oci: WithDefaultUnixDevices(): remove tun/tap from the default devices

thaJeztah · thaJeztah · commit ed9d3dc37c7d · 2022-08-08T10:12:04.000+02:00
A container should not have access to tun/tap device, unless it is explicitly specified in configuration. This device was already removed from docker's default, and runc's default; - opencontainers/runc@2ce40b6 - https://github.com/moby/moby//commit/9c4570a958df42d1ad19364b1a8da55b891d850a Per the commit message in runc, this should also fix these messages; > Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory coming from systemd on every container start, when the systemd cgroup driver is used, and the system runs an old (< v240) version of systemd (the message was presumably eliminated by [1]). [1]: systemd/systemd@d5aecba Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit a3ac156) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/oci/spec_opts.go b/oci/spec_opts.go
@@ -1120,20 +1120,13 @@ func WithDefaultUnixDevices(_ context.Context, _ Client, _ *containers.Container
 			Allow:  true,
 		},
 		{
+			// "dev/ptmx"
 			Type:   "c",
 			Major:  intptr(5),
 			Minor:  intptr(2),
 			Access: rwm,
 			Allow:  true,
 		},
-		{
-			// tuntap
-			Type:   "c",
-			Major:  intptr(10),
-			Minor:  intptr(200),
-			Access: rwm,
-			Allow:  true,
-		},
 	}...)
 	return nil
 }
