Re-add tun/tap to default device rules #4555
Conversation
It took 2+ years between the date of the original commit and when it was rolled out in Docker. So if it will take another two years until this revert is effectuated, it will be a bit pointless because by that time everyone already changed their compose files to workaround it.
@@ -120,14 +120,21 @@ block-8: | |||
51: MovImm32 dst: r0 imm: 1 | |||
52: Exit | |||
block-9: | |||
// /dev/pts (c, 136, wildcard, rwm, true) | |||
// tuntap (c, 10, 200, rwm, true) |
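Review bot: block-9 of the expected program now carries `tuntap (c, 10, 200, rwm, true)` directly after `/dev/pts (c, 136, wildcard, rwm, true)`, but the hunk header (`-120,14 +120,21`) accounts for a net of seven added lines while only the two comment lines are visible here; please confirm that the instruction lines comparing type `c`, major 10 and minor 200 for the tuntap rule are part of the change and that the block numbering after block-9 was updated consistently. Since this file is a golden-program check of the generated eBPF, the rationale for the revert belongs with the default device list itself rather than in this test.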
Could you add a comment line to describe the background of this revert?
You mean here, in the test file?
I don't think it's needed here in the test -- in here we just check that the eBPF generated is as expected, and since we've re-added tuntap, we have to modify the expected program.
Ah, it should be in spec_linux.go
Added; PTAL
Probably s/impractical/cumbersome/. For Kubernetes, an additional device rule can be specified via the Generic Device Plugin: https://github.com/squat/generic-device-plugin
Unfortunately, the scope of this is not limited to docker compose.
Since v1.2.0 was released, a number of users complained that the removal of tun/tap device access from the default device ruleset is causing a regression in their workloads. Additionally, it seems that some upper-level orchestration tools (Docker Swarm, Kubernetes) make it either impossible or cumbersome to supply additional device rules. While it's probably not quite right to have /dev/net/tun in a default device list, it was there from the very beginning, and users rely on it. Let's keep it there for the sake of backward compatibility. This reverts commit 2ce40b6. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
596eda5 to 394f4c3
Just FYI, I think this approach is broken too.
@kroese That's because of the long time between runc 1.1 and runc 1.2 releases (the patch was not backported to 1.1.z). This is going to be included in the 1.2.4 release and so it will take very little time for the official Docker builds to package the new runc (and if you are using distribution packages it will happen automatically).
1.2 backport: #4556
Since v1.2.0 was released, a number of users complained that the removal of tun/tap device access from the default device ruleset is causing a regression in their workloads.
Additionally, it seems that some upper-level orchestration tools (Docker Swarm, Kubernetes) make it either impossible or impractical to supply additional device rules.
While it's probably not right to have /dev/net/tun in a default device list, it was there from the very beginning, and users rely on it.
This reverts commit 2ce40b6 / PR #3468.
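To make the rule tuples printed in the expected eBPF program concrete, here is an added Go illustration that is not runc's code: `Rule`, `Matches`, `Permitted` and `Wildcard` are assumed names, and the semantics (any matching allow rule permits the access, everything else is denied) are a simplification of what the generated filter enforces. It shows why a workload that opens /dev/net/tun, character device 10:200, regressed once the tuntap rule left the default list.

```go
package main

import "fmt"
import "strings"

const Wildcard int64 = -1 // the "wildcard" major/minor printed in the expected program

// Rule mirrors the tuple in the test comments: (type, major, minor, access, allow).
type Rule struct {
	Type   byte   // 'c' character device, 'b' block device
	Major  int64  // Wildcard matches any major
	Minor  int64  // Wildcard matches any minor
	Access string // subset of "rwm" (read, write, mknod)
	Allow  bool   // true = allow rule
}

// Matches reports whether the rule covers the device node and every requested access bit.
func (r Rule) Matches(typ byte, major, minor int64, access string) bool {
	if r.Type != typ || (r.Major != Wildcard && r.Major != major) ||
		(r.Minor != Wildcard && r.Minor != minor) {
		return false
	}
	for _, bit := range access {
		if !strings.ContainsRune(r.Access, bit) {
			return false
		}
	}
	return true
}

// Permitted uses the simplified semantics assumed here: a request is permitted
// when some allow rule matches it and denied otherwise (default deny).
func Permitted(rules []Rule, typ byte, major, minor int64, access string) bool {
	for _, r := range rules {
		if r.Allow && r.Matches(typ, major, minor, access) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed subset of the default list printed in the test hunk above.
	pts := Rule{'c', 136, Wildcard, "rwm", true} // /dev/pts (c, 136, wildcard, rwm, true)
	tun := Rule{'c', 10, 200, "rwm", true}       // tuntap (c, 10, 200, rwm, true)
	// Opening /dev/net/tun needs read/write on character device 10:200.
	fmt.Println(Permitted([]Rule{pts}, 'c', 10, 200, "rw"))      // false: denied without the rule
	fmt.Println(Permitted([]Rule{pts, tun}, 'c', 10, 200, "rw")) // true: allowed once re-added
}
```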