Merge pull request #5929 from alexlarsson/systemd-cgroup-allow-mknod

cgroups: Allow mknod for any device in systemd cgroup backend

pkg/libcontainer/cgroups/systemd/apply_systemd.go

@@ -174,13 +174,22 @@ func Apply(c *cgroups.Cgroup, pid int) (cgroups.ActiveCgroup, error) {
 
 		path := filepath.Join(mountpoint, cgroup)
 
-		// /dev/pts/*
+		allow := []string{
-		if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte("c 136:* rwm"), 0700); err != nil {
+			// allow mknod for any device
-			return nil, err
+			"c *:* m",
+			"b *:* m",
+
+			// /dev/pts/ - pts namespaces are "coming soon"
+			"c 136:* rwm",
+
+			// tuntap
+			"c 10:200 rwm",
 		}
-		// tuntap
+
-		if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte("c 10:200 rwm"), 0700); err != nil {
+		for _, val := range allow {
-			return nil, err
+			if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte(val), 0700); err != nil {
+				return nil, err
+			}
 		}
 	}