Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.2] libct/cg/sd: set the DeviceAllow property before DevicePolicy #4615

Merged
merged 1 commit into from
Feb 7, 2025
Merged

[1.2] libct/cg/sd: set the DeviceAllow property before DevicePolicy #4615

merged 1 commit into from
Feb 7, 2025

Conversation

kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Feb 5, 2025
edited
Loading

A backport of #4612 to release-1.2. Draft until that one is merged. Original description follows.

Every unit created by runc need daemon reload since systemd v230. This breaks support for NVIDIA GPUs, see
#3708 (comment)

A workaround is to set DeviceAllow before DevicePolicy.

Also:

  • add a test case (which fails before the fix) by @kolyshkin
  • better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen [email protected]

(cherry picked from commit d84388a)

@kolyshkin @wenjianhn @cyphar
libct/cg/sd: set the DeviceAllow property before DevicePolicy
9742b6c 
Every unit created by runc need daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
opencontainers#3708 (comment)

A workaround is to set DeviceAllow before DevicePolicy.

Also:
 - add a test case (which fails before the fix) by @kolyshkin
 - better explain why we need empty DeviceAllow (by @cyphar)

Fixes 4568.

Reported-by: Jian Wen <[email protected]>
Co-authored-by: Jian Wen <[email protected]>
Co-authored-by: Aleksa Sarai <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
(cherry picked from commit d84388a)
Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin kolyshkin added this to the 1.2.5 milestone Feb 5, 2025
@kolyshkin kolyshkin mentioned this pull request Feb 5, 2025
Merged
@kolyshkin kolyshkin added backport/1.2-pr A backport PR to release-1.2 area/systemd labels Feb 6, 2025
@kolyshkin kolyshkin marked this pull request as ready for review February 7, 2025 03:06
@kolyshkin
Copy link
Contributor Author

No longer a draft.

@AkihiroSuda AkihiroSuda merged commit 6635338 into opencontainers:release-1.2 Feb 7, 2025
40 checks passed
@kolyshkin kolyshkin mentioned this pull request Feb 12, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cyphar cyphar cyphar approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@xximwon xximwon xximwon approved these changes

@rata rata Awaiting requested review from rata

@lifubang lifubang Awaiting requested review from lifubang

@thaJeztah thaJeztah Awaiting requested review from thaJeztah

Assignees
No one assigned
Labels
area/systemd backport/1.2-pr A backport PR to release-1.2
Projects
None yet
Milestone
1.2.5
Development

Successfully merging this pull request may close these issues.
4 participants
@kolyshkin @cyphar @AkihiroSuda @xximwon