From aea1a85bb4a8cc4d76289b30180f6a1c1c6bc0fb Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Thu, 7 Jul 2022 11:29:54 +0200
Subject: [PATCH 1/2] Update vendored runc version

Signed-off-by: Evan Lezar
---
 go.mod | 1 +
 go.sum | 4 +++-
 vendor/modules.txt | 3 ++-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 3a681c67..49be9135 100644
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ require (
 	github.com/NVIDIA/go-nvml v0.11.6-0
 	github.com/container-orchestrated-devices/container-device-interface v0.4.1-0.20220614144320-dc973e22f674
 	github.com/containers/podman/v4 v4.0.3
+	github.com/opencontainers/runc v1.1.3
 	github.com/opencontainers/runtime-spec v1.0.3-0.20211214071223-8958f93039ab
 	github.com/pelletier/go-toml v1.9.4
 	github.com/sirupsen/logrus v1.8.1
diff --git a/go.sum b/go.sum
index 3b13ac5b..8bd79c5a 100644
--- a/go.sum
+++ b/go.sum
@@ -951,8 +951,9 @@ github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84
 github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
-github.com/opencontainers/runc v1.1.2 h1:2VSZwLx5k/BfsBxMMipG/LYUnmqOD/BPkIVgQUcTlLw=
 github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
+github.com/opencontainers/runc v1.1.3 h1:vIXrkId+0/J2Ymu2m7VjGvbSlAId9XNRPhn2p4b+d8w=
+github.com/opencontainers/runc v1.1.3/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -1078,6 +1079,7 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg
 github.com/sebdah/goldie/v2 v2.5.3/go.mod h1:oZ9fp0+se1eapSRjfYbsV/0Hqhbuu3bJVvKI/NNtssI=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a247ce3b..67d60341 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -24,7 +24,8 @@ github.com/fsnotify/fsnotify
 github.com/hashicorp/errwrap
 # github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-multierror
-# github.com/opencontainers/runc v1.1.2
+# github.com/opencontainers/runc v1.1.3
+## explicit
 github.com/opencontainers/runc/libcontainer/devices
 # github.com/opencontainers/runtime-spec v1.0.3-0.20211214071223-8958f93039ab
 ## explicit

From b68b3c543b846da18f9733a3f87399a36e879ca1 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Thu, 7 Jul 2022 11:30:53 +0200
Subject: [PATCH 2/2] Use device host path to determine properties

This mirrors what is done in cri-o and allows for devices nodes from, for example, the driver container to be injected into a container at /dev instead of /dev

Signed-off-by: Evan Lezar
---
 internal/edits/device.go | 35 +++++++++++++++++++++++++++--------
 internal/edits/edits.go | 6 +++++-
 2 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/internal/edits/device.go b/internal/edits/device.go
index 4dd6a303..aca095e3 100644
--- a/internal/edits/device.go
+++ b/internal/edits/device.go
@@ -17,32 +17,51 @@ package edits
 
 import (
+	"fmt"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
 	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+
+	"github.com/opencontainers/runc/libcontainer/devices"
 )
 
 type device discover.Device
 
 // toEdits converts a discovered device to CDI Container Edits.
-func (d device) toEdits() *cdi.ContainerEdits {
+func (d device) toEdits() (*cdi.ContainerEdits, error) {
+	deviceNode, err := d.toSpec()
+	if err != nil {
+		return nil, err
+	}
+
 	e := cdi.ContainerEdits{
 		ContainerEdits: &specs.ContainerEdits{
-			DeviceNodes: []*specs.DeviceNode{d.toSpec()},
+			DeviceNodes: []*specs.DeviceNode{deviceNode},
 		},
 	}
 
-	return &e
+	return &e, nil
 }
 
 // toSpec converts a discovered Device to a CDI Spec Device. Note
 // that missing info is filled in when edits are applied by querying the Device node.
-func (d device) toSpec() *specs.DeviceNode {
-	// NOTE: We may want to mirror what is done in cri-o w.r.t src (Host) and dst (Container) paths
-	// to ensure that the right permissions are included.
+func (d device) toSpec() (*specs.DeviceNode, error) {
+	// NOTE: This mirrors what cri-o does.
 	// https://github.com/cri-o/cri-o/blob/ca3bb80a3dda0440659fcf8da8ed6f23211de94e/internal/config/device/device.go#L93
+	// This can be removed once https://github.com/container-orchestrated-devices/container-device-interface/issues/72 is addressed
+	dev, err := devices.DeviceFromPath(d.HostPath, "rwm")
+	if err != nil {
+		return nil, fmt.Errorf("failed to query device node %v: %v", d.HostPath, err)
+	}
 	s := specs.DeviceNode{
-		Path: d.Path,
+		Path:     d.Path,
+		Type:     string(dev.Type),
+		Major:    dev.Major,
+		Minor:    dev.Minor,
+		FileMode: &dev.FileMode,
+		UID:      &dev.Uid,
+		GID:      &dev.Gid,
 	}
 
-	return &s
+	return &s, nil
 }
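Review bot: The error returned from `devices.DeviceFromPath` in `toSpec` is formatted with `%v`, which discards the cause; wrapping it — `return nil, fmt.Errorf("failed to query device node %q: %w", d.HostPath, err)` — lets `NewSpecEdits` and its callers tell a host path that is missing apart from one that exists but is not a device node (`errors.Is(err, devices.ErrNotADevice)`), which matters now that an arbitrary host path is stat'ed and its mode and ownership are copied into the injected spec. The doc comment on `toSpec` is stale after this change: it still says missing info is filled in when the edits are applied, whereas the type, major/minor, file mode and uid/gid are now populated here from the node at `d.HostPath`, so it should read something like `// toSpec converts a discovered Device to a CDI Spec Device, populating the device properties (type, major/minor, mode, uid/gid) from the node at d.HostPath.` The `"rwm"` literal passed to `DeviceFromPath` only ends up in the returned `Permissions`, which this struct literal does not copy into the spec, so a one-line comment such as `// "rwm" is only a placeholder for DeviceFromPath; Permissions are not propagated here.` would stop a reader from taking it as the cgroup access being granted.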
diff --git a/internal/edits/edits.go b/internal/edits/edits.go
index 4f4ee150..14e79b7b 100644
--- a/internal/edits/edits.go
+++ b/internal/edits/edits.go
@@ -51,7 +51,11 @@ func NewSpecEdits(logger *logrus.Logger, d discover.Discover) (oci.SpecModifier,
 	c := cdi.ContainerEdits{}
 
 	for _, d := range devices {
-		c.Append(device(d).toEdits())
+		edits, err := device(d).toEdits()
+		if err != nil {
+			return nil, fmt.Errorf("failed to created container edits for device: %v", err)
+		}
+		c.Append(edits)
 	}
 
 	for _, m := range mounts {
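Review bot: The new error message inside the `devices` loop has a typo ("failed to created") and flattens the cause with `%v`; `return nil, fmt.Errorf("failed to create container edits for device %v: %w", d.Path, err)` fixes the wording, names the device being rejected, and wraps with `%w` so callers can inspect the underlying error. `NewSpecEdits` begins before and continues past this hunk, and whether `fmt` is already imported in edits.go is not visible here, though the absence of an import hunk in the diffstat suggests it is.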