LXC USB pass-through not accessible (rights, owner)

eb8

hello,
on two different laptops, connecting a mobile (different mobiles, but both in ADB) and passing it through to an unpriv. LXC gives different results.

on laptop A, the device entry created looks like
crw-rw-rw-+ 1 root dialout 189, 138 Sep 24 07:27 /dev/bus/usb/002/011
in the container:
crw-rw-rw-+ 1 nobody nogroup 189, 138 Sep 24 07:27 /dev/bus/usb/002/011

on laptop B, it looks like:
crw-rw----+ 1 root audio 189, 7 Sep 24 07:18 /dev/bus/usb/001/008
in the container
crw-rw----+ 1 nobody nogroup 189, 7 Sep 24 07:18 /dev/bus/usb/001/008

On Laptop A, adb in a container can access the mobile, on B not.
I assume, these are the missing world-rw.

I've tried to set up special udev-rules, to change the mode & group, and to create symlink. both did not work on Laptop B.
the lxc.mount.entry in the lxc-config also does not change mode & group…

Can someone please shed some light on this?

Code:
arch: amd64
cores: 2
features: mknod=1,nesting=1,fuse=1,keyctl=1
hostname: usb
memory: 512
net0: name=eth0,bridge=vmbr0,hwaddr=B6:BA:34:66:B4:BA,ip=dhcp,type=veth
ostype: debian
rootfs: data:subvol-102-disk-0,mountoptions=noatime,size=8G
swap: 512
unprivileged: 1
lxc.cgroup.devices.allow: c 189:* rwm
lxc.mount.entry: /dev/bus/usb/001/008 dev/bus/usb/001/008 none bind,optional,create=file,uid=0,gid=20,mode=0666

TIA
guenter
 
hi,

could you try with the following mount entry on laptop B:
Code:
...
lxc.cgroup.devices.allow: c 189:7 rwm
lxc.mount.entry: /dev/bus/usb/001/008 dev/bus/usb/001/008 none bind,create=file

if it doesn't work please post the working container config from laptop A
 
hey @oguz

> could you try with the following mount entry on laptop B:
> Code:
> ...
> lxc.cgroup.devices.allow: c 189:7 rwm
> lxc.mount.entry: /dev/bus/usb/001/008 dev/bus/usb/001/008 none bind,create=file
has the same effect:
Code:
$ l bus/usb/001/008 
crw-rw----+ 1 nobody nogroup 189, 7 Sep 24 07:18 bus/usb/001/008


> if it doesn't work please post the working container config from laptop A
sry didn't mention, but they are the same:
Code:
arch: amd64
cores: 2
features: mknod=1,nesting=1,fuse=1,keyctl=1
hostname: usb
memory: 512
net0: name=eth0,bridge=vmbr0,hwaddr=B6:BA:34:66:B4:BA,ip=dhcp,type=veth
ostype: debian
rootfs: data:subvol-102-disk-0,mountoptions=noatime,size=8G
swap: 512
unprivileged: 1
lxc.cgroup.devices.allow: c 189:* rwm
lxc.mount.entry: /dev/bus/usb/001/008 dev/bus/usb/001/008 none bind,create=file

also, both laptops are latest PVE-ce, same kernel 5.4.60-1-pve.
 
> Code:
> $ l bus/usb/001/008
> crw-rw----+ 1 nobody nogroup 189, 7 Sep 24 07:18 bus/usb/001/008

is this inside the container or on the host?

what happens if you chown 100000:100000 /dev/bus/usb/001/008 on the host, you should then see the owner as root inside the container
 
> is this inside the container or on the host?
container

> what happens if you chown 100000:100000 /dev/bus/usb/001/008 on the host, you should then see the owner as root inside the container
yes, then it is accessible from adb as root. the goal is, to have it accessible from userid 1000 (+100000)

Code:
crw-rw----+ 1 root root 189, 7 Sep 24 07:18 /dev/bus/usb/001/008

but the udev-rules on the laptop B are not working:
Code:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="04e8",  ATTRS{idProduct}=="6860", MODE="0666", GROUP="20"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="04e8",  ATTRS{idProduct}=="6860", MODE="0666", GROUP="20", SYMLINK+="mobileadb"
on laptop A, the symlink will be created, on B not.
on both, the mode and group will not be changed.
 
> yes, then it is accessible from adb as root. the goal is, to have it accessible from userid 1000 (+100000)

then you can chown 101000 on the host and it should come up as the uid 1000 in the CT

> but the udev-rules on the laptop B are not working:
> on laptop A, the symlink will be created, on B not.
> on both, the mode and group will not be changed.

hmm, what are the versions you're using? pveversion -v

maybe you just have to update some packages or reboot the machine
 
@oguz ,

> then you can chown 101000 on the host and it should come up as the uid 1000 in the CT
sure, but doing that manually is not a solution.

the initial question was, why do 2 identical systems behave differently on 2 different laptops?
why does udev give the mobiles diff. rights and groups and why do the udev-rules not work?

these would be the parts which were needed to get the USB-pass-through going.

> hmm, what are the versions you're using? pveversion -v
>
> maybe you just have to update some packages or reboot the machine

the laptops A & B are more or less identical installs, managed by the same ansible roles.
and sure they have been rebooted, updated and any kinds of double checks, before I wrote here.

Code:
laptop A
proxmox-ve: 6.2-2 (running kernel: 5.4.60-1-pve)
pve-manager: 6.2-11 (running version: 6.2-11/22fb4983)
pve-kernel-5.4: 6.2-7
pve-kernel-helper: 6.2-7
pve-kernel-5.0: 6.0-11
pve-kernel-5.4.65-1-pve: 5.4.65-1
pve-kernel-5.4.60-1-pve: 5.4.60-2
pve-kernel-5.4.55-1-pve: 5.4.55-1
pve-kernel-5.4.41-1-pve: 5.4.41-1
pve-kernel-5.0.21-5-pve: 5.0.21-10
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: residual config
ifupdown2: 3.0.0-1+pve2
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.5
libpve-access-control: 6.1-2
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.2-2
libpve-guest-common-perl: 3.1-3
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.2-6
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-12
pve-cluster: 6.1-8
pve-container: 3.2-1
pve-docs: 6.2-5
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-3
pve-ha-manager: 3.1-1
pve-i18n: 2.2-1
pve-qemu-kvm: 5.1.0-2
pve-xtermjs: 4.7.0-2
pve-zsync: 2.0-3
qemu-server: 6.2-14
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.4-pve1



laptop B
proxmox-ve: 6.2-2 (running kernel: 5.4.60-1-pve)
pve-manager: 6.2-11 (running version: 6.2-11/22fb4983)
pve-kernel-5.4: 6.2-7
pve-kernel-helper: 6.2-7
pve-kernel-5.0: 6.0-11
pve-kernel-5.4.65-1-pve: 5.4.65-1
pve-kernel-5.4.60-1-pve: 5.4.60-2
pve-kernel-5.4.55-1-pve: 5.4.55-1
pve-kernel-5.0.21-5-pve: 5.0.21-10
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.5
libpve-access-control: 6.1-2
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.2-2
libpve-guest-common-perl: 3.1-3
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.2-6
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-12
pve-cluster: 6.1-8
pve-container: 3.2-1
pve-docs: 6.2-5
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-3
pve-ha-manager: 3.1-1
pve-i18n: 2.2-1
pve-qemu-kvm: 5.1.0-2
pve-xtermjs: 4.7.0-2
qemu-server: 6.2-14
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.4-pve1
 
> sure, but doing that manually is not a solution.
what do you mean? if you want it to be accessed by a specific uid then you need to set it on the host. please read [0]

> the initial question was, why do 2 identical systems behave differently on 2 different laptops?
> why does udev give the mobiles diff. rights and groups and why do the udev-rules not work?

that i can't give you a good answer to at the moment.
* are the laptops the same hardware?
* separate standalone hosts or in a cluster?
* any other containers or VMs running?
* maybe you can check dmesg output on the host to see if the device is being recognized/loaded correctly.


to be sure that everything on the container side is configured:
* pct config CTID (for both containers, please label them laptop A CT & laptop B CT )
* ls -aln /dev/bus/*/* output from host and from containers

[0]: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
 
@oguz,
thank you for helping me with that one & sry, was away for a few days.

> * are the laptops the same hardware?
no, Laptop A (my laptop) is a TP E490, 2019
Laptop B (customer) are actually 2 laptops, One HP one TP X1 (2018/2019)

> * separate standalone hosts or in a cluster?
all are standalone Hosts

> * any other containers or VMs running?
yes, on A, always 3 containers (2 x unpriv, 1 x priv). normally no USB-Passthrough, VMs irregularly
on B two containers (2 x unpriv), one of them should carry the USB-Passthrough

> * maybe you can check dmesg output on the host to see if the device is being recognized/loaded correctly.
checked journal already a couple of times, no irregularities have been seen.
Code:
[547676.271751] usb 1-2: new high-speed USB device number 13 using xhci_hcd
[547676.420996] usb 1-2: New USB device found, idVendor=04e8, idProduct=6860, bcdDevice= 4.00
[547676.421004] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[547676.421010] usb 1-2: Product: SAMSUNG_Android
[547676.421014] usb 1-2: Manufacturer: SAMSUNG
[547676.421020] usb 1-2: SerialNumber: 0815f844ba9b0905
[547676.424661] cdc_acm 1-2:1.1: ttyACM0: USB ACM device

laptop A pct config 102:
Code:
pct config 102
arch: amd64
cores: 3
description: insert docker part below%0Alxc.apparmor.profile%3A unconfined%0Alxc.cgroup.devices.allow%3A a%0Alxc.cap.drop%3A %0A for USB%0Alxc.mount.entry%3A /dev/motoZ dev/motoZ none bind,optional,create=file,uid=0,gid=dialout,mode=0666%0Alxc.mount.entry%3A /dev/motozadb dev/motozadb none bind,optional,create=file,uid=0,gid=dialout,mode=0666%0Alxc.mount.entry%3A /dev/motoZ dev/motoZ none bind,optional,create=file%0Alxc.mount.entry%3A /dev/motozadb dev/motozadb none bind,optional,create=file%0A
features: mknod=1,nesting=1,fuse=1,keyctl=1
hostname: testusb
memory: 512
net0: name=eth0,bridge=vmbr1,hwaddr=56:4C:A1:56:50:BA,ip=dhcp,type=veth
ostype: debian
rootfs: data:subvol-102-disk-0,mountoptions=noatime,size=32G
swap: 512
unprivileged: 1
lxc.cgroup.devices.allow: c 189:* rwm
lxc.mount.entry: /dev/bus/usb/002/012 dev/bus/usb/002/012 none bind,optional,create=file,uid=0,gid=20,mode=0666

Dir on host A
Code:
$ lsusb
Bus 002 Device 012: ID 22b8:2e82 Motorola PCS 
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 5986:2113 Acer, Inc 
Bus 001 Device 002: ID 8087:0025 Intel Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

$ ls -aln /dev/bus/*/*
/dev/bus/usb/001:
insgesamt 0
drwxr-xr-x 2 0 0    100 Sep 20 20:11 .
drwxr-xr-x 4 0 0     80 Sep 13 15:20 ..
crw-rw-r-- 1 0 0 189, 0 Sep 24 07:27 001
crw-rw-r-- 1 0 0 189, 1 Sep 24 07:27 002
crw-rw-r-- 1 0 0 189, 2 Sep 24 07:27 003

/dev/bus/usb/002:
insgesamt 0
drwxr-xr-x  2 0  0       80 Okt  1 07:06 .
drwxr-xr-x  4 0  0       80 Sep 13 15:20 ..
crw-rw-r--  1 0  0 189, 128 Sep 24 07:27 001
crw-rw-rw-+ 1 0 20 189, 139 Okt  1 07:06 012

dir on CT A
Code:
$ lsusb
Bus 002 Device 012: ID 22b8:2e82 Motorola PCS 
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 5986:2113 Acer, Inc 
Bus 001 Device 002: ID 8087:0025 Intel Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

$ ls -aln /dev/bus/*/*
insgesamt 0
drwxr-xr-x  2     0     0       60 Okt  1 07:12 .
drwxr-xr-x  3     0     0       60 Okt  1 07:12 ..
crw-rw-rw-+ 1 65534 65534 189, 139 Okt  1 07:06 012


Laptop B config
Code:
arch: amd64
cores: 2
features: mknod=1,nesting=1,fuse=1,keyctl=1
hostname: usb
memory: 512
net0: name=eth0,bridge=vmbr0,hwaddr=B6:BA:34:66:B4:BA,ip=dhcp,type=veth
ostype: debian
rootfs: data:subvol-102-disk-0,mountoptions=noatime,size=8G
swap: 512
unprivileged: 1
lxc.cgroup.devices.allow: c 189:* rwm
lxc.mount.entry: /dev/bus/usb/001/013 dev/bus/usb/001/013 none bind,create=file

Dir on Host B
Code:
$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 04f2:b61e Chicony Electronics Co., Ltd 
Bus 001 Device 013: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy series, misc. (MTP mode)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

$ ls -aln /dev/bus/*/*
/dev/bus/usb/001:
insgesamt 0
drwxr-xr-x  2 0  0     100 Sep 28 23:46 .
drwxr-xr-x  4 0  0      80 Sep 22 17:38 ..
crw-rw-r--  1 0  0 189,  0 Sep 24 07:18 001
crw-rw-r--  1 0  0 189,  3 Sep 24 07:18 004
crw-rw----+ 1 0 29 189, 12 Sep 28 23:46 013

/dev/bus/usb/002:
insgesamt 0
drwxr-xr-x 2 0 0       60 Sep 22 17:38 .
drwxr-xr-x 4 0 0       80 Sep 22 17:38 ..
crw-rw-r-- 1 0 0 189, 128 Sep 24 07:18 001

Dir on CT B
Code:
 lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 04f2:b61e Chicony Electronics Co., Ltd 
Bus 001 Device 013: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy series, misc. (MTP mode)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

$ ls -lan /dev/bus/*/*
total 0
drwxr-xr-x  2     0     0      60 Oct  1 07:20 .
drwxr-xr-x  3     0     0      60 Oct  1 07:20 ..
crw-rw----+ 1 65534 65534 189, 12 Sep 28 23:46 013
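
The ownership mapping discussed in this thread, as an added example that is not part of any post: a small model of how host uids/gids appear inside an unprivileged container and whether a container user passes the owner/group/other check on the device node. The idmap (container 0..65535 to host 100000..165535) is an assumption consistent with the `chown 100000` / `chown 101000` advice above; ACLs, the cgroup device list and root capability overrides are not modelled.

```python
# Added example: models how an unprivileged CT sees a host device node.
# Assumption: idmap container 0..65535 -> host 100000..165535, consistent
# with the thread's "chown 100000" (CT root) and "chown 101000" (CT uid 1000).
IDMAP = (0, 100000, 65536)   # (container_start, host_start, count)
OVERFLOW_ID = 65534          # kernel overflow id, displayed as nobody/nogroup


def host_to_ct(host_id, idmap=IDMAP):
    """Id that `ls -n` inside the container shows for a host uid/gid."""
    ct_start, host_start, count = idmap
    if host_start <= host_id < host_start + count:
        return ct_start + (host_id - host_start)
    return OVERFLOW_ID  # unmapped host ids (e.g. host root) collapse to 65534


def ct_to_host(ct_id, idmap=IDMAP):
    """Host id the kernel actually uses for a container uid/gid."""
    ct_start, host_start, count = idmap
    if not ct_start <= ct_id < ct_start + count:
        raise ValueError(f"container id {ct_id} is outside the idmap")
    return host_start + (ct_id - ct_start)


def can_open_rw(node_uid, node_gid, mode, ct_uid, ct_gids, idmap=IDMAP):
    """Owner/group/other check for read+write on a node with host ownership.

    Not modelled: POSIX ACLs (the '+' in the listings), the cgroup device
    allow list, and capability overrides for container root.
    """
    uid = ct_to_host(ct_uid, idmap)
    gids = {ct_to_host(g, idmap) for g in ct_gids}
    if uid == node_uid:
        bits = (mode >> 6) & 7      # owner bits
    elif node_gid in gids:
        bits = (mode >> 3) & 7      # group bits
    else:
        bits = mode & 7             # other bits
    return (bits & 6) == 6


if __name__ == "__main__":
    # Constructed cases using the numeric owners and modes from the listings.
    cases = {
        "B: 0:29 0660": (0, 29, 0o660),
        "A: 0:20 0666": (0, 20, 0o666),
        "B after chown 101000": (101000, 29, 0o660),
    }
    for name, (u, g, m) in cases.items():
        print(name, "->", can_open_rw(u, g, m, ct_uid=1000, ct_gids={1000, 20}))
```

Note that container gid 20 corresponds to host gid 100020 under this map, so membership in a group numbered 20 inside the container does not match a node owned by host gid 20.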
 
