Pass USB Device to unprivileged LXC

[Dilnane]

I have a question very similar to this one: Pass USB Device to LXC
I have my externel disk enclosure that is plugged in USB on host:

root@pve:~# lsusb
Bus 004 Device 006: ID 174c:55aa ASMedia Technology Inc. ASM1051E SATA 6Gb/s bridge, ASM1053E SATA 6Gb/s bridge, ASM1153 SATA 3Gb/s bridge, ASM1153E SATA 6Gb/s bridge

I have this major and minor on host :

root@pve:~# ls -al /dev/bus/usb/004/006
crw-rw-r-- 1 root root 189, 388 Apr 23 17:52 /dev/bus/usb/004/006

in my ct.conf I added those two lines (I tried also with create=dir) :

lxc.cgroup2.devices.allow: c 189:388 rwm
lxc.mount.entry: /dev/bus/usb/004/006 dev/bus/usb/004/006 none bind,optional,create=file

I also created a /etc/udev/rules.d/50-myusb.rulesfile and triggered udevadm just after:

root@pve:~# udevadm info -a -n /dev/bus/usb/004/006 | grep '{idVendor}' | head -n1
    ATTR{idVendor}=="174c"
root@pve:~# udevadm info -a -n /dev/bus/usb/004/006 | grep '{idProduct}' | head -n1
    ATTR{idProduct}=="55aa"
root@pve:~# cat <<EOT >> /etc/udev/rules.d/50-myusb.rules
SUBSYSTEMS=="usb", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="55aa", GROUP="users", MODE="0666"
EOT
root@pve:~# udevadm trigger

I then indeed have my node file created in my ct (with nobody/nogroup idk if that's part of the issue):

root@ct:/# stat /dev/bus/usb/004/006
  File: /dev/bus/usb/004/006
  Size: 0               Blocks: 0          IO Block: 4096   character special file
Device: 5h/5d   Inode: 1818        Links: 1     Device type: bd,186
Access: (0666/crw-rw-rw-)  Uid: (65534/  nobody)   Gid: (65534/ nogroup)
Access: 2024-04-25 13:19:44.944646064 +0000
Modify: 2024-04-25 13:19:44.944646064 +0000
Change: 2024-04-25 13:19:44.944646064 +0000
 Birth: 2024-04-25 13:19:44.932645524 +0000

But i don't have any device node under /dev/sdX as it should be.
I do have it under my host:

root@pve:~# ls -lah /dev/ | grep sd
brw-rw-rw-  1 root disk      8,     0 Apr 25 15:19 sda
brw-rw-rw-  1 root users     8,     1 Apr 25 15:40 sda1

So I can't mount anything in my ct as I'm aware.

 

[fiona]

Hi,
since Proxmox VE 8.1, you can simply pass-through the device in /dev/ via pct set <ID> --dev0 /dev/XYZ,<other options> (or --dev1, etc.) option. In Proxmox VE 8.2, this is also possible in the UI.

 

[Dilnane]

Interesting thanks.
I passed the partition straight awaypct set <ID> --dev0 /dev/sda1, as passing the all device node with pct set <ID> --dev0 /dev/sda wasn't creating my /dev/sda1 device node on CT.

It's owned by root as it should be:

root@ct:/dev# stat sda1
  File: sda1
  Size: 0               Blocks: 0          IO Block: 4096   block special file
Device: 2fh/47d Inode: 3           Links: 1     Device type: 8,1
Access: (0660/brw-rw----)  Uid: (    0/    root)   Gid: (    0/    root)

But I'm unable to mount it.

root@ct:/# mount /dev/sda1 /media/HDD/
ntfs-3g-mount: mount failed: Operation not permitted
User doesn't have privilege to mount. For more information
please see: http://tuxera.com/community/ntfs-3g-faq/#unprivileged

I found some answers here on ntfs-3g github WHY CAN’T UNPRIVILEGED USERS MOUNT BLOCK DEVICES? but I don't see an issue on my side on those points as I'm using my root user.
Did the sda1 truly owned by root ? If yes I shouldn't encounter any issue to mount it inside am I wrong ?

EDIT:
I do not want to mount it on my host. So pct set <ID> -mp0 /mnt/sda1_mountpoint/,mp=/media/HDD/ is excluded.

 

[fiona]

EDIT:
I do not want to mount it on my host. So pct set <ID> -mp0 /mnt/sda1_mountpoint/,mp=/media/HDD/ is excluded.

Why not? For such cases, that is usually the way to go.