diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index 5d3cf47372..e67bc41039 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -258,6 +258,16 @@ allocated port can be found with the `podman port` command.
 
 This key can be listed multiple times.
 
+#### `AddDevice=`
+
+Adds a device node from the host into the container. The format of this is
+`HOST-DEVICE[:CONTAINER-DEVICE][:PERMISSIONS]`, where `HOST-DEVICE` is the path of
+the device node on the host, `CONTAINER-DEVICE` is the path of the device node in
+the container, and `PERMISSIONS` is a list of permissions combining 'r' for read,
+'w' for write, and 'm' for mknod(2).
+
+This key can be listed multiple times.
+
 #### `PodmanArgs=`
 
 This key contains a list of arguments passed directly to the end of the `podman run` command
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index 4674bf15b1..877e10516b 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -71,6 +71,7 @@ const (
 KeyVolatileTmp = "VolatileTmp"
 KeyTimezone = "Timezone"
 KeySeccompProfile = "SeccompProfile"
+KeyAddDevice = "AddDevice"
 )
 
 // Supported keys in "Container" group
@@ -104,6 +105,7 @@ var supportedContainerKeys = map[string]bool{
 KeyVolatileTmp: true,
 KeyTimezone: true,
 KeySeccompProfile: true,
+KeyAddDevice: true,
 }
 
 // Supported keys in "Volume" group
@@ -396,6 +398,12 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 podman.add("--security-opt=no-new-privileges")
 }
 
+// But allow overrides with AddCapability
+devices := container.LookupAllStrv(ContainerGroup, KeyAddDevice)
+for _, device := range devices {
+podman.addf("--device=%s", device)
+}
+
 // Default to no higher level privileges or caps
 seccompProfile, hasSeccompProfile := container.Lookup(ContainerGroup, KeySeccompProfile)
 if hasSeccompProfile {
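Review bot: The comment `// But allow overrides with AddCapability` above the new `devices` loop in ConvertContainer is copied from the capability block and names the wrong key, so it misleads a reader about what the loop does; suggest `// Expose host device nodes requested with AddDevice= (forwarded to podman --device)`. Each value is passed to `--device=` verbatim, so checking the `HOST-DEVICE[:CONTAINER-DEVICE][:PERMISSIONS]` form described in the man page is left to podman; worth saying so in that comment, since every AddDevice= entry widens what the container can reach on the host and a maintainer may otherwise expect validation here. ConvertContainer begins and continues outside this hunk.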
diff --git a/test/e2e/quadlet/devices.container b/test/e2e/quadlet/devices.container
new file mode 100644
index 0000000000..2e958c0db6
--- /dev/null
+++ b/test/e2e/quadlet/devices.container
@@ -0,0 +1,7 @@
+## assert-podman-args --device=/dev/fuse
+## assert-podman-args --device=/dev/loop0:r
+
+[Container]
+Image=localhost/imagename
+AddDevice=/dev/fuse
+AddDevice=/dev/loop0:r
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index 640aaf1c4b..b453d08d58 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -270,6 +270,7 @@ var _ = Describe("quadlet system generator", func() {
 Entry("basepodman.container", "basepodman.container"),
 Entry("capabilities.container", "capabilities.container"),
 Entry("capabilities2.container", "capabilities2.container"),
+Entry("devices.container", "devices.container"),
 Entry("env.container", "env.container"),
 Entry("escapes.container", "escapes.container"),
 Entry("exec.container", "exec.container"),