Add support for devices in devcontainer-feature.json
While implementing a Dev Container feature for Tailscale, I discovered that there's no way to have the feature add the equivalent of runArgs: ["--device=/dev/net/tun"], even though you can set privileged (which would work, but gives way more access than needed). Would it be possible to add this to the feature metadata spec?
Adding a device property to devcontainer-feature.json makes sense to me and is aligned with the privileged, init, capAdd, securityOpt, and entrypoint options. The reason we don't support raw runArgs in features is that the merging semantics can be different for runArg properties and are harder to get right with the end user and features all contributing different sets of arguments. By formalizing specific properties in devcontainer-feature.json that get turned into runArgs in the end, we can control the merge logic better for each property individually.
Sorry for the ambiguity: yes, a devices property is what I envisioned as well. 👍 Totally makes sense to not merge runArgs, and I was able to use capAdd for a couple things I needed, but there wasn't any equivalent for --device.
Implementation concern:
Podman maps in GPUs via a CDI-spec device line: --device nvidia.com/gpu=gpu0 (the --gpus option is ignored). This isn't a device on the host (you can't stat it, for example).
Nvidia has said the CDI spec is their intended way forward, although I'm not sure what that ends up meaning for docker scenarios atm...
Another side note: Similar to #132 we likely need a way to make these optional or hard requirements.
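To make the merge argument above concrete, here is an added example (not code from the devcontainers spec or CLI, and not from any participant in this thread) of how per-property feature metadata can be folded into `docker run` flags. The `devices` and `optionalDevices` properties, the feature ids, the `hostHasDevice` callback and the sample inputs are all assumptions for illustration; the existing `privileged`, `init`, `capAdd` and `securityOpt` properties are merged alongside them. Host-path entries are checked for presence, while CDI names such as `nvidia.com/gpu=gpu0` are passed through untouched, and a missing optional device is skipped rather than failing the build.

```typescript
// Added example, not the devcontainers spec's or CLI's own code. The
// `devices` / `optionalDevices` properties are hypothetical, as proposed here.

interface FeatureMetadata {
  id: string;
  privileged?: boolean;
  init?: boolean;
  capAdd?: string[];
  securityOpt?: string[];
  devices?: string[];          // hypothetical: hard requirements
  optionalDevices?: string[];  // hypothetical: skipped when the host lacks them
}

interface UserConfig {
  privileged?: boolean;
  init?: boolean;
  capAdd?: string[];
  securityOpt?: string[];
  runArgs?: string[];          // user's raw args: appended verbatim, never merged
}

interface MergeResult {
  args: string[];
  skippedDevices: string[];
}

// Set union that keeps first-seen order: output is deterministic and the same
// flag contributed by several features collapses to one occurrence.
function unionOrdered(lists: Array<string[] | undefined>): string[] {
  const seen: { [key: string]: true } = {};
  const out: string[] = [];
  for (const list of lists) {
    for (const item of list ?? []) {
      if (seen[item]) { continue; }
      seen[item] = true;
      out.push(item);
    }
  }
  return out;
}

// Only an absolute path names a host device node. CDI names such as
// nvidia.com/gpu=gpu0 are opaque to us and must not be stat'ed on the host.
function isHostDevicePath(device: string): boolean {
  return device.charAt(0) === '/';
}

function mergeRunArgs(
  user: UserConfig,
  features: FeatureMetadata[],
  hostHasDevice: (path: string) => boolean,  // assumed probe, e.g. fs.statSync
): MergeResult {
  // Booleans merge by OR; list properties merge by ordered union.
  const privileged = Boolean(user.privileged) || features.some(f => Boolean(f.privileged));
  const init = Boolean(user.init) || features.some(f => Boolean(f.init));
  const capAdd = unionOrdered([user.capAdd, ...features.map(f => f.capAdd)]);
  const securityOpt = unionOrdered([user.securityOpt, ...features.map(f => f.securityOpt)]);

  const required = unionOrdered(features.map(f => f.devices));
  const optional = unionOrdered(features.map(f => f.optionalDevices))
    .filter(d => required.indexOf(d) === -1);

  const devices: string[] = [];
  const skippedDevices: string[] = [];
  for (const d of required) {
    if (isHostDevicePath(d) && !hostHasDevice(d)) {
      const owners = features.filter(f => (f.devices ?? []).indexOf(d) !== -1).map(f => f.id);
      throw new Error(`required device ${d} (feature ${owners.join(', ')}) not present on host`);
    }
    devices.push(d);
  }
  for (const d of optional) {
    if (isHostDevicePath(d) && !hostHasDevice(d)) { skippedDevices.push(d); continue; }
    devices.push(d);
  }

  const args: string[] = [];
  if (privileged) { args.push('--privileged'); }
  if (init) { args.push('--init'); }
  for (const c of capAdd) { args.push(`--cap-add=${c}`); }
  for (const s of securityOpt) { args.push(`--security-opt=${s}`); }
  // Emit the device as its own token: a CDI name already contains '=' and
  // should not be glued onto the flag.
  for (const d of devices) { args.push('--device', d); }
  args.push(...(user.runArgs ?? []));
  return { args, skippedDevices };
}

function demo(): MergeResult {
  // Constructed sample input: one devcontainer.json plus two features.
  const user: UserConfig = { capAdd: ['SYS_PTRACE'], runArgs: ['--hostname=dev'] };
  const tailscale: FeatureMetadata = { id: 'tailscale', capAdd: ['NET_ADMIN'], devices: ['/dev/net/tun'] };
  const gpu: FeatureMetadata = {
    id: 'gpu', capAdd: ['NET_ADMIN'], devices: ['nvidia.com/gpu=gpu0'], optionalDevices: ['/dev/dri'],
  };
  // Simulated host on which only /dev/net/tun exists.
  const hostHas = (p: string) => p === '/dev/net/tun';
  return mergeRunArgs(user, [tailscale, gpu], hostHas);
}
```

`demo()` yields `--cap-add=SYS_PTRACE --cap-add=NET_ADMIN --device /dev/net/tun --device nvidia.com/gpu=gpu0 --hostname=dev` with `/dev/dri` reported as skipped; the duplicate `NET_ADMIN` collapses, the CDI name is never checked against the host, and a feature whose required host device is absent fails fast with the feature id in the error instead of silently starting a container that cannot work.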