Merge pull request #2490 from kolyshkin/dev-opt
libct/cgroups: add SkipDevices to Resources
This commit is contained in:
commit
3f81131845
|
@ -23,6 +23,9 @@ func (s *DevicesGroup) Name() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *DevicesGroup) Apply(d *cgroupData) error {
|
func (s *DevicesGroup) Apply(d *cgroupData) error {
|
||||||
|
if d.config.SkipDevices {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
_, err := d.join("devices")
|
_, err := d.join("devices")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// We will return error even it's `not found` error, devices
|
// We will return error even it's `not found` error, devices
|
||||||
|
@ -52,7 +55,7 @@ func buildEmulator(rules []*configs.DeviceRule) (*devices.Emulator, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
|
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
|
||||||
if system.RunningInUserNS() {
|
if system.RunningInUserNS() || cgroup.SkipDevices {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -204,7 +204,7 @@ func (m *manager) Apply(pid int) (err error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// The non-presence of the devices subsystem is
|
// The non-presence of the devices subsystem is
|
||||||
// considered fatal for security reasons.
|
// considered fatal for security reasons.
|
||||||
if cgroups.IsNotFound(err) && sys.Name() != "devices" {
|
if cgroups.IsNotFound(err) && (c.SkipDevices || sys.Name() != "devices") {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
|
|
|
@ -37,6 +37,9 @@ func canSkipEBPFError(cgroup *configs.Cgroup) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
func setDevices(dirPath string, cgroup *configs.Cgroup) error {
|
func setDevices(dirPath string, cgroup *configs.Cgroup) error {
|
||||||
|
if cgroup.SkipDevices {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
// XXX: This is currently a white-list (but all callers pass a blacklist of
|
// XXX: This is currently a white-list (but all callers pass a blacklist of
|
||||||
// devices). This is bad for a whole variety of reasons, but will need
|
// devices). This is bad for a whole variety of reasons, but will need
|
||||||
// to be fixed with co-ordinated effort with downstreams.
|
// to be fixed with co-ordinated effort with downstreams.
|
||||||
|
|
|
@ -376,24 +376,27 @@ func (m *legacyManager) Set(container *configs.Config) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Figure out the current freezer state, so we can revert to it after we
|
|
||||||
// temporarily freeze the container.
|
|
||||||
targetFreezerState, err := m.GetFreezerState()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if targetFreezerState == configs.Undefined {
|
|
||||||
targetFreezerState = configs.Thawed
|
|
||||||
}
|
|
||||||
|
|
||||||
// We have to freeze the container while systemd sets the cgroup settings.
|
// We have to freeze the container while systemd sets the cgroup settings.
|
||||||
// The reason for this is that systemd's application of DeviceAllow rules
|
// The reason for this is that systemd's application of DeviceAllow rules
|
||||||
// is done disruptively, resulting in spurrious errors to common devices
|
// is done disruptively, resulting in spurrious errors to common devices
|
||||||
// (unlike our fs driver, they will happily write deny-all rules to running
|
// (unlike our fs driver, they will happily write deny-all rules to running
|
||||||
// containers). So we freeze the container to avoid them hitting the cgroup
|
// containers). So we freeze the container to avoid them hitting the cgroup
|
||||||
// error. But if the freezer cgroup isn't supported, we just warn about it.
|
// error. But if the freezer cgroup isn't supported, we just warn about it.
|
||||||
if err := m.Freeze(configs.Frozen); err != nil {
|
targetFreezerState := configs.Undefined
|
||||||
logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
|
if !m.cgroups.SkipDevices {
|
||||||
|
// Figure out the current freezer state, so we can revert to it after we
|
||||||
|
// temporarily freeze the container.
|
||||||
|
targetFreezerState, err = m.GetFreezerState()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if targetFreezerState == configs.Undefined {
|
||||||
|
targetFreezerState = configs.Thawed
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := m.Freeze(configs.Frozen); err != nil {
|
||||||
|
logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := dbusConnection.SetUnitProperties(getUnitName(container.Cgroups), true, properties...); err != nil {
|
if err := dbusConnection.SetUnitProperties(getUnitName(container.Cgroups), true, properties...); err != nil {
|
||||||
|
|
|
@ -298,24 +298,27 @@ func (m *unifiedManager) Set(container *configs.Config) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Figure out the current freezer state, so we can revert to it after we
|
|
||||||
// temporarily freeze the container.
|
|
||||||
targetFreezerState, err := m.GetFreezerState()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if targetFreezerState == configs.Undefined {
|
|
||||||
targetFreezerState = configs.Thawed
|
|
||||||
}
|
|
||||||
|
|
||||||
// We have to freeze the container while systemd sets the cgroup settings.
|
// We have to freeze the container while systemd sets the cgroup settings.
|
||||||
// The reason for this is that systemd's application of DeviceAllow rules
|
// The reason for this is that systemd's application of DeviceAllow rules
|
||||||
// is done disruptively, resulting in spurrious errors to common devices
|
// is done disruptively, resulting in spurrious errors to common devices
|
||||||
// (unlike our fs driver, they will happily write deny-all rules to running
|
// (unlike our fs driver, they will happily write deny-all rules to running
|
||||||
// containers). So we freeze the container to avoid them hitting the cgroup
|
// containers). So we freeze the container to avoid them hitting the cgroup
|
||||||
// error. But if the freezer cgroup isn't supported, we just warn about it.
|
// error. But if the freezer cgroup isn't supported, we just warn about it.
|
||||||
if err := m.Freeze(configs.Frozen); err != nil {
|
targetFreezerState := configs.Undefined
|
||||||
logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
|
if !m.cgroups.SkipDevices {
|
||||||
|
// Figure out the current freezer state, so we can revert to it after we
|
||||||
|
// temporarily freeze the container.
|
||||||
|
targetFreezerState, err = m.GetFreezerState()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if targetFreezerState == configs.Undefined {
|
||||||
|
targetFreezerState = configs.Thawed
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := m.Freeze(configs.Frozen); err != nil {
|
||||||
|
logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := dbusConnection.SetUnitProperties(getUnitName(m.cgroups), true, properties...); err != nil {
|
if err := dbusConnection.SetUnitProperties(getUnitName(m.cgroups), true, properties...); err != nil {
|
||||||
|
|
|
@ -126,4 +126,11 @@ type Resources struct {
|
||||||
|
|
||||||
// CpuWeight sets a proportional bandwidth limit.
|
// CpuWeight sets a proportional bandwidth limit.
|
||||||
CpuWeight uint64 `json:"cpu_weight"`
|
CpuWeight uint64 `json:"cpu_weight"`
|
||||||
|
|
||||||
|
// SkipDevices allows to skip configuring device permissions.
|
||||||
|
// Used by e.g. kubelet while creating a parent cgroup (kubepods)
|
||||||
|
// common for many containers.
|
||||||
|
//
|
||||||
|
// NOTE it is impossible to start a container which has this flag set.
|
||||||
|
SkipDevices bool `json:"skip_devices"`
|
||||||
}
|
}
|
||||||
|
|
|
@ -251,6 +251,9 @@ func (c *linuxContainer) Set(config configs.Config) error {
|
||||||
func (c *linuxContainer) Start(process *Process) error {
|
func (c *linuxContainer) Start(process *Process) error {
|
||||||
c.m.Lock()
|
c.m.Lock()
|
||||||
defer c.m.Unlock()
|
defer c.m.Unlock()
|
||||||
|
if c.config.Cgroups.Resources.SkipDevices {
|
||||||
|
return newGenericError(errors.New("can't start container with SkipDevices set"), ConfigInvalid)
|
||||||
|
}
|
||||||
if process.Init {
|
if process.Init {
|
||||||
if err := c.createExecFifo(); err != nil {
|
if err := c.createExecFifo(); err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
Loading…
Reference in New Issue