Adding devices to container while running

Docker Engine General
1

Hi
Is there a way to add devices (for example block devices /dev/sd*) to a running docker container?
The problem is that I have an application running inside a docker container and I would like to access the block device as soon as someone plugs in a USB stick in the host machine.
Thx!

2

Could you mount the parent folder into the container at runtime? Or would that give the container too much access to the host?

3

Hi rufus
Thanks for the answer. Actually I am applying your approach for accessing the files. I mount the device on the host into a predefined directory. This directory is accessed by the container using --volume. However I have to fetch diverse information about the USB device from /sys and /dev. In this case this approach doesn’t work. When I start a container using --privileged=true, only the block devices that exist at the time of firing up the container, are accessible by the container. Devices that get connected to the host at a later time are not. I heard about a feature request on docker’s github page where they discuss about a docker update command. This would allow to update the container configuration during its existence. Unfortunately that feature is not yet available.

4

<begin hand-wavy answer>It seems like there must be a series of events that happen when a new USB device is inserted, from recognizing it to mounting it. Is there a way to listen to those events from inside the container? Then, once you know something is happening on the host, maybe with the right permissions you could mount the new device.

This is one of those cases where the fact that the same kernel is accessible from inside and outside the container should work to your benefit. The container by default will try to isolate its contents from this kind of change on the host, but I think with the right set of --cap-add capabilities, either the container or a host process should be able to mount a newly-created device in a container.</end hand-wavy answer>

5

Hi rufus
I like your approach. But I think docker is not yet ready for that- or I am simply not aware how to achieve that. The mouting is done by the host because I didn’t want to bother about it any longer (therefore I cannot answer your question whether there are some indication in the container about a inserted device on the host or not). But I would still like to access the block device in /dev to get some infos about it that I need to compute…

Perhaps it is possible to define device cgroups (perhaps it is possible to define devices that do not yet exist at the time the container is being launched).

So far I cannot find a cap that would help: http://man7.org/linux/man-pages/man7/capabilities.7.html.

Btw, about the docker update thing I was talking, this is the github link: https://github.com/docker/docker/issues/3285.

cheerio!