Skip to content

[1.2] libct/cg/sd: set the DeviceAllow property before DevicePolicy#4615

Merged
AkihiroSuda merged 1 commit intoopencontainers:release-1.2from
kolyshkin:1.2-4612
Feb 7, 2025
Merged

[1.2] libct/cg/sd: set the DeviceAllow property before DevicePolicy#4615
AkihiroSuda merged 1 commit intoopencontainers:release-1.2from
kolyshkin:1.2-4612

Conversation

@kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Feb 5, 2025
edited
Loading

A backport of #4612 to release-1.2. Draft until that one is merged. Original description follows.

Every unit created by runc need daemon reload since systemd v230. This breaks support for NVIDIA GPUs, see
#3708 (comment)

A workaround is to set DeviceAllow before DevicePolicy.

Also:

  • add a test case (which fails before the fix) by @kolyshkin
  • better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen wenjianhn@gmail.com

(cherry picked from commit d84388a)

@kolyshkin @wenjianhn @cyphar
libct/cg/sd: set the DeviceAllow property before DevicePolicy
9742b6c 
Every unit created by runc need daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
opencontainers#3708 (comment)

A workaround is to set DeviceAllow before DevicePolicy.

Also:
 - add a test case (which fails before the fix) by @kolyshkin
 - better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Jian Wen <wenjianhn@gmail.com>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d84388a)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin added this to the 1.2.5 milestone Feb 5, 2025
@kolyshkin kolyshkin mentioned this pull request Feb 5, 2025
Merged
@kolyshkin kolyshkin added backport/1.2-pr A backport PR to release-1.2 area/systemd labels Feb 6, 2025
@kolyshkin kolyshkin marked this pull request as ready for review February 7, 2025 03:06
@kolyshkin
Copy link
Contributor Author

kolyshkin commented Feb 7, 2025

No longer a draft.

@AkihiroSuda AkihiroSuda merged commit 6635338 into opencontainers:release-1.2 Feb 7, 2025
40 checks passed
@kolyshkin kolyshkin mentioned this pull request Feb 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cyphar cyphar cyphar approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@rata rata Awaiting requested review from rata

@lifubang lifubang Awaiting requested review from lifubang

@thaJeztah thaJeztah Awaiting requested review from thaJeztah

Assignees

No one assigned

Labels

area/systemd backport/1.2-pr A backport PR to release-1.2

Projects

None yet

Milestone

1.2.5

Development

Successfully merging this pull request may close these issues.

3 participants

@kolyshkin @cyphar @AkihiroSuda