github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-15 13:58:55 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11752 from Apokleos/fix-hooks-devcgrp

Browse Source 
runtime-rs: Remove default value of Linux.Resources.Devices and correctly set Hooks in OCI Spec to meet with Agent Policy requirements
This commit is contained in:
Alex Lyn
2025-09-07 18:01:02 +08:00
committed by GitHub
parent efbc69a2ec e235fc1efb
commit 4644a02871
1 changed files with 29 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
View File

@@ -18,7 +18,7 @@ use common::{
}; };
use kata_sys_util::k8s::update_ephemeral_storage_type; use kata_sys_util::k8s::update_ephemeral_storage_type;
use kata_types::k8s; use kata_types::k8s;
use oci_spec::runtime as oci; use oci_spec::runtime::{self as oci, LinuxDeviceCgroup};
use oci::{LinuxResources, Process as OCIProcess}; use oci::{LinuxResources, Process as OCIProcess};
use resource::{ use resource::{
@@ -593,26 +593,42 @@ fn amend_spec(
disable_guest_selinux: bool, disable_guest_selinux: bool,
) -> Result<()> { ) -> Result<()> {
// Only the StartContainer hook needs to be reserved for execution in the guest // Only the StartContainer hook needs to be reserved for execution in the guest
let start_container_hooks = if let Some(hooks) = spec.hooks().as_ref() { if let Some(hooks) = spec.hooks().as_ref() {
hooks.start_container().clone()
} else {
None
};
let mut oci_hooks = oci::Hooks::default(); let mut oci_hooks = oci::Hooks::default();
oci_hooks.set_start_container(start_container_hooks); oci_hooks.set_start_container(hooks.start_container().clone());
spec.set_hooks(Some(oci_hooks)); spec.set_hooks(Some(oci_hooks));
}
// special process K8s ephemeral volumes. // special process K8s ephemeral volumes.
update_ephemeral_storage_type(spec); update_ephemeral_storage_type(spec);
if let Some(linux) = spec.linux_mut() { if let Some(linux) = &mut spec.linux_mut() {
if disable_guest_seccomp { if disable_guest_seccomp {
linux.set_seccomp(None); linux.set_seccomp(None);
} }
if let Some(_resource) = linux.resources_mut() { // In certain scenarios, particularly under CoCo/Agent Policy enforcement, the default initial value of `Linux.Resources.Devices`
LinuxResources::default(); // is considered non-compliant, leading to container creation failures. To address this issue and ensure consistency with the behavior
// in `runtime-go`, the default value of `Linux.Resources.Devices` from the OCI Spec should be removed.
if let Some(resources) = linux.resources_mut() {
if let Some(devices) = resources.devices_mut().take() {
let cleaned_devices: Vec<LinuxDeviceCgroup> = devices
.into_iter()
.filter(|device| {
!(!device.allow()
&& device.typ().is_none()
&& device.major().is_none()
&& device.minor().is_none()
&& device.access().as_deref() == Some("rwm"))
})
.collect();
resources.set_devices(if cleaned_devices.is_empty() {
None
} else {
Some(cleaned_devices)
});
}
} }
// Host pidns path does not make sense in kata. Let's just align it with // Host pidns path does not make sense in kata. Let's just align it with