[pve-devel] [PATCH container] fix #1874: autodev hook: setup devices cgroup

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Aug 21 09:57:59 CEST 2018


Currently the autodev hook only adds device nodes, but for
the container to be able to use them we also need to add
entries to the devices cgroup, in both the limiting and the
namespaced devices cgroup directories.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/lxc-pve-autodev-hook | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/lxc-pve-autodev-hook b/src/lxc-pve-autodev-hook
index d8f5012..c934bfd 100755
--- a/src/lxc-pve-autodev-hook
+++ b/src/lxc-pve-autodev-hook
@@ -29,6 +29,21 @@ if (! open $fd, '<', $devlist_file) {
     die "failed to open device list: $!\n";
 }
 
+sub cgroup_do_write($$) {
+    my ($path, $value) = @_;
+    my $fd;
+    if (!open($fd, '>', $path)) {
+	warn "failed to open cgroup file $path: $!\n";
+	return 0;
+    }
+    if (!defined syswrite($fd, $value)) {
+	warn "failed to write value $value to cgroup file $path: $!\n";
+	return 0;
+    }
+    close($fd);
+    return 1;
+}
+
 while (defined(my $line = <$fd>)) {
     if ($line !~ m@^(b):(\d+):(\d+):/dev/(\S+)\s*$@) {
 	warn "invalid .pve-devices entry: $line\n";
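Review bot: `cgroup_do_write` is declared with a `($$)` prototype, which changes how calls are parsed and forces scalar context on the arguments but validates nothing; `sub cgroup_do_write {` works the same for the two call sites this patch adds. The helper also has no comment stating its contract, for example `# Write $value to the cgroup control file $path; warns and returns 0 on failure, 1 on success.` The result of `close($fd)` is ignored, which looks harmless because `syswrite` is unbuffered and its failure is already checked. A short write (defined, but fewer bytes than `length($value)`) would still be reported as success.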
@@ -60,6 +75,16 @@ while (defined(my $line = <$fd>)) {
 	chomp $mapped_name;
 	symlink("/dev/$dev", "$root/dev/mapper/$mapped_name");
     }
+
+    my $cgbase = "/sys/fs/cgroup/devices/lxc/$vmid";
+    my $limitpath = "$cgbase/devices.allow";
+    my $nspath = "$cgbase/ns/devices.allow";
+    if (!cgroup_do_write($limitpath, "$type $major:$minor rwm")) {
+	warn "failed to allow access to device $dev ($major:$minor)\n";
+    }
+    if (!cgroup_do_write($nspath, "$type $major:$minor rwm")) {
+	warn "failed to allow access to device $dev ($major:$minor) inside the namespace\n";
+    }
 }
 close $fd;
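Review bot: Both `devices.allow` writes grant `rwm`, so every listed device gets mknod permission on top of read and write; since the hook creates the node itself, `"$type $major:$minor rw"` may be enough unless the container is expected to recreate the node. With this change each entry in the device list becomes a cgroup grant rather than only a device node, so it is worth confirming that the file behind `$devlist_file` (opened outside this hunk) is writable only from the host side. `$vmid` is interpolated into the cgroup path and its origin is not visible here; presumably it is already validated as numeric. The enclosing `while` loop starts outside this hunk.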
 
-- 
2.11.0




