cgroups/devices isolator allows operators to control container access to host devices, the container might still need additional privileges to create a device node to actually use the device. The
linux/devices isolator ensures that containers that are granted access to host devices are populated with the the correct set of device nodes. Access to host devices is granted by using the
--allowed_devices flag on the agent.
To enable the
linux/devices isolator, append
linux/devices to the
--isolation flag when starting the Mesos agent.
Device access is configured at container granularity. For example, this means that if the
--allowed_devices flag specifies read access for a device, then every process in the container will be able to read from the specified device.
linux/devices isolator does not require the
--allowed_devices entry to grant
mknod access, since it creates device nodes from outside the container.