practice to follow with Kata. Note that if this flag has been already defined, then this change does not override it. Fixes #582 Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This commit is contained in:
		| @@ -96,6 +96,7 @@ function configure_crio() { | |||||||
| # Path to the Kata Containers runtime binary that uses the QEMU hypervisor. | # Path to the Kata Containers runtime binary that uses the QEMU hypervisor. | ||||||
| [$kata_qemu_conf] | [$kata_qemu_conf] | ||||||
|   runtime_path = "${kata_qemu_path}" |   runtime_path = "${kata_qemu_path}" | ||||||
|  |   privileged_without_host_devices = true | ||||||
| EOT | EOT | ||||||
| 	fi | 	fi | ||||||
|  |  | ||||||
| @@ -109,6 +110,7 @@ EOT | |||||||
| # Path to the Kata Containers runtime binary that uses the QEMU hypervisor with virtiofs support. | # Path to the Kata Containers runtime binary that uses the QEMU hypervisor with virtiofs support. | ||||||
| [$kata_qemu_virtiofs_conf] | [$kata_qemu_virtiofs_conf] | ||||||
|   runtime_path = "${kata_qemu_virtiofs_path}" |   runtime_path = "${kata_qemu_virtiofs_path}" | ||||||
|  |   privileged_without_host_devices = true | ||||||
| EOT | EOT | ||||||
|         fi |         fi | ||||||
|  |  | ||||||
| @@ -122,6 +124,7 @@ EOT | |||||||
| # Path to the Kata Containers runtime binary that uses the firecracker hypervisor. | # Path to the Kata Containers runtime binary that uses the firecracker hypervisor. | ||||||
| [$kata_fc_conf] | [$kata_fc_conf] | ||||||
|   runtime_path = "${kata_fc_path}" |   runtime_path = "${kata_fc_path}" | ||||||
|  |   privileged_without_host_devices = true | ||||||
| EOT | EOT | ||||||
| 	fi | 	fi | ||||||
|  |  | ||||||
| @@ -135,6 +138,7 @@ EOT | |||||||
| # Path to the Kata Containers runtime binary that uses the Cloud Hypervisor. | # Path to the Kata Containers runtime binary that uses the Cloud Hypervisor. | ||||||
| [$kata_clh_conf] | [$kata_clh_conf] | ||||||
|   runtime_path = "${kata_clh_path}" |   runtime_path = "${kata_clh_path}" | ||||||
|  |   privileged_without_host_devices = true | ||||||
| EOT | EOT | ||||||
| 	fi | 	fi | ||||||
|  |  | ||||||
| @@ -166,6 +170,7 @@ function configure_containerd_runtime() { | |||||||
| 		cat <<EOT | tee -a "$containerd_conf_file" | 		cat <<EOT | tee -a "$containerd_conf_file" | ||||||
| [$runtime_table] | [$runtime_table] | ||||||
|   runtime_type = "${runtime_type}" |   runtime_type = "${runtime_type}" | ||||||
|  |   privileged_without_host_devices = true | ||||||
| EOT | EOT | ||||||
| 	fi | 	fi | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user