runc update: skip devices

The runc update CLI is not able to modify devices, so let's set SkipDevices (so that a cgroup controller won't try to update devices cgroup). This helps use cases when some other device management (NVIDIA GPUs) applies its configuration on top of what runc does. Make sure we do not save SkipDevices into state.json. Signed-off-by: Kir Kolyshkin <[email protected]>
opencontainers · Jun 3, 2021 · bf7492e · bf7492e
1 parent c8653a2
commit bf7492e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/libcontainer/configs/cgroup_linux.go b/libcontainer/configs/cgroup_linux.go
@@ -127,8 +127,8 @@ type Resources struct {
 
 	// SkipDevices allows to skip configuring device permissions.
 	// Used by e.g. kubelet while creating a parent cgroup (kubepods)
-	// common for many containers.
+	// common for many containers, and by runc update.
 	//
 	// NOTE it is impossible to start a container which has this flag set.
-	SkipDevices bool `json:"skip_devices"`
+	SkipDevices bool `json:"-"`
 }
diff --git a/update.go b/update.go
@@ -329,6 +329,13 @@ other options are ignored.
 			config.IntelRdt.MemBwSchema = memBwSchema
 		}
 
+		// XXX(kolyshkin@): currently "runc update" is unable to change
+		// device configuration, so add this to skip device update.
+		// This helps in case an extra plugin (nvidia GPU) applies some
+		// configuration on top of what runc does.
+		// Note this field is not saved into container's state.json.
+		config.Cgroups.SkipDevices = true
+
 		return container.Set(config)
 	},
 }