From def436547260241680283ec09c28812dd75a20b3 Mon Sep 17 00:00:00 2001 From: Kenfe-Mickael Laventure Date: Thu, 2 Feb 2017 07:31:17 -0800 Subject: [PATCH] Add example for --device-cgroup-rule to create reference Signed-off-by: Kenfe-Mickael Laventure Upstream-commit: 2d9105335bbfb41ace97b82ffaff1b93dc468f68 Component: engine --- .../docs/reference/commandline/create.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/components/engine/docs/reference/commandline/create.md b/components/engine/docs/reference/commandline/create.md index cbb9598a78..1d5ec5904e 100644 --- a/components/engine/docs/reference/commandline/create.md +++ b/components/engine/docs/reference/commandline/create.md @@ -210,3 +210,26 @@ daemon is running on Windows server, or `hyperv` if running on Windows client. | `hyperv` | Hyper-V hypervisor partition-based isolation. | Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`. + +### Dealing with dynamically created devices (--device-cgroup-rule) + +Devices available to a container are assigned at creation time. The +assigned devices will both be added to the cgroup.allow file and +created into the container once it is run. This poses a problem when +a new device needs to be added to running container. + +One of the solution is to add a more permissive rule to a container +allowing it access to a wider range of devices. For example, supposing +our container needs access to a character device with major `42` and +any number of minor number (added as new devices appear), the +following rule would be added: + +``` +docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image +``` + +Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 ` +the required device when it is added. + +NOTE: initially present devices still need to be explicitely added to +the create/run command
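Review bot: the example command in the added fenced block passes `-name my-container` with a single dash; the option is `--name`, so a reader who copies the line as written will get a flag parsing error instead of a created container. Suggest `docker create --device-cgroup-rule='c 42:* rmw' --name my-container my-image`. In the following paragraph the `mknod newDevX c 42 ` invocation ends after the major number, with no minor argument or placeholder for it, so the command shown is incomplete; it also reads oddly because the inline code is followed by "the required device", and rewording to something like "execute a script that would run `docker exec my-container mknod ...` to create the required device" would fix that. Since `c 42:* rmw` allows read, write and mknod on every minor of major 42, the section should say explicitly that the rule widens the container's device allowlist beyond the devices present at creation, and recommend keeping the major and the permission letters as narrow as the use case allows. Minor wording: "One of the solution" should be "One solution", "to running container" should be "to a running container", "any number of minor number" should be "any minor number", "explicitely" should be "explicitly", and `cgroup.allow` would read better in backticks.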