I agree with a feature, but naming is confusing I think. Maybe something like device-cgroup-rule? I dunno

@LK4D4 I like the name, thanks! Will update shortly

ping @LK4D4 ptal

Added a test

This seems super low-level (much more so than any other flag we have, I think).

I don't understand the limitations on the devices cgroup, but... it seems like we should be able to address the use case with docker update to deal with adding the device to the whitelist and performing the mknod for the user.

This could also be looked at along with security profiles... some profile option to enable host device update access.

ping @tonistiigi , if I'm not wrong he was against a docker update solution. I'll let him explain his view :)

Design LGTM

@mlaventure looks like you forgot to update the CLI reference with the example; #22563 (comment)

ping @albers I had initially added a basic completion for bash (it's a very old PR), but I think you would do a better job, mind having a second look?

Thanks!

@mlaventure I don't think this can be improved because the argument contains a space. AFAIK, bash completion does not work inside quoted arguments.

@albers thanks for checking!

Why not improving --device to support something like --device /dev/sdb*:rx than to introduce this option?

@hqhq what you suggest would require to spawn a goroutine to monitor changes to the filesystem and replicate it within the container. But that would also assume that the container has all the tools necessary for this (e.g. mknod) or force it to be there.

Also, maybe the right of the device thus newly created would need to be changed within the container.

It's easier to let people set up their own policy with the tool provided.

1. How can I use --device-cgroup-rule option by docker-compose?

2. Also, I created some POC for working with dynamically created USB devices in Docker, does it correct? It works fine, but it seems very ugly:
   https://github.com/pbelskiy/docker-usb-sync

@TH3MIS

1. I don't think it's supported, you should ask on the compose repository: https://github.com/docker/compose

2. That looks correct. I don't see the ugliness in it. I'm not fan of adding a whole udev handler in the Docker daemon when there's already a dedicated architecture for udev.

@mlaventure
Why also there is no option to initially add с 189:* rwminto devices.list when create new cgroup for container? I suppose it best solution, but I am new in Docker, and maybe I'm wrong here

@TH3MIS that what the option you're providing does.

I think this feature is really helpful.