quadlet: Add support for AddDevice=

This lets you add custom device nodes into the container Signed-off-by: Alexander Larsson <alexl@redhat.com>
2025-10-17 11:14:40 +08:00 · 2022-10-20 12:26:35 +02:00
parent f6f65f49db
commit 6042ca7fd0
4 changed files with 26 additions and 0 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -258,6 +258,16 @@ allocated port can be found with the `podman port` command.

 This key can be listed multiple times.

+#### `AddDevice=`
+
+Adds a device node from the host into the container. The format of this is
+`HOST-DEVICE[:CONTAINER-DEVICE][:PERMISSIONS]`, where `HOST-DEVICE` is the path of
+the device node on the host, `CONTAINER-DEVICE` is the path of the device node in
+the container, and `PERMISSIONS` is a list of permissions combining 'r' for read,
+'w' for write, and 'm' for mknod(2).
+
+This key can be listed multiple times.
+
 #### `PodmanArgs=`

 This key contains a list of arguments passed directly to the end of the `podman run` command
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -71,6 +71,7 @@ const (
 	KeyVolatileTmp     = "VolatileTmp"
 	KeyTimezone        = "Timezone"
 	KeySeccompProfile  = "SeccompProfile"
+	KeyAddDevice       = "AddDevice"
 )

 // Supported keys in "Container" group
@ -104,6 +105,7 @@ var supportedContainerKeys = map[string]bool{
 	KeyVolatileTmp:     true,
 	KeyTimezone:        true,
 	KeySeccompProfile:  true,
+	KeyAddDevice:       true,
 }

 // Supported keys in "Volume" group
@ -396,6 +398,12 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.add("--security-opt=no-new-privileges")
 	}

+	// But allow overrides with AddCapability
+	devices := container.LookupAllStrv(ContainerGroup, KeyAddDevice)
+	for _, device := range devices {
+		podman.addf("--device=%s", device)
+	}
+
 	// Default to no higher level privileges or caps
 	seccompProfile, hasSeccompProfile := container.Lookup(ContainerGroup, KeySeccompProfile)
 	if hasSeccompProfile {
--- a/test/e2e/quadlet/devices.container
+++ b/test/e2e/quadlet/devices.container
@ -0,0 +1,7 @@
+## assert-podman-args --device=/dev/fuse
+## assert-podman-args --device=/dev/loop0:r
+
+[Container]
+Image=localhost/imagename
+AddDevice=/dev/fuse
+AddDevice=/dev/loop0:r
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@ -270,6 +270,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("basepodman.container", "basepodman.container"),
 		Entry("capabilities.container", "capabilities.container"),
 		Entry("capabilities2.container", "capabilities2.container"),
+		Entry("devices.container", "devices.container"),
 		Entry("env.container", "env.container"),
 		Entry("escapes.container", "escapes.container"),
 		Entry("exec.container", "exec.container"),