Question: What is the equivalent of writing input into `devices.allow`?

Open allfro opened this issue 3 years ago • 1 comments

Hi there,

Apologies if this question is in the wrong place. I am trying to write a docker plugin which adds entries into devices.allow. I've successfully made it work using cgroup v1 by simply writing to the file exposed under /sys/fs/devices/docker/<cid>/devices.allow. However, in newer versions of Linux using cgroup v2, that option is no longer feasible. What is the equivalent in cgroup v2? How do I add an entry to the equivalent of devices.allow using this library?

Thanks in advance!

allfro avatar Nov 15 '22 21:11 allfro

@allfro Fairly sure it'd be through the generic Update method on the Manager. https://github.com/containerd/cgroups/blob/fc3b020f386da06f1facfddef993420644875926/cgroup2/manager.go#L257

Resources has a Device field that is a slice of OCI runtime spec LinuxDeviceCgroups that have an Allow field.

dcantah avatar Jan 04 '23 01:01 dcantah
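
Added example, not part of the thread and not code from the containerd/cgroups project: a sketch of turning a cgroup v1 `devices.allow` line into the kind of allow rule the answer above describes. `DeviceRule` is a hypothetical local stand-in with the same fields as the OCI runtime-spec `LinuxDeviceCgroup` type so the block builds with the standard library only; `ParseAllowLine` and the nil-means-wildcard encoding are this example's assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DeviceRule is a hypothetical stand-in mirroring the fields of the OCI
// runtime-spec LinuxDeviceCgroup type; it is not the library's own type.
type DeviceRule struct {
	Allow  bool
	Type   string // "a" (all), "b" (block) or "c" (char)
	Major  *int64 // nil encodes the "*" wildcard in this example
	Minor  *int64
	Access string // any combination of r (read), w (write), m (mknod)
}

// ParseAllowLine converts one cgroup v1 devices.allow entry of the form
// "type major:minor access" into an allow rule, rejecting malformed input.
func ParseAllowLine(line string) (DeviceRule, error) {
	f := strings.Fields(line)
	if len(f) != 3 || len(f[0]) != 1 || !strings.Contains("abc", f[0]) || strings.Trim(f[2], "rwm") != "" {
		return DeviceRule{}, fmt.Errorf("want 'type major:minor access', got %q", line)
	}
	r := DeviceRule{Allow: true, Type: f[0], Access: f[2]}
	nums := strings.Split(f[1], ":")
	if len(nums) != 2 {
		return DeviceRule{}, fmt.Errorf("bad major:minor %q", f[1])
	}
	for i, dst := range []**int64{&r.Major, &r.Minor} {
		if nums[i] == "*" {
			continue // wildcard: leave the pointer nil
		}
		n, err := strconv.ParseInt(nums[i], 10, 64)
		if err != nil || n < 0 {
			return DeviceRule{}, fmt.Errorf("bad device number %q", nums[i])
		}
		*dst = &n
	}
	return r, nil
}

func main() {
	// Constructed sample entry (character device 10:200, full access).
	rule, err := ParseAllowLine("c 10:200 rwm")
	fmt.Println(rule.Type, *rule.Major, *rule.Minor, rule.Access, err)
}
```

With the real library, rules of this shape would be placed in the device slice on `Resources` and applied through the manager's `Update` method, as the answer suggests. Validating the line before building a rule keeps a malformed or overly broad entry from silently widening device access.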