diff --git a/completions/fish/crio.fish b/completions/fish/crio.fish
index 888fe86a310..3996fc8b231 100644
--- a/completions/fish/crio.fish
+++ b/completions/fish/crio.fish
@@ -114,7 +114,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l read-only -d 'Setup all un
 complete -c crio -n '__fish_crio_no_subcommand' -f -l registry -r -d 'Registry to be prepended when pulling unqualified images, can be specified multiple times'
 complete -c crio -n '__fish_crio_no_subcommand' -l root -s r -r -d 'The CRI-O root directory'
 complete -c crio -n '__fish_crio_no_subcommand' -l runroot -r -d 'The CRI-O state directory'
-complete -c crio -n '__fish_crio_no_subcommand' -f -l runtimes -r -d 'OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l runtimes -r -d 'OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices'
 complete -c crio -n '__fish_crio_no_subcommand' -l seccomp-profile -r -d 'Path to the seccomp.json profile to be used as the runtime\'s default. If not specified, then the internal default seccomp profile will be used. (default: "")'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l seccomp-use-default-when-empty -r -d 'Use the default seccomp profile when an empty one is specified (default: false)'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l selinux -d 'Enable selinux support (default: false)'
diff --git a/docs/crio.8.md b/docs/crio.8.md
index e914eab612d..b29efc9be54 100644
--- a/docs/crio.8.md
+++ b/docs/crio.8.md
@@ -292,7 +292,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...] **--runroot**="": The CRI-O state directory (default: /run/containers/storage) -**--runtimes**="": OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type (default: []) +**--runtimes**="": OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices (default: []) **--seccomp-profile**="": Path to the seccomp.json profile to be used as the runtime's default. If not specified, then the internal default seccomp profile will be used. (default: "") diff --git a/internal/criocli/criocli.go b/internal/criocli/criocli.go index a66b8f4059d..7fde777576b 100644 --- a/internal/criocli/criocli.go +++ b/internal/criocli/criocli.go @@ -136,16 +136,23 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error { fields := strings.Split(r, ":") runtimeType := libconfig.DefaultRuntimeType + privilegedWithoutHostDevices := false switch len(fields) { + case 5: + if fields[4] == "true" { + privilegedWithoutHostDevices = true + } + fallthrough case 4: runtimeType = fields[3] fallthrough case 3: config.Runtimes[fields[0]] = &libconfig.RuntimeHandler{ - RuntimePath: fields[1], - RuntimeRoot: fields[2], - RuntimeType: runtimeType, + RuntimePath: fields[1], + RuntimeRoot: fields[2], + RuntimeType: runtimeType, + PrivilegedWithoutHostDevices: privilegedWithoutHostDevices, } default: return fmt.Errorf("wrong format for --runtimes: %q", r) @@ -531,7 +538,7 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag { }, &cli.StringSliceFlag{ Name: "runtimes", - Usage: "OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type", + Usage: "OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices", EnvVars: []string{"CONTAINER_RUNTIMES"}, }, &cli.StringFlag{ diff --git a/test/helpers.bash b/test/helpers.bash index 30b8d569e32..14b4740654a 100644 --- a/test/helpers.bash 
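Review bot: In the new `case 5:` branch of mergeConfig, any fifth field other than the exact string `true` silently leaves `privilegedWithoutHostDevices` false, so a mistyped value such as `ture` or `yes` is accepted and the handler is registered without the setting the operator asked for. Because this field configures how privileged containers are set up, an unparseable value should be rejected with the same `wrong format for --runtimes` error the `default` branch returns. An empty field can keep meaning false, since the test helper in this commit passes an empty fifth field by default. The fence shows the branch parsed with `strconv.ParseBool`, which assumes `strconv` is imported in this file (the hunk does not show the import block). mergeConfig starts and ends outside the hunk.

```go
		switch len(fields) {
		case 5:
			// An empty fifth field keeps the default (false); anything
			// else must parse as a boolean instead of being ignored.
			if fields[4] != "" {
				v, err := strconv.ParseBool(fields[4])
				if err != nil {
					return fmt.Errorf("wrong format for --runtimes: %q", r)
				}
				privilegedWithoutHostDevices = v
			}
			fallthrough
		// … unchanged: case 4, case 3 and default branches …
```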
+++ b/test/helpers.bash @@ -38,6 +38,7 @@ OVERRIDE_OPTIONS=${OVERRIDE_OPTIONS:-} CONTAINER_DEFAULT_RUNTIME=${CONTAINER_DEFAULT_RUNTIME:-runc} RUNTIME_BINARY_PATH=$(command -v "$CONTAINER_DEFAULT_RUNTIME") RUNTIME_TYPE=${RUNTIME_TYPE:-oci} +PRIVILEGED_WITHOUT_HOST_DEVICES=${PRIVILEGED_WITHOUT_HOST_DEVICES:-} # Path of the apparmor_parser binary. APPARMOR_PARSER_BINARY=${APPARMOR_PARSER_BINARY:-/sbin/apparmor_parser} # Path of the apparmor profile for test. @@ -260,7 +261,7 @@ function setup_crio() { RUNTIME_ROOT=${RUNTIME_ROOT:-"$TESTDIR/crio-runtime-root"} # export here so direct calls to crio later inherit the variable - export CONTAINER_RUNTIMES=${CONTAINER_RUNTIMES:-$CONTAINER_DEFAULT_RUNTIME:$RUNTIME_BINARY_PATH:$RUNTIME_ROOT:$RUNTIME_TYPE} + export CONTAINER_RUNTIMES=${CONTAINER_RUNTIMES:-$CONTAINER_DEFAULT_RUNTIME:$RUNTIME_BINARY_PATH:$RUNTIME_ROOT:$RUNTIME_TYPE:$PRIVILEGED_WITHOUT_HOST_DEVICES} # generate the default config file "$CRIO_BINARY_PATH" config --default >"$CRIO_CONFIG"
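Review bot: `PRIVILEGED_WITHOUT_HOST_DEVICES` defaults to the empty string in the first hunk, so the default `CONTAINER_RUNTIMES` built in setup_crio (second hunk) now always ends in a trailing `:`. That only works because crio currently treats an empty fifth field as false. An explicit default, `PRIVILEGED_WITHOUT_HOST_DEVICES=${PRIVILEGED_WITHOUT_HOST_DEVICES:-false}`, would keep the exported string well-formed if the parser ever becomes stricter. The new variable also lacks a comment, for example `# Fifth field of CONTAINER_RUNTIMES (privileged_without_host_devices), true or false.`. The body of setup_crio continues outside the hunk.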