From 7a503e6613195217c7724ead44079d5faee6c3ad Mon Sep 17 00:00:00 2001
From: Li Bo <borgerli@tencent.com>
Date: Sun, 28 Mar 2021 10:15:16 +0800
Subject: [PATCH] Do not set devices cgroup when updating containers to avoid
 eBPF programs leak

Signed-off-by: Li Bo <borgerli@tencent.com>
---
 update.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/update.go b/update.go
index 4e9b3f4f1d4..999eef0f7a9 100644
--- a/update.go
+++ b/update.go
@@ -327,6 +327,9 @@ other options are ignored.
 			config.IntelRdt.MemBwSchema = memBwSchema
 		}
 
+		// Do not set devices cgroup when updating containers to avoid eBPF programs leak
+		config.Cgroups.SkipDevices = true
+
 		return container.Set(config)
 	},
 }