github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-16 14:28:35 +00:00
Code Issues Projects Releases Wiki Activity

runtime-rs: Remove default value of Linux.Resources.Devices in OCI Spec

Browse Source 
In certain scenarios, particularly under CoCo/Agent Policy enforcement,
the default initial value of `Linux.Resources.Devices` is considered
non-compliant, leading to container creation failures. To address this
issue and ensure consistency with the behavior in `runtime-go`, this
commit removes the default value of `Linux.Resources.Devices` from the
OCI Spec.

This cleanup ensures that the OCI Spec aligns with runtime expectations
and prevents policy violations during container creation.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
This commit is contained in:
Alex Lyn
2025-09-03 18:00:04 +08:00
parent 203f7090a6
commit e235fc1efb
1 changed files with 24 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
View File

@@ -18,7 +18,7 @@ use common::{
};
use kata_sys_util::k8s::update_ephemeral_storage_type;
use kata_types::k8s;
use oci_spec::runtime as oci;
use oci_spec::runtime::{self as oci, LinuxDeviceCgroup};
use oci::{LinuxResources, Process as OCIProcess};
use resource::{
@@ -602,13 +602,33 @@ fn amend_spec(
// special process K8s ephemeral volumes.
update_ephemeral_storage_type(spec);
if let Some(linux) = spec.linux_mut() {
if let Some(linux) = &mut spec.linux_mut() {
if disable_guest_seccomp {
linux.set_seccomp(None);
}
if let Some(_resource) = linux.resources_mut() {
LinuxResources::default();
// In certain scenarios, particularly under CoCo/Agent Policy enforcement, the default initial value of `Linux.Resources.Devices`
// is considered non-compliant, leading to container creation failures. To address this issue and ensure consistency with the behavior
// in `runtime-go`, the default value of `Linux.Resources.Devices` from the OCI Spec should be removed.
if let Some(resources) = linux.resources_mut() {
if let Some(devices) = resources.devices_mut().take() {
let cleaned_devices: Vec<LinuxDeviceCgroup> = devices
.into_iter()
.filter(|device| {
!(!device.allow()
&& device.typ().is_none()
&& device.major().is_none()
&& device.minor().is_none()
&& device.access().as_deref() == Some("rwm"))
})
.collect();
resources.set_devices(if cleaned_devices.is_empty() {
None
} else {
Some(cleaned_devices)
});
}
}
// Host pidns path does not make sense in kata. Let's just align it with