Merge pull request #2490 from kolyshkin/dev-opt

libct/cgroups: add SkipDevices to Resources
This commit is contained in:
Mrunal Patel 2020-07-06 14:28:30 -07:00 committed by GitHub
commit 3f81131845
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 48 additions and 26 deletions

View File

@ -23,6 +23,9 @@ func (s *DevicesGroup) Name() string {
} }
func (s *DevicesGroup) Apply(d *cgroupData) error { func (s *DevicesGroup) Apply(d *cgroupData) error {
if d.config.SkipDevices {
return nil
}
_, err := d.join("devices") _, err := d.join("devices")
if err != nil { if err != nil {
// We will return error even it's `not found` error, devices // We will return error even it's `not found` error, devices
@ -52,7 +55,7 @@ func buildEmulator(rules []*configs.DeviceRule) (*devices.Emulator, error) {
} }
func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error { func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
if system.RunningInUserNS() { if system.RunningInUserNS() || cgroup.SkipDevices {
return nil return nil
} }

View File

@ -204,7 +204,7 @@ func (m *manager) Apply(pid int) (err error) {
if err != nil { if err != nil {
// The non-presence of the devices subsystem is // The non-presence of the devices subsystem is
// considered fatal for security reasons. // considered fatal for security reasons.
if cgroups.IsNotFound(err) && sys.Name() != "devices" { if cgroups.IsNotFound(err) && (c.SkipDevices || sys.Name() != "devices") {
continue continue
} }
return err return err

View File

@ -37,6 +37,9 @@ func canSkipEBPFError(cgroup *configs.Cgroup) bool {
} }
func setDevices(dirPath string, cgroup *configs.Cgroup) error { func setDevices(dirPath string, cgroup *configs.Cgroup) error {
if cgroup.SkipDevices {
return nil
}
// XXX: This is currently a white-list (but all callers pass a blacklist of // XXX: This is currently a white-list (but all callers pass a blacklist of
// devices). This is bad for a whole variety of reasons, but will need // devices). This is bad for a whole variety of reasons, but will need
// to be fixed with co-ordinated effort with downstreams. // to be fixed with co-ordinated effort with downstreams.

View File

@ -376,24 +376,27 @@ func (m *legacyManager) Set(container *configs.Config) error {
return err return err
} }
// Figure out the current freezer state, so we can revert to it after we
// temporarily freeze the container.
targetFreezerState, err := m.GetFreezerState()
if err != nil {
return err
}
if targetFreezerState == configs.Undefined {
targetFreezerState = configs.Thawed
}
// We have to freeze the container while systemd sets the cgroup settings. // We have to freeze the container while systemd sets the cgroup settings.
// The reason for this is that systemd's application of DeviceAllow rules // The reason for this is that systemd's application of DeviceAllow rules
// is done disruptively, resulting in spurrious errors to common devices // is done disruptively, resulting in spurrious errors to common devices
// (unlike our fs driver, they will happily write deny-all rules to running // (unlike our fs driver, they will happily write deny-all rules to running
// containers). So we freeze the container to avoid them hitting the cgroup // containers). So we freeze the container to avoid them hitting the cgroup
// error. But if the freezer cgroup isn't supported, we just warn about it. // error. But if the freezer cgroup isn't supported, we just warn about it.
if err := m.Freeze(configs.Frozen); err != nil { targetFreezerState := configs.Undefined
logrus.Infof("freeze container before SetUnitProperties failed: %v", err) if !m.cgroups.SkipDevices {
// Figure out the current freezer state, so we can revert to it after we
// temporarily freeze the container.
targetFreezerState, err = m.GetFreezerState()
if err != nil {
return err
}
if targetFreezerState == configs.Undefined {
targetFreezerState = configs.Thawed
}
if err := m.Freeze(configs.Frozen); err != nil {
logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
}
} }
if err := dbusConnection.SetUnitProperties(getUnitName(container.Cgroups), true, properties...); err != nil { if err := dbusConnection.SetUnitProperties(getUnitName(container.Cgroups), true, properties...); err != nil {

View File

@ -298,24 +298,27 @@ func (m *unifiedManager) Set(container *configs.Config) error {
return err return err
} }
// Figure out the current freezer state, so we can revert to it after we
// temporarily freeze the container.
targetFreezerState, err := m.GetFreezerState()
if err != nil {
return err
}
if targetFreezerState == configs.Undefined {
targetFreezerState = configs.Thawed
}
// We have to freeze the container while systemd sets the cgroup settings. // We have to freeze the container while systemd sets the cgroup settings.
// The reason for this is that systemd's application of DeviceAllow rules // The reason for this is that systemd's application of DeviceAllow rules
// is done disruptively, resulting in spurrious errors to common devices // is done disruptively, resulting in spurrious errors to common devices
// (unlike our fs driver, they will happily write deny-all rules to running // (unlike our fs driver, they will happily write deny-all rules to running
// containers). So we freeze the container to avoid them hitting the cgroup // containers). So we freeze the container to avoid them hitting the cgroup
// error. But if the freezer cgroup isn't supported, we just warn about it. // error. But if the freezer cgroup isn't supported, we just warn about it.
if err := m.Freeze(configs.Frozen); err != nil { targetFreezerState := configs.Undefined
logrus.Infof("freeze container before SetUnitProperties failed: %v", err) if !m.cgroups.SkipDevices {
// Figure out the current freezer state, so we can revert to it after we
// temporarily freeze the container.
targetFreezerState, err = m.GetFreezerState()
if err != nil {
return err
}
if targetFreezerState == configs.Undefined {
targetFreezerState = configs.Thawed
}
if err := m.Freeze(configs.Frozen); err != nil {
logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
}
} }
if err := dbusConnection.SetUnitProperties(getUnitName(m.cgroups), true, properties...); err != nil { if err := dbusConnection.SetUnitProperties(getUnitName(m.cgroups), true, properties...); err != nil {

View File

@ -126,4 +126,11 @@ type Resources struct {
// CpuWeight sets a proportional bandwidth limit. // CpuWeight sets a proportional bandwidth limit.
CpuWeight uint64 `json:"cpu_weight"` CpuWeight uint64 `json:"cpu_weight"`
// SkipDevices allows to skip configuring device permissions.
// Used by e.g. kubelet while creating a parent cgroup (kubepods)
// common for many containers.
//
// NOTE it is impossible to start a container which has this flag set.
SkipDevices bool `json:"skip_devices"`
} }

View File

@ -251,6 +251,9 @@ func (c *linuxContainer) Set(config configs.Config) error {
func (c *linuxContainer) Start(process *Process) error { func (c *linuxContainer) Start(process *Process) error {
c.m.Lock() c.m.Lock()
defer c.m.Unlock() defer c.m.Unlock()
if c.config.Cgroups.Resources.SkipDevices {
return newGenericError(errors.New("can't start container with SkipDevices set"), ConfigInvalid)
}
if process.Init { if process.Init {
if err := c.createExecFifo(); err != nil { if err := c.createExecFifo(); err != nil {
return err return err