test_create_with_device_cgroup_rules: don't check devices.list #2940
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This test was verifying that the container has the right options set (through `docker inspect`), but also checks if the cgroup-rules are set within the container by reading `/sys/fs/cgroup/devices/devices.list` Unlike cgroups v1, on cgroups v2, there is no file interface, and rules are handled through ebpf, which means that the test will fail because this file is not present. From the Linux documentation for cgroups v2: https://github.com/torvalds/linux/blob/v5.16/Documentation/admin-guide/cgroup-v2.rst#device-controller > (...) > Device controller manages access to device files. It includes both creation of > new device files (using mknod), and access to the existing device files. > > Cgroup v2 device controller has no interface files and is implemented on top > of cgroup BPF. To control access to device files, a user may create bpf programs > of type BPF_PROG_TYPE_CGROUP_DEVICE and attach them to cgroups with > BPF_CGROUP_DEVICE flag. (...) Given that setting the right cgroups is not really a responsibility of this SDK, it should be sufficient to verify that the right options were set in the container configuration, so this patch is removing the part that checks the cgroup, to allow this test to be run on a host with cgroups v2 enabled. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
|
@aiordache @ulyssessouza ptal |
rumpl
approved these changes
Feb 8, 2022
milas
approved these changes
Jul 26, 2022
|
Hmm.. right, so I got confused a bit, because GitHub showed that this PR's commit was not part of the repository when I wanted to verify if this one was in the v6.0.0 tag; 55e3e4c
Then I noticed that the merged commit was different than the PR commit (
And.. lost my GPG signing
.. I guess this was merged with the "rebase and merge" option on GitHub? 😬 (things like the above are why I don't like that feature 😂) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #2939
relates to moby/moby#42941 (comment)
This test was verifying that the container has the right options set (through
docker inspect), but also checks if the cgroup-rules are set within thecontainer by reading
/sys/fs/cgroup/devices/devices.listUnlike cgroups v1, on cgroups v2, there is no file interface, and rules are
handled through ebpf, which means that the test will fail because this file
is not present.
From the Linux documentation for cgroups v2:
https://github.com/torvalds/linux/blob/v5.16/Documentation/admin-guide/cgroup-v2.rst#device-controller
Given that setting the right cgroups is not really a responsibility of this SDK,
it should be sufficient to verify that the right options were set in the container
configuration, so this patch is removing the part that checks the cgroup, to
allow this test to be run on a host with cgroups v2 enabled.
Signed-off-by: Sebastiaan van Stijn github@gone.nl