rootless: bind mount devices instead of creating them #3909
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Are there any side effects of bind-mount versus recreating the node? I can't think of any...
Force-pushed from 6158afb to 7e006f7.
There are potential SELinux issues, since the devices do not have the SELinux label, but hopefully we allow the devices a non-privileged user would be allowed to read/write already. LGTM
Force-pushed from 7e006f7 to 3ee4385.
Force-pushed from 3ee4385 to 07bd848.
/retest
LGTM again.
Force-pushed from 07bd848 to 10d34b9.
Just one nit (in case a rebase/repush is required).
Otherwise, LGTM
When running in rootless mode, --device creates a bind mount from the host instead of specifying the device in the OCI configuration. This is required as an unprivileged user cannot use mknod, even when root in a user namespace.
Closes: containers#3905
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>

eBPF requires to be root in the init namespace.
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Force-pushed from 10d34b9 to 2a115d1.
Provide an implementation for getDevices that skips unreadable directories for the current user. Based on the implementation from runc/libcontainer.
Closes: containers#3919
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Force-pushed from 2a115d1 to 759ca2c.
Disabling SELinux for the devices tests did the trick. Tests are all green now.
LGTM
/lgtm