From 3ff4eb9bfc21c1d2e89058221768c6783aade5f4 Mon Sep 17 00:00:00 2001
From: Morris Jette <jette@schedmd.com>
Date: Mon, 25 Jul 2011 09:16:15 -0700
Subject: [PATCH] tches for cgroup devices support

third patch adds the man page and an example.
0003_bull_cgroup_devices_doc_add_allowed_devices_support-2.3.0-0.pre7.patch
Patch from Yiannis Georgiou, Bull.
---
 Makefile.am                                  |  1 +
 Makefile.in                                  |  1 +
 doc/man/man5/cgroup.conf.5                   | 12 ++++++++++++
 etc/cgroup_allowed_devices_file.conf.example |  6 ++++++
 4 files changed, 20 insertions(+)
 create mode 100644 etc/cgroup_allowed_devices_file.conf.example

diff --git a/Makefile.am b/Makefile.am
index fe02765b5ae..3436f6c5db4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,6 +12,7 @@ EXTRA_DIST =			\
 	etc/init.d.slurmdbd	\
 	etc/cgroup.conf.example \
 	etc/cgroup.release_common.example \
+	etc/cgroup_allowed_devices_file.conf.example \
 	autogen.sh		\
 	slurm.spec		\
 	README.rst		\
diff --git a/Makefile.in b/Makefile.in
index c22b01ead29..5957ece7c46 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -379,6 +379,7 @@ EXTRA_DIST = \
 	etc/init.d.slurmdbd	\
 	etc/cgroup.conf.example \
 	etc/cgroup.release_common.example \
+	etc/cgroup_allowed_devices_file.conf.example \
 	autogen.sh		\
 	slurm.spec		\
 	README.rst		\
diff --git a/doc/man/man5/cgroup.conf.5 b/doc/man/man5/cgroup.conf.5
index 63878cb1b24..6e086b2a50a 100644
--- a/doc/man/man5/cgroup.conf.5
+++ b/doc/man/man5/cgroup.conf.5
@@ -136,6 +136,18 @@ If configured to "yes" then constrain the job's allowed devices based on GRES
 allocated resources. It uses the devices subsystem for that.
 The default value is "no".
 
+.TP
+\fBAllowedDevicesFile\fR=<path_to_allowed_devices_file>
+If the ConstrainDevices field is set to "yes" then this file has to be used to declare 
+the devices that need to be allowed by default for all the jobs. The current implementation 
+of cgroup devices subsystem works as a whitelist of entries, which means that in order to
+isolate the access of a job upon particular devices we need to allow the access on all
+the devices, supported by default and then deny on those that the job does not have the 
+permission to use. The default value is "/etc/slurm/cgroup_allowed_devices_file.conf". The syntax of 
+the file accepts one device per line and it permits lines like /dev/sda* or /dev/cpu/*/*. 
+See also an example of this file in etc/allowed_devices_file.conf.example.
+
+
 .SH "EXAMPLE"
 .LP
 .br
diff --git a/etc/cgroup_allowed_devices_file.conf.example b/etc/cgroup_allowed_devices_file.conf.example
new file mode 100644
index 00000000000..dcd22949d7a
--- /dev/null
+++ b/etc/cgroup_allowed_devices_file.conf.example
@@ -0,0 +1,6 @@
+/dev/null
+/dev/urandom
+/dev/zero
+/dev/sda*
+/dev/cpu/*/*
+/dev/pts/*
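Review bot: The example whitelist allows `/dev/sda*` and `/dev/cpu/*/*` for every job by default, which is much broader than the pseudo-devices listed beside them, and an example file like this tends to be copied into production unchanged. `/dev/sda*` matches the raw disk and all of its partitions, and on Linux `/dev/cpu/*/*` typically includes the per-CPU `msr` and `cpuid` nodes. File permissions still apply, but for those nodes the devices cgroup stops acting as a second barrier. I would ship the example with only `/dev/null`, `/dev/zero`, `/dev/urandom` and `/dev/pts/*`, and describe the disk and CPU entries in cgroup.conf.5 as site-specific additions to be justified per cluster. Separately, the man page hunk points readers to `etc/allowed_devices_file.conf.example`, which does not match the file added here, `etc/cgroup_allowed_devices_file.conf.example`.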
-- 
GitLab