Skip to content

35991- make --device works at privileged mode#40291

Merged
cpuguy83 merged 3 commits intomoby:masterfrom
akhilerm:privileged-device
Jan 2, 2020
Merged

35991- make --device works at privileged mode#40291
cpuguy83 merged 3 commits intomoby:masterfrom
akhilerm:privileged-device

Conversation

@akhilerm
Copy link
Copy Markdown
Contributor

@akhilerm akhilerm commented Dec 6, 2019
edited
Loading

Signed-off-by: Akhil Mohan [email protected]

- What I did
Fixes issue #35991. Most changes have been taken from PR #36258, since it was not being actively worked on.

Changes:

  • --device flag will not be ignored in privileged mode

- How I did it
When creating the container spec for privileged containers, the device mapping is also included along with the entries from /dev. Since the container is already privileged, the cgroup permissions will be rwm for all the devices.

- How to verify it
Test Cases:
1. When the same host and container device is specified
Host

# docker run -it --rm --privileged --device /dev/sdc:/dev/sdc ubuntu:18.04

Daemon Logs

WARN[2019-12-06T13:28:23.599463805Z] path in container /dev/sdc already exists in privileged mode  container=00350c5f59fe356178d2fea5f1de29d7205a45c76cb3a1c6cb723061dfcccd56

2. When two different path in /dev is specified
Host

# docker run -it --rm --privileged --device /dev/sdc:/dev/sdx ubuntu:18.04

Container

root@55cdc2bb2a40:/# ls -l /dev | grep sdc 
brw-rw---- 1 root disk      8,  32 Dec  6 13:31 sdc
root@55cdc2bb2a40:/# ls -l /dev | grep sdx 
brw-rw---- 1 root disk      8,  32 Dec  6 13:31 sdx

3. When a path other than /dev is specified
Host

# docker run -it --rm --privileged --device /dev/sdc:/data ubuntu:18.04

Container

root@15572380927b:/# ls -l | grep data
brw-rw----   1 root disk 8, 32 Dec  6 13:33 data
root@15572380927b:/# ls -l /dev | grep sdc 
brw-rw---- 1 root disk      8,  32 Dec  6 13:33 sdc

4. Device mapped with a different permission
Host

# docker run -it --rm --privileged --device /dev/sdc:/data:r ubuntu:18.04

Daemon Logs

WARN[2019-12-06T13:35:17.899953587Z] custom r permissions for device /dev/sdc are ignored in privileged mode  container=bd02db4980eebc4180af75fee403bef986565c711ca96d74778e29cdbf191eab

- Description for the changelog

The --device flag in docker run will now be honored when the container is started in privileged mode.

- A picture of a cute animal (not mandatory but encouraged)

wenlxie and others added 2 commits December 6, 2019 18:17
@wenlxie @akhilerm
make --device works at privileged mode
03b3ec1 
Signed-off-by: wenlxie <[email protected]>
@akhilerm
Make --device flag work in privileged mode
35b9e69 
When a container is started in privileged mode, the device mappings
provided by `--device` flag was ignored. Now the device mappings will
be considered even in privileged mode.

Signed-off-by: Akhil Mohan <[email protected]>
kolyshkin
kolyshkin approved these changes Dec 6, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kolyshkin kolyshkin mentioned this pull request Dec 6, 2019
Closed
@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Dec 6, 2019

As I mentioned in the original PR, a documentation update is needed to warn that device permissions are ignored in privileged mode. Can you work on this one @akhilerm ?

@akhilerm
Copy link
Copy Markdown
Contributor Author

akhilerm commented Dec 7, 2019

Sure. I will raise the PR to docker documentation.
@kolyshkin are the warning messages in this PR enough or should it be changed further?

akhilerm
akhilerm commented Dec 7, 2019
View reviewed changes
Comment thread daemon/oci_linux.go Outdated
}
// check if the path exists in the container. need to create a device only if the
// path does not exists.
if _, err := os.Stat(deviceMapping.PathInContainer); !os.IsNotExist(err) {
Copy link
Copy Markdown
Contributor Author

@akhilerm akhilerm Dec 7, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kolyshkin Just now I was testing this change. This code where we do an os.Stat for a path in the container. Is it the right way to do it. Because I can see that the container creation fails, if such a path exists on the host.

Example: There is a /test directory on the host. And the mapping used is --device /dev/sdc:/test. This will fail because os.Stat checks and finds that a directory exists, but in actual case there is no such directory inside the container.

The same issue can happen in reverse also. There is a directory /test available inside the container but not on the host. When docker run is executed with --device /dev/sdc:/test, it won't show any errors. Inside the container, the device won't be available at /test. Just the original directory.

How should both these cases be handled.
cc: @thaJeztah

@akhilerm akhilerm mentioned this pull request Dec 8, 2019
Merged
@akhilerm akhilerm requested a review from kolyshkin December 10, 2019 02:56
cpuguy83
cpuguy83 requested changes Dec 19, 2019
View reviewed changes
Comment thread daemon/container.go Outdated
@akhilerm
remove host directory check
86ebbe1 
Signed-off-by: Akhil Mohan <[email protected]>
cpuguy83
cpuguy83 approved these changes Jan 2, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@cpuguy83 cpuguy83 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cpuguy83 cpuguy83 merged commit 03163f6 into moby:master Jan 2, 2020
@akhilerm akhilerm deleted the privileged-device branch January 3, 2020 04:08
@akhilerm akhilerm mentioned this pull request Mar 3, 2020
Closed
@thaJeztah thaJeztah added this to the 20.03.0 milestone Apr 2, 2020
@wilhelmguo
Copy link
Copy Markdown

wilhelmguo commented Nov 9, 2020

Can this PR be merged into version 19 of Moby?

@mowangdk
Copy link
Copy Markdown

mowangdk commented Nov 9, 2020

Can this PR be merged into version 19 of Moby?

+1

1 similar comment
@JasonRD
Copy link
Copy Markdown

JasonRD commented Nov 11, 2020

Can this PR be merged into version 19 of Moby?

+1

@qiutongs qiutongs mentioned this pull request Feb 18, 2021
Closed
@bsousaa bsousaa mentioned this pull request Jan 10, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpuguy83 cpuguy83 cpuguy83 approved these changes

@kolyshkin kolyshkin Awaiting requested review from kolyshkin

Assignees

No one assigned

Labels

impact/changelog status/2-code-review

Projects

None yet

Milestone

20.10.0

Development

Successfully merging this pull request may close these issues.

8 participants

@akhilerm @kolyshkin @wilhelmguo @mowangdk @JasonRD @cpuguy83 @thaJeztah @wenlxie