Add manpages and bash-completion for --device-access-add and --device-access-remove

Signed-off-by: Zhai Zhaoxuan <[email protected]>
Signed-off-by: zhouhao <[email protected]>

Author: Zhai Zhaoxuan

cmd/oci-runtime-tool/generate.go

@@ -18,18 +18,6 @@ import (
 
 var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "args", Usage: "command to run in the container"},
-<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
-=======
-	cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"},
-	cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"},
-	cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"},
-	cli.StringFlag{Name: "cgroup", Usage: "cgroup namespace"},
-	cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
-	cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"},
-	cli.StringSliceFlag{Name: "device-access-add", Usage: "add a device access rule"},
-	cli.StringSliceFlag{Name: "device-access-remove", Usage: "remove a device access rule"},
-	cli.BoolFlag{Name: "disable-oom-kill", Usage: "disable OOM Killer"},
->>>>>>> generate: add --device-access-add and --device-access-remove option
 	cli.StringSliceFlag{Name: "env", Usage: "add environment variable e.g. key=value"},
 	cli.StringSliceFlag{Name: "env-file", Usage: "read in a file of environment variables"},
 	cli.StringSliceFlag{Name: "hooks-poststart", Usage: "set command to run in poststart hooks"},
@@ -75,6 +63,8 @@ var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "linux-readonly-paths", Usage: "specifies paths readonly inside container"},
 	cli.Int64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"},
 	cli.Int64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"},
+	cli.StringSliceFlag{Name: "linux-resources-device-add", Usage: "add a device access rule"},
+	cli.StringSliceFlag{Name: "linux-resources-device-remove", Usage: "remove a device access rule"},
 	cli.StringFlag{Name: "linux-rootfs-propagation", Usage: "mount propagation for rootfs"},
 	cli.StringFlag{Name: "linux-seccomp-allow", Usage: "specifies syscalls to respond with allow"},
 	cli.StringFlag{Name: "linux-seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"},
@@ -246,12 +236,15 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.SetLinuxCgroupsPath(context.String("linux-cgroups-path"))
 	}
 
-<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 	if context.IsSet("linux-masked-paths") {
 		paths := context.StringSlice("linux-masked-paths")
-=======
-	if context.IsSet("device-access-add") {
-		devices := context.StringSlice("device-access-add")
+		for _, path := range paths {
+			g.AddLinuxMaskedPaths(path)
+		}
+	}
+
+	if context.IsSet("linux-resources-device-add") {
+		devices := context.StringSlice("linux-resources-device-add")
 		for _, device := range devices {
 			dev, err := parseLinuxResourcesDeviceAccess(device, g)
 			if err != nil {
@@ -261,8 +254,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.IsSet("device-access-remove") {
-		devices := context.StringSlice("device-access-remove")
+	if context.IsSet("linux-resources-device-remove") {
+		devices := context.StringSlice("linux-resources-device-remove")
 		for _, device := range devices {
 			dev, err := parseLinuxResourcesDeviceAccess(device, g)
 			if err != nil {
@@ -272,14 +265,6 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.IsSet("masked-paths") {
-		paths := context.StringSlice("masked-paths")
->>>>>>> generate: add --device-access-add and --device-access-remove option
-		for _, path := range paths {
-			g.AddLinuxMaskedPaths(path)
-		}
-	}
-
 	if context.IsSet("linux-readonly-paths") {
 		paths := context.StringSlice("linux-readonly-paths")
 		for _, path := range paths {
@@ -850,7 +835,6 @@ func parseRlimit(rlimit string) (string, uint64, uint64, error) {
 	return parts[0], uint64(hard), uint64(soft), nil
 }
 
-<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 func parseNamespace(ns string) (string, string, error) {
 	parts := strings.SplitN(ns, ":", 2)
 	if len(parts) == 0 || parts[0] == "" {
@@ -944,7 +928,8 @@ func parseDevice(device string, g *generate.Generator) (rspec.LinuxDevice, error
 	}
 
 	return dev, nil
-=======
+}
+
 var cgroupDeviceType = map[string]bool{
 	"a": true, // all
 	"b": true, // block device
@@ -957,9 +942,9 @@ var cgroupDeviceAccess = map[string]bool{
 }
 
 // parseLinuxResourcesDeviceAccess parses the raw string passed with the --device-access-add flag
-func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspec.DeviceCgroup, error) {
+func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspec.LinuxDeviceCgroup, error) {
 	var allow bool
-	var devType, access *string
+	var devType, access string
 	var major, minor *int64
 
 	argsParts := strings.Split(device, ",")
@@ -970,7 +955,7 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 	case "deny":
 		allow = false
 	default:
-		return rspec.DeviceCgroup{},
+		return rspec.LinuxDeviceCgroup{},
 			fmt.Errorf("Only 'allow' and 'deny' are allowed in the first field of device-access-add: %s", device)
 	}
 
@@ -981,45 +966,44 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 		}
 		parts := strings.SplitN(s, "=", 2)
 		if len(parts) != 2 {
-			return rspec.DeviceCgroup{}, fmt.Errorf("Incomplete device-access-add arguments: %s", s)
+			return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Incomplete device-access-add arguments: %s", s)
 		}
 		name, value := parts[0], parts[1]
 
 		switch name {
 		case "type":
 			if !cgroupDeviceType[value] {
-				return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device type in device-access-add: %s", value)
+				return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Invalid device type in device-access-add: %s", value)
 			}
-			devType = &value
+			devType = value
 		case "major":
 			i, err := strconv.ParseInt(value, 10, 64)
 			if err != nil {
-				return rspec.DeviceCgroup{}, err
+				return rspec.LinuxDeviceCgroup{}, err
 			}
 			major = &i
 		case "minor":
 			i, err := strconv.ParseInt(value, 10, 64)
 			if err != nil {
-				return rspec.DeviceCgroup{}, err
+				return rspec.LinuxDeviceCgroup{}, err
 			}
 			minor = &i
 		case "access":
 			for _, c := range strings.Split(value, "") {
 				if !cgroupDeviceAccess[c] {
-					return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device access in device-access-add: %s", c)
+					return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Invalid device access in device-access-add: %s", c)
 				}
 			}
-			access = &value
+			access = value
 		}
 	}
-	return rspec.DeviceCgroup{
+	return rspec.LinuxDeviceCgroup{
 		Allow:  allow,
 		Type:   devType,
 		Major:  major,
 		Minor:  minor,
 		Access: access,
 	}, nil
->>>>>>> generate: add --device-access-add and --device-access-remove option
 }
 
 func addSeccomp(context *cli.Context, g *generate.Generator) error {

completions/bash/oci-runtime-tool

@@ -347,6 +347,8 @@ _oci-runtime-tool_generate() {
 		--linux-readonly-paths
 		--linux-realtime-period
 		--linux-realtime-runtime
+		--linux-resources-device-add
+		--linux-resources-device-remove
 		--linux-rootfs-propagation
 		--linux-seccomp-allow
 		--linux-seccomp-arch

generate/generate.go

@@ -1135,7 +1135,6 @@ func (g *Generator) RemoveLinuxNamespace(ns string) error {
 	return nil
 }
 
-<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 // AddDevice - add a device into g.spec.Linux.Devices
 func (g *Generator) AddDevice(device rspec.LinuxDevice) {
 	g.initSpecLinux()
@@ -1175,12 +1174,13 @@ func (g *Generator) ClearLinuxDevices() {
 	}
 
 	g.spec.Linux.Devices = []rspec.LinuxDevice{}
-=======
+}
+
 // AddLinuxResourcesDevice - add a device into g.spec.Linux.Resources.Devices
-func (g *Generator) AddLinuxResourcesDevice(allow bool, devType *string, major, minor *int64, access *string) {
+func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
 	g.initSpecLinuxResources()
 
-	device := rspec.DeviceCgroup{
+	device := rspec.LinuxDeviceCgroup{
 		Allow:  allow,
 		Type:   devType,
 		Access: access,
@@ -1191,14 +1191,14 @@ func (g *Generator) AddLinuxResourcesDevice(allow bool, devType *string, major,
 }
 
 // RemoveLinuxResourcesDevice - remove a device from g.spec.Linux.Resources.Devices
-func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType *string, major, minor *int64, access *string) {
+func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
 	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil {
 		return
 	}
 	for i, device := range g.spec.Linux.Resources.Devices {
 		if device.Allow == allow &&
-			(devType == device.Type || (devType != nil && device.Type != nil && *devType == *device.Type)) &&
-			(access == device.Access || (access != nil && device.Access != nil && *access == *device.Access)) &&
+			(devType == device.Type || (devType != "" && device.Type != "" && devType == device.Type)) &&
+			(access == device.Access || (access != "" && device.Access != "" && access == device.Access)) &&
 			(major == device.Major || (major != nil && device.Major != nil && *major == *device.Major)) &&
 			(minor == device.Minor || (minor != nil && device.Minor != nil && *minor == *device.Minor)) {
 
@@ -1207,7 +1207,6 @@ func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType *string, majo
 		}
 	}
 	return
->>>>>>> generate: add --device-access-add and --device-access-remove option
 }
 
 // strPtr returns the pointer pointing to the string s.

man/oci-runtime-tool-generate.1.md

@@ -211,6 +211,17 @@ read the configuration from `config.json`.
 **--linux-realtime-runtime**=REALTIMERUNTIME
   Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
 
+**--linux-resources-device-add**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
+  Add a device control rule.
+  allow|deny: whether the entry is allowed or denied.
+  TYPE: the device type. The value could be one of 'a' (all), 'b' (block), 'c' (character).
+  MAJOR/MINOR: the major/minor id of device.
+  ACCESS: cgroup permissions for device. A composition of r (read), w (write), and m (mknod).
+
+**--linux-resources-device-remove**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
+  Remove a device control rule.
+  The arguments is same as *--linux-resources-device-add*.
+  
 **--linux-rootfs-propagation**=PROPOGATIONMODE
   Mount propagation for root filesystem.
   Values are "shared, rshared, private, rprivate, slave, rslave"