mirror of
				https://github.com/kata-containers/kata-containers.git
				synced 2025-10-24 21:51:37 +00:00 
			
		
		
		
	runtime: Add parameter to constrainGRPCSpec to control VFIO handling
Currently constrainGRPCSpec always removes VFIO devices from the OCI container spec which will be used for the inner container. For upcoming support for VFIO devices in DPDK use cases we'll need to not do that. As a preliminary to that, add an extra parameter to the function to control whether or not it will remove the VFIO devices from the spec.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
		| @@ -995,7 +995,7 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages | |||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) { | func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool, stripVfio bool) { | ||||||
| 	// Disable Hooks since they have been handled on the host and there is | 	// Disable Hooks since they have been handled on the host and there is | ||||||
| 	// no reason to send them to the agent. It would make no sense to try | 	// no reason to send them to the agent. It would make no sense to try | ||||||
| 	// to apply them on the guest. | 	// to apply them on the guest. | ||||||
| @@ -1058,8 +1058,11 @@ func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) { | |||||||
| 	} | 	} | ||||||
| 	grpcSpec.Linux.Namespaces = tmpNamespaces | 	grpcSpec.Linux.Namespaces = tmpNamespaces | ||||||
|  |  | ||||||
| 	// VFIO char device shouldn't not appear in the guest, | 	if stripVfio { | ||||||
| 	// the device driver should handle it and determinate its group. | 		// VFIO char device shouldn't appear in the guest | ||||||
|  | 		// (because the VM device driver will do something | ||||||
|  | 		// with it rather than just presenting it to the | ||||||
|  | 		// container unmodified) | ||||||
| 		var linuxDevices []grpc.LinuxDevice | 		var linuxDevices []grpc.LinuxDevice | ||||||
| 		for _, dev := range grpcSpec.Linux.Devices { | 		for _, dev := range grpcSpec.Linux.Devices { | ||||||
| 			if dev.Type == "c" && strings.HasPrefix(dev.Path, vfioPath) { | 			if dev.Type == "c" && strings.HasPrefix(dev.Path, vfioPath) { | ||||||
| @@ -1069,6 +1072,7 @@ func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) { | |||||||
| 			linuxDevices = append(linuxDevices, dev) | 			linuxDevices = append(linuxDevices, dev) | ||||||
| 		} | 		} | ||||||
| 		grpcSpec.Linux.Devices = linuxDevices | 		grpcSpec.Linux.Devices = linuxDevices | ||||||
|  | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
| func (k *kataAgent) handleShm(mounts []specs.Mount, sandbox *Sandbox) { | func (k *kataAgent) handleShm(mounts []specs.Mount, sandbox *Sandbox) { | ||||||
| @@ -1413,7 +1417,7 @@ func (k *kataAgent) createContainer(ctx context.Context, sandbox *Sandbox, c *Co | |||||||
|  |  | ||||||
| 	// We need to constrain the spec to make sure we're not | 	// We need to constrain the spec to make sure we're not | ||||||
| 	// passing irrelevant information to the agent. | 	// passing irrelevant information to the agent. | ||||||
| 	k.constrainGRPCSpec(grpcSpec, passSeccomp) | 	k.constrainGRPCSpec(grpcSpec, passSeccomp, true) | ||||||
|  |  | ||||||
| 	req := &grpc.CreateContainerRequest{ | 	req := &grpc.CreateContainerRequest{ | ||||||
| 		ContainerId:  c.id, | 		ContainerId:  c.id, | ||||||
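Review bot: The new `stripVfio` flag is a second bare bool next to `passSeccomp`, so the call in createContainer reads `k.constrainGRPCSpec(grpcSpec, passSeccomp, true)` and nothing at the call site says that `true` is what keeps host VFIO character devices out of the spec sent to the agent. Because this filter decides whether a host device node entry reaches the guest container, I would spell the parameter `stripVFIO` (Go initialism style) and annotate the literal as `true /* stripVFIO */`, so a transposed or defaulted argument is easy to spot in review. The function also has no doc comment for its flags; something like `// stripVFIO controls whether character devices whose path starts with vfioPath are removed from grpcSpec.Linux.Devices.` would do. The reworded in-body comment ("will do something with it") is vague and could name what the guest side is expected to do with the device. Most of constrainGRPCSpec's body lies between the hunks and is not visible here.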
|   | |||||||
| @@ -589,7 +589,7 @@ func TestConstrainGRPCSpec(t *testing.T) { | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	k := kataAgent{} | 	k := kataAgent{} | ||||||
| 	k.constrainGRPCSpec(g, true) | 	k.constrainGRPCSpec(g, true, true) | ||||||
|  |  | ||||||
| 	// check nil fields | 	// check nil fields | ||||||
| 	assert.Nil(g.Hooks) | 	assert.Nil(g.Hooks) | ||||||
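Review bot: The only call updated here passes `true`, so the new `stripVfio == false` branch of constrainGRPCSpec is never exercised by this test. Since that branch is what will let a VFIO device entry through to the guest spec, it deserves a second case: build a spec with a `c`-type device whose path is under `vfioPath`, call `k.constrainGRPCSpec(g, true, false)`, and assert the device is still present in `g.Linux.Devices`. From the visible lines it is also not clear that the `true` case asserts the device is removed; if it does not, that assertion is worth adding alongside. TestConstrainGRPCSpec starts and ends outside this hunk, so existing assertions may already cover part of this.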
|   | |||||||