1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@

- Correctly launch CleanupHost process only when needed in `--sif-fuse` flow.
- Add specific error for unreadable image / overlay file.
- Ensure cgroups device limits are default allow per past behavior.

## 3.10.0-rc.1 \[2022-05-04\]

11 changes: 8 additions & 3 deletions e2e/cgroups/cgroups.go
Expand Up @@ -97,9 +97,6 @@ func (c *ctx) instanceStats(t *testing.T, profile e2e.Profile) {
e2e.ExpectOutput(e2e.ContainMatch, "MEM %"),
e2e.ExpectOutput(e2e.ContainMatch, "BLOCK I/O"),
e2e.ExpectOutput(e2e.ContainMatch, "PIDS"),
e2e.ExpectOutput(e2e.ContainMatch, "GiB"),
e2e.ExpectOutput(e2e.ContainMatch, "KiB"),
e2e.ExpectOutput(e2e.ContainMatch, "MiB"),
),
)
c.env.RunSingularity(
Expand Down Expand Up @@ -303,6 +300,14 @@ func (c *ctx) actionApply(t *testing.T, profile e2e.Profile) {
// Reason is believed to be: https://github.com/opencontainers/runc/issues/3026
rootless: false,
},
// Device access is allowed by default.
{
name: "device allow default",
args: []string{"--apply-cgroups", "testdata/cgroups/null.toml", c.env.ImagePath, "cat", "/dev/null"},
expectErrorCode: 0,
rootfull: true,
rootless: true,
},
// Device limits are properly applied only in rootful mode. Rootless will ignore them with a warning.
{
name: "device deny",
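Review bot: The new "device allow default" case (L50-L56) applies an empty TOML, so it only shows that a config with no limits at all leaves devices open; the regression the manager fix targets is a config that sets other limits but no device rules, which is the realistic input and is not covered here. Point the case at a testdata file that sets, say, a memory or pids limit and no `[devices]` section (whichever such file already exists under testdata/cgroups, if any) so the empty-`Devices` branch is exercised with otherwise non-empty resources. `/dev/null` is also one of the devices a runtime's default spec typically allows (runc's default device list includes it), so a run that passes here could still pass under a deny-all policy that carries the usual default allow-list; if a device outside that list is reliably present in both rootful and rootless runs, reading it would make the assertion sharper. actionApply's table continues outside the hunk.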
Empty file added e2e/testdata/cgroups/null.toml
Empty file.
16 changes: 16 additions & 0 deletions internal/pkg/cgroups/manager_linux.go
Expand Up @@ -141,6 +141,14 @@ func (m *Manager) UpdateFromSpec(resources *specs.LinuxResources) (err error) {
return fmt.Errorf("could not create cgroup config: %w", err)
}

// runc/libcontainer/cgroups for v2 defaults to a deny-all policy, while
// singularity has always allowed access to devices by default. If no device
// rules are provided in the spec, then skip setting them so the deny-all is
// not applied.
if len(resources.Devices) == 0 {
lcConfig.SkipDevices = true
}

err = m.cgroup.Set(lcConfig.Resources)
if err != nil {
return fmt.Errorf("while setting cgroup limits: %w", err)
Expand Down Expand Up @@ -291,6 +299,14 @@ func newManager(resources *specs.LinuxResources, group string, systemd bool) (ma
return nil, fmt.Errorf("could not create cgroup config: %w", err)
}

// runc/libcontainer/cgroups for v2 defaults to a deny-all policy, while
// singularity has always allowed access to devices by default. If no device
// rules are provided in the spec, then skip setting them so the deny-all is
// not applied.
if len(resources.Devices) == 0 {
lcConfig.SkipDevices = true
}

cgroup, err := lcmanager.New(lcConfig)
if err != nil {
return nil, fmt.Errorf("while creating cgroup manager: %w", err)
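Review bot: The SkipDevices guard is copied verbatim into both UpdateFromSpec (L73-L75) and newManager (L88-L90); a single helper keeps the two sites from drifting, e.g. `func skipDevicesIfUnset(lcConfig *configs.Cgroup, resources *specs.LinuxResources) { if len(resources.Devices) == 0 { lcConfig.SkipDevices = true } }`, or set the flag once in whatever builds lcConfig. Two caveats belong in the comment rather than being left implicit: with SkipDevices the device controller is not written at all, so the effective policy is whatever the parent cgroup or a previously applied rule set already enforces — in UpdateFromSpec an earlier deny list is therefore left in place, not reset to allow — and runc documents SkipDevices as a flag for parent cgroups, so libcontainer's "leave devices untouched" behaviour for it is not something this code should rely on without a test. Also confirm that `resources` cannot be nil on entry; the `resources.Devices` dereference is unconditional in both hunks, though code above the hunk may already guarantee it. Both functions begin outside the hunk.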