feat: Add devices option (runfinch#236)

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

api/handlers/container/create.go

@@ -7,6 +7,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -24,6 +26,8 @@ import (
 	"github.com/runfinch/finch-daemon/pkg/utility/maputility"
 )
 
+const errGatheringDeviceInfo = "error gathering device information while adding custom device"
+
 type containerCreateResponse struct {
 	ID string `json:"Id"`
 }
@@ -197,6 +201,16 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 	} else {
 		cgroupnsMode = defaults.CgroupnsMode()
 	}
+	devices := []string{}
+	if req.HostConfig.Devices != nil {
+		// Validate device configurations
+		for _, device := range req.HostConfig.Devices {
+			if err := validateDevice(w, device.PathOnHost); err != nil {
+				return
+			}
+		}
+		devices = translateDevices(req.HostConfig.Devices)
+	}
 
 	globalOpt := ncTypes.GlobalCommandOptions(*h.Config)
 	createOpt := ncTypes.ContainerCreateOptions{
@@ -247,6 +261,8 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 		BlkioDeviceWriteIOps: throttleDevicesToStrings(req.HostConfig.BlkioDeviceWriteIOps),
 		IPC:                  req.HostConfig.IpcMode, // IPC namespace to use
 		ShmSize:              shmSize,
+		Device:               devices, // Device specifies add a host device to the container
+
 		// #endregion
 
 		// #region for user flags
@@ -440,3 +456,61 @@ func translateAnnotations(annotations map[string]string) []string {
 	}
 	return result
 }
+
+// translateDevices converts a slice of DeviceMapping to a slice of strings in the format "PATH_ON_HOST[:PATH_IN_CONTAINER][:CGROUP_PERMISSIONS]".
+func translateDevices(devices []types.DeviceMapping) []string {
+	if devices == nil {
+		return nil
+	}
+
+	var result []string
+	for _, deviceMap := range devices {
+		deviceString := deviceMap.PathOnHost
+
+		if deviceMap.PathInContainer != "" {
+			deviceString += ":" + deviceMap.PathInContainer
+			if deviceMap.CgroupPermissions != "" {
+				deviceString += ":" + deviceMap.CgroupPermissions
+			}
+		} else if deviceMap.CgroupPermissions != "" {
+			deviceString += ":" + deviceMap.CgroupPermissions
+		}
+
+		result = append(result, deviceString)
+	}
+	return result
+}
+
+// validateDevice validates a device path and returns an error if validation fails.
+// The error is sent as a JSON response with HTTP 400 status code.
+func validateDevice(w http.ResponseWriter, pathOnHost string) error {
+	if pathOnHost == "" {
+		response.JSON(w, http.StatusBadRequest, response.NewErrorFromMsg(errGatheringDeviceInfo))
+		return fmt.Errorf("empty device path")
+	}
+
+	// Check if path exists and resolve symlinks
+	resolvedPath := pathOnHost
+	if src, err := os.Lstat(pathOnHost); err != nil {
+		response.JSON(w, http.StatusBadRequest, response.NewErrorFromMsg(fmt.Sprintf("%s %q: %v", errGatheringDeviceInfo, pathOnHost, err)))
+		return err
+	} else if src.Mode()&os.ModeSymlink == os.ModeSymlink {
+		if linkedPath, err := filepath.EvalSymlinks(pathOnHost); err != nil {
+			response.JSON(w, http.StatusBadRequest, response.NewErrorFromMsg(fmt.Sprintf("%s %q: %v", errGatheringDeviceInfo, pathOnHost, err)))
+			return err
+		} else {
+			resolvedPath = linkedPath
+		}
+	}
+
+	// Check if path is a device or directory
+	if src, err := os.Stat(resolvedPath); err != nil {
+		response.JSON(w, http.StatusBadRequest, response.NewErrorFromMsg(fmt.Sprintf("%s %q: %v", errGatheringDeviceInfo, pathOnHost, err)))
+		return err
+	} else if !src.IsDir() && (src.Mode()&os.ModeDevice) == 0 {
+		response.JSON(w, http.StatusBadRequest, response.NewErrorFromMsg(fmt.Sprintf("%s %q: not a device", errGatheringDeviceInfo, pathOnHost)))
+		return fmt.Errorf("not a device")
+	}
+
+	return nil
+}

api/handlers/container/create_test.go

@@ -928,50 +928,64 @@ var _ = Describe("Container Create API ", func() {
 			Expect(rr.Body).Should(MatchJSON(jsonResponse))
 		})
 
-		It("should set specified annotation", func() {
+		It("should reject invalid device paths", func() {
 			body := []byte(`{
 				"Image": "test-image",
 				"HostConfig": {
-					"Annotations": {
-						"com.example.key": "value1"
-					}
+					"Devices": [
+						{
+							"PathOnHost": "/dev/nonexistent",
+							"PathInContainer": "/dev/nonexistent",
+							"CgroupPermissions": "rwm"
+						}
+					]
 				}
 			}`)
 			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
 
-			// Create a copy of default options and add annotation
-			expectedCreateOpt := createOpt
-			expectedCreateOpt.Annotations = []string{"com.example.key=value1"}
-
-			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(expectedCreateOpt), equalTo(netOpt)).Return(
-				cid, nil)
-
 			h.create(rr, req)
-			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
-			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+			Expect(rr).Should(HaveHTTPStatus(http.StatusBadRequest))
+			Expect(rr.Body.String()).Should(ContainSubstring(`{"message":"error gathering device information while adding custom device \"/dev/nonexistent\": lstat /dev/nonexistent: no such file or directory"}`))
 		})
 
-		It("should set specified annotation", func() {
+		It("should reject empty device paths", func() {
 			body := []byte(`{
 				"Image": "test-image",
 				"HostConfig": {
-					"Annotations": {
-						"com.example.key": "value1"
-					}
+					"Devices": [
+						{
+							"PathOnHost": "",
+							"PathInContainer": "/dev/null",
+							"CgroupPermissions": "rwm"
+						}
+					]
 				}
 			}`)
 			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
 
-			// Create a copy of default options and add annotation
-			expectedCreateOpt := createOpt
-			expectedCreateOpt.Annotations = []string{"com.example.key=value1"}
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusBadRequest))
+			Expect(rr.Body.String()).Should(ContainSubstring(`{"message":"error gathering device information while adding custom device"}`))
+		})
 
-			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(expectedCreateOpt), equalTo(netOpt)).Return(
-				cid, nil)
+		It("should reject non-device paths", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"Devices": [
+						{
+							"PathOnHost": "/etc/hosts",
+							"PathInContainer": "/dev/null",
+							"CgroupPermissions": "rwm"
+						}
+					]
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
 
 			h.create(rr, req)
-			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
-			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+			Expect(rr).Should(HaveHTTPStatus(http.StatusBadRequest))
+			Expect(rr.Body.String()).Should(ContainSubstring(`{"message":"error gathering device information while adding custom device \"/etc/hosts\": not a device"}`))
 		})
 
 		It("should set CgroupnsMode option", func() {
@@ -1206,6 +1220,7 @@ func getDefaultCreateOpt(conf config.Config) types.ContainerCreateOptions {
 		BlkioDeviceWriteBps:  []string{},
 		BlkioDeviceReadIOps:  []string{},
 		BlkioDeviceWriteIOps: []string{},
+		Device:               []string{},
 		// #endregion
 
 		// #region for user flags

api/types/container_types.go

@@ -121,8 +121,8 @@ type ContainerHostConfig struct {
 	BlkioDeviceWriteBps  []*blkiodev.ThrottleDevice
 	BlkioDeviceReadIOps  []*blkiodev.ThrottleDevice
 	BlkioDeviceWriteIOps []*blkiodev.ThrottleDevice
-	// TODO: Devices     []DeviceMapping // List of devices to map inside the container
-	PidsLimit int64 // Setting PIDs limit for a container; Set `0` or `-1` for unlimited, or `null` to not change.
+	Devices              []DeviceMapping // List of devices to map inside the container
+	PidsLimit            int64           // Setting PIDs limit for a container; Set `0` or `-1` for unlimited, or `null` to not change.
 	// Mounts specs used by the container
 	// TODO: Mounts []mount.Mount `json:",omitempty"`
 
@@ -286,3 +286,9 @@ const (
 func (c CgroupnsMode) Valid() bool {
 	return c == CgroupnsModePrivate || c == CgroupnsModeHost
 }
+
+type DeviceMapping struct {
+	PathOnHost        string
+	PathInContainer   string
+	CgroupPermissions string
+}

e2e/e2e_test.go

@@ -59,7 +59,7 @@ func TestRun(t *testing.T) {
 	const description = "Finch Daemon Functional test"
 	ginkgo.Describe(description, func() {
 		// functional test for container APIs
-		tests.ContainerCreate(opt)
+		tests.ContainerCreate(opt, pOpt)
 		tests.ContainerStart(opt)
 		tests.ContainerStop(opt)
 		tests.ContainerRestart(opt)

e2e/tests/container_create.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -26,6 +27,7 @@ import (
 
 	"github.com/runfinch/finch-daemon/api/types"
 	"github.com/runfinch/finch-daemon/e2e/client"
+	"github.com/runfinch/finch-daemon/e2e/util"
 )
 
 type containerCreateResponse struct {
@@ -34,7 +36,7 @@ type containerCreateResponse struct {
 }
 
 // ContainerCreate tests the `POST containers/create` API.
-func ContainerCreate(opt *option.Option) {
+func ContainerCreate(opt *option.Option, pOpt util.NewOpt) {
 	Describe("create container", func() {
 		var (
 			uClient *http.Client
@@ -1452,6 +1454,113 @@ func ContainerCreate(opt *option.Option) {
 			}
 			Expect(foundCgroupNS).Should(BeFalse())
 		})
+
+		It("should create a container with device mappings", func() {
+			// Create a temporary file to use as backing store
+			tmpFileOpt, _ := pOpt([]string{"touch", "/tmp/loopdev"})
+			command.Run(tmpFileOpt)
+			defer func() {
+				rmOpt, _ := pOpt([]string{"rm", "-f", "/tmp/loopdev"})
+				command.Run(rmOpt)
+			}()
+
+			// Write 4KB of data to the file
+			ddOpt, _ := pOpt([]string{"dd", "if=/dev/zero", "of=/tmp/loopdev", "bs=4096", "count=1"})
+			command.Run(ddOpt)
+
+			// Set up loop device
+			loopDevOpt, _ := pOpt([]string{"losetup", "-f", "--show", "/tmp/loopdev"})
+			loopDev := command.StdoutStr(loopDevOpt)
+			Expect(loopDev).ShouldNot(BeEmpty())
+			defer func() {
+				detachOpt, _ := pOpt([]string{"losetup", "-d", loopDev})
+				command.Run(detachOpt)
+			}()
+
+			// Write test content to the device
+			writeOpt, _ := pOpt([]string{"sh", "-c", "echo -n test-content > " + loopDev})
+			command.Run(writeOpt)
+
+			// Get device info to verify major/minor numbers
+			statOpt, _ := pOpt([]string{"stat", "-c", "%t,%T", loopDev})
+			devNums := command.StdoutStr(statOpt)
+			parts := strings.Split(devNums, ",")
+			major, _ := strconv.ParseUint(parts[0], 16, 64)
+			minor, _ := strconv.ParseUint(parts[1], 16, 64)
+
+			options.Cmd = []string{"sleep", "Infinity"}
+			options.HostConfig.Devices = []types.DeviceMapping{
+				{
+					PathOnHost:        loopDev,
+					PathInContainer:   loopDev,
+					CgroupPermissions: "rwm",
+				},
+			}
+
+			// Create container
+			statusCode, ctr := createContainer(uClient, url, testContainerName, options)
+			Expect(statusCode).Should(Equal(http.StatusCreated))
+			Expect(ctr.ID).ShouldNot(BeEmpty())
+
+			// Start container
+			command.Run(opt, "start", testContainerName)
+
+			// Inspect using native format
+			nativeResp := command.Stdout(opt, "inspect", "--mode=native", testContainerName)
+			var nativeInspect []map[string]interface{}
+			err := json.Unmarshal(nativeResp, &nativeInspect)
+			Expect(err).Should(BeNil())
+			Expect(nativeInspect).Should(HaveLen(1))
+
+			// Navigate to the linux section
+			spec, ok := nativeInspect[0]["Spec"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			linux, ok := spec["linux"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+
+			// Verify device in linux.devices
+			devices, ok := linux["devices"].([]interface{})
+			Expect(ok).Should(BeTrue())
+
+			foundDevice := false
+			for _, device := range devices {
+				d := device.(map[string]interface{})
+				if d["path"] == loopDev {
+					foundDevice = true
+					Expect(d["type"]).Should(Equal("b")) // block device
+					Expect(d["major"].(float64)).Should(Equal(float64(major)))
+					Expect(d["minor"].(float64)).Should(Equal(float64(minor)))
+					break
+				}
+			}
+			Expect(foundDevice).Should(BeTrue())
+
+			// Verify device permissions in linux.resources.devices
+			resources, ok := linux["resources"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			resourceDevices, ok := resources["devices"].([]interface{})
+			Expect(ok).Should(BeTrue())
+
+			// First rule should be deny all
+			denyAll := resourceDevices[0].(map[string]interface{})
+			Expect(denyAll["allow"]).Should(BeFalse())
+			Expect(denyAll["access"]).Should(Equal("rwm"))
+
+			// Should find an allow rule for our device
+			foundAllowRule := false
+			for _, rule := range resourceDevices {
+				r := rule.(map[string]interface{})
+				if r["allow"] == true &&
+					r["type"] == "b" &&
+					r["major"].(float64) == float64(major) &&
+					r["minor"].(float64) == float64(minor) {
+					foundAllowRule = true
+					Expect(r["access"]).Should(Equal("rwm"))
+					break
+				}
+			}
+			Expect(foundAllowRule).Should(BeTrue())
+		})
 	})
 }