Ensure that devices are under /dev #1147
Clarify that device nodes need not be under `/dev`, but that the runtime needs to be informed of all the device nodes that are used by the container. Virtual-machine based runtimes such as Kata Containers need to be able to perform adjustment on device nodes, and cannot be required to deep-scan file-systems to do so.

The proposed wording was chosen to avoid any regression for any workload mounting nodes elsewhere, while at the same time clarifying that correct behaviour cannot be guaranteed if a device node is created on the host and used by the container without being passed in the devices list.

This fixes issue opencontainers#1147.

Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
Clarify that device nodes need not be under `/dev`, but that the runtimes need to be informed of all the device nodes that are used by the container. Virtual-machine based runtimes such as Kata Containers need to be able to perform adjustment on device nodes, and cannot be required to deep-scan file-systems to do so.

The proposed wording was chosen to avoid any regression for any workload mounting nodes elsewhere, while at the same time clarifying that correct behaviour cannot be guaranteed if a device node is created on the host and used by the container without being passed in the devices list.

This fixes issue opencontainers#1147.

Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
In my humble opinion, OTOH your scenario might be valid, too, so if you can either elaborate on it (does Kata containers need to explicitly find all device nodes in container filesystem? what for? is it currently only looking under /dev?), or just open a PR to modify/amend the existing wording in the spec, and we can discuss it further right there in the PR.
In the Linux device specification, all the examples indicate devices created under `/dev`. However, it is not specified if this is necessary or mandated.

We recently ran across a test that specifically puts devices under `/mnt`, and that makes me wonder if this is legitimate. This notably causes possible problems with VM-based runtimes such as Kata containers. Without specific precautions, they would be forced to scan volumes in search for device nodes, in order to make necessary adjustments.

I believe that the wording should be improved to explicitly state that devices can be placed anywhere, but that they MUST be referenced from the devices array, and not left anywhere in the file systems. (This is an update, the old suggestion was: "can only be placed under `/dev` on Linux, and that having device nodes anywhere else has undefined behaviour", but I realized this could break existing usage).
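The rule proposed in this issue (every device node the container uses is referenced from the devices array, wherever it lives) can be checked on a bundle at build time so that the runtime never has to scan. The Go sketch below is an added example, not part of the original thread or of runtime-spec; the function names, the sample config and the sample scan result are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path/filepath"
)

// Constructed sample config: /mnt/sda is declared although it is outside /dev.
const sampleConfig = `{"linux":{"devices":[
  {"path":"/dev/fuse","type":"c","major":10,"minor":229},
  {"path":"/mnt/sda","type":"b","major":8,"minor":0}]}}`

// scanDeviceNodes lists every block or character device node under rootfs.
// WalkDir does not follow symlinks, so the walk stays inside the bundle.
func scanDeviceNodes(rootfs string) (found []string, err error) {
	err = filepath.WalkDir(rootfs, func(p string, d fs.DirEntry, werr error) error {
		if werr == nil && d.Type()&fs.ModeDevice != 0 {
			rel, _ := filepath.Rel(rootfs, p)
			found = append(found, "/"+filepath.ToSlash(rel))
		}
		return werr
	})
	return found, err
}

// undeclared returns the found paths that linux.devices does not list.
func undeclared(configJSON []byte, found []string) (missing []string, err error) {
	// Only linux.devices[].path is read; encoding/json matches keys case-insensitively.
	var cfg struct{ Linux struct{ Devices []struct{ Path string } } }
	if err = json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, err
	}
	declared := map[string]bool{}
	for _, d := range cfg.Linux.Devices {
		declared[filepath.Clean(d.Path)] = true
	}
	for _, p := range found {
		if !declared[filepath.Clean(p)] {
			missing = append(missing, p)
		}
	}
	return missing, nil
}

func main() {
	// Constructed scan result; a real audit passes scanDeviceNodes("<bundle>/rootfs").
	fmt.Println(undeclared([]byte(sampleConfig), []string{"/dev/fuse", "/mnt/sda", "/mnt/stray"}))
}
```

With the constructed input, `/mnt/sda` passes because it is declared, and only `/mnt/stray` is reported.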