From 68696e051dd29329209fc9f52c9fe64899f2a55d Mon Sep 17 00:00:00 2001
From: David Gibson
Date: Fri, 8 Oct 2021 17:03:59 +1100
Subject: [PATCH] runtime: Add parameter to constrainGRPCSpec to control VFIO handling

Currently constrainGRPCSpec always removes VFIO devices from the OCI container spec which will be used for the inner container. For upcoming support for VFIO devices in DPDK usecases we'll need to not do that. As a preliminary to that, add an extra parameter to the function to control whether or not it will remove the VFIO devices from the spec.

Signed-off-by: David Gibson
---
 src/runtime/virtcontainers/kata_agent.go | 26 +++++++++++--------
 src/runtime/virtcontainers/kata_agent_test.go | 2 +-
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
index f46f5f3a1b..c1a39220fb 100644
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -995,7 +995,7 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages
 return nil
 }

-func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
+func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool, stripVfio bool) {
 // Disable Hooks since they have been handled on the host and there is
 // no reason to send them to the agent. It would make no sense to try
 // to apply them on the guest.
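Review bot: The new third parameter leaves `constrainGRPCSpec` with two adjacent positional bools, so the call sites in the later hunks read `k.constrainGRPCSpec(grpcSpec, passSeccomp, true)` and `k.constrainGRPCSpec(g, true, true)`; a transposed or mis-set argument compiles silently and changes whether host VFIO device entries are forwarded to the guest agent. The function also has no doc comment stating that contract; above the signature I would add a short comment along the lines of `// constrainGRPCSpec strips host-only fields from grpcSpec before it is sent to the agent; when stripVfio is true, character devices under vfioPath are removed from Linux.Devices, otherwise they are forwarded unchanged.` Go's initialism convention would also spell the parameter `stripVFIO`. The function body continues outside this hunk.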
@@ -1058,17 +1058,21 @@ func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
 }
 grpcSpec.Linux.Namespaces = tmpNamespaces

- // VFIO char device shouldn't not appear in the guest,
- // the device driver should handle it and determinate its group.
- var linuxDevices []grpc.LinuxDevice
- for _, dev := range grpcSpec.Linux.Devices {
- if dev.Type == "c" && strings.HasPrefix(dev.Path, vfioPath) {
- k.Logger().WithField("vfio-dev", dev.Path).Debug("removing vfio device from grpcSpec")
- continue
+ if stripVfio {
+ // VFIO char device shouldn't appear in the guest
+ // (because the VM device driver will do something
+ // with it rather than just presenting it to the
+ // container unmodified)
+ var linuxDevices []grpc.LinuxDevice
+ for _, dev := range grpcSpec.Linux.Devices {
+ if dev.Type == "c" && strings.HasPrefix(dev.Path, vfioPath) {
+ k.Logger().WithField("vfio-dev", dev.Path).Debug("removing vfio device from grpcSpec")
+ continue
+ }
+ linuxDevices = append(linuxDevices, dev)
 }
- linuxDevices = append(linuxDevices, dev)
+ grpcSpec.Linux.Devices = linuxDevices
 }
- grpcSpec.Linux.Devices = linuxDevices
 }

 func (k *kataAgent) handleShm(mounts []specs.Mount, sandbox *Sandbox) {
@@ -1413,7 +1417,7 @@ func (k *kataAgent) createContainer(ctx context.Context, sandbox *Sandbox, c *Co

 // We need to constrain the spec to make sure we're not
 // passing irrelevant information to the agent.
- k.constrainGRPCSpec(grpcSpec, passSeccomp)
+ k.constrainGRPCSpec(grpcSpec, passSeccomp, true)

 req := &grpc.CreateContainerRequest{
 ContainerId: c.id,
diff --git a/src/runtime/virtcontainers/kata_agent_test.go b/src/runtime/virtcontainers/kata_agent_test.go
index fa50569cea..0db6f4b28b 100644
--- a/src/runtime/virtcontainers/kata_agent_test.go
+++ b/src/runtime/virtcontainers/kata_agent_test.go
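Review bot: When `stripVfio` is false the whole block in the `@@ -1058` hunk is skipped, so every type-`c` entry under `vfioPath` stays in `grpcSpec.Linux.Devices` exactly as the host described it, and unlike the strip path nothing is logged. Those entries presumably still carry host-side path and device numbers, which would be wrong inside the guest unless something downstream rewrites them; that is not visible in this hunk and should be confirmed before any caller passes `false`. The reworded comment ("will do something with it") does not tell a future caller what must hold, so I would state the precondition instead, e.g. `// If stripVfio is false the caller must ensure the agent rewrites these entries to guest values before the container sees them.` A Debug log on the pass-through path that mirrors the existing `"vfio-dev"` field would keep both outcomes traceable.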
@@ -589,7 +589,7 @@ func TestConstrainGRPCSpec(t *testing.T) {
 }

 k := kataAgent{}
- k.constrainGRPCSpec(g, true)
+ k.constrainGRPCSpec(g, true, true)

 // check nil fields
 assert.Nil(g.Hooks)
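Review bot: `TestConstrainGRPCSpec` is only updated to pass `true`, so the new `stripVfio == false` branch has no coverage here, and whether the test asserts VFIO removal at all is not visible in this hunk. Because this flag decides whether host device entries reach the guest, both outcomes should be pinned. That needs a spec holding a type-`c` device under `vfioPath`: assert it is gone after `k.constrainGRPCSpec(g, true, true)` and still in `Linux.Devices` after a second call with `false` on a fresh spec. The test function starts and ends outside the hunk.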