From 219f93ffad25acf7f056b6564ef16abcedce8897 Mon Sep 17 00:00:00 2001
From: Archana Shinde
Date: Wed, 26 Aug 2020 15:00:36 -0700
Subject: [PATCH] kata-deploy: Add default privileged_without_host_devices

For privieleged containers, all host devices are passed to container. We have done work in crio and containerd to define a scope of privileged in Kata to prevent this from happening. Add this as the default as this falls under a best practice to follow with Kata. Note that if this flag has been already defined, then this change does not override it.

Fixes #582

Signed-off-by: Archana Shinde
---
 tools/packaging/kata-deploy/scripts/kata-deploy.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
index d1154b7970..2022475dce 100755
--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
@@ -96,6 +96,7 @@ function configure_crio() {
 # Path to the Kata Containers runtime binary that uses the QEMU hypervisor.
 [$kata_qemu_conf]
 runtime_path = "${kata_qemu_path}"
+privileged_without_host_devices = true
 EOT
 fi
 
@@ -109,6 +110,7 @@ EOT
 # Path to the Kata Containers runtime binary that uses the QEMU hypervisor with virtiofs support.
 [$kata_qemu_virtiofs_conf]
 runtime_path = "${kata_qemu_virtiofs_path}"
+privileged_without_host_devices = true
 EOT
 fi
 
@@ -122,6 +124,7 @@ EOT
 # Path to the Kata Containers runtime binary that uses the firecracker hypervisor.
 [$kata_fc_conf]
 runtime_path = "${kata_fc_path}"
+privileged_without_host_devices = true
 EOT
 fi
 
@@ -135,6 +138,7 @@ EOT
 # Path to the Kata Containers runtime binary that uses the Cloud Hypervisor.
 [$kata_clh_conf]
 runtime_path = "${kata_clh_path}"
+privileged_without_host_devices = true
 EOT
 fi
 
@@ -166,6 +170,7 @@ function configure_containerd_runtime() {
 cat <
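Review bot: The added `privileged_without_host_devices = true` in the first hunk is written only by the heredoc that creates the `[$kata_qemu_conf]` section, and that heredoc sits inside a guard whose condition is outside the hunk (only its closing `fi` is visible), so a crio.conf that already carries the section from an earlier kata-deploy run would presumably keep its old content and never receive the default; the commit message's "does not override it" then also means privileged Kata pods on such hosts still get every host device. If that is the intent, it deserves a one-line TOML comment in the heredoc so an operator sees why the key is there and when it is not applied, e.g. `# Privileged Kata containers do not receive host devices; isolation is the guest VM boundary`. The same applies to the hunks at -109, -122 and -135, which add the identical line to the virtiofs, firecracker and Cloud Hypervisor sections. Checking for the key separately from checking for the section would close the gap for existing configs, but that change belongs to the guard lines outside these hunks.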