Add manpages and bash-completion for --device-access-add and --device-access-remove

Signed-off-by: Zhai Zhaoxuan <[email protected]>
Signed-off-by: zhouhao <[email protected]>

Author: Zhai Zhaoxuan

cmd/oci-runtime-tool/generate.go

@@ -40,6 +40,8 @@ var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "linux-device-add", Usage: "add a device which must be made available in the container"},
 	cli.StringSliceFlag{Name: "linux-device-remove", Usage: "remove a device which must be made available in the container"},
 	cli.BoolFlag{Name: "linux-device-remove-all", Usage: "remove all devices which must be made available in the container"},
+	cli.StringSliceFlag{Name: "linux-device-cgroup-add", Usage: "add a device access rule"},
+	cli.StringSliceFlag{Name: "linux-device-cgroup-remove", Usage: "remove a device access rule"},
 	cli.BoolFlag{Name: "linux-disable-oom-kill", Usage: "disable OOM Killer"},
 	cli.StringSliceFlag{Name: "linux-gidmappings", Usage: "add GIDMappings e.g HostID:ContainerID:Size"},
 	cli.StringSliceFlag{Name: "linux-hugepage-limits-add", Usage: "add hugepage resource limits"},
@@ -63,8 +65,6 @@ var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "linux-readonly-paths", Usage: "specifies paths readonly inside container"},
 	cli.Int64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"},
 	cli.Int64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"},
-	cli.StringSliceFlag{Name: "linux-resources-device-add", Usage: "add a device access rule"},
-	cli.StringSliceFlag{Name: "linux-resources-device-remove", Usage: "remove a device access rule"},
 	cli.StringFlag{Name: "linux-rootfs-propagation", Usage: "mount propagation for rootfs"},
 	cli.StringFlag{Name: "linux-seccomp-allow", Usage: "specifies syscalls to respond with allow"},
 	cli.StringFlag{Name: "linux-seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"},
@@ -243,8 +243,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.IsSet("linux-resources-device-add") {
-		devices := context.StringSlice("linux-resources-device-add")
+	if context.IsSet("linux-device-cgroup-add") {
+		devices := context.StringSlice("linux-device-cgroup-add")
 		for _, device := range devices {
 			dev, err := parseLinuxResourcesDeviceAccess(device, g)
 			if err != nil {
@@ -254,8 +254,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		}
 	}
 
-	if context.IsSet("linux-resources-device-remove") {
-		devices := context.StringSlice("linux-resources-device-remove")
+	if context.IsSet("linux-device-cgroup-remove") {
+		devices := context.StringSlice("linux-device-cgroup-remove")
 		for _, device := range devices {
 			dev, err := parseLinuxResourcesDeviceAccess(device, g)
 			if err != nil {
@@ -835,7 +835,6 @@ func parseRlimit(rlimit string) (string, uint64, uint64, error) {
 	return parts[0], uint64(hard), uint64(soft), nil
 }
 
-<<<<<<< 9e0e42dbf918070406a2a4a2e1476e7350ba9129
 func parseNamespace(ns string) (string, string, error) {
 	parts := strings.SplitN(ns, ":", 2)
 	if len(parts) == 0 || parts[0] == "" {
@@ -943,7 +942,7 @@ var cgroupDeviceAccess = map[string]bool{
 }
 
 // parseLinuxResourcesDeviceAccess parses the raw string passed with the --device-access-add flag
-func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspec.DeviceCgroup, error) {
+func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspec.LinuxDeviceCgroup, error) {
 	var allow bool
 	var devType, access string
 	var major, minor *int64
@@ -956,7 +955,7 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 	case "deny":
 		allow = false
 	default:
-		return rspec.DeviceCgroup{},
+		return rspec.LinuxDeviceCgroup{},
 			fmt.Errorf("Only 'allow' and 'deny' are allowed in the first field of device-access-add: %s", device)
 	}
 
@@ -967,38 +966,38 @@ func parseLinuxResourcesDeviceAccess(device string, g *generate.Generator) (rspe
 		}
 		parts := strings.SplitN(s, "=", 2)
 		if len(parts) != 2 {
-			return rspec.DeviceCgroup{}, fmt.Errorf("Incomplete device-access-add arguments: %s", s)
+			return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Incomplete device-access-add arguments: %s", s)
 		}
 		name, value := parts[0], parts[1]
 
 		switch name {
 		case "type":
 			if !cgroupDeviceType[value] {
-				return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device type in device-access-add: %s", value)
+				return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Invalid device type in device-access-add: %s", value)
 			}
-			devType = &value
+			devType = value
 		case "major":
 			i, err := strconv.ParseInt(value, 10, 64)
 			if err != nil {
-				return rspec.DeviceCgroup{}, err
+				return rspec.LinuxDeviceCgroup{}, err
 			}
 			major = &i
 		case "minor":
 			i, err := strconv.ParseInt(value, 10, 64)
 			if err != nil {
-				return rspec.DeviceCgroup{}, err
+				return rspec.LinuxDeviceCgroup{}, err
 			}
 			minor = &i
 		case "access":
 			for _, c := range strings.Split(value, "") {
 				if !cgroupDeviceAccess[c] {
-					return rspec.DeviceCgroup{}, fmt.Errorf("Invalid device access in device-access-add: %s", c)
+					return rspec.LinuxDeviceCgroup{}, fmt.Errorf("Invalid device access in device-access-add: %s", c)
 				}
 			}
-			access = &value
+			access = value
 		}
 	}
-	return rspec.DeviceCgroup{
+	return rspec.LinuxDeviceCgroup{
 		Allow:  allow,
 		Type:   devType,
 		Major:  major,

completions/bash/oci-runtime-tool

@@ -326,6 +326,8 @@ _oci-runtime-tool_generate() {
 		--linux-cpu-shares
 		--linux-device-add
 		--linux-device-remove
+		--linux-device-cgroup-add
+		--linux-device-cgroup-remove
 		--linux-gidmappings
 		--linux-hugepage-limits-add
 		--linux-hugepage-limits-drop

generate/generate.go

@@ -1177,10 +1177,10 @@ func (g *Generator) ClearLinuxDevices() {
 }
 
 // AddLinuxResourcesDevice - add a device into g.spec.Linux.Resources.Devices
-func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access *string) {
+func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
 	g.initSpecLinuxResources()
 
-	device := rspec.DeviceCgroup{
+	device := rspec.LinuxDeviceCgroup{
 		Allow:  allow,
 		Type:   devType,
 		Access: access,
@@ -1191,7 +1191,7 @@ func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, m
 }
 
 // RemoveLinuxResourcesDevice - remove a device from g.spec.Linux.Resources.Devices
-func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access *string) {
+func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
 	if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil {
 		return
 	}

man/oci-runtime-tool-generate.1.md

@@ -121,6 +121,17 @@ read the configuration from `config.json`.
 **--linux-device-remove-all**=true|false
   Remove all devices for linux inside the container. The default is *false*.
 
+**--linux-device-cgroup-add**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
+  Add a device control rule.
+  allow|deny: whether the entry is allowed or denied.
+  TYPE: the device type. The value could be one of 'a' (all), 'b' (block), 'c' (character).
+  MAJOR/MINOR: the major/minor id of device.
+  ACCESS: cgroup permissions for device. A composition of r (read), w (write), and m (mknod).
+
+**--linux-device-cgroup-remove**=allow|deny[,type=TYPE][,major=MAJOR][,minor=MINOR][,access=ACCESS]
+  Remove a device control rule.
+  The arguments is same as *--linux-device-cgroup-add*.
+  
 **--linux-disable-oom-kill**=true|false
   Whether to disable OOM Killer for the container or not.