From 9cdc899c761d592068281ae94f652254f69cc7b5 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Tue, 26 May 2020 00:30:06 -0700
Subject: [PATCH] pkg/cgroups: update the list of devices for the hypervisor

The hypervisor needs access to `/dev/vfio/vfio` to use VFIO devices. Remove all devicemapper devices from the allowed list, the device cgroup must be updated when before hotpluggin any device.

Signed-off-by: Julio Montes
Signed-off-by: Peng Tao
---
 .../virtcontainers/pkg/cgroups/manager.go | 45 +++----------------
 1 file changed, 6 insertions(+), 39 deletions(-)

diff --git a/src/runtime/virtcontainers/pkg/cgroups/manager.go b/src/runtime/virtcontainers/pkg/cgroups/manager.go
index b3edc5b4df..98421256f1 100644
--- a/src/runtime/virtcontainers/pkg/cgroups/manager.go
+++ b/src/runtime/virtcontainers/pkg/cgroups/manager.go
@@ -23,7 +23,6 @@ import (
 	"github.com/opencontainers/runc/libcontainer/specconv"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )
 
 type Config struct {
@@ -74,22 +73,8 @@ func UseSystemdCgroup() bool {
 
 // returns the list of devices that a hypervisor may need
 func hypervisorDevices() []specs.LinuxDeviceCgroup {
-	wildcard := int64(-1)
-	devicemapperMajor := int64(253)
-
 	devices := []specs.LinuxDeviceCgroup{}
 
-	devices = append(devices,
-		// hypervisor needs access to all devicemapper devices,
-		// since they can be hotplugged in the VM.
-		specs.LinuxDeviceCgroup{
-			Allow: true,
-			Type: "b",
-			Major: &devicemapperMajor,
-			Minor: &wildcard,
-			Access: "rwm",
-		})
-
 	// Processes running in a device-cgroup are constrained, they have acccess
 	// only to the devices listed in the devices.list file.
 	// In order to run Virtual Machines and create virtqueues, hypervisors
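Review bot: The comment above `hypervisorDevices` still reads as if the function returned everything the hypervisor may need, but once the `253:* rwm` devicemapper wildcard is removed in this hunk, block devices hot-plugged into the VM are no longer covered and must be added to the device cgroup before each hotplug, which is what the commit message says but nothing at the definition does. I would make that contract explicit so a later caller does not assume the old wildcard: `// hypervisorDevices returns the fixed set of character devices the hypervisor needs to start a VM (kvm, vhost-net, vfio).` followed by `// Block devices are deliberately not listed: the device cgroup must be updated before each device is hotplugged.` Dropping the wildcard is the right least-privilege change, since `253:*` with `rwm` also granted the hypervisor every devicemapper volume on the host, not just the ones destined for this VM. The body of `hypervisorDevices` continues past the end of this hunk.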
@@ -97,33 +82,16 @@ func hypervisorDevices() []specs.LinuxDeviceCgroup {
 	hypervisorDevices := []string{
 		"/dev/kvm", // To run virtual machines
 		"/dev/vhost-net", // To create virtqueues
+		"/dev/vfio/vfio", // To access VFIO devices
 	}
 
 	for _, device := range hypervisorDevices {
-		var st unix.Stat_t
-		linuxDevice := specs.LinuxDeviceCgroup{
-			Allow: true,
-			Access: "rwm",
-		}
-
-		if err := unix.Stat(device, &st); err != nil {
-			cgroupsLogger.WithError(err).WithField("device", device).Warn("Could not get device information")
+		ldevice, err := DeviceToLinuxDevice(device)
+		if err != nil {
+			cgroupsLogger.WithError(err).Warnf("Could not get device information")
 			continue
 		}
-
-		switch st.Mode & unix.S_IFMT {
-		case unix.S_IFCHR:
-			linuxDevice.Type = "c"
-		case unix.S_IFBLK:
-			linuxDevice.Type = "b"
-		}
-
-		major := int64(unix.Major(st.Rdev))
-		minor := int64(unix.Minor(st.Rdev))
-		linuxDevice.Major = &major
-		linuxDevice.Minor = &minor
-
-		devices = append(devices, linuxDevice)
+		devices = append(devices, ldevice)
 	}
 
 	return devices
@@ -134,8 +102,7 @@ func New(config *Config) (*Manager, error) {
 	var err error
 	useSystemdCgroup := UseSystemdCgroup()
 
-	devices := []specs.LinuxDeviceCgroup{}
-	copy(devices, config.Resources.Devices)
+	devices := config.Resources.Devices
 	devices = append(devices, hypervisorDevices()...)
 	// Do not modify original devices
 	config.Resources.Devices = devices
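Review bot: The new warning `cgroupsLogger.WithError(err).Warnf("Could not get device information")` drops the `device` field the replaced line carried, so when a path in the list is missing (typically `/dev/vfio/vfio`, which only appears once the vfio driver is loaded) the log no longer says which device was left out of the allow list, and the operator only sees an unrelated failure later when passthrough is attempted. Keep the field, and use `Warn` since there are no format arguments: `cgroupsLogger.WithError(err).WithField("device", device).Warn("Could not get device information")`. `DeviceToLinuxDevice` is defined outside this hunk; the removed inline code set `Allow: true` and `Access: "rwm"` explicitly, so it is worth confirming the helper fills in the same values, because a narrower access string here would silently break VM startup rather than fail loudly.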
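Review bot: In `New`, `devices := config.Resources.Devices` followed by `append` can write through into the caller's backing array whenever that slice has spare capacity, so the `// Do not modify original devices` comment that survives on the next line no longer describes what the code does; the removed `copy` into a zero-length slice copied nothing, so this hunk also changes behaviour by now keeping the configured rules, which looks intended. To honour the comment while keeping that fix, build a fresh slice before appending: `devices := make([]specs.LinuxDeviceCgroup, 0, len(config.Resources.Devices))` then `devices = append(devices, config.Resources.Devices...)` ahead of the existing `append(devices, hypervisorDevices()...)`. This is the device-cgroup allow list, and `config.Resources` presumably comes from the caller's OCI spec, so avoiding aliasing it is cheap insurance. `New` continues outside this hunk.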