github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-13 21:09:31 +00:00
Code Issues Projects Releases Wiki Activity

pkg/cgroups: update the list of devices for the hypervisor

Browse Source 
The hypervisor needs access to `/dev/vfio/vfio` to use VFIO devices.
Remove all devicemapper devices from the allowed list, the device cgroup
must be updated when before hotpluggin any device.

Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
This commit is contained in:
Julio Montes
2020-05-26 00:30:06 -07:00
committed by Peng Tao
parent 44ed777c0f
commit 9cdc899c76
1 changed files with 6 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
src/runtime/virtcontainers/pkg/cgroups/manager.go
View File

@@ -23,7 +23,6 @@ import (
"github.com/opencontainers/runc/libcontainer/specconv" "github.com/opencontainers/runc/libcontainer/specconv"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
) )
type Config struct { type Config struct {
@@ -74,22 +73,8 @@ func UseSystemdCgroup() bool {
// returns the list of devices that a hypervisor may need // returns the list of devices that a hypervisor may need
func hypervisorDevices() []specs.LinuxDeviceCgroup { func hypervisorDevices() []specs.LinuxDeviceCgroup {
wildcard := int64(-1)
devicemapperMajor := int64(253)
devices := []specs.LinuxDeviceCgroup{} devices := []specs.LinuxDeviceCgroup{}
devices = append(devices,
// hypervisor needs access to all devicemapper devices,
// since they can be hotplugged in the VM.
specs.LinuxDeviceCgroup{
Allow: true,
Type: "b",
Major: &devicemapperMajor,
Minor: &wildcard,
Access: "rwm",
})
// Processes running in a device-cgroup are constrained, they have acccess // Processes running in a device-cgroup are constrained, they have acccess
// only to the devices listed in the devices.list file. // only to the devices listed in the devices.list file.
// In order to run Virtual Machines and create virtqueues, hypervisors // In order to run Virtual Machines and create virtqueues, hypervisors
@@ -97,33 +82,16 @@ func hypervisorDevices() []specs.LinuxDeviceCgroup {
hypervisorDevices := []string{ hypervisorDevices := []string{
"/dev/kvm", // To run virtual machines "/dev/kvm", // To run virtual machines
"/dev/vhost-net", // To create virtqueues "/dev/vhost-net", // To create virtqueues
"/dev/vfio/vfio", // To access VFIO devices
} }
for _, device := range hypervisorDevices { for _, device := range hypervisorDevices {
var st unix.Stat_t ldevice, err := DeviceToLinuxDevice(device)
linuxDevice := specs.LinuxDeviceCgroup{ if err != nil {
Allow: true, cgroupsLogger.WithError(err).Warnf("Could not get device information")
Access: "rwm",
}
if err := unix.Stat(device, &st); err != nil {
cgroupsLogger.WithError(err).WithField("device", device).Warn("Could not get device information")
continue continue
} }
devices = append(devices, ldevice)
switch st.Mode & unix.S_IFMT {
case unix.S_IFCHR:
linuxDevice.Type = "c"
case unix.S_IFBLK:
linuxDevice.Type = "b"
}
major := int64(unix.Major(st.Rdev))
minor := int64(unix.Minor(st.Rdev))
linuxDevice.Major = &major
linuxDevice.Minor = &minor
devices = append(devices, linuxDevice)
} }
return devices return devices
@@ -134,8 +102,7 @@ func New(config *Config) (*Manager, error) {
var err error var err error
useSystemdCgroup := UseSystemdCgroup() useSystemdCgroup := UseSystemdCgroup()
devices := []specs.LinuxDeviceCgroup{} devices := config.Resources.Devices
copy(devices, config.Resources.Devices)
devices = append(devices, hypervisorDevices()...) devices = append(devices, hypervisorDevices()...)
// Do not modify original devices // Do not modify original devices
config.Resources.Devices = devices config.Resources.Devices = devices