Proxmox --> Docker USB pass-through fails when Docker restarts

pancakes

New Member
Dec 3, 2022
13
3
3
Hi,

I have the following nested setup:
1. Proxmox PVE on bare metal (Intel Nuc / 5.15.158-2-pve)
2. Debian Stable as LXC container on 5.15.158-2-pve
3. Home Assistant as unprivileged Docker container (Docker version 27.1.1, build 6312585)

This works well, except for USB pass-through, when I update/restart Docker, when I get the error:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error creating device nodes: mount /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00:/var/lib/docker/overlay2/963a244fa0d220f872cc0e02714e6045b112c5db6404ce5a47903ec936b2e51e/merged/dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 (via /proc/self/fd/6), flags: 0x1000: no such file or directory: unknown

When I reboot either the Debian LXC or PVE as a whole the error goes away and Docker images start without a problem. --> actually, today it doesn't go away at all, neither rebooting Debian LXC or PVE solves the issue.

What doesn't work:
1. Restarting either Docker, the LXC, or PVE
2. Running docker system prune
3. Deleting /var/lib/docker/overlay2/ and rebuilding all containers/images
4. Running docker in privileged mode

Question 1: Why do I get this error and how can I solve this?
Question 2: Why do these pass-through USB ports show up under /mount/ on my Debian LXC container?

I've also asked the question on the Docker forum for the Docker perspective.

On Proxmox I have the following config:

HTTP:
tim@pve:~$ sudo cat /etc/pve/lxc/201.conf
#Debian LXC server
arch: amd64
cores: 4
features: nesting=1
hostname: proteus
memory: 16384
mp0: /mnt/bulk,mp=/mnt/bulk
net0: name=eth0,bridge=vmbr0,firewall=0,gw=172.17.10.1,hwaddr=7E:D5:09:E1:91:0D,ip=172.17.10.2/24,tag=10,type=veth
onboot: 1
ostype: debian
rootfs: thinpool_vms:vm-201-disk-0,size=300G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1010
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 60
lxc.idmap: g 105 103 1
lxc.idmap: g 106 100106 904
lxc.idmap: u 1010 1010 10
lxc.idmap: g 1010 1010 10
lxc.idmap: u 1020 101020 64515
lxc.idmap: g 1020 101020 64515
lxc.init.cmd: /sbin/init systemd.unified_cgroup_hierarchy=0
lxc.cgroup2.devices.allow: c 188:* rwm
lxc.mount.entry: /lxc/201/devices/FTDI_FT232R_USB_UART_AC2F17KR-container-link dev/usb-FTDI_FT232R_USB_UART_AC2F17KR-if00-port0 none bind,optional,create=file
lxc.cgroup2.devices.allow: c 166:* rwm
lxc.mount.entry: /lxc/201/devices/dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-container-link dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 none bind,optional,create=file
lxc.cgroup2.devices.allow: c 226:* rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir

Which gives me these links to pass through:

Bash:
tim@pve:~$ sudo ls -l  /lxc/201/devices
crw-rw---- 1 100000 100020 166, 0 Aug  8 08:42 dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-container-link
crw-rw---- 1 100000 100020 188, 1 Jun  8 13:56 FTDI_FT232R_USB_UART_AC2F17KR-container-link

On my Debian LXC image I see the following:

Bash:
tim@debian:~$ mount | grep usb
/dev/mapper/pve-root on /dev/usb-FTDI_FT232R_USB_UART_AC2F17KR-if00-port0 type ext4 (rw,relatime,errors=remount-ro)
/dev/mapper/pve-root on /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 type ext4 (rw,relatime,errors=remount-ro)

tim@debian:~/docker$ ls -l /dev/usb-*
crw-rw---- 0 root dialout 166, 0 Aug  8 08:12 /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00
crw-rw---- 0 root dialout 188, 1 Jun  8 13:56 /dev/usb-FTDI_FT232R_USB_UART_AC2F17KR-if00-port0

On Docker I have the following compose file. Note that 'privileged: true' is disabled for security reasons:

JSON:
tim@debian:~$ cat docker/home-assistant-compose.yml
# version: '3'
# https://www.home-assistant.io/installation/linux#docker-compose
# docker compose -f home-assistant-compose.yml up -d
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /var/lib/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    network_mode: host
    devices:
      - /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00

This works when I boot the LXC fresh. When I try to restart the container, I get an error:
Bash:
tim@debian:~/docker$ sudo docker compose -f home-assistant-compose.yml up -d
WARN[0000] Found orphan containers ([docker-app-1 docker-db-1 pigallery2]) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
[+] Running 0/1
 ⠼ Container homeassistant  Starting                                                                                                                                                         0.4s
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error creating device nodes: mount /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00:/var/lib/docker/overlay2/06f5efd809d035a93128edc19bb936c62b21b18f6e3e6a402a881c3852aa81c3/merged/dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 (via /proc/self/fd/6), flags: 0x1000: no such file or directory: unknown

Looking at the specifics, the source file exists:
Bash:
tim@debian:~$ ls -l /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00
crw-rw---- 0 root dialout 166, 0 Aug  8 08:12 /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00

And the overlay source also exists:

Bash:
tim@debian:~$ sudo ls -l /var/lib/docker/overlay2/06f5efd809d035a93128edc19bb936c62b21b18f6e3e6a402a881c3852aa81c3/
total 16
drwxr-xr-x 3 root root 4096 Aug  8 08:53 diff
-rw-r--r-- 1 root root   26 Aug  8 08:53 link
-rw-r--r-- 1 root root  927 Aug  8 08:53 lower
drwx------ 3 root root 4096 Aug  8 08:53 work

however there is no 'merged' folder under the overlay directory structure. It seems Docker doesn't (re)create this?

Does anyone have any pointers? It's a bit annoying to have to restart the LXC to get docker images to work, and breaks a smooth docker update flow. I'm not sure if this is a Docker error or Proxmox, but since it involves USB pass through I thought I'd start here. Thanks in advance! :)
 
Last edited:
Immediate update: looking into the problem I found some hints here https://stackoverflow.com/questions...-overlay2-id-merged-no-such-file-or-directory

I have a bit of stale images/containers:

Bash:
tim@debian:~/docker$ sudo docker ps -a
CONTAINER ID   IMAGE                                          COMMAND                  CREATED          STATUS                     PORTS                                   NAMES
e6c6c35cc084   ghcr.io/home-assistant/home-assistant:stable   "/init"                  13 minutes ago   Created                                                            homeassistant
f1398db5f5fe   hello-world                                    "/hello"                 17 months ago    Exited (0) 17 months ago                                           suspicious_curran

tim@debian:~/docker$ sudo docker images -a
REPOSITORY                              TAG       IMAGE ID       CREATED         SIZE
ghcr.io/home-assistant/home-assistant   stable    6fc36c77bb70   13 hours ago    1.64GB
ghcr.io/home-assistant/home-assistant   <none>    abeda236c4f0   2 months ago    1.57GB
ghcr.io/home-assistant/home-assistant   <none>    3c81da062cb9   3 months ago    1.56GB
ghcr.io/home-assistant/home-assistant   <none>    c8584cb713b2   10 months ago   1.83GB
ghcr.io/home-assistant/home-assistant   <none>    f13412c6b5ec   18 months ago   1.56GB
hello-world                             latest    feb5d9fea6a5   2 years ago     13.3kB


Running docker system prune -a gives me:

Bash:
tim@debian:~/docker$ sudo docker system prune -a
WARNING! This will remove:
  - all stopped containers
  - all networks not used by at least one container
  - all images without at least one container associated to them
  - all build cache


Are you sure you want to continue? [y/N] y
Deleted Containers:
e6c6c35cc084cfc330ee45e1d9f69b56836e14a138dc06f2389610e75a661a1a
f1398db5f5fe4b47a7b2fd81af693fe22b3d4ad9a211c6e05a1ac9ade9740d03
00fff2e9e5e9f464101a87929b4ee879f91ce22ed76af27c01937c3b95e75a62
a78cdcf3ce0a2e501bef96c8e86c950cf84f08b99536b779dc5b73fbc95bfadf
22e5de4a63543027dc6b8767e64e7d2e4f4f8b1a16c941accc6221af5cd2e8f2
0e4132e4df34906c26f5510b07b8a29b7a99d48b8cb2b0a3a2924c5084fcccee
b83eb0b14737f735dc32eb55942bea3e10d027f26e4ba826ab79e2851d421a97
5ed1e59b29dd38204e78c2102b9a63ab8a37cba3af8d4a5a57508c2d3c2fbd34
c982a1bb15521f2311ea9e487eb0015d91deae30429fddd42d7c7da56739a0e2
190ae7dde7b55b5914ec0a339b9f2299f96760effe3b004489d5f348583c56fe
39020211477f5ec094f263bc9f8c6c99444f67b4416684bc1699f9167a5cabe3
90387f7e234478cd23bc2c80abe2515cbadc12fc13e66e9265f86ec57497151e


Deleted Images:
untagged: ghcr.io/home-assistant/home-assistant@sha256:a615c4a8ea9c6dd0fa8b0383b2d665d2bf03f31d35d7924662a355c3dca2bdd8
[...]
deleted: sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230

Total reclaimed space: 10.33GB

Then re-pull & restart the issue container:

Bash:
tim@debian:~/docker$ sudo docker compose -f home-assistant-compose.yml pull
tim@debian:~/docker$ sudo docker compose -f home-assistant-compose.yml up -d

which unfortunately doesn't solve the problem:

Bash:
tim@debian:~/docker$ sudo docker compose -f home-assistant-compose.yml up -d
WARN[0000] Found orphan containers ([docker-app-1 docker-db-1 pigallery2]) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
[+] Running 0/1
 ⠹ Container homeassistant  Starting                                                                                                                                                         0.2s
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error creating device nodes: mount /dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00:/var/lib/docker/overlay2/b8345e7b768de92423ef6601ce87142939dfadd18b1394a369f8c7655a48a3c4/merged/dev/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2149131-if00 (via /proc/self/fd/6), flags: 0x1000: no such file or directory: unknown
 
Last edited:
I had the same issue with a zigbee usb adaptor, ended up upgrading to proxmox 8 and used the device passthrough option from the web GUI. No issues since then.
 
I had the same issue with a zigbee usb adaptor, ended up upgrading to proxmox 8 and used the device passthrough option from the web GUI. No issues since then.
Thanks! I think device passthrough only holds for VMs, not containers (LXC) right? Even in spite of that, upgrading might cause a whole new set of headaches :rolleyes:
 
I actually thought the same and wasn't keen on upgrading but having found no other solution, I eventually gave in and went through it. Device passthrough now works with containers as well. Upgrade is pretty seamless, followed this https://pve.proxmox.com/wiki/Upgrade_from_7_to_8
 

Attachments

  • 1723232432624.png
    1723232432624.png
    73.3 KB · Views: 2
I actually thought the same and wasn't keen on upgrading but having found no other solution, I eventually gave in and went through it. Device passthrough now works with containers as well. Upgrade is pretty seamless, followed this https://pve.proxmox.com/wiki/Upgrade_from_7_to_8
ok thanks for the feedback, I found the page but didn't look into it in detail. For now I'm moving my USB-related activity out of docker, and keep the upgrade to PVE 8 in mind for a rainy day ;)
 
@pancakes, I had the same problem when moving my home assistant container to run on a LXC CT. I spent my entire Saturday morning, finally got it to work before I was able to give up.

Here what I did.
  • removed the conbee device mapping from docker-compose.yml
  • started hass without conbee
  • reconfigured ZHA to use the device directly, i.e. choose /dev/ttyACM0
and it worked magically!

Hope this helps.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!