This is an automated email from the ASF dual-hosted git repository.
bmahler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
The following commit(s) were added to refs/heads/master by this push:
new 067e14e82 [device manager] Let non-wildcards entries check device
access.
067e14e82 is described below
commit 067e14e8218acc1b95652b0452663e0c36c11043
Author: Jason Zhou <[email protected]>
AuthorDate: Thu Aug 1 14:11:45 2024 -0700
[device manager] Let non-wildcards entries check device access.
Currently, we only allow normal Entry instances for checking whether a
device access would be allowed for a cgroup.
We also want to allow NonWildcardEntry instances to be used for this check.
Review: https://reviews.apache.org/r/75135/
---
.../device_manager/device_manager.cpp | 47 ++++++++++++++--------
.../device_manager/device_manager.hpp | 1 +
2 files changed, 31 insertions(+), 17 deletions(-)
diff --git a/src/slave/containerizer/device_manager/device_manager.cpp
b/src/slave/containerizer/device_manager/device_manager.cpp
index c255880aa..fbc532d6e 100644
--- a/src/slave/containerizer/device_manager/device_manager.cpp
+++ b/src/slave/containerizer/device_manager/device_manager.cpp
@@ -45,26 +45,33 @@ namespace internal {
namespace slave {
+Entry convert_to_entry(
+ const DeviceManager::NonWildcardEntry& non_wildcard_entry)
+{
+ Entry entry;
+ entry.access = non_wildcard_entry.access;
+ entry.selector.type = [&]() {
+ switch (non_wildcard_entry.selector.type) {
+ case DeviceManager::NonWildcardEntry::Selector::Type::BLOCK:
+ return Entry::Selector::Type::BLOCK;
+ case DeviceManager::NonWildcardEntry::Selector::Type::CHARACTER:
+ return Entry::Selector::Type::CHARACTER;
+ }
+ UNREACHABLE();
+ }();
+ entry.selector.major = non_wildcard_entry.selector.major;
+ entry.selector.minor = non_wildcard_entry.selector.minor;
+ return entry;
+}
+
+
vector<Entry> convert_to_entries(
- const vector<DeviceManager::NonWildcardEntry>& non_wildcards_entries)
+ const vector<DeviceManager::NonWildcardEntry>& non_wildcard_entries)
{
vector<Entry> entries = {};
- foreach (const DeviceManager::NonWildcardEntry& non_wildcards_entry,
- non_wildcards_entries) {
- Entry entry;
- entry.access = non_wildcards_entry.access;
- entry.selector.type = [&]() {
- switch (non_wildcards_entry.selector.type) {
- case DeviceManager::NonWildcardEntry::Selector::Type::BLOCK:
- return Entry::Selector::Type::BLOCK;
- case DeviceManager::NonWildcardEntry::Selector::Type::CHARACTER:
- return Entry::Selector::Type::CHARACTER;
- }
- UNREACHABLE();
- }();
- entry.selector.major = non_wildcards_entry.selector.major;
- entry.selector.minor = non_wildcards_entry.selector.minor;
- entries.push_back(entry);
+ foreach (const DeviceManager::NonWildcardEntry& non_wildcard,
+ non_wildcard_entries) {
+ entries.push_back(convert_to_entry(non_wildcard));
}
return entries;
}
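Review bot: convert_to_entry is added without a comment, and since its result feeds the cgroup device access check its contract is worth stating above the function, e.g. `// Converts a NonWildcardEntry into the equivalent cgroups Entry; an unknown selector type hits UNREACHABLE().` The switch in the lambda has no `default:`, so an out-of-range Selector::Type reaches UNREACHABLE() instead of yielding an Entry with an arbitrary type; keeping it that way fails closed and lets the compiler flag a newly added enumerator. In convert_to_entries, `entries.reserve(non_wildcard_entries.size());` before the loop would avoid reallocations, since the output size is known up front.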
@@ -390,6 +397,12 @@ bool DeviceManager::CgroupDeviceAccess::is_access_granted(
return allowed() && !denied();
}
+bool DeviceManager::CgroupDeviceAccess::is_access_granted(
+ const DeviceManager::NonWildcardEntry& query) const
+{
+ return is_access_granted(convert_to_entry(query));
+}
+
DeviceManager::CgroupDeviceAccess::CgroupDeviceAccess(
const std::vector<cgroups::devices::Entry>& _allow_list,
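Review bot: The new overload names its parameter `query` here, while the declaration added in device_manager.hpp names it `entry`; using one name in both places (`const DeviceManager::NonWildcardEntry& entry`) keeps the declaration and definition easy to match. The diffstat lists only the two device_manager files, so nothing in this commit appears to exercise the overload. Because it decides whether device access is granted, a small test asserting that it agrees with the Entry overload for an allowed and a denied device would guard against the conversion drifting later.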
diff --git a/src/slave/containerizer/device_manager/device_manager.hpp
b/src/slave/containerizer/device_manager/device_manager.hpp
index c1bf3c35d..a987895d5 100644
--- a/src/slave/containerizer/device_manager/device_manager.hpp
+++ b/src/slave/containerizer/device_manager/device_manager.hpp
@@ -72,6 +72,7 @@ public:
// A device access is granted if it is encompassed by an allow entry
// and does not have access overlaps with any deny entry.
bool is_access_granted(const cgroups::devices::Entry& entry) const;
+ bool is_access_granted(const NonWildcardEntry& entry) const;
// Returns an error if it the allow or deny lists are not normalized.
static Try<CgroupDeviceAccess> create(