-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75006/#review226706
-----------------------------------------------------------


src/slave/containerizer/device_manager/device_manager.cpp
Lines 258 (patched)
<https://reviews.apache.org/r/75006/#comment314967>

    We remove the entry's accesses if its major, minor and type match those of diff_entry.


src/slave/containerizer/device_manager/device_manager.cpp
Lines 303 (patched)
<https://reviews.apache.org/r/75006/#comment314968>

    If the wildcard_selector's type/major/minor fields aren't a wildcard and do not match the removal entry, then there is no overlap. Otherwise, there is potential overlap between the existing_allow_entry and the removal entry, and we will have to create a new deny entry.


src/slave/containerizer/device_manager/device_manager.cpp
Lines 326 (patched)
<https://reviews.apache.org/r/75006/#comment314969>

    For the accesses of the new deny entry to be inserted, we only set them to true if they are specified by an overlapping wildcard AND by the removal entry itself.


src/tests/device_manager_tests.cpp
Lines 317 (patched)
<https://reviews.apache.org/r/75006/#comment314971>

    Entries `c 3:1 rm` and `c 3:1 rw` only overlap for the read access. Hence, the read access is removed from the `c 3:1 rm` in the original deny list, and only `c 3:1 m` is left.


src/tests/device_manager_tests.cpp
Lines 328 (patched)
<https://reviews.apache.org/r/75006/#comment314970>

    The wildcard has accesses rm, the removal entry has accesses rw, the only overlapping access is r, so we insert it into the deny list.


- Jason Zhou


On July 22, 2024, 6:50 p.m., Jason Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75006/
> -----------------------------------------------------------
> 
> (Updated July 22, 2024, 6:50 p.m.)
> 
> 
> Review request for mesos and Benjamin Mahler.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This change introduces the DeviceManagerProcess to help facilitate
> device access management in cgroups2 via ebpf program file changes.
> 
> Device requests can be made to the manager by calling
> `configure` or `reconfigure`. Note that `configure`
> should only be used when setting up a cgroup's device access, i.e. it
> has not requested any device to be allowed/denied before.
> In addition, `reconfigure` cannot be used to add deny entries containing
> wildcards.
> This manager will be made available to all controllers under the
> cgroups2 isolator, and the GPU isolator.
> 
> 
> Diffs
> -----
> 
>   src/CMakeLists.txt ea0fee1bbaed6f2494e9b9739bb65812a4a0042b
>   src/Makefile.am 03eb0cc28ee18da7f1a13f35a7e3255e56869b56
>   src/slave/containerizer/device_manager/device_manager.hpp PRE-CREATION
>   src/slave/containerizer/device_manager/device_manager.cpp PRE-CREATION
>   src/tests/containerizer/cgroups2_tests.cpp 3982e25987c40bc3748bc9be4e7b19c5b53dc211
>   src/tests/device_manager_tests.cpp PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/75006/diff/21/
> 
> 
> Testing
> -------
> 
> Added unit tests for DeviceManager to test configure and reconfigure, as well
> as DeviceManager::CgroupDeviceAccess::is_access_granted. All unit tests pass.
> 
> 
> Thanks,
> 
> Jason Zhou
> 
>
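
The overlap rules described in the review comments above, written out as an added C++ example; it is not part of the review request and is not the Mesos implementation. The `Entry` struct, `ANY`, the treatment of type `a` as "any type", and the functions `strip_accesses` and `deny_for_removal` are assumptions made for this example.

```cpp
#include <vector>

// Simplified stand-in for this example; not the Mesos classes.
const int ANY = -1;  // models the '*' wildcard for major/minor

struct Entry {
  char type;                 // 'c', 'b', or 'a' meaning any device type
  int dev_major, dev_minor;  // device numbers, or ANY
  bool r, w, m;              // read, write, mknod
};

bool has_access(const Entry& e) { return e.r || e.w || e.m; }

bool is_wildcard(const Entry& e) {
  return e.type == 'a' || e.dev_major == ANY || e.dev_minor == ANY;
}

// No overlap if any non-wildcard field of `sel` differs from `e`.
bool overlaps(const Entry& sel, const Entry& e) {
  return (sel.type == 'a' || sel.type == e.type) &&
         (sel.dev_major == ANY || sel.dev_major == e.dev_major) &&
         (sel.dev_minor == ANY || sel.dev_minor == e.dev_minor);
}

// Exact type/major/minor match: strip the accesses named by `diff`. Dropping
// entries left with no access is an assumption of this model.
std::vector<Entry> strip_accesses(const std::vector<Entry>& list, const Entry& diff) {
  std::vector<Entry> kept;
  for (Entry e : list) {
    if (e.type == diff.type && e.dev_major == diff.dev_major &&
        e.dev_minor == diff.dev_minor) {
      e.r = e.r && !diff.r;
      e.w = e.w && !diff.w;
      e.m = e.m && !diff.m;
    }
    if (has_access(e)) kept.push_back(e);
  }
  return kept;
}

// Deny entry to add when `removal` is still covered by wildcard allow entries.
// An access is set only if an overlapping wildcard AND the removal both name
// it; a result with no access set means no deny entry is needed.
Entry deny_for_removal(const std::vector<Entry>& allow, const Entry& removal) {
  Entry deny = {removal.type, removal.dev_major, removal.dev_minor, false, false, false};
  for (const Entry& a : allow) {
    if (!is_wildcard(a) || !overlaps(a, removal)) continue;
    deny.r = deny.r || (a.r && removal.r);
    deny.w = deny.w || (a.w && removal.w);
    deny.m = deny.m || (a.m && removal.m);
  }
  return deny;
}
```

With a deny list holding `c 3:1 rm` and a diff entry `c 3:1 rw`, `strip_accesses` leaves `c 3:1 m`; with a constructed wildcard allow entry `c 3:* rm` and the removal `c 3:1 rw`, `deny_for_removal` yields `c 3:1 r`.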
