cdi: read XDG_CONFIG_HOME/cdi and XDG_RUNTIME_DIR/cdi for rootless#51624
cdi: read XDG_CONFIG_HOME/cdi and XDG_RUNTIME_DIR/cdi for rootless#51624thaJeztah merged 4 commits intomoby:masterfrom
Conversation
AkihiroSuda
force-pushed
the
fix-51601
branch
from
686cf5c to
c77199d
Compare
AkihiroSuda
force-pushed
the
fix-51601
branch
from
c77199d to
6f2d484
Compare
| # the CDI paths need to exist before the Docker daemon is started in | ||
| # order for it to read the CDI specification files. Otherwise, a | ||
| # Docker daemon restart will be required for the daemon to discover | ||
| # them. |
There was a problem hiding this comment.
NOTE: now the daemon has to be restarted when /etc/cdi (or /var/run/cdi) was created after starting the daemon
systemctl --user restart docker
This is not required for ~/.config/cdi and /run/user/$UID/cdi.
AkihiroSuda
force-pushed
the
fix-51601
branch
from
7fdd104 to
8a6f1a4
Compare
Fix issue 51601 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This simplifies `dockerd-rootless.sh` by removing the workaround for `CDI: Error associated with spec file /etc/cdi: failed to monitor for changes: permission denied`. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Fix using /etc/cdi entries in rootless mode: > level=warning msg="Refreshing the CDI registry generated errors" > error="failed to monitor for changes: no such file or directory\nfailed to monitor for changes: no such file or directory" Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
…ss mode Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
AkihiroSuda
force-pushed
the
fix-51601
branch
from
8a6f1a4 to
b9d18a1
Compare
| if rootless.RunningWithRootlessKit() { | ||
| // In rootless mode, we add the user-specific CDI spec directory. | ||
| xch, err := homedir.GetConfigHome() | ||
| if err != nil { |
There was a problem hiding this comment.
Perhaps a silly question, but something I've been looking at a few times; is there any reason why we wouldn't handle XDG_xxx directories when running rootful?
I'm assuming here that when running as root, the XDG_xx directories would be owned by root, so if that's the case, it wouldn't risk a non-privileged user from installing CDI-related things that would be executed as root, but it would make the logic slightly more consistent without needing special branches for rootless / non-rootless sprinkled in various parts of the code.
There was a problem hiding this comment.
That said; what does CDI itself define for this? Having a quick glance at the README (https://github.com/cncf-tags/container-device-interface), it mentions;
CDI file containing updates for the OCI spec in JSON or YAML format (with a .json or .yaml file extension, respectively) should be present in a CDI spec directory. The default directories are /etc/cdi and /var/run/cdi, but may depend on your runtime configuration
So, should adding XDG directories be something that's ideally also defined in the CDI specification?
There was a problem hiding this comment.
Perhaps a silly question, but something I've been looking at a few times; is there any reason why we wouldn't handle XDG_xxx directories when running rootful?
Just because we have not been using XDG dirs for other components in rootful.
I think this can be discussed in a separate issue/PR.
3 participants
- What I did
Commit 1:
cdi: read XDG_CONFIG_HOME/cdi and XDG_RUNTIME_DIR/cdi for rootlessFix #51601
Commit 2:
cdi: skip scanning non-readable dirsThis simplifies
dockerd-rootless.shby removing the workaround forCDI: Error associated with spec file /etc/cdi: failed to monitor for changes: permission denied.- How I did it
See the commits
- How to verify it
For commit 1
cdi: read XDG_CONFIG_HOME/cdi and XDG_RUNTIME_DIR/cdi for rootless, create~/.config/cdi/foo.yamlas follows, and rundocker run --rm --device example.com/foo=foo alpine ls -l /dev/null2Try the same with
/run/user/$UID/cdi,/etc/cdi, and/var/run/cditoo.For commit 2
cdi: skip scanning non-readable dirs:sudo mkdir -p -m /etc/cdi dockerd-rootless-setuptool.sh install docker info # no error- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)