-
Antonio Terceiro authored
Under cgroups v2, device access control is done with BPF programs only. When docker creates a container, it already attaches a BPF program to that container cgroup. lava-dispather-host replaces that BPF program with one of its own, that allows the regular list of devices containers can usually access (/dev/null, /dev/zero etc), plus all the devices shared with the container. Subsequent device sharing with the same container overrides that BPF program with a new one. cgroups v2 is the default on Debian 11 (bullseye), so in there we need python3-bpfcc >= 0.21. In Debian 10 (buster, base-files << 1), we don't need python3-bpfcc, bpftool and the kernel headers, since the corresponding code path will not be used anyway. Fixes: https://git.lavasoftware.org/lava/lava/-/issues/467
180cb3c1