From e59594d0ba4108526ed86e77469903c05185d237 Mon Sep 17 00:00:00 2001 From: Christophe de Dinechin Date: Tue, 3 May 2022 12:33:21 +0200 Subject: [PATCH] config-linux: Clarify where device nodes can be created Clarify that device nodes need not be under `/dev`, but that the runtime need to be informed of all the device nodes that are used by the container. Virtual-machine based runtimes such as Kata Containers need to be able to perform adjustment on device nodes, and cannot be required to deep-scan file-systems to do so. The proposed wording was chosen to avoid any regression for any workload mounding nodes elsewhere, while at the same time clarifying that correct behaviour cannot be guaranteed if a device node is created on the host and used by the container without being passed in the devices list. This fixes issue #1147. Signed-off-by: Christophe de Dinechin --- config-linux.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config-linux.md b/config-linux.md index 178361f34..7e49f1a27 100644 --- a/config-linux.md +++ b/config-linux.md @@ -118,6 +118,7 @@ Each entry has the following structure: More info in [mknod(1)][mknod.1]. * **`path`** *(string, REQUIRED)* - full path to device inside container. If a [file][] already exists at `path` that does not match the requested device, the runtime MUST generate an error. + The path MAY be anywhere in the container filesystem, notably outside of `/dev`. * **`major, minor`** *(int64, REQUIRED unless `type` is `p`)* - [major, minor numbers][devices] for the device. * **`fileMode`** *(uint32, OPTIONAL)* - file mode for the device. You can also control access to devices [with cgroups](#configLinuxDeviceAllowedlist). @@ -126,6 +127,12 @@ Each entry has the following structure: The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices. +Containers MUST NOT access any device node that is not explicitly referenced in +the **`devices`** array. Rationale: runtimes based on virtual machines need to +be able to adjust the node devices, and accessing device nodes that were not +adjusted could have undefined behaviour. + + ### Example ```json