diff --git a/README.md b/README.md index 255afe5..dc82c56 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,9 @@ services: image: caomingjun/warp container_name: warp restart: always + # add removed rule back (https://github.com/opencontainers/runc/pull/3468) + device_cgroup_rules: + - 'c 10:200 rwm' ports: - "1080:1080" environment: diff --git a/docker-compose.yml b/docker-compose.yml index 8b111f7..3f518fd 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,6 +5,9 @@ services: image: caomingjun/warp container_name: warp restart: always + # add removed rule back (https://github.com/opencontainers/runc/pull/3468) + device_cgroup_rules: + - 'c 10:200 rwm' ports: - "1080:1080" environment: diff --git a/docs/proxy-mode.md b/docs/proxy-mode.md index 3e8ea28..2200845 100644 --- a/docs/proxy-mode.md +++ b/docs/proxy-mode.md @@ -36,6 +36,9 @@ services: image: caomingjun/warp container_name: warp restart: always + # add removed rule back (https://github.com/opencontainers/runc/pull/3468) + device_cgroup_rules: + - 'c 10:200 rwm' ports: - "1080:1080" environment: diff --git a/docs/tun-not-permitted.md b/docs/tun-not-permitted.md index 2f98d53..2a274c3 100644 --- a/docs/tun-not-permitted.md +++ b/docs/tun-not-permitted.md 
@@ -2,6 +2,8 @@ You are seeing this page because you encounter `{ err: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }, context: "open tun" }` or `CRITIC: /dev/net/tun not pass`. +If you get `CRITIC: /dev/net/tun not pass`, update the image to the latest version. It's caused by a [previous (later reverted) fix](#previous-solution) that requires `/dev/net/tun` to be passed to the container. The latest image has removed this requirement. If you still get `{ err: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }, context: "open tun" }` after updating the image, please follow the instructions below. + ## Problem On Nov 21, 2024, [containerd](https://github.com/containerd/containerd) released version [1.7.24](https://github.com/containerd/containerd/releases/tag/v1.7.24) which updated [runc](https://github.com/opencontainers/runc) to 1.2.2 and introduced [a breaking change that remove tun/tap from the default device rules](https://github.com/opencontainers/runc/pull/3468). 
@@ -12,6 +14,46 @@ Thanks [@hugoghx](https://github.com/hugoghx) for [reporting this issue](https:/ ## Solution +To solve this issue, you need to add the removed rule back to the container. For example: + +```yaml +version: "3" + +services: + warp: + image: caomingjun/warp + container_name: warp + restart: always + # ===== Add the following 2 lines ===== + device_cgroup_rules: + - 'c 10:200 rwm' + # ================ End ================ + ports: + - "1080:1080" + environment: + - WARP_SLEEP=2 + # - WARP_LICENSE_KEY= # optional + cap_add: + # Docker already have them, these are for podman users + - MKNOD + - AUDIT_WRITE + # additional required cap for warp, both for podman and docker + - NET_ADMIN + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + - net.ipv4.conf.all.src_valid_mark=1 + volumes: + - ./data:/var/lib/cloudflare-warp +``` + +## Previous Solution + +> [!NOTE] +> This is a previous (later reverted) solution, which used in image [`fc0c8c6`](https://hub.docker.com/layers/caomingjun/warp/2024.11.309.0-2.12.0-fc0c8c625dc421bbe29c235c79bea18d07be2510/images/sha256-e0aef1a4dde98926a398b0028b8feebd56c7070e7fbb262c7c947843c30e5dc7), [`1f75fb6`](https://hub.docker.com/layers/caomingjun/warp/2024.11.309.0-2.12.0-1f75fb6b6b15bdefda72dfbf1a2b43c19c776bd2/images/sha256-339f4c31197de6424f6c02e59911e5ebd39d5110e37d10dfcf7f553ada95a352) and [`1dab548`](https://hub.docker.com/layers/caomingjun/warp/2024.11.309.0-2.12.0-1dab548db478e27d68506c181d374e3bd02193e5/images/sha256-cabe746469889f16c60d9a77fcb7482c68863865160038882ce0fe8be41868e3). Although it solved the problem on most devices, it caused issues on some devices. We have reverted this change. + +> [!WARNING] +> This section is only for recording the solution for possible future needs; please **do NOT follow this solution**! + To solve this issue, you need to pass the `/dev/net/tun` device to the container. We also recommend you to update the image to the latest version to avoid any other issues. 
To pass the device to the container, you need to add `devices` to service level. For example: diff --git a/docs/warp-connector.md b/docs/warp-connector.md index 8bc11cd..64d2846 100644 --- a/docs/warp-connector.md +++ b/docs/warp-connector.md @@ -17,6 +17,9 @@ services: image: caomingjun/warp container_name: warp restart: always + # add removed rule back (https://github.com/opencontainers/runc/pull/3468) + device_cgroup_rules: + - 'c 10:200 rwm' ports: - "1080:1080" environment: diff --git a/entrypoint.sh b/entrypoint.sh index 7796d85..d4532a1 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -3,7 +3,8 @@ # exit when any command fails set -e -# create a tun device if not exist to ensure compatibility with Podman +# create a tun device if not exist +# allow passing device to ensure compatibility with Podman if [ ! -e /dev/net/tun ]; then sudo mkdir -p /dev/net sudo mknod /dev/net/tun c 10 200
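Review bot: in the docker-compose.yml hunk, the added rule `- 'c 10:200 rwm'` is scoped correctly (only the tun character device, major 10 minor 200, not the whole major-10 misc range), and the `m` bit matches the `sudo mknod /dev/net/tun c 10 200` fallback in entrypoint.sh; the inline comment, however, only says "add removed rule back" plus a link, so a reader who does not follow the link has no idea what the rule grants. Suggest making the comment self-explanatory, for example `# runc >= 1.2.2 no longer allows /dev/net/tun (c 10:200) by default; rwm = read, write, mknod`, so nobody later "fixes" a problem by widening it to `c 10:* rwm` or `a *:* rwm`.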
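Review bot: the README.md hunk adds the same three lines as docker-compose.yml, docs/proxy-mode.md and docs/warp-connector.md, so four copies of the snippet now have to be kept in sync by hand. Suggest pointing the comment at docs/tun-not-permitted.md in this repository (which explains the containerd 1.7.24 / runc 1.2.2 change and the error messages) in addition to the upstream PR, so a README reader understands the rule is required on current runtimes rather than optional tuning they can drop.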
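Review bot: in the first docs/tun-not-permitted.md hunk, the new paragraph tells users who see `CRITIC: /dev/net/tun not pass` to update the image, but does not say that on a runc 1.2.2 host the updated image also needs the new `device_cgroup_rules` entry; a user who only updates will then hit the `PermissionDenied` error and has to read on to find out why. Suggest "update the image to the latest version and add the `device_cgroup_rules` entry shown in the Solution section below". In the unchanged context line, "a breaking change that remove tun/tap" should read "removes".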
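Review bot: in the Solution hunk of docs/tun-not-permitted.md, the example compose file keeps `version: "3"`; Compose v2 treats the top-level `version` key as obsolete and warns about it, so the snippet (and the identical ones in README.md, docs/proxy-mode.md and docs/warp-connector.md) is cleaner without it. In the Previous Solution block, "which used in image" should be "which was used in images", and the unchanged sentence right after the WARNING still reads as a live instruction ("To solve this issue, you need to pass the `/dev/net/tun` device to the container"); since readers are told not to follow it, rephrase it in the past tense, e.g. "This solution passed the `/dev/net/tun` device to the container". "It caused issues on some devices" would also be more useful with a link to the report that prompted the revert.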
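Review bot: in the entrypoint.sh hunk, the new comment line "allow passing device to ensure compatibility with Podman" describes behaviour that the visible code does not change: the existing `if [ ! -e /dev/net/tun ]` guard already skips the mknod when a device is passed in, so the split comment reads as if new logic had been added. Suggest a single accurate comment such as "create /dev/net/tun if it is missing (Podman, or Docker without a passed-in device); the node alone is not enough, the device cgroup must also allow c 10:200". Two related points: testing `[ -c /dev/net/tun ]` instead of `-e` avoids a stale regular file at that path silently skipping the mknod, and because `set -e` is on, a failing `sudo mknod` aborts the container with no hint, so a short error message pointing at docs/tun-not-permitted.md would save users a trip to the issue tracker.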