From 32a46614eb072906340932b1c8ff751df3a80e65 Mon Sep 17 00:00:00 2001
From: sha7khan
Date: Tue, 23 Nov 2021 10:43:40 +0530
Subject: [PATCH 1/3] Enable all devices in privileged mode

The Privileged mode in containerd driver is not adding devices from host device. This change will make the driver's privileged mode equivalent to ctr tool's privileged mode - https://github.com/containerd/containerd/blob/main/cmd/ctr/commands/run/run_unix.go#L205-L207
---
 containerd/containerd.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/containerd/containerd.go b/containerd/containerd.go
index 8ee3878..37958d8 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -149,7 +149,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 
 	// Enable privileged mode.
 	if config.Privileged {
-		opts = append(opts, oci.WithPrivileged)
+		opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices)
 	}
 
 	// WithPidsLimit sets the container's pid limit or maximum

From ae3c77d578eb127ec363ff9e7721df80b4096b74 Mon Sep 17 00:00:00 2001
From: sha7khan
Date: Sun, 5 Dec 2021 08:53:20 +0530
Subject: [PATCH 2/3] Enable oci.WithNewPrivileges in privileged mode

---
 containerd/containerd.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/containerd/containerd.go b/containerd/containerd.go
index 37958d8..83d9b8e 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -149,7 +149,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 
 	// Enable privileged mode.
 	if config.Privileged {
-		opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices)
+		opts = append(opts, oci.WithPrivileged, oci.WithAllDevicesAllowed, oci.WithHostDevices, oci.WithNewPrivileges)
 	}
 
 	// WithPidsLimit sets the container's pid limit or maximum

From b5840de3528f77b317cde0257622394e3f447a60 Mon Sep 17 00:00:00 2001
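Review bot: The context comment `// Enable privileged mode.` above the `if` no longer describes the new side, which also hands the task every host device node — as I read containerd's oci package, `WithAllDevicesAllowed` opens the devices cgroup to all devices and `WithHostDevices` walks the host's /dev at container-creation time and adds each node to the spec. I'd widen it to `// Enable privileged mode: all capabilities plus every host device node present in /dev when the container is created.` and mirror that wherever the driver documents the `privileged` task option, since operators judging a privileged task's blast radius need to know disks and other host nodes are now visible inside it. Two consequences deserve a line in the commit message as well: the device list is a snapshot, so nodes hot-plugged after start are not added, and an error enumerating /dev appears to fail container creation outright rather than starting a less-privileged task. `createContainer` begins and ends outside this hunk.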
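Review bot: `oci.WithNewPrivileges` clears `Process.NoNewPrivileges`, and because spec options are applied in slice order its effect is decided purely by position: any later entry in `opts` that sets no_new_privs (a default `oci.WithNoNewPrivileges`, if the driver has one) would silently override it, and vice versa, so the remainder of `createContainer` — which begins and ends outside this hunk — should be checked for such an option. The commit carries no description, and the ctr privileged mode cited by patch 1/3 does not include this option, so the "equivalent to ctr" rationale no longer holds; the reason (presumably letting setuid and file-capability binaries gain privileges inside a privileged task, as they do on the host) belongs in the code. I'd put it in the comment above the `if`: `// Privileged tasks also run without no_new_privs so setuid/file-capability binaries behave as on the host; this goes beyond ctr --privileged.`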
From: sha7khan
Date: Sun, 5 Dec 2021 08:58:02 +0530
Subject: [PATCH 3/3] set expected_capabilities=40 when running GHA

---
 tests/004-test-privileged.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/004-test-privileged.sh b/tests/004-test-privileged.sh
index d79f13e..3eda055 100755
--- a/tests/004-test-privileged.sh
+++ b/tests/004-test-privileged.sh
@@ -41,7 +41,7 @@ test_privileged_nomad_job() {
   # depending on the execution environment.
   expected_capabilities="37"
   if [[ "$GITHUB_ACTIONS" == "true" ]]; then
-    expected_capabilities="39"
+    expected_capabilities="40"
   fi
 
   actual_capabilities=$(nomad alloc exec -job privileged capsh --print|grep -i bounding|cut -d '=' -f 2|awk '{split($0,a,","); print a[length(a)]}')
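Review bot: `expected_capabilities="40"` is still a magic value tied to the GitHub runner's kernel, and the `awk` on the last context line prints the last entry of capsh's bounding set rather than a count, so what is really asserted is the highest capability number the task sees (presumably printed numerically because the task's libcap has no name for it); nothing in patches 1/3 or 2/3 touches capabilities, so the bump looks like a runner-image change and the commit message should say so. A sturdier check compares the task against the host it is meant to mirror and drops both constants and the `GITHUB_ACTIONS` branch: `expected_capabilities=$(grep CapBnd /proc/self/status | cut -f2)` and `actual_capabilities=$(nomad alloc exec -job privileged grep CapBnd /proc/self/status | cut -f2)`. The series also adds host devices and clears no_new_privs without any test asserting either; a `grep NoNewPrivs /proc/self/status` inside the task expecting `0`, and a check that a host block device node appears in the task's /dev, would cover the new behaviour. `test_privileged_nomad_job` starts in the hunk header and continues past the hunk.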