Skip updates on parent Devices cgroup

Signed-off-by: Buddha Prakash <buddhap@google.com>
Buddha Prakash 2016-07-20 10:46:11 -07:00
parent bd1d3ac048
commit ef4ff6a8ad
5 changed files with 22 additions and 18 deletions


@ -77,7 +77,7 @@ config := &configs.Config{
Parent: "system", Parent: "system",
Resources: &configs.Resources{ Resources: &configs.Resources{
MemorySwappiness: nil, MemorySwappiness: nil,
AllowAllDevices: false, AllowAllDevices: nil,
AllowedDevices: configs.DefaultAllowedDevices, AllowedDevices: configs.DefaultAllowedDevices,
}, },
}, },


@ -43,21 +43,23 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
} }
return nil return nil
} }
if !cgroup.Resources.AllowAllDevices { if cgroup.Resources.AllowAllDevices != nil {
if err := writeFile(path, "devices.deny", "a"); err != nil { if *cgroup.Resources.AllowAllDevices == false {
return err if err := writeFile(path, "devices.deny", "a"); err != nil {
}
for _, dev := range cgroup.Resources.AllowedDevices {
if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
return err return err
} }
}
return nil
}
if err := writeFile(path, "devices.allow", "a"); err != nil { for _, dev := range cgroup.Resources.AllowedDevices {
return err if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
return err
}
}
return nil
}
if err := writeFile(path, "devices.allow", "a"); err != nil {
return err
}
} }
for _, dev := range cgroup.Resources.DeniedDevices { for _, dev := range cgroup.Resources.DeniedDevices {
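Review bot: In the new `Set` body a nil `AllowAllDevices` skips both the `devices.deny` write and the `AllowedDevices` loop, so the unset value now fails open where the old `bool` zero value wrote deny-all plus the whitelist. A caller that fills `AllowedDevices` but leaves the pointer nil gets no device restriction from this function and no error, and the cgroup presumably keeps whatever policy it inherited; the example config in the first file section of this commit has exactly that shape. Consider a comment above the check such as `// nil: leave the devices cgroup as inherited; AllowedDevices is ignored`, or returning an error when the pointer is nil and `AllowedDevices` is non-empty. As far as the visible context shows, the `DeniedDevices` loop after the block still runs in the nil case, which looks inconsistent with skipping updates. As a style point, `*cgroup.Resources.AllowAllDevices == false` reads better as `!*cgroup.Resources.AllowAllDevices`; `Set` starts and ends outside this hunk.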


@ -40,8 +40,8 @@ func TestDevicesSetAllow(t *testing.T) {
helper.writeFileContents(map[string]string{ helper.writeFileContents(map[string]string{
"devices.deny": "a", "devices.deny": "a",
}) })
allowAllDevices := false
helper.CgroupData.config.Resources.AllowAllDevices = false helper.CgroupData.config.Resources.AllowAllDevices = &allowAllDevices
helper.CgroupData.config.Resources.AllowedDevices = allowedDevices helper.CgroupData.config.Resources.AllowedDevices = allowedDevices
devices := &DevicesGroup{} devices := &DevicesGroup{}
if err := devices.Set(helper.CgroupPath, helper.CgroupData.config); err != nil { if err := devices.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
@ -66,7 +66,8 @@ func TestDevicesSetDeny(t *testing.T) {
"devices.allow": "a", "devices.allow": "a",
}) })
helper.CgroupData.config.Resources.AllowAllDevices = true allowAllDevices := true
helper.CgroupData.config.Resources.AllowAllDevices = &allowAllDevices
helper.CgroupData.config.Resources.DeniedDevices = deniedDevices helper.CgroupData.config.Resources.DeniedDevices = deniedDevices
devices := &DevicesGroup{} devices := &DevicesGroup{}
if err := devices.Set(helper.CgroupPath, helper.CgroupData.config); err != nil { if err := devices.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
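Review bot: Neither updated test exercises the nil case that this commit introduces; `TestDevicesSetAllow` and `TestDevicesSetDeny` only switch to pointers holding the same `false` and `true` values as before. A third test that leaves `AllowAllDevices` nil, seeds `devices.allow` and `devices.deny` through `helper.writeFileContents`, calls `devices.Set`, and asserts that neither file changed would pin the skip behaviour, so a later refactor cannot silently turn it into allow-all. Both test bodies continue outside the visible hunks.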


@ -36,7 +36,7 @@ type Cgroup struct {
type Resources struct { type Resources struct {
// If this is true allow access to any kind of device within the container. If false, allow access only to devices explicitly listed in the allowed_devices list. // If this is true allow access to any kind of device within the container. If false, allow access only to devices explicitly listed in the allowed_devices list.
// Deprecated // Deprecated
AllowAllDevices bool `json:"allow_all_devices,omitempty"` AllowAllDevices *bool `json:"allow_all_devices,omitempty"`
// Deprecated // Deprecated
AllowedDevices []*Device `json:"allowed_devices,omitempty"` AllowedDevices []*Device `json:"allowed_devices,omitempty"`
// Deprecated // Deprecated
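Review bot: The field comment above `AllowAllDevices` still describes only true and false, while the type is now `*bool` and nil carries a third meaning. Suggest adding a line such as `// A nil value leaves the devices cgroup unmodified; AllowedDevices is then ignored.` Because the old `bool` carried `omitempty`, a config serialized before this change with the value false would have omitted `allow_all_devices`, and it now decodes to nil rather than false. If stored configs are reloaded across versions, that presumably turns a whitelist into no update, so that path is worth confirming. The struct continues outside the hunk.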


@ -20,6 +20,7 @@ const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NOD
// it uses a network strategy of just setting a loopback interface // it uses a network strategy of just setting a loopback interface
// and the default setup for devices // and the default setup for devices
func newTemplateConfig(rootfs string) *configs.Config { func newTemplateConfig(rootfs string) *configs.Config {
allowAllDevices := false
return &configs.Config{ return &configs.Config{
Rootfs: rootfs, Rootfs: rootfs,
Capabilities: []string{ Capabilities: []string{
@ -49,7 +50,7 @@ func newTemplateConfig(rootfs string) *configs.Config {
Path: "integration/test", Path: "integration/test",
Resources: &configs.Resources{ Resources: &configs.Resources{
MemorySwappiness: nil, MemorySwappiness: nil,
AllowAllDevices: false, AllowAllDevices: &allowAllDevices,
AllowedDevices: configs.DefaultAllowedDevices, AllowedDevices: configs.DefaultAllowedDevices,
}, },
}, },