Share tty* with an app container


Eric Zaluzec

Apr 4, 2018, 10:35:24 AM
to rkt-dev
Hi rkt-dev,
    I'm using rkt v1.29.0 on my embedded Linux system to start multiple appc containers. I have one app that monitors one-wire sensors via ttyUSBx devices. Is there a way to share devices from my host system (/dev/ttyUSB* or /dev/tty*) with a container started by rkt running as a systemd service?

For my container monitoring sensor devices, I can add:
--volume tty,kind=host,source=/dev/ttyUSB0 --mount volume=tty,target=/dev/ttyUSB0
which makes ttyUSB0 available to my container, but if a new tty device is added, then the container has to be restarted with new volume/mount for device. I was looking to see if there was a way to start a container with rkt where existing and new devices are available to the container.

If there is not a way to share all devices, then my approach is going to have a systemd service watch for new tty devices. When a new tty device is found, restart the systemd service running the container app that is monitoring sensors and append the rkt run command with the new and existing ttys. This approach takes extra running scripts and services on the host system, which is okay, but can have problems because of more moving parts. I was just looking for a good path to handle this with rkt before making my own trail.

Any recommendations or input is appreciated.
Cheers!


~# rkt version
rkt
Version: 1.29.0
appc
Version: 0.8.11
Go Version: go1.8
Go OS/Arch: linux/amd64
Features: -TPM +SDJOURNAL

Alban Crequy

Apr 6, 2018, 6:47:16 AM
to rkt-dev, Eric Zaluzec
Hi,

I don't have a perfect solution. Sharing devices is tricky
security-wise. I guess you have seen the documentation:
https://github.com/rkt/rkt/blob/master/Documentation/block-devices.md

If you don't care about security or container isolation, you can
always share all of /dev:
--volume devs,kind=host,source=/dev --mount volume=devs,target=/host-dev

But then, the device cgroup would not automatically allow the access
to the ttyUSBx device nodes. You would have to add:
--insecure-options=paths

Alternatively, to avoid giving full access to /dev, if you have a
script you can run whenever there is a new ttyUSBx available, you
could run "mknod" inside the container manually (you would need
CAP_MKNOD) and allow access to it with writing manually to the
cgroups, following the kernel documentation:
https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt
It's also possible to grant access to all devices with a specific
major, regardless of the minor number ("b 116:*"). I am not sure of
the security implications: the major number could be shared with other
devices you don't want to give to the container.

With either way, you would not need to restart the container.

Cheers,
Alban
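The second approach in the reply above (whitelist the device in the pod's device cgroup, then mknod it inside the container, no restart) as a worked script. This is an added example, not code from the thread or from the rkt project. It assumes a cgroup v1 devices controller, a GNU coreutils `stat`, and that the caller supplies the pod's devices cgroup directory and the PID of a process inside the pod (both hypothetical inputs here; locate them under /sys/fs/cgroup/devices and with `rkt status`). The major number 188 used in the comments is the usual Linux ttyUSB major and is only illustrative.

```shell
#!/bin/sh
# Added example: grant a running rkt pod access to a new host tty device
# without restarting it. Follows cgroup-v1/devices.txt: write a rule to
# devices.allow, then create the node inside the container's /dev (mknod
# there needs CAP_MKNOD). Assumptions: cgroup v1 devices controller,
# GNU stat, nsenter available on the host.
set -eu

# Format one devices.allow/devices.deny rule: "<type> <major>:<minor> <access>".
# $1 = c|b, $2 = major, $3 = minor (or "*" for all minors of that major),
# $4 = access string (subset of rwm).
devcgroup_rule() {
    printf '%s %s:%s %s\n' "$1" "$2" "$3" "$4"
}

# GNU stat prints major/minor in hex (%t %T); the cgroup wants decimal.
hex_to_dec() {
    printf '%d\n' "0x$1"
}

# Print "<type> <major> <minor>" for a device node, e.g. "c 188 0" for a
# ttyUSB on a typical kernel. Fails for anything that is not a device node.
devnode_info() {
    info=$(stat -c '%F|%t|%T' "$1")
    ftype=${info%%|*}
    rest=${info#*|}
    maj=${rest%%|*}
    min=${rest#*|}
    case $ftype in
        "character special file") t=c ;;
        "block special file")     t=b ;;
        *) echo "not a device node: $1" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$t" "$(hex_to_dec "$maj")" "$(hex_to_dec "$min")"
}

# Whitelist one device for the pod and create its node inside the container.
# $1 = host device path (e.g. /dev/ttyUSB1)
# $2 = pod's devices cgroup dir (hypothetical, e.g. /sys/fs/cgroup/devices/<scope>)
# $3 = PID of a process running inside the pod (for nsenter)
grant_tty() {
    dev=$1; cg=$2; pid=$3
    set -- $(devnode_info "$dev")           # -> t maj min
    # Exact major:minor, not "c 188:*": a major can be shared by devices the
    # container should not see, so stay as narrow as the sensor needs.
    rule=$(devcgroup_rule "$1" "$2" "$3" rwm)
    echo "$rule" > "$cg/devices.allow"
    # Enter the app's mount namespace and create the node if it is missing.
    nsenter -t "$pid" -m -- sh -c \
        "[ -e '$dev' ] || mknod -m 660 '$dev' $1 $2 $3"
}

# Usage: ./grant-tty.sh /dev/ttyUSB1 /sys/fs/cgroup/devices/<pod-scope> <pid>
if [ "$#" -eq 3 ]; then
    grant_tty "$@"
fi
```

A udev rule or the watcher service from the first message can call this script on each new ttyUSBx instead of restarting the pod; running it on a node the pod already has is harmless because devices.allow is idempotent and the mknod is skipped.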