lcow: Allow the client to add device cgroup rules
Signed-off-by: John Starks <jostarks@microsoft.com>
parent
349aeeab7c
commit
e9268d9642
3 changed files with 56 additions and 39 deletions
|
@ -1,11 +1,20 @@
|
||||||
package daemon // import "github.com/docker/docker/daemon"
|
package daemon // import "github.com/docker/docker/daemon"
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
|
"regexp"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
"github.com/docker/docker/container"
|
"github.com/docker/docker/container"
|
||||||
"github.com/docker/docker/daemon/caps"
|
"github.com/docker/docker/daemon/caps"
|
||||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// nolint: gosimple
|
||||||
|
var (
|
||||||
|
deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
|
||||||
|
)
|
||||||
|
|
||||||
func setCapabilities(s *specs.Spec, c *container.Container) error {
|
func setCapabilities(s *specs.Spec, c *container.Container) error {
|
||||||
var caplist []string
|
var caplist []string
|
||||||
var err error
|
var err error
|
||||||
|
@ -29,3 +38,41 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func appendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
|
||||||
|
for _, deviceCgroupRule := range rules {
|
||||||
|
ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
|
||||||
|
if len(ss[0]) != 5 {
|
||||||
|
return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
|
||||||
|
}
|
||||||
|
matches := ss[0]
|
||||||
|
|
||||||
|
dPermissions := specs.LinuxDeviceCgroup{
|
||||||
|
Allow: true,
|
||||||
|
Type: matches[1],
|
||||||
|
Access: matches[4],
|
||||||
|
}
|
||||||
|
if matches[2] == "*" {
|
||||||
|
major := int64(-1)
|
||||||
|
dPermissions.Major = &major
|
||||||
|
} else {
|
||||||
|
major, err := strconv.ParseInt(matches[2], 10, 64)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
|
||||||
|
}
|
||||||
|
dPermissions.Major = &major
|
||||||
|
}
|
||||||
|
if matches[3] == "*" {
|
||||||
|
minor := int64(-1)
|
||||||
|
dPermissions.Minor = &minor
|
||||||
|
} else {
|
||||||
|
minor, err := strconv.ParseInt(matches[3], 10, 64)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
|
||||||
|
}
|
||||||
|
dPermissions.Minor = &minor
|
||||||
|
}
|
||||||
|
devPermissions = append(devPermissions, dPermissions)
|
||||||
|
}
|
||||||
|
return devPermissions, nil
|
||||||
|
}
|
||||||
|
|
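Review bot: In `appendDevicePermissionsFromCgroupRules`, `ss[0]` is indexed before anything checks that the rule matched. `FindAllStringSubmatch` returns nil when the regex does not match, so a malformed rule panics on `len(ss[0])` instead of producing the "invalid device cgroup rule format" error. The helper receives `c.HostConfig.DeviceCgroupRules` from both `setDevices` and `createSpecLinuxFields`, so unless rules are validated earlier (not visible here) a bad client-supplied rule would panic in the daemon rather than fail the one request. I would use a single-match call and test its result: `matches := deviceCgroupRuleRegex.FindStringSubmatch(deviceCgroupRule)` followed by `if len(matches) != 5 {`, dropping the `ss[0]` indirection.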
|
@ -6,7 +6,6 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"regexp"
|
|
||||||
"sort"
|
"sort"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -28,11 +27,6 @@ import (
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
)
|
)
|
||||||
|
|
||||||
// nolint: gosimple
|
|
||||||
var (
|
|
||||||
deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
|
|
||||||
)
|
|
||||||
|
|
||||||
func setResources(s *specs.Spec, r containertypes.Resources) error {
|
func setResources(s *specs.Spec, r containertypes.Resources) error {
|
||||||
weightDevices, err := getBlkioWeightDevices(r)
|
weightDevices, err := getBlkioWeightDevices(r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -114,39 +108,10 @@ func setDevices(s *specs.Spec, c *container.Container) error {
|
||||||
devPermissions = append(devPermissions, dPermissions...)
|
devPermissions = append(devPermissions, dPermissions...)
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, deviceCgroupRule := range c.HostConfig.DeviceCgroupRules {
|
var err error
|
||||||
ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
|
devPermissions, err = appendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
|
||||||
if len(ss[0]) != 5 {
|
if err != nil {
|
||||||
return fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
|
return err
|
||||||
}
|
|
||||||
matches := ss[0]
|
|
||||||
|
|
||||||
dPermissions := specs.LinuxDeviceCgroup{
|
|
||||||
Allow: true,
|
|
||||||
Type: matches[1],
|
|
||||||
Access: matches[4],
|
|
||||||
}
|
|
||||||
if matches[2] == "*" {
|
|
||||||
major := int64(-1)
|
|
||||||
dPermissions.Major = &major
|
|
||||||
} else {
|
|
||||||
major, err := strconv.ParseInt(matches[2], 10, 64)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
|
|
||||||
}
|
|
||||||
dPermissions.Major = &major
|
|
||||||
}
|
|
||||||
if matches[3] == "*" {
|
|
||||||
minor := int64(-1)
|
|
||||||
dPermissions.Minor = &minor
|
|
||||||
} else {
|
|
||||||
minor, err := strconv.ParseInt(matches[3], 10, 64)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
|
|
||||||
}
|
|
||||||
dPermissions.Minor = &minor
|
|
||||||
}
|
|
||||||
devPermissions = append(devPermissions, dPermissions)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -347,6 +347,11 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
|
||||||
if err := setCapabilities(s, c); err != nil {
|
if err := setCapabilities(s, c); err != nil {
|
||||||
return fmt.Errorf("linux spec capabilities: %v", err)
|
return fmt.Errorf("linux spec capabilities: %v", err)
|
||||||
}
|
}
|
||||||
|
devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("linux runtime spec devices: %v", err)
|
||||||
|
}
|
||||||
|
s.Linux.Resources.Devices = devPermissions
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
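Review bot: The new block in `createSpecLinuxFields` builds the list from `nil` and then assigns it to `s.Linux.Resources.Devices`, so any device cgroup entries the spec already holds at this point (a default deny rule, for instance) are replaced by allow-only rules; `setDevices` on the Linux side appends to the existing `devPermissions` instead. If the spec can carry entries here, pass them as the base: `appendDevicePermissionsFromCgroupRules(s.Linux.Resources.Devices, c.HostConfig.DeviceCgroupRules)`. The assignment also dereferences `s.Linux.Resources` without a nil check; whether it is always initialised before this function runs is not visible in the hunk, so either guard it or add a comment stating the invariant. The function starts outside the hunk.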