From 8f5a69373b0afb2dea2bfe2a282c90114ebfb7a4 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Tue, 26 May 2020 00:30:47 -0700
Subject: [PATCH] virtcontainers: apply constraints to the sandbox cgroup

Kata relies on the cgroup parent created and configured by the container engine, but sometimes the sandbox cgroup is not configured and the container may have access to all the resources, hence the runtime must constrain the sandbox and update the list of devices with the devices hotplugged in the hypervisor.

Fixes: kata-containers/runtime#2605

Signed-off-by: Julio Montes
Signed-off-by: Peng Tao
---
 src/runtime/virtcontainers/sandbox.go | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
index 93dfbfe9e..5b65da3c1 100644
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -641,11 +641,22 @@ func (s *Sandbox) createCgroupManager() error {
 	if spec != nil {
 		cgroupPath = spec.Linux.CgroupsPath
-		// kata should rely on the cgroup created and configured by
-		// container engine *only* if actual container was
-		// marked *explicitly* as sandbox through annotations.
-		if !s.config.HasCRIContainerType {
-			resources = *spec.Linux.Resources
+		// Kata relies on the cgroup parent created and configured by the container
+		// engine, but sometimes the sandbox cgroup is not configured and the container
+		// may have access to all the resources, hence the runtime must constrain the
+		// sandbox and update the list of devices with the devices hotplugged in the
+		// hypervisor.
+		resources = *spec.Linux.Resources
+	}
+
+	if s.devManager != nil {
+		for _, d := range s.devManager.GetAllDevices() {
+			dev, err := vccgroups.DeviceToLinuxDevice(d.GetHostPath())
+			if err != nil {
+				s.Logger().WithError(err).WithField("device", d.GetHostPath()).Warn("Could not add device to sandbox resources")
+				continue
+			}
+			resources.Devices = append(resources.Devices, dev)
 		}
 	}