Why runc in does not configure cgroup devices controller for new containers in JetPack4.6(Ubuntu 18.04)

[abaw]

I have a jetson device running JetPack4.6, recently I upgraded it to JetPack5.1.1 and found some difference in the runc behavior. runc does not configure the cgroup devices controller for the new containers in JetPack4.6 but it does in JetPack5.1.1. Although the new behavior makes more sense to me, but I was wondering why it happens. Because I found that it should do it according to the source code.

The versions of runc in JetPack 4.6 and JetPack5.1.1 are:

• 1.0.0~rc10-0ubuntu1~18.04.2
• 1.1.7-0ubuntu1~20.04.1 on JetPack 5.1.1

Here is the result to use the same command on different versions:

• JetPack 4.6/runc 1.0.0~rc10-0ubuntu1~18.04.2

# podman run -it --name devices-test ubuntu:20.04 cat /sys/fs/cgroup/devices/devices.list
a *:* rwm

• JetPack 5.1.1/1.1.7-0ubuntu1~20.04.1 on JetPack 5.1.1

root@pan-appliance:~# podman run -it --name devices-test ubuntu:20.04 cat /sys/fs/cgroup/devices/devices.list
b *:* m
c *:* m
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 10:200 rwm
c 136:* rwm

The generated OCI configs are basically the same.
oci-jp46.json
oci-jp51.json

Does anyone has some insights on why this happens?

[cyphar]

I don't know anything about JetPack but the first thing that comes to mind is that it might be because of #2391. In principle a new container should always have the rules applied but systemd can mess with that and #2391 (along with some other changes we made at the time -- 1.0.0-rc90 is from 2020, so this was quite a while ago) helped resolve some of those overwriting issues.

In short, the old behaviour was a bug we fixed.

(Also, runc-1.1.7 is still outdated and is missing security patches for some critical security issues. Though I guess it's possible that they backported them, though I doubt it...)

[abaw]

Thanks for the explanation, it looks highly possible!