fix docker network caps (#2273)

Docker releases a patch release which changed the required permissions to be able to do tun devices in containers, this caused all containers to fail in tests causing us to fail all tests. This fixes it, and adds some tools for debugging in the future. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-08-11 15:17:36 +00:00 · 2024-12-09 17:15:38 +01:00
parent 26d91ae513
commit 08bd4b9bc5
8 changed files with 81 additions and 42 deletions
--- a/integration/dockertestutil/config.go
+++ b/integration/dockertestutil/config.go
@@ -31,10 +31,14 @@ func DockerAllowLocalIPv6(config *docker.HostConfig) {
 }

 func DockerAllowNetworkAdministration(config *docker.HostConfig) {
+	// Needed since containerd (1.7.24)
+	// https://github.com/tailscale/tailscale/issues/14256
+	// https://github.com/opencontainers/runc/commit/2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31
 	config.CapAdd = append(config.CapAdd, "NET_ADMIN")
-	config.Mounts = append(config.Mounts, docker.HostMount{
-		Type:   "bind",
-		Source: "/dev/net/tun",
-		Target: "/dev/net/tun",
+	config.CapAdd = append(config.CapAdd, "NET_RAW")
+	config.Devices = append(config.Devices, docker.Device{
+		PathOnHost:        "/dev/net/tun",
+		PathInContainer:   "/dev/net/tun",
+		CgroupPermissions: "rwm",
 	})
 }