rootless: bind mount devices instead of creating them #3909
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
approved
|
Are there any side effects of bind-mount versus recreating the node? I can't think of any... |
giuseppe
force-pushed
the
rootless-bind-mount-dev
branch
from
6158afb
to
7e006f7
Compare
|
There are potential SELinux issues, since the devices do not have the SELinux label, But hopefully we allow the devices a non privileged user would be allowed to read/write already. LGTM |
rhatdan
reviewed
Aug 30, 2019
giuseppe
force-pushed
the
rootless-bind-mount-dev
branch
from
7e006f7
to
3ee4385
Compare
giuseppe
force-pushed
the
rootless-bind-mount-dev
branch
from
3ee4385
to
07bd848
Compare
|
/retest |
|
LGTM again. |
giuseppe
force-pushed
the
rootless-bind-mount-dev
branch
from
07bd848
to
10d34b9
Compare
vrothberg
reviewed
Sep 2, 2019
when running in rootless mode, --device creates a bind mount from the host instead of specifying the device in the OCI configuration. This is required as an unprivileged user cannot use mknod, even when root in a user namespace. Closes: containers#3905 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
eBPF requires to be root in the init namespace. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
giuseppe
force-pushed
the
rootless-bind-mount-dev
branch
from
10d34b9
to
2a115d1
Compare
provide an implementation for getDevices that skip unreadable directories for the current user. Based on the implementation from runc/libcontainer. Closes: containers#3919 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
rootless-bind-mount-dev
branch
from
2a115d1
to
759ca2c
Compare
|
disabling selinux for the devices tests did the trick. Tests are all green now |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
when running in rootless mode, --device creates a bind mount from the
host instead of specifying the device in the OCI configuration. This
is required as an unprivileged user cannot use mknod, even when root
in a user namespace.
Closes: #3905
Signed-off-by: Giuseppe Scrivano giuseppe@scrivano.org