feat: Add cl_devices parameter for mounting host devices to CL containers (#1251)

# Update

This PR requires you to run the latest (1.14.1+) version of kurtosis! 

## Summary

This PR adds support for mounting host devices (e.g., `/dev/tpm0`) into
Consensus Layer (CL) containers. This enables use cases such as TPM
(Trusted Platform Module) access for hardware-backed security features
in CL clients like Lighthouse.

## Changes

### Configuration (`network_params.yaml`)
- Added `cl_devices: []` parameter to participant structure
- Accepts a list of device paths (e.g., `["/dev/tpm0"]`)

### Input Parser (`src/package_io/input_parser.star`)
- Added `cl_devices: []` to default participant structure
- Added `cl_devices` to participant struct creation

### Validation (`src/package_io/sanity_check.star`)
- Added `cl_devices` to participant validation lists
- Added to both `PARTICIPANT_CATEGORIES` and `PARTICIPANT_MATRIX_PARAMS`

### CL Launchers
Updated all CL client launchers to pass devices to `ServiceConfig`:
- `src/cl/lighthouse/lighthouse_launcher.star`
- `src/cl/lodestar/lodestar_launcher.star`
- `src/cl/nimbus/nimbus_launcher.star`
- `src/cl/prysm/prysm_launcher.star`
- `src/cl/teku/teku_launcher.star`
- `src/cl/grandine/grandine_launcher.star`

Each launcher now includes:
if len(participant.cl_devices) > 0:
config_args["devices"] = participant.cl_devices### Package Configuration
(`kurtosis.yml`)
- Updated package name to match repository location

## Usage

Users can now specify devices in their `network_params.yaml`:
aml
participants:
  - el_type: geth
    cl_type: lighthouse
    cl_devices: ["/dev/tpm0"]
    # ... other configOr for multiple devices:

cl_devices: ["/dev/tpm0", "/dev/tpm1"]
## Requirements

**This feature requires a patched version of Kurtosis** that includes
device mounting support in `ServiceConfig`. The standard Kurtosis
release does not yet support the `devices` field. A PR has been opened
there.

## Implementation Details

- Devices are passed through to Kurtosis `ServiceConfig` as a list of
strings
- Each device path is mounted at the same path inside the container
- Empty list (default) results in no device mounts
- Works with all supported CL clients (Lighthouse, Lodestar, Nimbus,
Prysm, Teku, Grandine)

## Testing

- [x] Added parameter to configuration structure
- [x] Updated all CL launchers
- [x] Added validation
- [ ] Requires testing with patched Kurtosis build

## Related

This change enables hardware device access for CL containers,
particularly useful for:
- TPM-based key management
- Hardware security modules (HSM)
- Other device-specific use cases

---------

Signed-off-by: Barnabas Busa <[email protected]>
Co-authored-by: Barnabas Busa <[email protected]>
Co-authored-by: Barnabas Busa <[email protected]>

Author: dzobbe

README.md

@@ -224,6 +224,12 @@ participants:
     # Example: el_extra_mounts: {"/config": "my_config_file"}  # Creates /config/my_config_file
     el_extra_mounts: {}
 
+    # A list of host devices to mount into the EL client container
+    # Useful for hardware device access like TPM, HSM, etc.
+    # Example: el_devices: ["/dev/tpm0"]
+    # Defaults to empty list
+    el_devices: []
+
     # A list of tolerations that will be passed to the EL client container
     # Only works with Kubernetes
     # Example: el_tolerations:
@@ -289,6 +295,12 @@ participants:
     # Example: cl_extra_mounts: {"/config": "my_config_file"}  # Creates /config/my_config_file
     cl_extra_mounts: {}
 
+    # A list of host devices to mount into the CL client container
+    # Useful for hardware device access like TPM, HSM, etc.
+    # Example: cl_devices: ["/dev/tpm0"]
+    # Defaults to empty list
+    cl_devices: []
+
     # A list of tolerations that will be passed to the CL client container
     # Only works with Kubernetes
     # Example: el_tolerations:
@@ -365,6 +377,12 @@ participants:
     # Example: vc_extra_mounts: {"/config": "my_validator_config"}  # Creates /config/my_validator_config
     vc_extra_mounts: {}
 
+    # A list of host devices to mount into the validator client container
+    # Useful for hardware device access like TPM, HSM, etc.
+    # Example: vc_devices: ["/dev/tpm0"]
+    # Defaults to empty list
+    vc_devices: []
+
     # A list of tolerations that will be passed to the validator container
     # Only works with Kubernetes
     # Example: el_tolerations:

network_params.yaml

@@ -7,6 +7,7 @@ participants:
     el_extra_labels: {}
     el_extra_params: []
     el_extra_mounts: {}
+    el_devices: []
     el_tolerations: []
     el_volume_size: 0
     el_min_cpu: 0
@@ -21,6 +22,7 @@ participants:
     cl_extra_labels: {}
     cl_extra_params: []
     cl_extra_mounts: {}
+    cl_devices: []
     cl_tolerations: []
     cl_volume_size: 0
     cl_min_cpu: 0
@@ -37,6 +39,7 @@ participants:
     vc_extra_labels: {}
     vc_extra_params: []
     vc_extra_mounts: {}
+    vc_devices: []
     vc_tolerations: []
     vc_min_cpu: 0
     vc_max_cpu: 0

src/cl/grandine/grandine_launcher.star

@@ -361,6 +361,8 @@ def get_beacon_config(
         "user": User(uid=0, gid=0),
     }
 
+    if len(participant.cl_devices) > 0:
+        config_args["devices"] = participant.cl_devices
     # Only add ready_conditions if not skipping start
     if not participant.skip_start:
         config_args["ready_conditions"] = cl_node_ready_conditions.get_ready_conditions(

src/cl/lighthouse/lighthouse_launcher.star

@@ -334,6 +334,8 @@ def get_beacon_config(
         "node_selectors": node_selectors,
     }
 
+    if len(participant.cl_devices) > 0:
+        config_args["devices"] = participant.cl_devices
     # Only add ready_conditions if not skipping start
     if not participant.skip_start:
         config_args["ready_conditions"] = cl_node_ready_conditions.get_ready_conditions(

src/cl/lodestar/lodestar_launcher.star

@@ -313,6 +313,8 @@ def get_beacon_config(
         "node_selectors": node_selectors,
     }
 
+    if len(participant.cl_devices) > 0:
+        config_args["devices"] = participant.cl_devices
     # Only add ready_conditions if not skipping start
     if not participant.skip_start:
         config_args["ready_conditions"] = cl_node_ready_conditions.get_ready_conditions(

src/cl/nimbus/nimbus_launcher.star

@@ -371,6 +371,8 @@ def get_beacon_config(
         "user": User(uid=0, gid=0),
     }
 
+    if len(participant.cl_devices) > 0:
+        config_args["devices"] = participant.cl_devices
     # Only add ready_conditions if not skipping start
     if not participant.skip_start:
         config_args["ready_conditions"] = cl_node_ready_conditions.get_ready_conditions(

src/cl/prysm/prysm_launcher.star

@@ -350,6 +350,8 @@ def get_beacon_config(
         "tty_enabled": True,
     }
 
+    if len(participant.cl_devices) > 0:
+        config_args["devices"] = participant.cl_devices
     # Only add ready_conditions if not skipping start (port checks are already disabled via wait="disable")
     if not participant.skip_start:
         config_args["ready_conditions"] = cl_node_ready_conditions.get_ready_conditions(

src/cl/teku/teku_launcher.star

@@ -372,6 +372,8 @@ def get_beacon_config(
         "user": User(uid=0, gid=0),
     }
 
+    if len(participant.cl_devices) > 0:
+        config_args["devices"] = participant.cl_devices
     # Only add ready_conditions if not skipping start
     if not participant.skip_start:
         config_args["ready_conditions"] = cl_node_ready_conditions.get_ready_conditions(

src/el/besu/besu_launcher.star

@@ -277,6 +277,8 @@ def get_config(
         config_args["min_memory"] = participant.el_min_mem
     if participant.el_max_mem > 0:
         config_args["max_memory"] = participant.el_max_mem
+    if len(participant.el_devices) > 0:
+        config_args["devices"] = participant.el_devices
     return ServiceConfig(**config_args)
 
 

src/el/erigon/erigon_launcher.star

@@ -282,6 +282,8 @@ def get_config(
         config_args["min_memory"] = participant.el_min_mem
     if participant.el_max_mem > 0:
         config_args["max_memory"] = participant.el_max_mem
+    if len(participant.el_devices) > 0:
+        config_args["devices"] = participant.el_devices
     return ServiceConfig(**config_args)