fix #1874: autodev hook: setup devices cgroup

Currently the autodev hook only adds device nodes, but in
order for the container to use them we also need to add
entries to the devices cgroup to both the limiting and the
namespaced devices cgroup directory.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/lxc-pve-autodev-hook b/src/lxc-pve-autodev-hook
index d8f5012e4828e0f9d9242055f10cbd047686ae0b..c934bfde06bed8a90b434d9965b4f0e24145bc49 100755 (executable)
--- a/src/lxc-pve-autodev-hook
+++ b/src/lxc-pve-autodev-hook
@@ -29,6 +29,21 @@ if (! open $fd, '<', $devlist_file) {
     die "failed to open device list: $!\n";
 }
 
+sub cgroup_do_write($$) {
+    my ($path, $value) = @_;
+    my $fd;
+    if (!open($fd, '>', $path)) {
+       warn "failed to open cgroup file $path: $!\n";
+       return 0;
+    }
+    if (!defined syswrite($fd, $value)) {
+       warn "failed to write value $value to cgroup file $path: $!\n";
+       return 0;
+    }
+    close($fd);
+    return 1;
+}
+
 while (defined(my $line = <$fd>)) {
     if ($line !~ m@^(b):(\d+):(\d+):/dev/(\S+)\s*$@) {
        warn "invalid .pve-devices entry: $line\n";
@@ -60,6 +75,16 @@ while (defined(my $line = <$fd>)) {
        chomp $mapped_name;
        symlink("/dev/$dev", "$root/dev/mapper/$mapped_name");
     }
+
+    my $cgbase = "/sys/fs/cgroup/devices/lxc/$vmid";
+    my $limitpath = "$cgbase/devices.allow";
+    my $nspath = "$cgbase/ns/devices.allow";
+    if (!cgroup_do_write($limitpath, "$type $major:$minor rwm")) {
+       warn "failed to allow access to device $dev ($major:$minor)\n";
+    }
+    if (!cgroup_do_write($nspath, "$type $major:$minor rwm")) {
+       warn "failed to allow access to device $dev ($major:$minor) inside the namespace\n";
+    }
 }
 close $fd;