1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

lcow: Allow the client to add device cgroup rules

Signed-off-by: John Starks <jostarks@microsoft.com>
This commit is contained in:
John Starks 2018-06-15 16:14:17 -07:00
parent 349aeeab7c
commit e9268d9642
3 changed files with 56 additions and 39 deletions

View file

@ -1,11 +1,20 @@
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
import ( import (
"fmt"
"regexp"
"strconv"
"github.com/docker/docker/container" "github.com/docker/docker/container"
"github.com/docker/docker/daemon/caps" "github.com/docker/docker/daemon/caps"
specs "github.com/opencontainers/runtime-spec/specs-go" specs "github.com/opencontainers/runtime-spec/specs-go"
) )
// nolint: gosimple
var (
deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
)
func setCapabilities(s *specs.Spec, c *container.Container) error { func setCapabilities(s *specs.Spec, c *container.Container) error {
var caplist []string var caplist []string
var err error var err error
@ -29,3 +38,41 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
} }
return nil return nil
} }
func appendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
for _, deviceCgroupRule := range rules {
ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
if len(ss[0]) != 5 {
return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
}
matches := ss[0]
dPermissions := specs.LinuxDeviceCgroup{
Allow: true,
Type: matches[1],
Access: matches[4],
}
if matches[2] == "*" {
major := int64(-1)
dPermissions.Major = &major
} else {
major, err := strconv.ParseInt(matches[2], 10, 64)
if err != nil {
return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
}
dPermissions.Major = &major
}
if matches[3] == "*" {
minor := int64(-1)
dPermissions.Minor = &minor
} else {
minor, err := strconv.ParseInt(matches[3], 10, 64)
if err != nil {
return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
}
dPermissions.Minor = &minor
}
devPermissions = append(devPermissions, dPermissions)
}
return devPermissions, nil
}

View file

@ -6,7 +6,6 @@ import (
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"regexp"
"sort" "sort"
"strconv" "strconv"
"strings" "strings"
@ -28,11 +27,6 @@ import (
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
// nolint: gosimple
var (
deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
)
func setResources(s *specs.Spec, r containertypes.Resources) error { func setResources(s *specs.Spec, r containertypes.Resources) error {
weightDevices, err := getBlkioWeightDevices(r) weightDevices, err := getBlkioWeightDevices(r)
if err != nil { if err != nil {
@ -114,39 +108,10 @@ func setDevices(s *specs.Spec, c *container.Container) error {
devPermissions = append(devPermissions, dPermissions...) devPermissions = append(devPermissions, dPermissions...)
} }
for _, deviceCgroupRule := range c.HostConfig.DeviceCgroupRules { var err error
ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1) devPermissions, err = appendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
if len(ss[0]) != 5 { if err != nil {
return fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule) return err
}
matches := ss[0]
dPermissions := specs.LinuxDeviceCgroup{
Allow: true,
Type: matches[1],
Access: matches[4],
}
if matches[2] == "*" {
major := int64(-1)
dPermissions.Major = &major
} else {
major, err := strconv.ParseInt(matches[2], 10, 64)
if err != nil {
return fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
}
dPermissions.Major = &major
}
if matches[3] == "*" {
minor := int64(-1)
dPermissions.Minor = &minor
} else {
minor, err := strconv.ParseInt(matches[3], 10, 64)
if err != nil {
return fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
}
dPermissions.Minor = &minor
}
devPermissions = append(devPermissions, dPermissions)
} }
} }

View file

@ -347,6 +347,11 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
if err := setCapabilities(s, c); err != nil { if err := setCapabilities(s, c); err != nil {
return fmt.Errorf("linux spec capabilities: %v", err) return fmt.Errorf("linux spec capabilities: %v", err)
} }
devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
if err != nil {
return fmt.Errorf("linux runtime spec devices: %v", err)
}
s.Linux.Resources.Devices = devPermissions
return nil return nil
} }