Filter auto-created device list if user namespaces enabled
Because devices will be bind-mounted instead of using `mknod`, we need
to make sure the source exists and filter the list by only those whose
source is a valid path/current device entry.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
(cherry picked from commit 9a554e8c37
)
This commit is contained in:
parent
ba797dd6a2
commit
4899a04a2a
|
@ -140,7 +140,7 @@ func InitContainer(c *Command) *configs.Config {
|
||||||
container.Hostname = getEnv("HOSTNAME", c.ProcessConfig.Env)
|
container.Hostname = getEnv("HOSTNAME", c.ProcessConfig.Env)
|
||||||
container.Cgroups.Name = c.ID
|
container.Cgroups.Name = c.ID
|
||||||
container.Cgroups.Resources.AllowedDevices = c.AllowedDevices
|
container.Cgroups.Resources.AllowedDevices = c.AllowedDevices
|
||||||
container.Devices = c.AutoCreatedDevices
|
container.Devices = filterDevices(c.AutoCreatedDevices, (c.RemappedRoot.UID != 0))
|
||||||
container.Rootfs = c.Rootfs
|
container.Rootfs = c.Rootfs
|
||||||
container.Readonlyfs = c.ReadonlyRootfs
|
container.Readonlyfs = c.ReadonlyRootfs
|
||||||
// This can be overridden later by driver during mount setup based
|
// This can be overridden later by driver during mount setup based
|
||||||
|
@ -154,6 +154,24 @@ func InitContainer(c *Command) *configs.Config {
|
||||||
return container
|
return container
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func filterDevices(devices []*configs.Device, userNamespacesEnabled bool) []*configs.Device {
|
||||||
|
if !userNamespacesEnabled {
|
||||||
|
return devices
|
||||||
|
}
|
||||||
|
|
||||||
|
filtered := []*configs.Device{}
|
||||||
|
// if we have user namespaces enabled, these devices will not be created
|
||||||
|
// because of the mknod limitation in the kernel for an unprivileged process.
|
||||||
|
// Rather, they will be bind-mounted, which will only work if they exist;
|
||||||
|
// check for existence and remove non-existent entries from the list
|
||||||
|
for _, device := range devices {
|
||||||
|
if _, err := os.Stat(device.Path); err == nil {
|
||||||
|
filtered = append(filtered, device)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return filtered
|
||||||
|
}
|
||||||
|
|
||||||
func getEnv(key string, env []string) string {
|
func getEnv(key string, env []string) string {
|
||||||
for _, pair := range env {
|
for _, pair := range env {
|
||||||
parts := strings.SplitN(pair, "=", 2)
|
parts := strings.SplitN(pair, "=", 2)
|
||||||
|
|
Loading…
Reference in New Issue