fix issue: make --device works at privileged mode #36258
fix issue: make --device works at privileged mode #36258wenlxie wants to merge 1 commit intomoby:masterfrom
Conversation
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
71bd87b to
d1e7e67
Compare
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
55bbdef to
651a5d1
Compare
GordonTheTurtle
added
the
dco/no
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
dcc4917 to
ba5a007
Compare
GordonTheTurtle
added
dco/no
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
52c0543 to
8310364
Compare
GordonTheTurtle
removed
the
dco/no
|
ping @kolyshkin PTAL |
There was a problem hiding this comment.
If a user specified --privileged --device xxx:xxx, then xxx will anyway be available, so specifying --device xxx:xxx is redundant, and it should not cause an error. One option is to just ignore it, the other is to have a warning, something like this maybe:
log.Warnf("Specifying a device %s is redundant for privileged mode", deviceMapping.PathOnHost)There was a problem hiding this comment.
Was thinking about that; --device allows setting r (read), w (write), and m (mknod) options; what options are used if the device passed through --device overlaps with a device on the host?
There was a problem hiding this comment.
This is a valid concern which I totally overlooked. I think in case restrictive permissions (anything other than the most permissive rwm) are given, the code should return an error as it can't enforce the required permissions (e.g. read-only).
What do you think?
There was a problem hiding this comment.
In case of a conflict, yes. Perhaps a warning is ok, after all, --privileged is expected to remove any restrictions, so perhaps lifting the restrictions that were specified to be ignored is ok.
@wenlxie what would your expectations be?
There was a problem hiding this comment.
If a user specified --privileged --device xxx:xxx, then xxx will anyway be available, so specifying --device xxx:xxx is redundant, and it should not cause an error. One option is to just ignore it, the other is to have a warning, something like this maybe:
Thanks for the comments, will change the code.
Was thinking about that; --device allows setting r (read), w (write), and m (mknod) options; what options are used if the device passed through --device overlaps with a device on the host?
@thaJeztah @kolyshkin
For this case, I'd like to ignore the restrictions and respect the --privileged option.
There was a problem hiding this comment.
One problem, though, is that the user (say, docker cli user) won't see it -- this is a warning in daemon logs. Or will they? Frankly I don't remember
There was a problem hiding this comment.
@kolyshkin It will be at the daemon logs and user will not see it.
GordonTheTurtle
added
the
dco/no
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
b8a060b to
df9931e
Compare
GordonTheTurtle
removed
the
dco/no
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
3be9d6d to
ad10f6f
Compare
Codecov Report
@@ Coverage Diff @@
## master #36258 +/- ##
=========================================
Coverage ? 36.08%
=========================================
Files ? 610
Lines ? 45151
Branches ? 0
=========================================
Hits ? 16293
Misses ? 26617
Partials ? 2241 |
|
@thaJeztah @kolyshkin |
There was a problem hiding this comment.
Extra space after Specify
Also should be Specifying.
These could all use some extra context on the log messages... e.g. logrus.WithField("container", c.ID)
There was a problem hiding this comment.
Extra space after Specify, and should be Specifying
There was a problem hiding this comment.
return errdefs.InvalidParameter(errors.New(errorMsg))
Additionally this should be validated on container create.
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
ad10f6f to
daae071
Compare
|
@cpuguy83 code changes as your commnets , PTAL |
There was a problem hiding this comment.
Can we clean up some of the grammar here?
Suggestion:
container device path must be different from any host device path for privileged mode containers
There was a problem hiding this comment.
Same comment as above re: grammer
There was a problem hiding this comment.
This might be cleaner like:
if _, err := os.Stat(...); err != nil {
if os.IsNotExist(err) {
continue
}
return nil, errors.Wrap(err, "error stating device path in container")
}
return nil, errors.Errorf(...)
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
3 times, most recently
from
0d0b7b1 to
40f8953
Compare
There was a problem hiding this comment.
I'd prefer this warning to look more like a warning; it's not really "redundant", but will be ignored (so you'd end up with different permissions than you configured);
Something like:
running in privileged mode: custom %s permissions for device %s are ignored
or
custom %s permissions for device %s are ignored in privileged mode
There was a problem hiding this comment.
Same question as above: in what situation do we end here?
The error message seems to be if deviceMapping.PathOnHost == deviceMapping.PathInContainer (but that's already handled above, and prints a warning ? (perhaps I'm looking wrong, 😅)
There was a problem hiding this comment.
Change the logic to make it more clear
There was a problem hiding this comment.
Looking at this again, I'm wondering if it's worth logging this, or if it's ok to just skip this warning: if there are no custom options (permissions) set, then the end result is exactly the same (with or without this device), so perhaps it's ok to just ignore this without logging a warning
There was a problem hiding this comment.
In what situation do we end here? (looks like we only get here if deviceMapping.PathOnHost != deviceMapping.PathInContainer and if deviceMapping.PathInContainer exists.
But the error says (if I interpret correctly); it's not allowed to add a device if deviceMapping.PathOnHost == deviceMapping.PathInContainer ?
There was a problem hiding this comment.
@thaJeztah deviceMapping.PathOnHost == deviceMapping.PathInContainer has a continue
There was a problem hiding this comment.
Trying to go through the logic:
--device /dev/vdc:/dev/vdc, means:deviceMapping.PathOnHost == deviceMapping.PathInContainer
- continue (no error)
--device /dev/vdc:/some/path, and/some/pathdoesn't exist in the container:
- continue (no error)
--device /dev/vdc:/some/path, and/some/pathcannot be read in the container:
- error:
error stating device path in container
--device /dev/vdc:/some/path, and exists in the container:
- error:
container device path: /some/path must be different from any host device path for privileged mode containers
So for 4., the device target in the container is not allowed to overlap with an existing path in the container;
- Is this different for non-privileged containers? (I guess not; but we don't seem to be validating that)
- If
deviceMapping.PathOnHost == deviceMapping.PathInContainer, should we still validate ifPathInContaineris not an existing path in the container? (could there be situations where a device exists on the host at/foo/bar, but the container has a directory (or file) at that location?) - The error message confuses me, because (IIUC) it's actually about the container path (not the host path), correct?
(again, apologies if I'm misunderstanding 😄)
There was a problem hiding this comment.
@thaJeztah
For step 4:
The device target in the container is not allowed to overlap with an existing path on the host but not in the container.
For privileged mode containers , some hostpath maybe mapped into the container, so I do this check here. I admit it is a bit excessive, maybe just check the /dev/ path is enough? What do you think?
There was a problem hiding this comment.
Same comment here re: error message wording
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
40f8953 to
0d8733a
Compare
|
ping, any update on this? kube is affected by this |
There was a problem hiding this comment.
One problem, though, is that the user (say, docker cli user) won't see it -- this is a warning in daemon logs. Or will they? Frankly I don't remember
|
The only concern I have, will docker CLI user see those errors/warnings about device perms being ignored? If yes, this PR LGTM. If not, that looks like a big issue -- a user set perms, they are ignored, and the user is not even aware of that. |
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
looks like this needs a rebase 🤗
There was a problem hiding this comment.
Looks like this err is not used other than inside the if below, so to prevent confusion, it may be better to just;
if _, err := os.Stat(deviceMapping.PathInContainer); os.IsNotExist(err) {There was a problem hiding this comment.
Can you change error to something else (e.g., err2)? error is also the "type" for an error, so the name is confusing.
There was a problem hiding this comment.
Was looking if we could get rid old all these nested ifs (for example, but extracting the "non-privileged" and "privileged" branches to separate functions), but may be best to leave that refactoring for another PR
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
3 times, most recently
from
05f5e2d to
85615cf
Compare
Signed-off-by: wenlxie <[email protected]>
It is better for user to know the info. @kolyshkin @thaJeztah Any Ideas? |
wenlxie
force-pushed
the
origin.master.fixdevicemapissuewhenenableprivilege
branch
from
85615cf to
4cdc729
Compare
I think I'm ok with logging the error in that case. Showing the warning to the user would definitely be better, but if we don't have a mechanism to do so, I don't think it should be a blocker. We should be clear in the documentation though; point out that limitation. @kolyshkin WDYT? |
|
This needs a documentation update (that goes to https://github.com/docker/cli repo I guess) noting that device permissions are ignored when |
|
@wenlxie this one needs to be rebased |
derek
Bot
added
the
status/failing-ci
|
@wenlxie If you are not working on this, can I take it forward. |
|
Carried over in #40291 |
12 participants
Signed-off-by: wenlxie [email protected]
Please provide the following information:
-->
- What I did
fixs #35991
- How I verify it
Make the docker binary, test following cases
Then I will get the error message
Then I enter the docker,
I can see the device /dev/vdx
I exit the docker, and there is no /dev/vdx at host
- Description for the changelog
Make --device options works at privileged mode