config: map host devices into container

Fixes #41

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## UNRELEASED
 
+FEATURES:
+* config: Map host devices into container. [[GH-41](https://github.com/hashicorp/nomad-driver-podman/pull/41)]
+
 BUG FIXES:
 * log: Use error key context to log errors rather than Go err style. [[GH-126](https://github.com/hashicorp/nomad-driver-podman/pull/126)]
 

README.md

@@ -231,6 +231,17 @@ config {
 }
 ```
 
+* **devices** - (Optional) A list of `host-device[:container-device][:permissions]` definitions. 
+Each entry adds a host device to the container. Optional permissions can be used to specify device permissions, it is combination of r for read, w for write, and m for mknod(2). See podman documentation for more details.
+
+```
+config {
+  devices = [
+    "/dev/net/tun"
+  ]
+}
+```
+
 * **hostname** -  (Optional) The hostname to assign to the container. When launching more than one of a task (using count) with this option set, every container the task starts will have the same hostname.
 
 * **Forwarding and Exposing Ports** - (Optional) See [Docker Driver Configuration](https://www.nomadproject.io/docs/drivers/docker.html#forwarding-and-exposing-ports) for details.

config.go

@@ -47,6 +47,7 @@ var (
 		"command":            hclspec.NewAttr("command", "string", false),
 		"cap_add":            hclspec.NewAttr("cap_add", "list(string)", false),
 		"cap_drop":           hclspec.NewAttr("cap_drop", "list(string)", false),
+		"devices":            hclspec.NewAttr("devices", "list(string)", false),
 		"entrypoint":         hclspec.NewAttr("entrypoint", "string", false),
 		"working_dir":        hclspec.NewAttr("working_dir", "string", false),
 		"hostname":           hclspec.NewAttr("hostname", "string", false),
@@ -103,6 +104,7 @@ type TaskConfig struct {
 	CapAdd            []string           `codec:"cap_add"`
 	CapDrop           []string           `codec:"cap_drop"`
 	Command           string             `codec:"command"`
+	Devices           []string           `codec:"devices"`
 	Entrypoint        string             `codec:"entrypoint"`
 	WorkingDir        string             `codec:"working_dir"`
 	Hostname          string             `codec:"hostname"`

driver.go

@@ -388,6 +388,11 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		return nil, nil, err
 	}
 	createOpts.ContainerStorageConfig.Mounts = allMounts
+	allDevices := []spec.LinuxDevice{}
+	for _, device := range driverConfig.Devices {
+		allDevices = append(allDevices, spec.LinuxDevice{Path: device})
+	}
+	createOpts.ContainerStorageConfig.Devices = allDevices
 
 	// Resources config options
 	createOpts.ContainerResourceConfig.ResourceLimits = &spec.LinuxResources{

driver_test.go

@@ -981,6 +981,54 @@ func TestPodmanDriver_User(t *testing.T) {
 
 }
 
+func TestPodmanDriver_Device(t *testing.T) {
+	if !tu.IsCI() {
+		t.Parallel()
+	}
+
+	taskCfg := newTaskConfig("", []string{
+		// print our username to stdout
+		"sh",
+		"-c",
+		"sleep 1; ls -l /dev/net/tun",
+	})
+
+	task := &drivers.TaskConfig{
+		ID:        uuid.Generate(),
+		Name:      "device",
+		AllocID:   uuid.Generate(),
+		Resources: createBasicResources(),
+	}
+	taskCfg.Devices = []string{"/dev/net/tun"}
+	require.NoError(t, task.EncodeConcreteDriverConfig(&taskCfg))
+
+	d := podmanDriverHarness(t, nil)
+	cleanup := d.MkAllocDir(task, true)
+	defer cleanup()
+
+	_, _, err := d.StartTask(task)
+	require.NoError(t, err)
+
+	defer d.DestroyTask(task.ID, true)
+
+	// Attempt to wait
+	waitCh, err := d.WaitTask(context.Background(), task.ID)
+	require.NoError(t, err)
+
+	select {
+	case res := <-waitCh:
+		// should have a exitcode=0 result
+		require.True(t, res.Successful())
+	case <-time.After(time.Duration(tu.TestMultiplier()*2) * time.Second):
+		t.Fatalf("Container did not exit in time")
+	}
+
+	// see if stdout was populated with the "whoami" output
+	tasklog := readLogfile(t, task)
+	require.Contains(t, tasklog, "dev/net/tun")
+
+}
+
 // test memory/swap options
 func TestPodmanDriver_Swap(t *testing.T) {
 	if !tu.IsCI() {