Do not set devices cgroup when updating containers to avoid eBPF prog…

…rams leak Signed-off-by: Li Bo <[email protected]>
opencontainers · Mar 28, 2021 · 7a503e6 · 7a503e6
1 parent 3505f15
commit 7a503e6
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/update.go b/update.go
@@ -327,6 +327,9 @@ other options are ignored.
 			config.IntelRdt.MemBwSchema = memBwSchema
 		}
 
+		// Do not set devices cgroup when updating containers to avoid eBPF programs leak
+		config.Cgroups.SkipDevices = true
+
 		return container.Set(config)
 	},
 }