MobiledgeX supports passing devices through to Docker containers and assigning them elevated permissions. This requires a docker-compose file that passes the necessary parameters through to Docker. This example shows how to deploy a container with SYS_ADMIN and NET_ADMIN privileges and with the /dev/tun device passed through.
It is strongly recommended that containers be deployed with the least permissions required to run. If you require additional permissions for your container, be aware of the potential issues in providing these permissions.
This compose file uses a standard nginx container as an example to show the process. This is not a suggested configuration for production deployment; nginx does not require these permissions and is only being used as an example.
version: '3'
services:
  web:
    image: nginx:latest
    ports:
      - "8080:80"
    volumes:
      - ./data:/usr/share/nginx/html:ro
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    command: [nginx-debug, '-g', 'daemon off;']
Notes:
The process for deployment is the same as described in (INSERT LINK TO DEPLOYMENT WITH MANIFEST).
To confirm that the container has been created properly, go to the MobiledgeX Console, select the application instance, and open a terminal in the container (NOT SURE IF WE HAVE THIS ILLUSTRATED - IF SO LINK HERE) and start a shell (‘/bin/bash’ or ‘/bin/sh’). You should see a root prompt similar to below:
root@b1cbc48be9fb:/#
root@b1cbc48be9fb:/#
root@b1cbc48be9fb:/# id
uid=0(root) gid=0(root) groups=0(root)
You should also see the device that was passed through:
root@b1cbc48be9fb:/# ls /dev/net/tun
/dev/net/tun
root@b1cbc48be9fb:/# ls -lat /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jul 30 17:22 /dev/net/tun
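The root prompt and the device node do not show which capabilities the container actually holds. The script below is an added example, not part of the original page or of MobiledgeX tooling: it decodes the CapEff line of a /proc status file and lists every capability held beyond Docker's default set. The function names, the default mask (which assumes Docker's stock default capability set) and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report capabilities held beyond
# Docker's default set, decoded from the CapEff line of /proc/<pid>/status.

# Assumption: the runtime grants Docker's stock default capability set.
DEFAULT_MASK=$((0xa80425fb))

# Capability names in bit order (bit 0 = CHOWN), from linux/capability.h.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# Constructed sample: status lines for a process holding the Docker defaults
# plus the NET_ADMIN and SYS_ADMIN capabilities added by the compose file.
sample_status() { printf 'Name:\tsh\nCapEff:\t00000000a82435fb\n'; }

# Reads a status file on stdin and prints the extra capability names on one
# line (an empty line means nothing beyond the defaults). Returns 2 when the
# input has no usable CapEff value.
extra_caps() {
  hex=$(sed -n 's/^CapEff:[[:space:]]*//p')
  case $hex in
    ''|*[!0-9a-fA-F]*) echo "no usable CapEff line" >&2; return 2 ;;
  esac
  # Keep only the bits that are set in CapEff but not in the default mask.
  extra=$(( 0x$hex & ~DEFAULT_MASK ))
  out=""
  bit=0
  for name in $CAP_NAMES; do
    if [ $(( (extra >> bit) & 1 )) -eq 1 ]; then
      out="${out:+$out }$name"
    fi
    bit=$((bit + 1))
  done
  echo "$out"
}

# In the container shell: extra_caps < /proc/self/status
sample_status | extra_caps   # prints: NET_ADMIN SYS_ADMIN
```

Any name printed that your application does not need is a candidate for removal from cap_add.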
If you run into issues deploying the application, first try removing the cap_add and devices lines from your compose file, recreating your manifest, and redeploying.