This repository has been archived by the owner on May 12, 2021. It is now read-only.

device: Do not allow container access to the nvdimm rootfs #792

Merged

Conversation

amshinde
Member

@amshinde amshinde commented Jun 3, 2020

With this change, a container is no longer given access to
the underlying nvdimm root partition.
This is done by explicitly adding the nvdimm root partition
to the device cgroup of the container.

Fixes #791

Signed-off-by: Archana Shinde archana.m.shinde@intel.com
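The mechanism described in the PR description, a device-cgroup deny entry for the guest's rootfs device node, as an added illustration that is not the kata-containers agent's own code. It assumes a local `DeviceRule` type shaped like an OCI runtime-spec `LinuxDeviceCgroup` entry and decodes the Linux `dev_t` encoding from `syscall.Stat_t.Rdev` with the standard library only; the device path `/dev/pmem0p1` is taken from the hunk below and is only a default for the stand-alone run.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// DeviceRule is a hypothetical local type shaped like an OCI runtime-spec
// LinuxDeviceCgroup entry: Allow=false turns it into a deny rule.
type DeviceRule struct {
	Allow  bool
	Type   string // "b" for block devices, "c" for character devices
	Major  int64
	Minor  int64
	Access string // any subset of "rwm" (read, write, mknod)
}

// splitDev decodes a Linux dev_t (the Rdev field of syscall.Stat_t) into
// major and minor numbers using the kernel's 64-bit dev_t layout.
func splitDev(rdev uint64) (major, minor int64) {
	major = int64(((rdev >> 8) & 0xfff) | ((rdev >> 32) &^ 0xfff))
	minor = int64((rdev & 0xff) | ((rdev >> 12) &^ 0xff))
	return major, minor
}

// DenyRule builds a rule that denies read, write and mknod on one device.
// Denying "m" as well stops the container from recreating the node under
// another name inside its own /dev.
func DenyRule(typ string, major, minor int64) DeviceRule {
	return DeviceRule{Allow: false, Type: typ, Major: major, Minor: minor, Access: "rwm"}
}

// DenyRuleForDevice stats an existing device node (e.g. the rootfs partition)
// and returns the deny rule covering it, so the rule follows whatever
// major:minor the device actually has at runtime.
func DenyRuleForDevice(path string) (DeviceRule, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return DeviceRule{}, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return DeviceRule{}, fmt.Errorf("%s: no Stat_t available on this platform", path)
	}
	var typ string
	switch {
	case fi.Mode()&os.ModeCharDevice != 0: // ModeCharDevice implies ModeDevice, so test it first
		typ = "c"
	case fi.Mode()&os.ModeDevice != 0:
		typ = "b"
	default:
		return DeviceRule{}, fmt.Errorf("%s: not a device node", path)
	}
	major, minor := splitDev(uint64(st.Rdev))
	return DenyRule(typ, major, minor), nil
}

// CgroupV1Line renders the rule in the "TYPE MAJOR:MINOR ACCESS" format that
// the cgroup v1 devices.deny / devices.allow files accept.
func (r DeviceRule) CgroupV1Line() string {
	return fmt.Sprintf("%s %d:%d %s", r.Type, r.Major, r.Minor, r.Access)
}

func main() {
	// Default path is the one the PR hardcodes; any device node can be given instead.
	path := "/dev/pmem0p1"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	rule, err := DenyRuleForDevice(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("deny rule for %s: %s (allow=%v)\n", path, rule.CgroupV1Line(), rule.Allow)
}
```

The order in which such rules land in the container spec matters: a deny entry for the rootfs device has to come after the usual catch-all allow (`a *:* rwm`) that grants the default device set, because the device controller applies the list in order and a later entry overrides an earlier one for the same device.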

@amshinde
Member Author

amshinde commented Jun 3, 2020

/test


@devimc devimc left a comment


thanks @amshinde - just one comment

device.go Outdated
@@ -50,6 +50,7 @@ var (
getPCIDeviceName = getPCIDeviceNameImpl
getDevicePCIAddress = getDevicePCIAddressImpl
scanSCSIBus = scanSCSIBusImpl
rootfsNvdimmDisk = "/dev/pmem0p1"
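Review bot: Hardcoding the rootfs device as `rootfsNvdimmDisk = "/dev/pmem0p1"` in this `var` block ties the deny rule to one enumeration (the first nvdimm, first partition); if the guest ever boots from a different pmem device or partition layout, the cgroup entry would deny the wrong node and the real rootfs stays reachable. Suggest resolving the rootfs device at runtime (for example from the device backing `/` in the mount table) and keeping the string only as a fallback or test fixture.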

@devimc devimc Jun 3, 2020


I think there is a different way to get the rootfs device

amshinde (Member Author)


@devimc PR updated. PTAL



thanks

@amshinde amshinde requested a review from jcvenegas June 3, 2020 15:51
@codecov

codecov bot commented Jun 3, 2020

Codecov Report

Merging #792 into master will increase coverage by 0.18%.
The diff coverage is 80.00%.

@@            Coverage Diff             @@
##           master     #792      +/-   ##
==========================================
+ Coverage   60.26%   60.45%   +0.18%     
==========================================
  Files          17       17              
  Lines        2640     2655      +15     
==========================================
+ Hits         1591     1605      +14     
- Misses        890      891       +1     
  Partials      159      159              

With this change, a container is no longer given access to
the underlying nvdimm root partition.
This is done by explicitly adding the nvdimm root partition
to the device cgroup of the container.

Fixes kata-containers#791

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
@amshinde amshinde force-pushed the deny-nvdimm-devices-access branch from 75e275f to a88af32 Compare June 3, 2020 16:52
@amshinde
Member Author

amshinde commented Jun 3, 2020

/test

@devimc

devimc commented Jun 3, 2020

restarting ubuntu CI

Successfully merging this pull request may close these issues.

Explicitly deny any access to the nvdimm root partition