From dc5df57c262efd4f856295f7f67813568a527f25 Mon Sep 17 00:00:00 2001
From: Victor Morales <chipahuac@hotmail.com>
Date: Mon, 8 Mar 2021 00:17:44 -0800
Subject: [PATCH] Add privileged_without_host_devices support (#7343)

When a container runs as privileged, every host device node under
`/dev/*` (character as well as block devices) is exposed inside the
container. The `privileged_without_host_devices` flag, set per runtime,
prevents host devices from being passed to privileged containers.

More information:
* https://github.com/containerd/cri/pull/1225
* https://github.com/cri-o/cri-o/commit/1d0f68156ba382651c776a44f156614c4fcf981d
---
 roles/container-engine/containerd/defaults/main.yml        | 1 +
 roles/container-engine/containerd/templates/config.toml.j2 | 2 ++
 roles/container-engine/cri-o/templates/crio.conf.j2        | 1 +
 3 files changed, 4 insertions(+)

diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index 1138f835a..470e96d2e 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -65,6 +65,7 @@ containerd_default_runtime:
 #     type: io.containerd.kata.v2
 #     engine: ""
 #     root: ""
+#     privileged_without_host_devices: true
 containerd_runtimes: []
 
 containerd_untrusted_runtime_type: ''
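Review bot: The new example line `#     privileged_without_host_devices: true` on the kata entry gives no hint of what the option does, that it defaults to false, or why it is shown on kata rather than runc; an operator copying it onto a runc entry would, going by the commit description, cut every privileged pod on the node off from host devices, which device plugins and node agents commonly depend on. I would add two comment lines above it: `#     # keep host /dev/* nodes out of privileged containers (default: false);` and `#     # meant for VM-based runtimes such as kata, where host device nodes are unusable in the guest`. The runtime-entry example this line belongs to starts above the hunk.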
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 9ed28ef53..0f0f80ba0 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -42,6 +42,7 @@ disabled_plugins = ["restart"]
   runtime_type = "{{ containerd_default_runtime.type }}"
   runtime_engine = "{{ containerd_default_runtime.engine }}"
   runtime_root = "{{ containerd_default_runtime.root }}"
+  privileged_without_host_devices = {{ containerd_default_runtime.privileged_without_host_devices|default(false)|lower }}
 
 {% if kata_containers_enabled %}
 [plugins.cri.containerd.runtimes.kata-qemu]
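Review bot: The `[plugins.cri.containerd.runtimes.kata-qemu]` table opened on the last line of this hunk is the runtime the commit's own defaults example targets, yet it is not visibly given `privileged_without_host_devices`; its body lies outside the hunk, so if it lacks the key, a privileged pod scheduled to kata-qemu via `kata_containers_enabled` still receives the host's `/dev/*` nodes, which is precisely the case this flag exists for. If that is so, add `privileged_without_host_devices = true` to that table, or drive it from a dedicated variable such as `{{ kata_containers_privileged_without_host_devices|default(true)|lower }}` so it stays overridable. For the default runtime rendered here, `default(false)` is the right choice: a true value on a runc default would break privileged workloads that rely on host devices.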
@@ -55,6 +56,7 @@ disabled_plugins = ["restart"]
   runtime_type = "{{ runtime.type }}"
   runtime_engine = "{{ runtime.engine }}"
   runtime_root = "{{ runtime.root }}"
+  privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
 {% endfor %}
 
 [plugins.cri.containerd.untrusted_workload_runtime]
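Review bot: `privileged_without_host_devices` is rendered unconditionally for every entry of `containerd_runtimes`, but the key only exists in containerd builds that include containerd/cri#1225; on an older containerd the TOML decoder presumably ignores the unknown key rather than rejecting it, so an operator who sets it to true gets no error while privileged containers keep receiving host devices — a silent fail-open. I would gate the line on the role's containerd version variable if one exists, or at least document the constraint above it: `# requires a containerd release containing containerd/cri#1225; older versions ignore this key silently`. Consider also `|default(false)|bool|lower` so that YAML strings such as `"yes"` render as valid TOML `true` instead of the bare word `yes`, which containerd would reject at startup. The `{% for %}` loop this line sits in opens above the hunk.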
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 7cb9f93b6..493744c20 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -293,6 +293,7 @@ pinns_path = ""
 runtime_path = "{{ runtime.path }}"
 runtime_type = "{{ runtime.type }}"
 runtime_root = "{{ runtime.root }}"
+privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
 {% endfor %}
 
 # Kata Containers with the Firecracker VMM
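Review bot: The same `privileged_without_host_devices` key is written into every `[crio.runtime.runtimes.*]` table this `{% for %}` loop (opened above the hunk) renders, including runc-style OCI runtimes; setting it to true on such a runtime removes host device access from every privileged pod on the node, which tends to break device plugins and node-level agents that use privileged mode for `/dev` access. The option appears aimed at VM-based runtimes, where host device nodes are meaningless inside the guest, and only CRI-O builds containing the referenced cri-o commit recognise it — an older CRI-O presumably ignores the unknown key silently, so a true value yields no error and no protection. A comment above the line would save operators a surprise: `# Only honoured by CRI-O releases that know privileged_without_host_devices; intended for VM-based runtimes (kata), not runc`. The Firecracker kata section announced by the comment after the hunk is outside view; confirm it receives the same key.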
-- 
GitLab