Hi,
I have the following nested setup:
1. Proxmox PVE on bare metal (Intel Nuc / 5.15.158-2-pve)
2. Debian Stable as LXC container on 5.15.158-2-pve
3. Home Assistant as unprivileged Docker container (Docker version 27.1.1, build 6312585)
This works well, except for USB pass-through: when I update/restart Docker, I get the error:
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error creating device nodes: mount /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00:/var/lib/docker/overlay2/963a244fa0d220f872cc0e02714e6045b112c5db6404ce5a47903ec936b2e51e/merged/dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 (via /proc/self/fd/6), flags: 0x1000: no such file or directory: unknown
When I reboot either the Debian LXC or PVE as a whole, the error goes away and Docker images start without a problem. --> Actually, today it doesn't go away at all; neither rebooting the Debian LXC nor PVE solves the issue.
What doesn't work:
1. Restarting either Docker, the LXC, or PVE
2. Running docker system prune
3. Deleting /var/lib/docker/overlay2/ and rebuilding all containers/images
4. Running docker in privileged mode
Question 1: Why do I get this error and how can I solve this?
Question 2: Why do these pass-through USB ports show up under /mount/ on my Debian LXC container?
I've also asked the question on the Docker forum for the Docker perspective.
On Proxmox I have the following config:
HTTP:
tim@pve:~$ sudo cat /etc/pve/lxc/201.conf
#Debian LXC server
arch: amd64
cores: 4
features: nesting=1
hostname: proteus
memory: 16384
mp0: /mnt/bulk,mp=/mnt/bulk
net0: name=eth0,bridge=vmbr0,firewall=0,gw=172.17.10.1,hwaddr=7E:D5:09:E1:91:0D,ip=172.17.10.2/24,tag=10,type=veth
onboot: 1
ostype: debian
rootfs: thinpool_vms:vm-201-disk-0,size=300G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1010
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 60
lxc.idmap: g 105 103 1
lxc.idmap: g 106 100106 904
lxc.idmap: u 1010 1010 10
lxc.idmap: g 1010 1010 10
lxc.idmap: u 1020 101020 64515
lxc.idmap: g 1020 101020 64515
lxc.init.cmd: /sbin/init systemd.unified_cgroup_hierarchy=0
lxc.cgroup2.devices.allow: c 188:* rwm
lxc.mount.entry: /lxc/201/devices/FTDI_FT232R_USB_UART_AC2F17KR-container-link dev/usb-FTDI_FT232R_USB_UART_AC2F17KR-if00-port0 none bind,optional,create=file
lxc.cgroup2.devices.allow: c 166:* rwm
lxc.mount.entry: /lxc/201/devices/dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-container-link dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 none bind,optional,create=file
lxc.cgroup2.devices.allow: c 226:* rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
Which gives me these links to pass through:
Bash:
tim@pve:~$ sudo ls -l /lxc/201/devices
crw-rw---- 1 100000 100020 166, 0 Aug 8 08:42 dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-container-link
crw-rw---- 1 100000 100020 188, 1 Jun 8 13:56 FTDI_FT232R_USB_UART_AC2F17KR-container-link
On my Debian LXC image I see the following:
Bash:
tim@debian:~$ mount | grep usb
/dev/mapper/pve-root on /dev/usb-FTDI_FT232R_USB_UART_AC2F17KR-if00-port0 type ext4 (rw,relatime,errors=remount-ro)
/dev/mapper/pve-root on /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 type ext4 (rw,relatime,errors=remount-ro)
tim@debian:~/docker$ ls -l /dev/usb-*
crw-rw---- 0 root dialout 166, 0 Aug 8 08:12 /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00
crw-rw---- 0 root dialout 188, 1 Jun 8 13:56 /dev/usb-FTDI_FT232R_USB_UART_AC2F17KR-if00-port0
On Docker I have the following compose file. Note that 'privileged: true' is disabled for security reasons:
JSON:
tim@debian:~$ cat docker/home-assistant-compose.yml
# version: '3'
# https://www.home-assistant.io/installation/linux#docker-compose
# docker compose -f home-assistant-compose.yml up -d
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /var/lib/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    network_mode: host
    devices:
      - /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00
This works when I boot the LXC fresh. When I try to restart the container, I get an error:
Bash:
tim@debian:~/docker$ sudo docker compose -f home-assistant-compose.yml up -d
WARN[0000] Found orphan containers ([docker-app-1 docker-db-1 pigallery2]) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
[+] Running 0/1
⠼ Container homeassistant Starting 0.4s
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error creating device nodes: mount /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00:/var/lib/docker/overlay2/06f5efd809d035a93128edc19bb936c62b21b18f6e3e6a402a881c3852aa81c3/merged/dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 (via /proc/self/fd/6), flags: 0x1000: no such file or directory: unknown
Looking at the specifics, the source file exists:
Bash:
tim@debian:~$ ls -l /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00
crw-rw---- 0 root dialout 166, 0 Aug 8 08:12 /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00
And the overlay source also exists:
Bash:
tim@debian:~$ sudo ls -l /var/lib/docker/overlay2/06f5efd809d035a93128edc19bb936c62b21b18f6e3e6a402a881c3852aa81c3/
total 16
drwxr-xr-x 3 root root 4096 Aug 8 08:53 diff
-rw-r--r-- 1 root root 26 Aug 8 08:53 link
-rw-r--r-- 1 root root 927 Aug 8 08:53 lower
drwx------ 3 root root 4096 Aug 8 08:53 work
However, there is no 'merged' folder under the overlay directory structure. It seems Docker doesn't (re)create this?
Does anyone have any pointers? It's a bit annoying to have to restart the LXC to get Docker images to work, and it breaks a smooth Docker update flow. I'm not sure if this is a Docker error or Proxmox, but since it involves USB pass-through I thought I'd start here. Thanks in advance!
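On Question 2: each `lxc.mount.entry ... bind,optional,create=file` line in the config above bind-mounts a host-side link onto a file under /dev in the container, so `mount` lists it with the host root filesystem as its source. The sketch below is an added example, not code from the post or from Proxmox/Docker; it parses the runc error and a `/proc/self/mountinfo` listing to show where the device path comes from. The mount IDs, device numbers, the `<layer-id>` placeholder and the `rootfs-placeholder` name in the sample data are constructed.

```python
import re

# Matches the "mount SRC:DST (via ...)" part of the runc error quoted in the post.
RUNC_MOUNT = re.compile(r"mount (?P<src>/[^:\s]+):(?P<dst>/\S+) \(via ")

def parse_runc_mount_error(message):
    """Return (source, destination) from a runc 'error creating device nodes' message."""
    m = RUNC_MOUNT.search(message)
    return (m.group("src"), m.group("dst")) if m else None

def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo text into a dict keyed by mount point."""
    mounts = {}
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        fields, tail = left.split(), right.split()
        if not sep or len(fields) < 6 or len(tail) < 2:
            continue  # skip malformed lines
        mounts[fields[4]] = {"root": fields[3], "fstype": tail[0], "source": tail[1]}
    return mounts

def explain_device(path, mounts):
    """Say whether a /dev path is a bind-mounted file and where it comes from."""
    entry = mounts.get(path)
    if entry is None:
        return f"{path}: not a mount point (plain device node)"
    if entry["root"] != "/":
        return (f"{path}: bind mount of {entry['root']} from "
                f"{entry['source']} ({entry['fstype']})")
    return f"{path}: mount of a whole {entry['fstype']} filesystem"

# Constructed sample data modelled on the output in the post (not captured output).
DEV = "/dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00"
LINK = "/lxc/201/devices/dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-container-link"
SAMPLE_MOUNTINFO = (
    "598 580 253:5 / / rw,relatime - ext4 /dev/mapper/rootfs-placeholder rw\n"
    f"620 598 253:1 {LINK} {DEV} rw,relatime - ext4 /dev/mapper/pve-root rw,errors=remount-ro\n"
)
SAMPLE_ERROR = (
    "error creating device nodes: mount "
    f"{DEV}:/var/lib/docker/overlay2/<layer-id>/merged{DEV} "
    "(via /proc/self/fd/6), flags: 0x1000: no such file or directory: unknown"
)

if __name__ == "__main__":
    src, dst = parse_runc_mount_error(SAMPLE_ERROR)
    print(explain_device(src, parse_mountinfo(SAMPLE_MOUNTINFO)))
    print("runc target:", dst)
```

On a live system, pass the contents of `/proc/self/mountinfo` from inside the LXC and the error text from `docker compose up` instead of the samples.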