update network admin perms

Signed-off-by: Kristoffer Dalby <[email protected]>
juanfont · Dec 9, 2024 · fd7a2c3 · fd7a2c3
1 parent 0c06a64
commit fd7a2c3
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 12 deletions.
diff --git a/integration/dockertestutil/config.go b/integration/dockertestutil/config.go
@@ -31,10 +31,14 @@ func DockerAllowLocalIPv6(config *docker.HostConfig) {
 }
 
 func DockerAllowNetworkAdministration(config *docker.HostConfig) {
+	// Needed since containerd (1.7.24)
+	// https://github.com/tailscale/tailscale/issues/14256
+	// https://github.com/opencontainers/runc/commit/2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31
 	config.CapAdd = append(config.CapAdd, "NET_ADMIN")
-	config.Mounts = append(config.Mounts, docker.HostMount{
-		Type:   "bind",
-		Source: "/dev/net/tun",
-		Target: "/dev/net/tun",
+	config.CapAdd = append(config.CapAdd, "NET_RAW")
+	config.Devices = append(config.Devices, docker.Device{
+		PathOnHost:        "/dev/net/tun",
+		PathInContainer:   "/dev/net/tun",
+		CgroupPermissions: "rwm",
 	})
 }
diff --git a/integration/tsic/tsic.go b/integration/tsic/tsic.go
@@ -241,14 +241,6 @@ func New(
 		Entrypoint: tsic.withEntrypoint,
 		ExtraHosts: tsic.withExtraHosts,
 		Env:        []string{},
-
-		// Needed since containerd (1.7.24)
-		// https://github.com/tailscale/tailscale/issues/14256
-		// https://github.com/opencontainers/runc/commit/2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31
-		CapAdd: []string{"NET_ADMIN", "NET_RAW"},
-		Mounts: []string{
-			"/dev/net/tun:/dev/net/tun",
-		},
 	}
 
 	if tsic.withWebsocketDERP {