Merge pull request #9353 from openshift-cherrypick-robot/cherry-pick-9296-to-release-1.31

openshift-merge-bot[bot] · web-flow · commit 3a7cdabffa82 · 2025-07-18T19:21:16.000Z
[release-1.31] server,factory/container: delay CDI device injection later.
diff --git a/internal/factory/container/container.go b/internal/factory/container/container.go
@@ -110,6 +110,9 @@ type Container interface {
 	// SpecAddDevices adds devices from the server config, and container CRI config
 	SpecAddDevices([]device.Device, []device.Device, bool, bool) error
 
+	// SpecInjectCDIDevices injects any requested CDI devices to the container's Spec.
+	SpecInjectCDIDevices() error
+
 	// AddUnifiedResourcesFromAnnotations adds the cgroup-v2 resources specified in the io.kubernetes.cri-o.UnifiedCgroup annotation
 	AddUnifiedResourcesFromAnnotations(annotationsMap map[string]string) error
 
diff --git a/internal/factory/container/device_linux.go b/internal/factory/container/device_linux.go
@@ -49,8 +49,7 @@ func (c *container) SpecAddDevices(configuredDevices, annotationDevices []device
 		return err
 	}
 
-	// Finally, inject CDI devices
-	return c.specInjectCDIDevices()
+	return nil
 }
 
 func (c *container) specAddHostDevicesIfPrivileged(privilegedWithoutHostDevices bool) error {
@@ -171,7 +170,7 @@ func (c *container) specAddContainerConfigDevices(enableDeviceOwnershipFromSecur
 	return nil
 }
 
-func (c *container) specInjectCDIDevices() error {
+func (c *container) SpecInjectCDIDevices() error {
 	var (
 		cdiDevices = c.Config().CDIDevices
 		fromCRI    = map[string]struct{}{}
diff --git a/internal/factory/container/device_test.go b/internal/factory/container/device_test.go
@@ -185,7 +185,7 @@ var _ = t.Describe("Container", func() {
 		}
 	})
 
-	t.Describe("SpecAdd(CDI)Devices", func() {
+	t.Describe("SpecInjectCDIDevices", func() {
 		writeCDISpecFiles := func(content []string) error {
 			if len(content) == 0 {
 				return nil
@@ -419,7 +419,7 @@ containerEdits:
 				Expect(writeCDISpecFiles(test.cdiSpecFiles)).To(Succeed())
 
 				// When
-				err := sut.SpecAddDevices(nil, nil, false, false)
+				err := sut.SpecInjectCDIDevices()
 
 				// Then
 				Expect(err != nil).To(Equal(test.expectError))
diff --git a/internal/factory/container/device_unsupported.go b/internal/factory/container/device_unsupported.go
@@ -13,3 +13,10 @@ import (
 func (c *container) SpecAddDevices(configuredDevices, annotationDevices []devicecfg.Device, privilegedWithoutHostDevices, enableDeviceOwnershipFromSecurityContext bool) error {
 	return fmt.Errorf("(*container).SpecAddDevices not supported on %s", runtime.GOOS)
 }
+
+func (c *container) SpecInjectCDIDevices() error {
+	if len(c.Config().CDIDevices) > 0 {
+		return fmt.Errorf("(*container).SpecInjectCDIDevices not supported on %s", runtime.GOOS)
+	}
+	return nil
+}
diff --git a/scripts/github-actions-setup b/scripts/github-actions-setup
@@ -39,7 +39,8 @@ prepare_system() {
     sudo swapon --show
 
     # enable necessary kernel modules
-    sudo ip6tables --list >/dev/null
+    sudo modprobe br_netfilter
+    sudo sysctl -p /etc/sysctl.conf
 
     # enable necessary sysctls
     sudo sysctl -w net.ipv4.conf.all.route_localnet=1
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -828,6 +828,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrfactory.Cont
 		}
 	}
 
+	if err := ctr.SpecInjectCDIDevices(); err != nil {
+		return nil, err
+	}
+
 	// Set up pids limit if pids cgroup is mounted
 	if node.CgroupHasPid() {
 		specgen.SetLinuxResourcesPidsLimit(s.config.PidsLimit)
diff --git a/test/cdi.bats b/test/cdi.bats
@@ -111,7 +111,7 @@ function annotate_ctr_with_unknown_cdidev {
 }
 
 function prepare_ctr_with_cdidev {
-	jq ".CDI_Devices |= . + [ { \"Name\": \"vendor0.com/device=loop8\" }, { \"Name\": \"vendor0.com/device=loop9\" } ]" \
+	jq ".CDI_Devices |= . + [ { \"Name\": \"vendor0.com/device=loop8\" }, { \"Name\": \"vendor0.com/device=loop9\" } ] | .envs |= . + [ { \"key\": \"VENDOR0\", \"value\": \"unset\" }, { \"key\": \"LOOP8\", \"value\": \"unset\" } ]" \
 		"$TESTDATA/container_sleep.json" > "$ctr_config"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -49,8 +49,7 @@ func (c *container) SpecAddDevices(configuredDevices, annotationDevices []device`
`49`	`49`	`return err`
`50`	`50`	`}`
`51`	`51`
`52`		`- // Finally, inject CDI devices`
`53`		`- return c.specInjectCDIDevices()`
	`52`	`+ return nil`
`54`	`53`	`}`
`55`	`54`
`56`	`55`	`func (c *container) specAddHostDevicesIfPrivileged(privilegedWithoutHostDevices bool) error {`
`@@ -171,7 +170,7 @@ func (c *container) specAddContainerConfigDevices(enableDeviceOwnershipFromSecur`
`171`	`170`	`return nil`
`172`	`171`	`}`
`173`	`172`
`174`		`-func (c *container) specInjectCDIDevices() error {`
	`173`	`+func (c *container) SpecInjectCDIDevices() error {`
`175`	`174`	`var (`
`176`	`175`	`cdiDevices = c.Config().CDIDevices`
`177`	`176`	`fromCRI = map[string]struct{}{}`
Original file line number	Diff line number	Diff line change
`@@ -828,6 +828,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, ctr ctrfactory.Cont`
`828`	`828`	`}`
`829`	`829`	`}`
`830`	`830`
	`831`	`+ if err := ctr.SpecInjectCDIDevices(); err != nil {`
	`832`	`+ return nil, err`
	`833`	`+ }`
	`834`	`+`
`831`	`835`	`// Set up pids limit if pids cgroup is mounted`
`832`	`836`	`if node.CgroupHasPid() {`
`833`	`837`	`specgen.SetLinuxResourcesPidsLimit(s.config.PidsLimit)`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ function annotate_ctr_with_unknown_cdidev {`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`function prepare_ctr_with_cdidev {`
`114`		`- jq ".CDI_Devices \|= . + [ { \"Name\": \"vendor0.com/device=loop8\" }, { \"Name\": \"vendor0.com/device=loop9\" } ]" \`
	`114`	`+ jq ".CDI_Devices \|= . + [ { \"Name\": \"vendor0.com/device=loop8\" }, { \"Name\": \"vendor0.com/device=loop9\" } ] \| .envs \|= . + [ { \"key\": \"VENDOR0\", \"value\": \"unset\" }, { \"key\": \"LOOP8\", \"value\": \"unset\" } ]" \`
`115`	`115`	`"$TESTDATA/container_sleep.json" > "$ctr_config"`
`116`	`116`	`}`
`117`	`117`