Issue with USB Passthrough to LXC container

[skelleton]

Hello,

I have a LXC container that i use only sporadically.
It has a USB card reader passthrough configured like this:

arch: amd64
cores: 2
features: nesting=1
hostname: homecard01
memory: 2048
net0: name=eth0,bridge=vmbr100,firewall=1,hwaddr=xxxxxxxxx,ip=dhcp,type=veth
ostype: debian
rootfs: Fast-Pool:subvol-134-disk-0,mountoptions=noatime,size=8G
swap: 0
lxc.cgroup.devices.allow: c 188:* rwm
lxc.mount.entry: /dev/card01 dev/card01 none bind,optional,create=file,mode=0666

This has worked the last time i used the container in PVE 6.x.
It stopped working with PVE 7.0. I always got the error operation not permitted when accessing the card reader
It was not a huge issue before but not i need the container again and experimented a bit.

I have gotten the passthrough working by doing the following:

1. remove the config entry: lxc.mount.entry: /dev/card01 dev/card01 none bind,optional,create=file,mode=0666
2. Start the container
3. run the following command lxc-device add -n 134 /dev/card01
4. after this i was able to access the card reader without error but I could not actually use it in my program.
5. To get this to work i had to also passthrough the usb device itself: lxc-device add -n 134 /dev/bus/usb/001/003

This works for now but is a bit tedious.

Is there anything that i can change in the config to get the lxc.mount.entry to work?
Is it possible to automate the lxc-device add commands with the container start?

 

[oguz]

hi,

It stopped working with PVE 7.0.

mentioned in a lot of threads in the forum... [0]

TLDR: since PVE7 cgroup2 is default, change lxc.cgroup.devices.allow to lxc.cgroup2.devices.allow in your config

please mark the thread [SOLVED] when it starts working

[0]: https://pve.proxmox.com/pve-docs/chapter-pct.html#pct_cgroup_compat

 

[skelleton]

Thank that worked.

It seems odd then that i have another container with a USB device passed through where this config still works:

lxc.cgroup.devices.allow: c 166:* rwm
lxc.mount.entry: /dev/ttyACM0 dev/ttyACM0 none bind,optional,create=file,mode=0666

 

[oguz]

Thank that worked.

great

It seems odd then that i have another container with a USB device passed through where this config still works:

hmm... that's a bit weird. have you rebooted that container after the upgrades?

you also haven't mentioned if you rebooted your PVE after the upgrade to 7.

does /dev/ttyACM0 really use 166 as the major number?
what do you get if you run ls -aln /dev/ttyACM0 on the host?

does the device show up correctly in the container?

what container is this? please post the full config...

 

[skelleton]

Hello oguz,

Sorry for the late reply. This was low on my priority list, as the actual problem is resolved now.
To be safe in the future i also changed the other container to cgroup 2 and had no adverse effects.
But to be complete I am posting the answers below in case it helps with things in the future.
And yes I did reboot after the upgrade to Proxmox 7. The update has also been a while ago. I just didn't use the machine with the issue in a while.

Yes 166 is the major number for ttyACM0.

ls -aln /dev/ttyACM0
crw-rw-rw- 1 0 20 166, 0 Jan 18 08:48 /dev/ttyACM0

In case its relevant: the device is a Conbee 2 Zigbee gateway.


Here is the container:

arch: amd64
cores: 4
features: nesting=1
hostname: homeassistant
memory: 2048
net0: name=eth0,bridge=vmbr100,firewall=1,gw=192.168.80.250,hwaddr=EE:C3:77:09:47:FE,ip=192.168.80.248/24,type=veth
onboot: 1
ostype: debian
rootfs: Fast-Pool:subvol-139-disk-0,size=20G
swap: 512
unprivileged: 1
lxc.cgroup2.devices.allow: c 166:* rwm
lxc.mount.entry: /dev/ttyACM0 dev/ttyACM0 none bind,optional,create=file,mode=0666

Edit: just as a note when i opened a ticket the cgroup2 was still only configured as cgroup and it still worked fine on this container.
I can do some limited testing on that in case there is something interesting for you, but id prefer not to have any major down time on my home automation.