pkg/cgroups: update the list of devices for the hypervisor

The hypervisor needs access to `/dev/vfio/vfio` to use VFIO devices. Remove all devicemapper devices from the allowed list, the device cgroup must be updated when before hotpluggin any device. Signed-off-by: Julio Montes <julio.montes@intel.com> Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2025-09-12 20:39:30 +00:00 · 2020-05-26 00:30:06 -07:00
parent 44ed777c0f
commit 9cdc899c76
1 changed files with 6 additions and 39 deletions
--- a/src/runtime/virtcontainers/pkg/cgroups/manager.go
+++ b/src/runtime/virtcontainers/pkg/cgroups/manager.go
@@ -23,7 +23,6 @@ import (
 	"github.com/opencontainers/runc/libcontainer/specconv"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )

 type Config struct {
@@ -74,22 +73,8 @@ func UseSystemdCgroup() bool {

 // returns the list of devices that a hypervisor may need
 func hypervisorDevices() []specs.LinuxDeviceCgroup {
-	wildcard := int64(-1)
-	devicemapperMajor := int64(253)
-
 	devices := []specs.LinuxDeviceCgroup{}

-	devices = append(devices,
-		// hypervisor needs access to all devicemapper devices,
-		// since they can be hotplugged in the VM.
-		specs.LinuxDeviceCgroup{
-			Allow:  true,
-			Type:   "b",
-			Major:  &devicemapperMajor,
-			Minor:  &wildcard,
-			Access: "rwm",
-		})
-
 	// Processes running in a device-cgroup are constrained, they have acccess
 	// only to the devices listed in the devices.list file.
 	// In order to run Virtual Machines and create virtqueues, hypervisors
@@ -97,33 +82,16 @@ func hypervisorDevices() []specs.LinuxDeviceCgroup {
 	hypervisorDevices := []string{
 		"/dev/kvm",       // To run virtual machines
 		"/dev/vhost-net", // To create virtqueues
+		"/dev/vfio/vfio", // To access VFIO devices
 	}

 	for _, device := range hypervisorDevices {
-		var st unix.Stat_t
-		linuxDevice := specs.LinuxDeviceCgroup{
-			Allow:  true,
-			Access: "rwm",
-		}
-
-		if err := unix.Stat(device, &st); err != nil {
-			cgroupsLogger.WithError(err).WithField("device", device).Warn("Could not get device information")
+		ldevice, err := DeviceToLinuxDevice(device)
+		if err != nil {
+			cgroupsLogger.WithError(err).Warnf("Could not get device information")
 			continue
 		}
-
-		switch st.Mode & unix.S_IFMT {
-		case unix.S_IFCHR:
-			linuxDevice.Type = "c"
-		case unix.S_IFBLK:
-			linuxDevice.Type = "b"
-		}
-
-		major := int64(unix.Major(st.Rdev))
-		minor := int64(unix.Minor(st.Rdev))
-		linuxDevice.Major = &major
-		linuxDevice.Minor = &minor
-
-		devices = append(devices, linuxDevice)
+		devices = append(devices, ldevice)
 	}

 	return devices
@@ -134,8 +102,7 @@ func New(config *Config) (*Manager, error) {
 	var err error
 	useSystemdCgroup := UseSystemdCgroup()

-	devices := []specs.LinuxDeviceCgroup{}
-	copy(devices, config.Resources.Devices)
+	devices := config.Resources.Devices
 	devices = append(devices, hypervisorDevices()...)
 	// Do not modify original devices
 	config.Resources.Devices = devices