Access host devices from a container
This article refers to Platform v3.1.0. The current Platform version is v3.2.0.
Overview
Many edge workloads need to talk to real hardware — a USB serial radio, a SIM modem, a GPU, an industrial bus. Docker exposes individual host device nodes to a container via the devices: directive in docker-compose.yaml. This article covers the syntax, host-side permissions, and a Filebrowser example that reads a USB drive.
Host-side permissions
The container needs read/write access to the device node on the host. Two common ways to grant it:
- Loosen the permissions on the device (quick, blunt):
    sudo chmod 666 /dev/sda1
- Add the user the agent runs as to a group with native access:
    sudo usermod -aG disk $(whoami)
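Pick the option that matches your security model. The first is faster for one-off testing, but mode 666 lets every user on the host read and write the raw device. The second is the right choice for persistent deployments; note that the disk group typically grants access to every block device on the host, not only this one.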
Compose syntax
The devices: directive maps a host device node to a path inside the container. The form is <host path>:<container path>:
version: '3.8'
services:
  filebrowser:
    image: filebrowser/filebrowser:latest
    ports:
      - "8080:80"
    volumes:
      - /mnt/usb:/srv
    devices:
      - "/dev/sda1:/dev/sda1"
What each piece does:
- volumes — mount the filesystem the USB stick is exposing at /srv so Filebrowser shows its contents.
- devices — give the container raw access to the USB block device at /dev/sda1.
For Barbara apps, device access must be declared explicitly in the compose file — privileged containers and broad capability grants are not allowed on edge nodes (see the Docker apps packaging rules).
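A pre-deployment check in the spirit of the rule above, as an added example (not Barbara's own validation logic and not code from this article): it reads the JSON produced by `docker compose config --format json` and reports privileged mode, any cap_add entry, devices: entries that are not a single node under /dev, and bind mounts of /dev paths. The rule set, the function names and the sample services are assumptions made for illustration.

```python
import json

# Constructed sample: output shape of `docker compose config --format json`
# for two hypothetical services (one compliant, one not).
SAMPLE = """
{"services": {
  "filebrowser": {
    "image": "filebrowser/filebrowser:latest",
    "volumes": [{"type": "bind", "source": "/mnt/usb", "target": "/srv"}],
    "devices": ["/dev/sda1:/dev/sda1"]},
  "modem": {
    "privileged": true,
    "cap_add": ["SYS_ADMIN"],
    "volumes": ["/dev:/dev"],
    "devices": [{"source": "/dev", "target": "/dev", "permissions": "rwm"}]}
}}
"""

def _source(entry):
    """Host path of a devices:/volumes: entry (short string or long mapping)."""
    if isinstance(entry, dict):
        return entry.get("source", "")
    return str(entry).split(":", 1)[0]

def audit(compose):
    """Return sorted (service, finding) pairs; the rules are this example's assumptions."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if svc.get("privileged") is True:
            findings.append((name, "privileged mode"))
        for cap in svc.get("cap_add") or []:
            findings.append((name, f"cap_add {cap}"))
        for dev in svc.get("devices") or []:
            src = _source(dev).rstrip("/")
            # A single node looks like /dev/sda1; /dev itself is the whole tree.
            if not src.startswith("/dev/"):
                findings.append((name, f"device {src or '/'} is not a single /dev node"))
        for vol in svc.get("volumes") or []:
            src = _source(vol).rstrip("/")
            if src == "/dev" or src.startswith("/dev/"):
                findings.append((name, f"bind mount of {src} instead of a devices: entry"))
    return sorted(findings)

if __name__ == "__main__":
    for service, finding in audit(json.loads(SAMPLE)):
        print(f"{service}: {finding}")
```

Both the short string form and the mapping form of devices: and volumes: entries are handled, since the rendered config may use either.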
Summary
devices: is the right knob when your container needs raw access to a piece of hardware on the host. Grant just the device nodes the app actually needs, set sensible host-side permissions, and avoid privileged mode entirely — Barbara rejects privileged containers on edge nodes.