Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
@@ -210,3 +210,26 @@ daemon is running on Windows server, or `hyperv` if running on Windows client. |
| 210 | 210 |
| `hyperv` | Hyper-V hypervisor partition-based isolation. | |
| 211 | 211 |
|
| 212 | 212 |
Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`. |
| 213 |
+ |
|
| 214 |
+### Dealing with dynamically created devices (--device-cgroup-rule) |
|
| 215 |
+ |
|
| 216 |
+Devices available to a container are assigned at creation time. The |
|
| 217 |
+assigned devices will both be added to the cgroup.allow file and |
|
| 218 |
+created into the container once it is run. This poses a problem when |
|
| 219 |
+a new device needs to be added to running container. |
|
| 220 |
+ |
|
| 221 |
+One of the solution is to add a more permissive rule to a container |
|
| 222 |
+allowing it access to a wider range of devices. For example, supposing |
|
| 223 |
+our container needs access to a character device with major `42` and |
|
| 224 |
+any number of minor number (added as new devices appear), the |
|
| 225 |
+following rule would be added: |
|
| 226 |
+ |
|
| 227 |
+``` |
|
| 228 |
+docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image |
|
| 229 |
+``` |
|
| 230 |
+ |
|
| 231 |
+Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 <minor>` |
|
| 232 |
+the required device when it is added. |
|
| 233 |
+ |
|
| 234 |
+NOTE: initially present devices still need to be explicitely added to |
|
| 235 |
+the create/run command |
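Review bot: the `docker create` example in this hunk passes `-name my-container`, which the CLI will not accept as the name flag (it parses as the short option `-n`), so the command as documented fails; it should be `docker create --device-cgroup-rule='c 42:* rmw' --name my-container my-image`. The sentence "assigned devices will both be added to the cgroup.allow file" names a file that does not exist: the devices cgroup (v1) controller exposes `devices.allow`, `devices.deny` and `devices.list`, so it should read "the devices.allow file". The `docker exec my-container mknod newDevX c 42 <minor>` step also deserves a caveat: creating the node from inside the container requires CAP_MKNOD, which is in Docker's default capability set but is removed by `--cap-drop MKNOD`, in which case the `m` permission in the `rmw` rule alone does not help and the node must be created from the host side instead. Wording fixes for the same lines: "One of the solution" should be "One of the solutions", "created into the container" should be "created in the container", "added to running container" should be "added to a running container", "any number of minor number" should be "any minor number", "explicitely" should be "explicitly", and the closing NOTE is missing its terminating period.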