From 5dc7ae4bebe5413e957bb52387a13fcaa0c6a6e5 Mon Sep 17 00:00:00 2001 From: Archana Shinde Date: Fri, 10 Jul 2020 10:32:48 -0700 Subject: [PATCH] device: Ease device access for rootfs device to allow node creation For docker in docker scenario, the nested container created has entry "b *:* m" in the list of devices it is allowed to access under /sys/fs/cgroup/devices/docker/{ctrid}/devices.list. This entry was causing issues while starting a nested container as we were denying "m" access to the rootfs block devices. With this change we add back "m" access, the container would be allowed to create a device node for the rootfs device but will not have read-write access to the created device node. This fixes the docker in docker use case while still making sure the container is not allowed read/write access to the rootfs. Note, this could also be fixed by simply skipping {"Type : "b"} while creating the device cgroup with libcontainer. But this seems to be undocumented behaviour at this point, hence refrained from taking this approach. Fixes #806 Signed-off-by: Archana Shinde --- device.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device.go b/device.go index ae95572f2..01ee55960 100644 --- a/device.go +++ b/device.go @@ -496,7 +496,7 @@ func updateDeviceCgroupForGuestRootfs(spec *pb.Spec) { Major: devMajor, Minor: devMinor, Type: "b", - Access: "rwm", + Access: "rw", } spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices, nvdimmCg)
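Review bot: the hunk changes `Access` from "rwm" to "rw", but the `Allow` field of the `nvdimmCg` literal is outside the shown context, so a reader of the diff alone cannot tell that this is a deny rule; the commit message ("add back m access") only reads correctly if it is, since dropping "m" from a deny entry is what permits the nested container's "b *:* m" mknod. Suggest a short comment on the struct literal stating the intent, e.g. `// Deny rw on the rootfs device but leave mknod allowed: nested containers (docker-in-docker) need "b *:* m"`, and a test asserting the entry appended to `spec.Linux.Resources.Devices` has `Access == "rw"` so a later edit does not silently restore or widen it. The comment should also note, as the commit message does, that an allowed mknod only yields a device node; read/write through that node is still denied by the same cgroup entry.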