From 6849399ddb9276ceb3300d0403abace582db3dc4 Mon Sep 17 00:00:00 2001
From: Gary Guo
Date: Fri, 29 Nov 2024 20:33:23 +0000
Subject: [PATCH] Remove systemd's device filter configuration if any

We remove systemd's filter but it might be added back by systemd if we don't get rid of these config completely.
---
 src/runc/container.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/runc/container.rs b/src/runc/container.rs
index 4a0e486..0ef39cd 100644
--- a/src/runc/container.rs
+++ b/src/runc/container.rs
@@ -85,6 +85,22 @@ impl Container {
             }
         });
+        // runc configures systemd to also perform device filtering.
+        // The removal of systemd's filtering is insufficient since after daemon-reload (or maybe
+        // some other triggers as well), systemd will reconcile and add it back, which disrupts
+        // container-hotplug's operation.
+        // So we'll also go ahead and remove these configuration files. Ignore errors if any since
+        // the cgroup might be handled by runc directly if `--cgroup-manager=cgroupfs` is used.
+        let cgroup_name = state
+            .cgroup_paths
+            .unified
+            .file_name()
+            .context("cgroup doesn't have file name")?
+            .to_str()
+            .context("cgroup name is not UTF-8")?;
+        let _ = std::fs::remove_file(format!("/run/systemd/transient/{cgroup_name}.d/50-DeviceAllow.conf"));
+        let _ = std::fs::remove_file(format!("/run/systemd/transient/{cgroup_name}.d/50-DevicePolicy.conf"));
+
         let cgroup_device_filter: Box = if let Some(device_cgroup) = &state.cgroup_paths.devices {
             Box::new(DeviceAccessControllerV1::new(device_cgroup)?)