fix: add /dev/kvm and /dev/net/tun to OCI spec, remove devices config field

Move device provisioning from CLI-side exec hack to the OCI runtime spec.
The bundle builder now always includes /dev/kvm (10,232) and /dev/net/tun
(10,200) as linux.devices entries, so youki creates them during container
setup. No user configuration needed.

Remove the "devices" field from vz.json — these devices are always created
when the kernel supports them.

Bump vz-cli to v0.3.5.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lightsofapollo

crates/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "vz-cli"
-version = "0.3.4"
+version = "0.3.5"
 description = "CLI for managing containers and macOS VM sandboxes"
 edition.workspace = true
 rust-version.workspace = true

crates/vz-cli/Cargo.toml

@@ -97,11 +97,6 @@ struct VzConfig {
     /// Resource limits.
     #[serde(default)]
     resources: ResourceConfig,
-
-    /// Device nodes to create inside the container (e.g., "/dev/kvm", "/dev/net/tun").
-    /// These are created via mknod at container start using the host VM's device metadata.
-    #[serde(default)]
-    devices: Vec<String>,
 }
 
 fn default_image() -> String {
@@ -664,7 +659,7 @@ fn ensure_project_disk(sandbox_id: &str) -> anyhow::Result<PathBuf> {
 
 /// Compute a setup hash over the full vz.json config.
 ///
-/// Includes image, setup commands, devices, and resources so that
+/// Includes image, setup commands, and resources so that
 /// changes to any of these trigger re-execution of setup.
 fn compute_setup_hash(config: &VzConfig) -> String {
     let mut hasher = Sha256::new();
@@ -674,11 +669,6 @@ fn compute_setup_hash(config: &VzConfig) -> String {
         hasher.update(cmd.as_bytes());
         hasher.update(b"\n");
     }
-    for dev in &config.devices {
-        hasher.update(b"dev:");
-        hasher.update(dev.as_bytes());
-        hasher.update(b"\n");
-    }
     if let Some(cpus) = config.resources.cpus {
         hasher.update(format!("cpus:{cpus}\n").as_bytes());
     }
@@ -758,27 +748,6 @@ async fn run_setup_if_needed(
         return Ok(());
     }
 
-    // Create requested device nodes before running user setup commands.
-    if !config.devices.is_empty() {
-        let device_cmds: Vec<String> = config
-            .devices
-            .iter()
-            .map(|dev| {
-                // Read major:minor from /proc/misc or /sys for well-known devices.
-                // For now, handle the common cases directly.
-                match dev.as_str() {
-                    "/dev/kvm" => "mknod /dev/kvm c 10 232 2>/dev/null || true".to_string(),
-                    "/dev/net/tun" => "mkdir -p /dev/net && mknod /dev/net/tun c 10 200 2>/dev/null || true".to_string(),
-                    _ => format!("echo 'unsupported device: {dev}'"),
-                }
-            })
-            .collect();
-
-        for cmd in &device_cmds {
-            let _ = exec_quiet(client, &container_id, cmd).await;
-        }
-    }
-
     eprintln!("Running setup commands...");
     for (i, cmd) in config.setup.iter().enumerate() {
         eprintln!("  [{}/{}] {}", i + 1, config.setup.len(), cmd);

crates/vz-cli/src/commands/dev.rs

@@ -4,9 +4,10 @@ use std::io;
 use std::path::{Path, PathBuf};
 
 use oci_spec::runtime::{
-    Capability, LinuxCapabilities, LinuxCapabilitiesBuilder, LinuxCpuBuilder, LinuxNamespaceType,
-    LinuxPidsBuilder, LinuxResourcesBuilder, Mount, MountBuilder, PosixRlimit, PosixRlimitBuilder,
-    PosixRlimitType, ProcessBuilder, RootBuilder, Spec, SpecBuilder, User, UserBuilder, VERSION,
+    Capability, LinuxCapabilities, LinuxCapabilitiesBuilder, LinuxCpuBuilder, LinuxDeviceBuilder,
+    LinuxDeviceType, LinuxNamespaceType, LinuxPidsBuilder, LinuxResourcesBuilder, Mount,
+    MountBuilder, PosixRlimit, PosixRlimitBuilder, PosixRlimitType, ProcessBuilder, RootBuilder,
+    Spec, SpecBuilder, User, UserBuilder, VERSION,
 };
 
 use crate::error::OciError;
@@ -319,6 +320,10 @@ fn build_runtime_spec(spec: BundleSpec, rootfs_path: &str) -> Result<Spec, OciEr
         set_sysctls(&mut spec, sysctls);
     }
 
+    // Always expose /dev/kvm and /dev/net/tun when available in the host VM kernel.
+    // These are needed for nested virtualization (Firecracker) and tap networking.
+    set_default_devices(&mut spec);
+
     Ok(spec)
 }
 
@@ -766,6 +771,36 @@ fn parse_capability_name(name: &str) -> Option<Capability> {
     }
 }
 
+/// Add /dev/kvm and /dev/net/tun to the OCI spec so youki creates them
+/// during container setup. These are always useful when the host VM kernel
+/// supports them — no user configuration needed.
+fn set_default_devices(spec: &mut Spec) {
+    let Some(linux) = spec.linux_mut() else {
+        return;
+    };
+
+    let devices = vec![
+        LinuxDeviceBuilder::default()
+            .path("/dev/kvm")
+            .typ(LinuxDeviceType::C)
+            .major(10)
+            .minor(232)
+            .file_mode(0o666u32)
+            .build()
+            .expect("valid /dev/kvm device spec"),
+        LinuxDeviceBuilder::default()
+            .path("/dev/net/tun")
+            .typ(LinuxDeviceType::C)
+            .major(10)
+            .minor(200)
+            .file_mode(0o666u32)
+            .build()
+            .expect("valid /dev/net/tun device spec"),
+    ];
+
+    linux.set_devices(Some(devices));
+}
+
 /// Set sysctl parameters on the OCI spec's linux section.
 fn set_sysctls(spec: &mut Spec, sysctls: HashMap<String, String>) {
     if let Some(linux) = spec.linux_mut() {