github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

oci: WithDefaultUnixDevices(): remove tun/tap from the default devices

Browse Source 
A container should not have access to tun/tap device, unless it is explicitly
specified in configuration.

This device was already removed from docker's default, and runc's default;

- 2ce40b6ad7
- 9c4570a958

Per the commit message in runc, this should also fix these messages;

> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory

coming from systemd on every container start, when the systemd cgroup driver
is used, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).

[1]: d5aecba6e0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2022-05-11 00:31:15 +02:00
parent 6067aeb6fd
commit a3ac156007
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
1 changed files with 1 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
oci/spec_opts.go
View File

@ -1192,20 +1192,13 @@ func WithDefaultUnixDevices(_ context.Context, _ Client, _ *containers.Container
Allow: true, Allow: true,
}, },
{ {
// "dev/ptmx"
Type: "c", Type: "c",
Major: intptr(5), Major: intptr(5),
Minor: intptr(2), Minor: intptr(2),
Access: rwm, Access: rwm,
Allow: true, Allow: true,
}, },
{
// tuntap
Type: "c",
Major: intptr(10),
Minor: intptr(200),
Access: rwm,
Allow: true,
},
}...) }...)
return nil return nil
} }