diff --git a/pkg/nvcdi/spec/builder.go b/pkg/nvcdi/spec/builder.go
index 6379ad0f..32b27f8d 100644
--- a/pkg/nvcdi/spec/builder.go
+++ b/pkg/nvcdi/spec/builder.go
@@ -18,6 +18,7 @@ package spec
 import (
 	"fmt"
+	"os"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
 	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
@@ -33,6 +34,7 @@ type builder struct {
 	edits specs.ContainerEdits
 	format string
 	noSimplify bool
+	permissions os.FileMode
 }
 // newBuilder creates a new spec builder with the supplied options
@@ -60,7 +62,9 @@ func newBuilder(opts ...Option) *builder {
 	if s.format == "" {
 		s.format = FormatYAML
 	}
-
+	if s.permissions == 0 {
+		s.permissions = 0600
+	}
 	return s
 }
@@ -157,3 +161,10 @@ func WithRawSpec(raw *specs.Spec) Option {
 		o.raw = raw
 	}
 }
+
+// WithPermissions sets the permissions for the generated spec file
+func WithPermissions(permissions os.FileMode) Option {
+	return func(o *builder) {
+		o.permissions = permissions
+	}
+}
diff --git a/pkg/nvcdi/spec/spec.go b/pkg/nvcdi/spec/spec.go
index 2bb26a71..999220b7 100644
--- a/pkg/nvcdi/spec/spec.go
+++ b/pkg/nvcdi/spec/spec.go
@@ -28,7 +28,8 @@ import (
 type spec struct {
 	*specs.Spec
-	format string
+	format string
+	permissions os.FileMode
 }
 var _ Interface = (*spec)(nil)
@@ -51,7 +52,15 @@ func (s *spec) Save(path string) error {
 		cdi.WithSpecDirs(specDir),
 	)
-	return registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path))
+	if err := registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path)); err != nil {
+		return fmt.Errorf("failed to write spec: %w", err)
+	}
+
+	if err := os.Chmod(path, s.permissions); err != nil {
+		return fmt.Errorf("failed to set permissions on spec file: %w", err)
+	}
+
+	return nil
 }
 // WriteTo writes the spec to the specified writer.
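Review bot: The `WithPermissions` doc comment in builder.go does not say what the mode is used for or that the zero guard in `newBuilder` turns an explicit `0` into the default, so a caller cannot tell that `WithPermissions(0)` yields `0600`: `// WithPermissions sets the file mode that Save applies to the written spec file; a zero value selects the default of 0600.` The bare literal in `newBuilder` is better expressed as a named constant (`const defaultSpecPermissions os.FileMode = 0600`) so the default is discoverable from one place and can be reused by `Save` rather than re-implied there. The same default should be documented on the `permissions` field of `builder`, which is added in the preceding hunk without a comment.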
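Review bot: In `Save`, `os.Chmod` only runs after `WriteSpec` has already created the file with whatever mode the registry chooses, so the spec is briefly on disk with that wider mode, and the chmod is applied to `path` while the registry wrote to `filepath.Join(specDir, filepath.Base(path))` — if the registry normalizes the name (for example by appending an extension) or `specDir` is not `filepath.Dir(path)`, the chmod fails or lands on a different file, and since `os.Chmod` follows symlinks a symlink at `path` would have its target's mode changed instead. A `spec` whose `permissions` was never populated would also chmod the file to mode 0, because the zero-value default lives in `newBuilder` and not here; a local guard such as `mode := s.permissions; if mode == 0 { mode = 0600 }` before the chmod keeps `Save` safe on its own. To remove the window entirely, create the file with the requested mode up front (`os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, s.permissions)`) and stream the spec through the existing `WriteTo`, keeping the post-write chmod only where the registry must perform the write. `Save` begins outside the hunk, so the derivation of `specDir` is not visible here and this is inferred from the call on the first context line.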