Skip to content

Replace Linux.Device with more specific config #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 6, 2015
Merged

Replace Linux.Device with more specific config #94

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 73 additions & 11 deletions config-linux.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,20 +55,82 @@ within the container.

### Access to devices

Devices is an array specifying the list of devices from the host to make available in the container.
By providing a device name within the list the runtime should look up the same device on the host's `/dev`
and collect information about the device node so that it can be recreated for the container. The runtime
should not only create the device inside the container but ensure that the root user inside
the container has access rights for the device.
Devices is an array specifying the list of devices to be created in the container.
Next parameters can be specified:

* type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod`
Copy link
Contributor

@laijs laijs Aug 6, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my instinct, the abbreviation of r/w/m is OK for permissions. But here, I think we should use "character", "block" and "fifo". I don't have strong reason, just feeling.

Copy link
Contributor

@mrunalp mrunalp Aug 6, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is okay as more information could be looked up in the man page.

* path - full path to device inside container
* major, minor - major, minor numbers for device. More info in `man mknod`.
There is special value: `-1`, which means `*` for `device`
cgroup setup.
* permissions - cgroup permissions for device. A composition of 'r'
(read), 'w' (write), and 'm' (mknod).
* fileMode - file mode for device file
* uid - uid of device owner
* gid - gid of device owner

```json
"devices": [
"null",
"random",
"full",
"tty",
"zero",
"urandom"
{
"path": "/dev/random",
Copy link
Member

@crosbymichael crosbymichael Aug 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably specify or describe in this doc what each of the fields mean. But overall this PR looks good

Copy link
Contributor Author

@LK4D4 LK4D4 Aug 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll combine description from docstrings.

Copy link
Contributor

@philips philips Aug 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there ever a reason not to include null, random, full, tty, zero and urandom? It seems like we should just say every container can expect to have those device nodes available without specifying.

Copy link
Contributor Author

@LK4D4 LK4D4 Aug 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, okay, thought about this just like about json example, not real config :) I'll add all from runc defaults.

Copy link
Contributor

@philips philips Aug 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LK4D4 Yes, I will file a separate issue on this one.

Copy link
Contributor

@philips philips Aug 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LK4D4 filed #95

"type": "c",
"major": 1,
"minor": 8,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/urandom",
"type": "c",
"major": 1,
"minor": 9,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/null",
"type": "c",
"major": 1,
"minor": 3,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/zero",
"type": "c",
"major": 1,
"minor": 5,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/tty",
"type": "c",
"major": 5,
"minor": 0,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
},
{
"path": "/dev/full",
"type": "c",
"major": 1,
"minor": 7,
"permissions": "rwm",
"fileMode": 0666,
"uid": 0,
"gid": 0
}
]
```

Expand Down
23 changes: 22 additions & 1 deletion spec_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

package specs

import "os"

// LinuxSpec is the full specification for Linux containers
type LinuxSpec struct {
Spec
Expand All @@ -27,7 +29,7 @@ type Linux struct {
// Capabilities are Linux capabilities that are kept for the container
Capabilities []string `json:"capabilities"`
// Devices are a list of device nodes that are created and enabled for the container
Devices []string `json:"devices"`
Devices []Device `json:"devices"`
// RootfsPropagation is the rootfs mount propagation mode for the container
RootfsPropagation string `json:"rootfsPropagation"`
}
Expand Down Expand Up @@ -157,3 +159,22 @@ type Resources struct {
// Network restriction configuration
Network Network `json:"network"`
}

type Device struct {
// Device type, block, char, etc.
Type rune `json:"type"`
// Path to the device.
Path string `json:"path"`
// Major is the device's major number.
Major int64 `json:"major"`
// Minor is the device's minor number.
Minor int64 `json:"minor"`
// Cgroup permissions format, rwm.
Permissions string `json:"permissions"`
// FileMode permission bits for the device.
FileMode os.FileMode `json:"fileMode"`
// UID of the device.
UID uint32 `json:"uid"`
// Gid of the device.
GID uint32 `json:"gid"`
}