runtime: make debug console work with sandbox_cgroup_only

If a hypervisor debug console is enabled and sandbox_cgroup_only is set,
the hypervisor can fail to open /dev/ptmx, which prevents the sandbox
from launching.

This is caused by the absence of a device cgroup entry to allow access
to /dev/ptmx.  When sandbox_cgroup_only is not set, the hypervisor
inherits the default unrestricted device cgroup, but with it enabled it
runs into allow / deny list restrictions.

Fix by adding an allowlist entry for /dev/ptmx when debug is enabled,
sandbox_cgroup_only is true, and no /dev/ptmx is already in the list of
devices.

Fixes: #6870

Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
Krister Johansen
2023-05-17 16:21:32 -07:00
parent 3a4b924226
commit eff6ed2d5f


@@ -697,6 +697,7 @@ func (s *Sandbox) createResourceController() error {
// Determine if device /dev/null and /dev/urandom exist, and add if they don't
nullDeviceExist := false
urandomDeviceExist := false
ptmxDeviceExist := false
for _, device := range resources.Devices {
if device.Type == "c" && device.Major == intptr(1) && device.Minor == intptr(3) {
nullDeviceExist = true
@@ -705,6 +706,10 @@ func (s *Sandbox) createResourceController() error {
if device.Type == "c" && device.Major == intptr(1) && device.Minor == intptr(9) {
urandomDeviceExist = true
}
if device.Type == "c" && device.Major == intptr(5) && device.Minor == intptr(2) {
ptmxDeviceExist = true
}
}
if !nullDeviceExist {
@@ -720,6 +725,18 @@ func (s *Sandbox) createResourceController() error {
}...)
}
// If the hypervisor debug console is enabled and
// sandbox_cgroup_only are configured, then the vmm needs access to
// /dev/ptmx. Add this to the device allowlist if it is not
// already present in the config.
if s.config.HypervisorConfig.Debug && s.config.SandboxCgroupOnly && !ptmxDeviceExist {
// "/dev/ptmx"
resources.Devices = append(resources.Devices, []specs.LinuxDeviceCgroup{
{Type: "c", Major: intptr(5), Minor: intptr(2), Access: rwm, Allow: true},
}...)
}
if spec.Linux.Resources.CPU != nil {
resources.CPU = &specs.LinuxCPU{
Cpus: spec.Linux.Resources.CPU.Cpus,
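Review bot: The new allowlist entry `{Type: "c", Major: intptr(5), Minor: intptr(2), Access: rwm, Allow: true}` grants mknod (`m`) alongside read/write, while the commit message only needs the VMM to open /dev/ptmx, so `Access: "rw"` would be the least-privilege grant; it mirrors the `rwm` already used for /dev/null and /dev/urandom, so keep `rwm` only if that consistency is deliberate. Because the rule lands in the sandbox cgroup, every process placed in that cgroup gains it, not just the console, which is worth saying in the comment since it is gated on HypervisorConfig.Debug: `// Debug-only: this widens the sandbox device cgroup for every process in it, not just the console.`. The existence check in the loop matches only an exact 5:2 entry, so a wildcard allow (e.g. `c *:*`) still gets a redundant 5:2 entry added, and an explicit 5:2 deny entry suppresses the addition, meaning debug will still fail without any log line pointing at the deny rule; both are probably acceptable, but a debug-level log in the deny case would save the next person an hour. The comment text `sandbox_cgroup_only are configured` should read `sandbox_cgroup_only is configured`. createResourceController starts before this hunk and its body continues past it.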