runtime: refactor hypervisor devices cgroup creation

Separatly added hypervisor devices to cgroup to omit not relevant warnings and fail if none of them are available. Fixes #6656 Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-08-27 12:08:58 +00:00 · 2025-04-08 14:20:49 +02:00 · 2025-04-08 14:20:49 +02:00 · a4d3f813c2
commit a4d3f813c2
parent f04bb3f34c
1 changed files with 30 additions and 6 deletions
--- a/src/runtime/pkg/resourcecontrol/cgroups.go
+++ b/src/runtime/pkg/resourcecontrol/cgroups.go
@ -8,6 +8,7 @@
 package resourcecontrol

 import (
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@ -50,7 +51,7 @@ type LinuxCgroup struct {
 	sync.Mutex
 }

-func sandboxDevices() []specs.LinuxDeviceCgroup {
+func sandboxDevices() ([]specs.LinuxDeviceCgroup, error) {
 	devices := []specs.LinuxDeviceCgroup{}

 	defaultDevices := []string{
@ -68,14 +69,33 @@ func sandboxDevices() []specs.LinuxDeviceCgroup {
 	// In order to run Virtual Machines and create virtqueues, hypervisors
 	// need access to certain character devices in the host, like kvm and vhost-net.
 	hypervisorDevices := []string{
-		"/dev/kvm",         // To run virtual machines with KVM
-		"/dev/mshv",        // To run virtual machines with Hyper-V
+		"/dev/kvm",  // To run virtual machines with KVM
+		"/dev/mshv", // To run virtual machines with Hyper-V
+	}
+	virtualDevices := []string{
 		"/dev/vhost-net",   // To create virtqueues
 		"/dev/vfio/vfio",   // To access VFIO devices
 		"/dev/vhost-vsock", // To interact with vsock if
 	}

-	defaultDevices = append(defaultDevices, hypervisorDevices...)
+	hypervisorDeviceAdded := false
+	for _, hypervisor := range hypervisorDevices {
+		hypervisorDevice, err := DeviceToLinuxDevice(hypervisor)
+		if err != nil {
+			if !os.IsNotExist(err) {
+				controllerLogger.WithField("source", "cgroups").Warnf("Failed to add %s to the devices cgroup: %v", hypervisor, err)
+			}
+			continue
+		}
+		devices = append(devices, hypervisorDevice)
+		hypervisorDeviceAdded = true
+		controllerLogger.WithField("source", "cgroups").Infof("Adding %s to the devices cgroup", hypervisor)
+		break
+	}
+	if !hypervisorDeviceAdded {
+		return []specs.LinuxDeviceCgroup{}, errors.New("Could not add any hypervisor device to devices cgroup")
+	}
+	defaultDevices = append(defaultDevices, virtualDevices...)

 	for _, device := range defaultDevices {
 		ldevice, err := DeviceToLinuxDevice(device)
@ -128,7 +148,7 @@ func sandboxDevices() []specs.LinuxDeviceCgroup {

 	devices = append(devices, wildcardDevices...)

-	return devices
+	return devices, nil
 }

 func NewResourceController(path string, resources *specs.LinuxResources) (ResourceController, error) {
@ -168,7 +188,11 @@ func NewResourceController(path string, resources *specs.LinuxResources) (Resour

 func NewSandboxResourceController(path string, resources *specs.LinuxResources, sandboxCgroupOnly bool) (ResourceController, error) {
 	sandboxResources := *resources
-	sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevices()...)
+	sandboxDevices, err := sandboxDevices()
+	if err != nil {
+		return nil, err
+	}
+	sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevices...)

 	// Currently we know to handle systemd cgroup path only when it's the only cgroup (no overhead group), hence,
 	// if sandboxCgroupOnly is not true we treat it as cgroupfs path as it used to be, although it may be incorrect.