Hard time passing through USB to LXC

Tullibulli

New Member
Feb 23, 2023
14
1
3
I run a Debian-LXC as a Dockerhost.
The Dockerhost is dedicatet to my workshop running services for a 3D-printer and a CNC-router.

For the sake of keeping it simple, lets take one of them out of the equation and focus on the CNC-router.
The CNC-router need a USB-connection that I call ttyUSB0.

Technically, I have gotten this to work but not as how I want it to.

The node conf include the following
lxc.cgroup2.devices.allow: c 188:* rwm lxc.mount.entry: /dev/ttyUSB0 dev/ttyUSB0 none bind,optional,create=file

(As a side note, I've also tried lxc.cgroup2.devices.allow: a, and that is likely what I will be running with eventually to keep things simple).

Now, the problem is that this does not work until I log in to the shell of the host and enter
chmod a+rw /dev/ttyUSB0

This change the device from
crw-rw---- 1 root dialout 188, 0 Jul 1 18:21 /dev/ttyUSB0
to
crw-rw-rw- 1 root dialout 188, 0 Jul 1 18:21 /dev/ttyUSB0

This change both on the host/machine and the container/node.
The node (Debian-LXC) gets read/write-permissions to the host's USB (Proxmox-host), and the second passthrough from LXC to Docker is a non-issue.
Everything start to work.

Until I restart the host...
Is there an easy way to have this persistant? I know Proxmox create all dev during bootup so they're alway new but is there a option in Proxmox to make the passthrough persitent, similar as with the VM's?
I would like to avoid special operations such as a cronjob if there's any other way to do it.
Or at least as easy so I don't need to relearn it every second 10 month? The extra lines in the node conf is already to much to keep in mind next time I do this operation...
 
Last edited:
Is there an easy way to have this persistant? I know Proxmox create all dev during bootup so they're alway new but is there a option in Proxmox to make the passthrough persitent, similar as with the VM's?
The right way is to lxc.idmap the host group that has permissions on that device to the same group inside the container. Then (container) users of that group will have the necessary permissions. The easy way is to setup that chmod command in crontab to run at reboot.
 
I need to map nogroup to dailout but can't seem to find the GID for that group in Linux.
I could map root to nobody, but then that would probably be a bad practice out of a security perspective.

Host: crw-rw-rw- 1 root dialout 188, 0 Jul 2 01:12 /dev/ttyUSB0
Node: crw-rw---- 1 nobody nogroup 188, 0 Jul 1 23:09 /dev/ttyUSB0

Yes, lxc.idmap seems even more complex than crontab.
 
When working with an unprivileged LXC keep user/group remapping in mind. GID 188 inside the LXC by default would be GID 100188 on the PVE host. So manual mapping would be required, so that 188 isn't mapped to 100188 anymore.
 
Last edited:
  • Like
Reactions: Tullibulli
Thanks for the help. I went along your first suggestion and made some careful notes about crontab in the summary of the LXC.

I'm considering running my dockerhosts as VM's instead, that'll manage everything much easier.
I run 3 HP mini's as hosts in a cluster, each with one dockerhost in LCX along side some VM's.
Containers seems much more lightweight though.
 
Thanks for the help. I went along your first suggestion and made some careful notes about crontab in the summary of the LXC.

I'm considering running my dockerhosts as VM's instead, that'll manage everything much easier.
I run 3 HP mini's as hosts in a cluster, each with one dockerhost in LCX along side some VM's.
Containers seems much more lightweight though.
Yeah, thats the official recommended way to do it...and much less problems... ;)

https://pve.proxmox.com/wiki/Linux_Container said:
If you want to run application containers, for example, Docker images, it is recommended that you run them inside a Proxmox QEMU VM. This will give you all the advantages of application containerization, while also providing the benefits that VMs offer, such as strong isolation from the host and the ability to live-migrate, which otherwise isn’t possible with containers.
 
Last edited:
I can understand that, much easier. To be frank, I initially thought LXC had some benefits over docker (such as unique IP and hardware allocation) but Docker is catching up to the point I'm close to suggest Proxmox should ditch LXC and implement a docker interface instead (as Unraid or Synology).

Anyways...
Everything is running fine but I hit another issue with VM which makes console work really hard:
https://forum.proxmox.com/threads/xhci_hcd-error/
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!