
Commit 429161b

committed
cdi: add device uid/gid injection example
1 parent 7116a1d commit 429161b


2 files changed

+28
-12
lines changed


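--- a/pkg/cdi/container-edits.go
+++ b/pkg/cdi/container-edits.go
@@ -82,14 +82,24 @@ func (e *ContainerEdits) Apply(spec *oci.Spec) error {
 specgen.AddMultipleProcessEnv(e.Env)
 }
 
+var (
+uids []oci.LinuxIDMapping
+gids []oci.LinuxIDMapping
+)
+
+if specHasUserNamespace(spec) {
+uids = cloneIDMappings(spec.Linux.UIDMappings)
+gids = cloneIDMappings(spec.Linux.GIDMappings)
+}
+
 for _, d := range e.DeviceNodes {
 dn := DeviceNode{d}
 
 err := dn.fillMissingInfo()
 if err != nil {
 return err
 }
-dev := dn.toOCI()
+dev := dn.toOCI(uids, gids)
 if dev.UID == nil && spec.Process != nil {
 if uid := spec.Process.User.UID; uid > 0 {
 dev.UID = &uid
@@ -114,15 +124,6 @@ func (e *ContainerEdits) Apply(spec *oci.Spec) error {
 }
 
 if len(e.Mounts) > 0 {
-var (
-uids []oci.LinuxIDMapping
-gids []oci.LinuxIDMapping
-)
-
-if specHasUserNamespace(spec) {
-uids = cloneIDMappings(spec.Linux.UIDMappings)
-gids = cloneIDMappings(spec.Linux.GIDMappings)
-}
 for _, m := range e.Mounts {
 specgen.RemoveMount(m.ContainerPath)
 specgen.AddMount((&Mount{m}).toOCI(withMountIDMappings(uids, gids)))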
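Review bot: The device UID fallback right after `dev := dn.toOCI(uids, gids)` in the first hunk takes `spec.Process.User.UID` as-is, so a device that inherits its owner from the process user keeps the container-side id while a device with an explicit UID now receives the host-side id from the same mappings; the two paths should agree, which likely means passing that fallback through the same translation (or resolving the fallback before calling toOCI). Apply continues past the hunk, so the GID fallback and the rest of the device loop are not visible here and this is inferred from the visible lines only. A smaller point: hoisting the `var (uids, gids)` block above the device loop means the mappings are now cloned even when there are neither device nodes nor mounts; guarding it with `if len(e.DeviceNodes) > 0 || len(e.Mounts) > 0 {` keeps the previous behaviour for edits that only touch env.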

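--- a/pkg/cdi/oci.go
+++ b/pkg/cdi/oci.go
@@ -17,6 +17,7 @@ limitations under the License.
 package cdi
 
 import (
+oci "github.com/opencontainers/runtime-spec/specs-go"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -60,8 +61,8 @@ func (m *Mount) toOCI(options ...ociMountOption) spec.Mount {
 }
 
 // toOCI returns the opencontainers runtime Spec LinuxDevice for this DeviceNode.
-func (d *DeviceNode) toOCI() spec.LinuxDevice {
-return spec.LinuxDevice{
+func (d *DeviceNode) toOCI(UIDMappings, GIDMappings []oci.LinuxIDMapping) spec.LinuxDevice {
+dev := spec.LinuxDevice{
 Path: d.Path,
 Type: d.Type,
 Major: d.Major,
@@ -70,6 +71,20 @@ func (d *DeviceNode) toOCI() spec.LinuxDevice {
 UID: d.UID,
 GID: d.GID,
 }
+for _, mapping := range UIDMappings {
+if dev.UID != nil && *dev.UID >= mapping.ContainerID && *dev.UID < mapping.ContainerID+mapping.Size {
+delta := *dev.UID - mapping.ContainerID
+*dev.UID = mapping.HostID + delta
+}
+}
+
+for _, mapping := range GIDMappings {
+if dev.GID != nil && *dev.GID >= mapping.ContainerID && *dev.GID < mapping.ContainerID+mapping.Size {
+delta := *dev.GID - mapping.ContainerID
+*dev.GID = mapping.HostID + delta
+}
+}
+return dev
 }
 
 // toOCI returns the opencontainers runtime Spec LinuxIntelRdt for this IntelRdt config.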
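Review bot: `*dev.UID = mapping.HostID + delta` in the third hunk writes through the pointer copied from `d.UID`, so the translation mutates the DeviceNode (and whatever spec it was read from) rather than the returned LinuxDevice; applying the same edits a second time would translate an already-translated id, and the loop keeps iterating after a match so the new host id can be fed into a later mapping's container range. Store the result in a fresh value, `mapped := mapping.HostID + delta; dev.UID = &mapped`, and stop at the first matching range; the GID loop has the same two issues, which is why a shared helper is shown below. Separately, the first hunk imports the same package twice under the aliases `oci` and `spec`; the new parameters can use `spec.LinuxIDMapping` and follow Go's lower-case parameter naming (`uidMappings`, `gidMappings`).
```go
// mapIDToHost returns a pointer to a fresh copy of id translated through the
// first mapping whose container range contains it; the pointer passed in is
// never written to. A nil id, or one outside every range, is returned as-is.
func mapIDToHost(id *uint32, mappings []spec.LinuxIDMapping) *uint32 {
	if id == nil {
		return nil
	}
	for _, mapping := range mappings {
		if *id >= mapping.ContainerID && *id < mapping.ContainerID+mapping.Size {
			mapped := mapping.HostID + (*id - mapping.ContainerID)
			return &mapped
		}
	}
	return id
}

// … unchanged: toOCI signature and LinuxDevice literal …
	dev.UID = mapIDToHost(dev.UID, UIDMappings)
	dev.GID = mapIDToHost(dev.GID, GIDMappings)
	return dev
```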
