Add privileged_without_host_devices support (#7343)
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.
More information:
* https://github.com/containerd/cri/pull/1225
* 1d0f68156b
This commit is contained in:
parent
a9c97e5253
commit
dc5df57c26
3 changed files with 4 additions and 0 deletions
|
@ -65,6 +65,7 @@ containerd_default_runtime:
|
||||||
# type: io.containerd.kata.v2
|
# type: io.containerd.kata.v2
|
||||||
# engine: ""
|
# engine: ""
|
||||||
# root: ""
|
# root: ""
|
||||||
|
# privileged_without_host_devices: true
|
||||||
containerd_runtimes: []
|
containerd_runtimes: []
|
||||||
|
|
||||||
containerd_untrusted_runtime_type: ''
|
containerd_untrusted_runtime_type: ''
|
||||||
|
|
|
@ -42,6 +42,7 @@ disabled_plugins = ["restart"]
|
||||||
runtime_type = "{{ containerd_default_runtime.type }}"
|
runtime_type = "{{ containerd_default_runtime.type }}"
|
||||||
runtime_engine = "{{ containerd_default_runtime.engine }}"
|
runtime_engine = "{{ containerd_default_runtime.engine }}"
|
||||||
runtime_root = "{{ containerd_default_runtime.root }}"
|
runtime_root = "{{ containerd_default_runtime.root }}"
|
||||||
|
privileged_without_host_devices = {{ containerd_default_runtime.privileged_without_host_devices|default(false)|lower }}
|
||||||
|
|
||||||
{% if kata_containers_enabled %}
|
{% if kata_containers_enabled %}
|
||||||
[plugins.cri.containerd.runtimes.kata-qemu]
|
[plugins.cri.containerd.runtimes.kata-qemu]
|
||||||
|
@ -55,6 +56,7 @@ disabled_plugins = ["restart"]
|
||||||
runtime_type = "{{ runtime.type }}"
|
runtime_type = "{{ runtime.type }}"
|
||||||
runtime_engine = "{{ runtime.engine }}"
|
runtime_engine = "{{ runtime.engine }}"
|
||||||
runtime_root = "{{ runtime.root }}"
|
runtime_root = "{{ runtime.root }}"
|
||||||
|
privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
[plugins.cri.containerd.untrusted_workload_runtime]
|
[plugins.cri.containerd.untrusted_workload_runtime]
|
||||||
|
|
|
@ -293,6 +293,7 @@ pinns_path = ""
|
||||||
runtime_path = "{{ runtime.path }}"
|
runtime_path = "{{ runtime.path }}"
|
||||||
runtime_type = "{{ runtime.type }}"
|
runtime_type = "{{ runtime.type }}"
|
||||||
runtime_root = "{{ runtime.root }}"
|
runtime_root = "{{ runtime.root }}"
|
||||||
|
privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
# Kata Containers with the Firecracker VMM
|
# Kata Containers with the Firecracker VMM
|
||||||
|
|
Loading…
Reference in a new issue