While the cgroups/devices
isolator allows operators to control container access to host devices, the container might still need additional privileges to create a device node to actually use the device. The linux/devices
isolator ensures that containers that are granted access to host devices are populated with the correct set of device nodes. Access to host devices is granted by using the --allowed_devices
flag on the agent.
To enable the linux/devices
isolator, append linux/devices
to the --isolation
flag when starting the Mesos agent.
Device access is configured at container granularity. For example, this means that if the --allowed_devices
flag specifies read access for a device, then every process in the container will be able to read from the specified device.
The linux/devices
isolator does not require the --allowed_devices
entry to grant mknod
access, since it creates device nodes from outside the container.