HostDevices() race with older udevd versions #2093

@sipsma

Older versions of udevd (prior to systemd-udev) will fall back to using /dev/.udev to hold runtime state (which includes some temporary symlinks to device nodes) under certain conditions where /run/udev is not accessible. See this Changelog entry for example.

In these cases where udevd falls back to using /dev/.udev, privileged docker containers can occasionally hit a race condition where a temporary link to a device node that was found by HostDevices() under /dev/.udev no longer exists by the time the actual container is being created, which results in an ENOENT error and the container failing to start. This seems to be especially prevalent when the devicemapper storage backend is used (in which case it's not surprising there is some turbulence in udevd's runtime state dir).

There appears to be at least one report of this happening in the wild here: moby/moby#37456

I saw that runc currently has workarounds that skip looking for devices under /dev/.lxc and /dev/.lxd-mounts. While the issue with .udev is a little different, it seems reasonable to me for there also to be a skip of .udev on that line. I imagine few to no people using HostDevices() actually want the devices from udevd's temporary runtime state dir and, in the off chance someone in the world does, it seems like bind mounting the host's /dev into the container would be a much more reasonable option (as they will get any updates made by udevd to its state dir).

I'm opening this issue to see if the runc maintainers would be okay with adding an additional skip of /dev/.udev, in which case I'm happy to submit the PR. If you are okay, I'll link to this issue in a comment above the skip similar to the other lxc issue.
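The skip proposed in this issue, sketched as an added Go example that is not runc's code and not written by the issue author. `listNodes`, `skipDirs`, `isDevice` and the swappable `lstat` are hypothetical names, and tolerating ENOENT during the walk is an extra assumption beyond the proposed `.udev` skip.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ".lxc" and ".lxd-mounts" are the skips the issue cites; ".udev" is the proposed one.
var skipDirs = map[string]bool{".lxc": true, ".lxd-mounts": true, ".udev": true}

// lstat is a variable so a test can simulate an entry vanishing mid-walk.
var lstat = os.Lstat

// listNodes (hypothetical helper) returns every path under dir whose mode
// satisfies match, never descending into skipDirs.
func listNodes(dir string, match func(os.FileMode) bool) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, e := range entries {
		p := filepath.Join(dir, e.Name())
		if e.IsDir() {
			if skipDirs[e.Name()] {
				continue // volatile state dir: do not enumerate it at all
			}
			sub, err := listNodes(p, match)
			if err != nil && !errors.Is(err, os.ErrNotExist) {
				return nil, err
			}
			out = append(out, sub...)
			continue
		}
		fi, err := lstat(p)
		switch {
		case errors.Is(err, os.ErrNotExist):
			continue // entry was removed after ReadDir listed it
		case err != nil:
			return nil, err
		case match(fi.Mode()):
			out = append(out, p)
		}
	}
	return out, nil
}

func isDevice(m os.FileMode) bool { return m&os.ModeDevice != 0 }

func main() { fmt.Println(listNodes("/dev", isDevice)) }
```

The skip is what prevents the failure described here: a path that is listed successfully and then removed before container creation cannot be caught by error handling inside the walk.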
