config-linux: Clarify where device nodes can be created #1148
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
c3d
requested review from
crosbymichael,
cyphar,
dqminh,
giuseppe,
hqhq,
mrunalp,
tianon and
vbatts
as code owners
c3d
force-pushed
the
issue/1147-device-location
branch
from
e59594d to
78c1161
Compare
|
A relevant issue in OpenShift sandboxed containers can be found here |
giuseppe
reviewed
May 3, 2022
c3d
force-pushed
the
issue/1147-device-location
branch
from
78c1161 to
30370e6
Compare
|
@TomSweeneyRedHat If this looks good to you, could you please change the status of your review to match? |
|
Ping? |
AkihiroSuda
reviewed
Aug 10, 2022
config-linux.md
Outdated
| @@ -126,6 +127,12 @@ Each entry has the following structure: | |||
|
|
|||
| The same `type`, `major` and `minor` SHOULD NOT be used for multiple devices. | |||
|
|
|||
| Containers MAY NOT access any device node that is not explicitly referenced in | |||
| the **`devices`** array. Rationale: runtimes based on virtual machines need to | |||
There was a problem hiding this comment.
Conflicts with the configLinuxDefaultDevices section
There was a problem hiding this comment.
@AkihiroSuda Good point. Reworded to indicate this.
AkihiroSuda
requested changes
Aug 10, 2022
Clarify that device nodes need not be under `/dev`, but that the runtimes need to be informed of all the device nodes that are used by the container. Virtual-machine based runtimes such as Kata Containers need to be able to perform adjustment on device nodes, and cannot be required to deep-scan file-systems to do so. The proposed wording was chosen to avoid any regression for any workload mounding nodes elsewhere, while at the same time clarifying that correct behaviour cannot be guaranteed if a device node is created on the host and used by the container without being passed in the devices list. This fixes issue opencontainers#1147. Signed-off-by: Christophe de Dinechin <[email protected]>
c3d
force-pushed
the
issue/1147-device-location
branch
from
30370e6 to
3565df5
Compare
AkihiroSuda
approved these changes
Jan 24, 2023
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Clarify that device nodes need not be under
/dev, but that the runtime need tobe informed of all the device nodes that are used by the
container.
Virtual-machine based runtimes such as Kata Containers need to be able to
perform adjustment on device nodes, and cannot be required to deep-scan
file-systems to do so.
The proposed wording was chosen to avoid any regression for any workload
mounding nodes elsewhere, while at the same time clarifying that correct
behaviour cannot be guaranteed if a device node is created on the host and used
by the container without being passed in the devices list.
This fixes issue #1147.
Signed-off-by: Christophe de Dinechin [email protected]