Adjust cgroup change in libcontainer

client/fingerprint/cgroup_linux.go

@@ -15,18 +15,15 @@ const (
 // FindCgroupMountpointDir is used to find the cgroup mount point on a Linux
 // system.
 func FindCgroupMountpointDir() (string, error) {
-	mount, err := cgroups.FindCgroupMountpointDir()
+	mount, err := cgroups.GetCgroupMounts(false)
 	if err != nil {
-		switch e := err.(type) {
-		case *cgroups.NotFoundError:
-			// It's okay if the mount point is not discovered
-			return "", nil
-		default:
-			// All other errors are passed back as is
-			return "", e
-		}
+		return "", err
 	}
-	return mount, nil
+	// It's okay if the mount point is not discovered
+	if len(mount) == 0 {
+		return "", nil
+	}
+	return mount[0].Mountpoint, nil
 }
 
 // Fingerprint tries to find a valid cgroup mount point

drivers/shared/executor/executor_linux.go

@@ -28,6 +28,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	lconfigs "github.com/opencontainers/runc/libcontainer/configs"
 	ldevices "github.com/opencontainers/runc/libcontainer/devices"
+	"github.com/opencontainers/runc/libcontainer/specconv"
 	lutils "github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
@@ -599,7 +600,7 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 		"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
 	}
 
-	cfg.Devices = lconfigs.DefaultAutoCreatedDevices
+	cfg.Devices = specconv.AllowedDevices
 	if len(command.Devices) > 0 {
 		devs, err := cmdDevices(command.Devices)
 		if err != nil {
@@ -732,13 +733,14 @@ func newLibcontainerConfig(command *ExecCommand) (*lconfigs.Config, error) {
 	cfg := &lconfigs.Config{
 		Cgroups: &lconfigs.Cgroup{
 			Resources: &lconfigs.Resources{
-				AllowAllDevices:  nil,
 				MemorySwappiness: nil,
-				AllowedDevices:   lconfigs.DefaultAllowedDevices,
 			},
 		},
 		Version: "1.0.0",
 	}
+	for _, device := range specconv.AllowedDevices {
+		cfg.Cgroups.Resources.Devices = append(cfg.Cgroups.Resources.Devices, &device.DeviceRule)
+	}
 
 	if err := configureCapabilities(cfg, command); err != nil {
 		return nil, err

drivers/shared/executor/executor_linux_test.go

@@ -513,11 +513,13 @@ func TestExecutor_cmdDevices(t *testing.T) {
 	}
 
 	expected := &lconfigs.Device{
-		Path:        "/task/dev/null",
-		Type:        99,
-		Major:       1,
-		Minor:       3,
-		Permissions: "rwm",
+		DeviceRule: lconfigs.DeviceRule{
+			Type:        99,
+			Major:       1,
+			Minor:       3,
+			Permissions: "rwm",
+		},
+		Path: "/task/dev/null",
 	}
 
 	found, err := cmdDevices(input)

drivers/shared/executor/executor_universal_linux.go

@@ -9,11 +9,11 @@ import (
 
 	"github.com/containernetworking/plugins/pkg/ns"
 	multierror "github.com/hashicorp/go-multierror"
-	"github.com/hashicorp/nomad/helper"
 	"github.com/hashicorp/nomad/plugins/drivers"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	cgroupFs "github.com/opencontainers/runc/libcontainer/cgroups/fs"
 	lconfigs "github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/specconv"
 )
 
 // runAs takes a user id as a string and looks up the user, and sets the command
@@ -71,11 +71,12 @@ func (e *UniversalExecutor) runAs(userid string) error {
 func (e *UniversalExecutor) configureResourceContainer(pid int) error {
 	cfg := &lconfigs.Config{
 		Cgroups: &lconfigs.Cgroup{
-			Resources: &lconfigs.Resources{
-				AllowAllDevices: helper.BoolToPtr(true),
-			},
+			Resources: &lconfigs.Resources{},
 		},
 	}
+	for _, device := range specconv.AllowedDevices {
+		cfg.Cgroups.Resources.Devices = append(cfg.Cgroups.Resources.Devices, &device.DeviceRule)
+	}
 
 	err := configureBasicCgroups(cfg)
 	if err != nil {