From: Wolfgang Bumiller
Date: Tue, 21 Aug 2018 07:57:59 +0000 (+0200)
Subject: fix #1874: autodev hook: setup devices cgroup
X-Git-Url: https://git.proxmox.com/?p=pve-container.git;a=commitdiff_plain;h=7b31bd8c535b9e289e0491a8a8f8f50c28777eb4

fix #1874: autodev hook: setup devices cgroup

Currently the autodev hook only adds device nodes, but in order for the container to use them we also need to add entries to the devices cgroup to both the limiting and the namespaced devices cgroup directory.

Signed-off-by: Wolfgang Bumiller
---

diff --git a/src/lxc-pve-autodev-hook b/src/lxc-pve-autodev-hook
index d8f5012..c934bfd 100755
--- a/src/lxc-pve-autodev-hook
+++ b/src/lxc-pve-autodev-hook
@@ -29,6 +29,21 @@ if (! open $fd, '<', $devlist_file) {
 die "failed to open device list: $!\n";
 }
 
+sub cgroup_do_write($$) {
+ my ($path, $value) = @_;
+ my $fd;
+ if (!open($fd, '>', $path)) {
+ warn "failed to open cgroup file $path: $!\n";
+ return 0;
+ }
+ if (!defined syswrite($fd, $value)) {
+ warn "failed to write value $value to cgroup file $path: $!\n";
+ return 0;
+ }
+ close($fd);
+ return 1;
+}
+
 while (defined(my $line = <$fd>)) {
 if ($line !~ m@^(b):(\d+):(\d+):/dev/(\S+)\s*$@) {
 warn "invalid .pve-devices entry: $line\n";
@@ -60,6 +75,16 @@ while (defined(my $line = <$fd>)) {
 chomp $mapped_name;
 symlink("/dev/$dev", "$root/dev/mapper/$mapped_name");
 }
+
+ my $cgbase = "/sys/fs/cgroup/devices/lxc/$vmid";
+ my $limitpath = "$cgbase/devices.allow";
+ my $nspath = "$cgbase/ns/devices.allow";
+ if (!cgroup_do_write($limitpath, "$type $major:$minor rwm")) {
+ warn "failed to allow access to device $dev ($major:$minor)\n";
+ }
+ if (!cgroup_do_write($nspath, "$type $major:$minor rwm")) {
+ warn "failed to allow access to device $dev ($major:$minor) inside the namespace\n";
+ }
 }

 close $fd;
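Review bot: `cgroup_do_write` reports success for any defined return from `syswrite`, so a short write would be counted as an applied rule. Cgroup control files normally accept a write whole or reject it, but comparing the count makes that assumption explicit: `my $n = syswrite($fd, $value);` followed by `if (!defined($n) || $n != length($value)) {`. The `($$)` prototype only changes how calls are parsed and validates nothing, so a plain `sub cgroup_do_write {` is the clearer form. A one-line comment such as `# Write $value to a cgroup control file; returns 1 on success, 0 (after warning) on failure.` would document the contract the callers rely on.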
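Review bot: Both `devices.allow` writes grant `rwm`, which includes mknod, although the commit message says the hook already creates the device node itself. Unless the container has to create the node again, the narrower `"$type $major:$minor rw"` would be enough on both paths. The regex at the top of the loop limits the rule to type `b` with numeric major and minor, but where the list file lives and how `$vmid` is set are outside this hunk. Every accepted line now becomes a host-side device grant, so the list must be writable only by the host, and a comment above `$cgbase` such as `# entries come from the host-written device list; never read this from a container-writable path` would record that. The enclosing loop body starts outside the hunk.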