From dc5df57c262efd4f856295f7f67813568a527f25 Mon Sep 17 00:00:00 2001
From: Victor Morales
Date: Mon, 8 Mar 2021 00:17:44 -0800
Subject: [PATCH] Add privileged_without_host_devices support (#7343)

When privileged is enabled for a container, all the `/dev/*` block devices from the host are mounted into the guest. The `privileged_without_host_devices` flag prevents host devices from being passed to privileged containers.
More information:
* https://github.com/containerd/cri/pull/1225
* https://github.com/cri-o/cri-o/commit/1d0f68156ba382651c776a44f156614c4fcf981d
---
 roles/container-engine/containerd/defaults/main.yml | 1 +
 roles/container-engine/containerd/templates/config.toml.j2 | 2 ++
 roles/container-engine/cri-o/templates/crio.conf.j2 | 1 +
 3 files changed, 4 insertions(+)

diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index 1138f835a43..470e96d2e37 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -65,6 +65,7 @@ containerd_default_runtime:
 # type: io.containerd.kata.v2
 # engine: ""
 # root: ""
+# privileged_without_host_devices: true
 containerd_runtimes: []
 containerd_untrusted_runtime_type: ''
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 9ed28ef5392..0f0f80ba0d6 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -42,6 +42,7 @@ disabled_plugins = ["restart"]
 runtime_type = "{{ containerd_default_runtime.type }}"
 runtime_engine = "{{ containerd_default_runtime.engine }}"
 runtime_root = "{{ containerd_default_runtime.root }}"
+ privileged_without_host_devices = {{ containerd_default_runtime.privileged_without_host_devices|default(false)|lower }}
 {% if kata_containers_enabled %}
 [plugins.cri.containerd.runtimes.kata-qemu]
@@ -55,6 +56,7 @@ disabled_plugins = ["restart"]
 runtime_type = "{{ runtime.type }}"
 runtime_engine = "{{ runtime.engine }}"
 runtime_root = "{{ runtime.root }}"
+ privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
 {% endfor %}
 [plugins.cri.containerd.untrusted_workload_runtime]
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 7cb9f93b63a..493744c2082 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -293,6 +293,7 @@ pinns_path = ""
 runtime_path = "{{ runtime.path }}"
 runtime_type = "{{ runtime.type }}"
 runtime_root = "{{ runtime.root }}"
+privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
 {% endfor %}
 # Kata Containers with the Firecracker VMM
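Review bot: The added `privileged_without_host_devices` line in the `@@ -42` hunk of config.toml.j2 renders the inventory value into TOML after only `|default(false)|lower`, so a YAML-style spelling such as `yes` or `on` (which the commented example in defaults/main.yml does nothing to discourage) reaches containerd as a bare non-boolean token rather than `true`/`false`, and containerd's config load would presumably fail on it; coercing first, `privileged_without_host_devices = {{ containerd_default_runtime.privileged_without_host_devices|default(false)|bool|lower }}`, always emits a valid TOML boolean. The same applies to the `runtime.privileged_without_host_devices` line in this file's `@@ -55` hunk and to the crio.conf.j2 hunk. Defaulting to `false` preserves the previous behaviour — privileged containers keep receiving every host `/dev/*` node — which is the right backward-compatible choice for OCI runtimes, but for a VM-based runtime the key is normally wanted `true`; the `kata-qemu` table that begins right after this hunk is not wired to the new variable, so confirm it sets the key itself. The `default_runtime` table these lines belong to starts above the hunk.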
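Review bot: The diffstat shows no cri-o defaults file in this patch, so the new per-runtime key added in the crio.conf.j2 hunk is documented only by the commented containerd example in `roles/container-engine/containerd/defaults/main.yml`; an operator defining cri-o runtimes has nothing to tell them the key exists or that it defaults to `false`. A matching commented entry next to the cri-o runtime list definition (outside this diff), e.g. `# privileged_without_host_devices: false  # default; set true for VM-based runtimes`, would make it discoverable on that side as well. The `{% for %}` loop that the visible `{% endfor %}` closes starts above the hunk.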