Skip to content

cdi,SPECS.md: allow empty cgroup permissions. #301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
klihub wants to merge 1 commit into
base: main
Choose a base branch
from
Open

cdi,SPECS.md: allow empty cgroup permissions. #301

klihub wants to merge 1 commit into from
+78 −6

Conversation

@klihub
Copy link
Contributor

@klihub klihub commented Dec 16, 2025
edited
Loading

Allow injecting devices with empty cgroup permissions, requested by the "none" permission string or the new pkg/cdi.NoPermissions constant.

Fixes #300

@klihub
Copy link
Contributor Author

klihub commented Dec 16, 2025

/cc @oOraph

@klihub klihub requested a review from elezar December 16, 2025 11:03
@klihub klihub mentioned this pull request Dec 16, 2025
Open
@klihub
Copy link
Contributor Author

klihub commented Dec 17, 2025
edited
Loading

@elezar According to @oOraph this would be useful outside the CRI domain for you guys. He also said you can share a bit more context about why and how.

kad
kad approved these changes Jan 19, 2026
View reviewed changes
Copy link
Contributor

@kad kad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks ok to me.

@klihub
Copy link
Contributor Author

klihub commented Jan 20, 2026

@elezar PTAL, if you have a few spare cycles.

elezar
elezar previously requested changes Jan 20, 2026
View reviewed changes
Copy link
Contributor

@elezar elezar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addition of none as a special case looks good. I do think that the device validation needs to be properly updated for this though.

@oOraph
Copy link

oOraph commented Jan 20, 2026

hello, thanks for this pull request. Since the cdi is generic it may still be worth adding the none case. I just want to mention some runc specificity regarding permissions that would make the none case ineffective for this runtime:
opencontainers/runc#5073
because none would be equivalent to "m" anyway (which is already possible). This is not the only implem concerned though so, so it might still be worth adding it :)

@klihub klihub force-pushed the devel/allow-empty-cgroup-permissions branch from 4d1f56c to f8d98e4 Compare January 20, 2026 10:59
@klihub
cdi,SPECS.md: allow empty cgroup permissions.
df2a787 
Allow injecting devices with empty cgroup permissions, requested by
the "none" permission string, also defined as pkg/cdi.NoPermissions.

Signed-off-by: Krisztian Litkey <[email protected]>
@klihub klihub force-pushed the devel/allow-empty-cgroup-permissions branch from f8d98e4 to df2a787 Compare January 20, 2026 11:03
@klihub klihub requested a review from elezar January 20, 2026 11:04
@elezar elezar dismissed their stale review January 20, 2026 12:28

Changes applied.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kad kad kad approved these changes

@elezar elezar Awaiting requested review from elezar

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CDI spec does not allow empty permissions for device nodes

4 participants

@klihub @oOraph @kad @elezar