From e11dec6df3f08d12af9ba35f186fd9c0875053e3 Mon Sep 17 00:00:00 2001
From: zwtop
Date: Mon, 22 Sep 2025 17:28:28 +0800
Subject: [PATCH] fix: allow all devices on systemd cgroup

Signed-off-by: zwtop
---
 client/runtime.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/client/runtime.go b/client/runtime.go
index 04b2d1b..de997d8 100644
--- a/client/runtime.go
+++ b/client/runtime.go
@@ -493,6 +493,9 @@ func containerSpecOpts(namespace string, img containerd.Image, container *model.
 specOpts = append(specOpts, oci.WithCPUCFS(container.CPUQuota, container.CPUPeriod))
 }
 specOpts = append(specOpts, withRlimits(container.Rlimits))
+if container.Runtime.SystemdCgroup {
+specOpts = append(specOpts, withAllowAllDevices)
+}
 specOpts = append(specOpts, withSpecPatches(container.SpecPatches))
 specOpts = append(specOpts, withRuntimeENV(namespace, container))
 return specOpts
@@ -721,3 +724,13 @@ func withRuntimeENV(namespace string, container *model.Container) oci.SpecOpts {
 fmt.Sprintf("%s=%s", ENVRuntimeContainerImage, container.Image),
 })
 }
+
+func withAllowAllDevices(_ context.Context, _ oci.Client, _ *containers.Container, spec *oci.Spec) error {
+spec.Linux.Resources.Devices = []specs.LinuxDeviceCgroup{
+{
+Allow: true,
+Access: "rwm",
+},
+}
+return nil
+}
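Review bot: `withAllowAllDevices` in the second hunk overwrites the entire device-cgroup rule list with one unconditional `Allow: true, Access: "rwm"` entry, which discards the default deny-all rule and any per-device rules that earlier spec opts may have added, so every container created with `Runtime.SystemdCgroup` set (the gate added in the first hunk) gets unrestricted device-cgroup access regardless of its own privilege settings; if the goal is only to work around systemd cgroup device handling, that rationale and the isolation trade-off should be stated in a doc comment on the function rather than left to the commit title. The function also writes through `spec.Linux.Resources` with no nil check; the default spec presumably populates both, but a bare spec would panic here, and the sibling opts' guarding convention is not visible in this hunk. Appending to the existing rule list instead of replacing it, and guarding the nil cases, keeps the opt safe on any spec; `containerSpecOpts` starts outside the first hunk.
```go
// withAllowAllDevices appends an allow-all device-cgroup rule. This removes
// the effect of the default deny list for the container; it is applied only
// when the systemd cgroup driver is in use. Review the rationale before
// widening its use.
func withAllowAllDevices(_ context.Context, _ oci.Client, _ *containers.Container, spec *oci.Spec) error {
	if spec.Linux == nil {
		spec.Linux = &specs.Linux{}
	}
	if spec.Linux.Resources == nil {
		spec.Linux.Resources = &specs.LinuxResources{}
	}
	spec.Linux.Resources.Devices = append(spec.Linux.Resources.Devices, specs.LinuxDeviceCgroup{
		Allow:  true,
		Access: "rwm",
	})
	return nil
}
```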