mapping only some host devices to container #37607

Closed
SergiyIvanovAtGTI opened this Issue Aug 8, 2018 · 5 comments


SergiyIvanovAtGTI commented Aug 8, 2018

Hi there.
It is not possible to map a link device created by a SYMLINK+="my_device" udev rule into a container.
The container is created by a POST to the '/containers/create' endpoint with device JSON like this:
...
"Devices": [{ "PathOnHost": "/dev/my_device", "PathInContainer": "/dev/my_device", "CgroupPermissions": "..."}],
...

Expected result: 'ls -la' inside Docker should return my_device in the list.

Actual result: device /dev/my_device is not present on the container file system at all. Instead, if we create and run the container via 'docker run' on the host, we obtain a rather simplified list of devices like this:

drwxr-xr-x 5 root root 340 Aug 7 03:40 .
drwxr-xr-x 1 root root 4096 Aug 7 03:14 ..
lrwxrwxrwx 1 root root 11 Aug 7 03:40 core -> /proc/kcore
lrwxrwxrwx 1 root root 13 Aug 7 03:40 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Aug 7 03:40 full
drwxrwxrwt 2 root root 40 Aug 7 03:40 mqueue
crw-rw-rw- 1 root root 1, 3 Aug 7 03:40 null
lrwxrwxrwx 1 root root 8 Aug 7 03:40 ptmx -> pts/ptmx
drwxr-xr-x 2 root root 0 Aug 7 03:40 pts
crw-rw-rw- 1 root root 1, 8 Aug 7 03:40 random
drwxrwxrwt 2 root root 40 Aug 7 03:40 shm
lrwxrwxrwx 1 root root 15 Aug 7 03:40 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Aug 7 03:40 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Aug 7 03:40 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 Aug 7 03:40 tty
crw-rw-rw- 1 root root 1, 9 Aug 7 03:40 urandom
crw-rw-rw- 1 root root 1, 5 Aug 7 03:40 zero

But if we create the container via a POST request with a nonempty device list, then we obtain the full list of 'regular devices' from the host.

Output of docker version:
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:11:19 2017
OS/Arch: linux/amd64

Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:09:53 2017
OS/Arch: linux/amd64
Experimental: false

Output of docker info:

Containers: 9
Running: 8
Paused: 0
Stopped: 1
Images: 10
Server Version: 17.12.0-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-28-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.739GiB
Name: DT002
ID: M4XQ:JEW7:NWDK:QT2G:XCFF:VHAC:YROS:L5WZ:5HQ5:JZF7:QA66:EFUD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: techincubator
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.): the host is a physical system with Ubuntu 16.04.

And yes... It shouldn't be the same as #20228; I don't want to add devices to the Docker container directly once we have an appropriate option in the JSON.


SergiyIvanovAtGTI commented Aug 8, 2018

Half of the actual behavior, the list of host devices, is expected as well: sub-containers are running in privileged mode.


SergiyIvanovAtGTI commented Aug 8, 2018

As a workaround, a file binding is applied instead.


thaJeztah commented Aug 8, 2018

The device option allows a container to access a device - it will still have to be mounted (mount ..) inside the container.

If the source on the host is a mounted device, using the -v <hostpath>:<containerpath> option is probably what you're looking for.

Regarding other devices: by default, a container only has very limited access, so that's expected.
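An added example, not from this issue thread or from the Moby code base, that applies the distinction the maintainer draws above when building a '/containers/create' request body: a real device node (including one reached through a udev SYMLINK+= alias) goes into HostConfig.Devices, while a mounted directory on the host goes into HostConfig.Binds. The Engine API field names are the documented ones; the helper function name and the constructed inputs are my own.

```python
import os
import stat

# Added example (not Moby's code). Builds the HostConfig fragment for
# POST /containers/create, picking HostConfig.Devices for a device node
# and HostConfig.Binds for a directory such as a mounted filesystem.
# Resolving the udev SYMLINK+= alias client-side is a precaution assumed
# here, not something the issue says the daemon requires.

def host_config_for(path_on_host, path_in_container, permissions="rw"):
    """Return a HostConfig fragment appropriate for `path_on_host`.

    - char/block device node (possibly behind a symlink): Devices entry with
      the resolved node path and only the cgroup permissions requested
    - directory (e.g. a mounted filesystem): a Binds entry, read-only unless
      write access was asked for
    Anything else is rejected rather than silently passed through.
    """
    if not set(permissions) <= set("rwm"):
        raise ValueError("CgroupPermissions must be a subset of 'rwm'")
    real = os.path.realpath(path_on_host)  # follow the udev SYMLINK alias
    st = os.stat(real)  # raises FileNotFoundError if the alias dangles
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        return {"Devices": [{
            "PathOnHost": real,
            "PathInContainer": path_in_container,
            "CgroupPermissions": permissions,
        }]}
    if stat.S_ISDIR(st.st_mode):
        mode = "rw" if "w" in permissions else "ro"
        return {"Binds": [f"{real}:{path_in_container}:{mode}"]}
    raise ValueError(f"{path_on_host} is neither a device node nor a directory")


if __name__ == "__main__":
    import json
    import tempfile
    # Constructed inputs: /dev/null stands in for the udev-created device,
    # and a temporary directory stands in for a mounted filesystem.
    print(json.dumps({"HostConfig": host_config_for("/dev/null", "/dev/my_device", "r")}, indent=2))
    with tempfile.TemporaryDirectory() as d:
        print(json.dumps({"HostConfig": host_config_for(d, "/data", "r")}, indent=2))
```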


SergiyIvanovAtGTI commented Aug 8, 2018

Thanks. So the approach of interpreting the device option for already-mounted points is the wrong one.


thaJeztah commented Aug 17, 2018

Looks like the question is answered, so I'll go ahead and close, but feel free to continue the conversation.

@thaJeztah thaJeztah closed this Aug 17, 2018
