Add manpages and bash-completion for --device-access-add and --device-access-remove

Signed-off-by: Zhai Zhaoxuan <[email protected]>
Signed-off-by: zhouhao <[email protected]>

Author: Zhai Zhaoxuan

Diff for: cmd/oci-runtime-tool/generate.go

@@ -835,7 +835,6 @@ func parseRlimit(rlimit string) (string, uint64, uint64, error) {
 	return parts[0], uint64(hard), uint64(soft), nil
 }
 
-<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 func parseNamespace(ns string) (string, string, error) {
 	parts := strings.SplitN(ns, ":", 2)
 	if len(parts) == 0 || parts[0] == "" {
@@ -943,7 +942,7 @@ var cgroupDeviceAccess = map[string]bool{
 }
 
 // parseLinuxResourcesDeviceAccess parses the raw string passed with the --device-access-add flag
-func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspec.DeviceCgroup, error) {
+func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspec.LinuxDeviceCgroup, error) {
 	var allow bool
 	var devType, access string
 	var major, minor *int64
@@ -956,7 +955,7 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 	case "deny":
 		allow = false
 	default:
-		return rspec.DeviceCgroup{},
+		return rspec.LinuxDeviceCgroup{},
 			fmt.Errorf("Only 'allow' and 'deny' are allowed in the first field of device-access-add: %s", device)
 	}
 
@@ -967,38 +966,38 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 		}
 		parts := strings.SplitN(s, "=", 2)
 		if len(parts) != 2 {
-			return rspec.DeviceCgroup{}, fmt.Errorf("Incomplete device-access-add arguments: %s", s)
+			return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Incomplete device-access-add arguments: %s", s)
 		}
 		name, value := parts[0], parts[1]
 
 		switch name {
 		case "type":
 			if !cgroupDeviceType[value] {
-				return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device type in device-access-add: %s", value)
+				return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Invalid device type in device-access-add: %s", value)
 			}
-			devType = &value
+			devType = value
 		case "major":
 			i, err := strconv.ParseInt(value, 10, 64)
 			if err != nil {
-				return rspec.DeviceCgroup{}, err
+				return rspec.LinuxDeviceCgroup{}, err
 			}
 			major = &i
 		case "minor":
 			i, err := strconv.ParseInt(value, 10, 64)
 			if err != nil {
-				return rspec.DeviceCgroup{}, err
+				return rspec.LinuxDeviceCgroup{}, err
 			}
 			minor = &i
 		case "access":
 			for _, c := range strings.Split(value, "") {
 				if !cgroupDeviceAccess[c] {
-					return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device access in device-access-add: %s", c)
+					return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Invalid device access in device-access-add: %s", c)
 				}
 			}
-			access = &value
+			access = value
 		}
 	}
-	return rspec.DeviceCgroup{
+	return rspec.LinuxDeviceCgroup{
 		Allow:  allow,
 		Type:   devType,
 		Major:  major,

Diff for: completions/bash/oci-runtime-tool

@@ -347,6 +347,8 @@ _oci-runtime-tool_generate() {
 		--linux-readonly-paths
 		--linux-realtime-period
 		--linux-realtime-runtime
+		--linux-resources-device-add
+		--linux-resources-device-remove
 		--linux-rootfs-propagation
 		--linux-seccomp-allow
 		--linux-seccomp-arch

Diff for: generate/generate.go

@@ -1177,10 +1177,10 @@ func (g *Generator) ClearLinuxDevices() {
 }
 
 // AddLinuxResourcesDevice - add a device into g.spec.Linux.Resources.Devices
-func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access *string) {
+func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
 	g.initSpecLinuxResources()
 
-	device := rspec.DeviceCgroup{
+	device := rspec.LinuxDeviceCgroup{
 		Allow:  allow,
 		Type:   devType,
 		Access: access,
@@ -1191,7 +1191,7 @@ func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, m
 }
 
 // RemoveLinuxResourcesDevice - remove a device from g.spec.Linux.Resources.Devices
-func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access *string) {
+func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
 	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil {
 		return
 	}

Diff for: man/oci-runtime-tool-generate.1.md

@@ -211,6 +211,17 @@ read the configuration from `config.json`.
 **--linux-realtime-runtime**=REALTIMERUNTIME
   Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
 
+**--linux-resources-device-add**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
+  Add a device control rule.
+  allow|deny: whether the entry is allowed or denied.
+  TYPE: the device type. The value could be one of 'a' (all), 'b' (block), 'c' (character).
+  MAJOR/MINOR: the major/minor id of device.
+  ACCESS: cgroup permissions for device. A composition of r (read), w (write), and m (mknod).
+
+**--linux-resources-device-remove**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
+  Remove a device control rule.
+  The arguments is same as *--linux-resources-device-add*.
+  
 **--linux-rootfs-propagation**=PROPOGATIONMODE
   Mount propagation for root filesystem.
   Values are "shared, rshared, private, rprivate, slave, rslave"