USB controller passthrough LXC

proximity

Jul 19, 2019
Hi,

Is it possible to pass through a USB controller so it gets initialized by the container itself and not by the host (just as is possible with a KVM)? I need to add firmware etc. and prefer it not to bother the host. Also I noticed that when I give the container access to the devices I need to give 'other' rights as well, otherwise the container can't access them (maybe there's another way, please let me know if so). What I tried thus far is setting the access with chmod 777 /dev/dvb and putting this in the container:
Code:
unprivileged: 1
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: c 212:* rwm
lxc.mount.entry: /dev/dvb dev/dvb none bind,optional,create=dir

Please let me know how this should be done properly.

thx.
 
Also I noticed that when I give the container access to the devices I need to give 'other' rights as well, otherwise the container can't access them

That's to be expected, since the container's 'root' is not root on the host (since you're using an unprivileged container). I.e. the UID with which the container accesses the /dev/x node is actually specified in /etc/subuid, and not just '0' as seen from inside the CT.

Code:
unprivileged: 1
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: c 212:* rwm
lxc.mount.entry: /dev/dvb dev/dvb none bind,optional,create=dir

Setting the AppArmor profile to 'unconfined' breaks all security guarantees of using an unprivileged container - might as well use a privileged one and avoid the issue above entirely at that point.

Is it possible to passthrough a USB controller so it gets initialized by the container itself and not by the host (just like is possible with a KVM).

No. An LXC container shares the kernel with the host, and hardware-level initialization cannot be done from userspace. You can allow mediated access to the device from a container (just like you can allow any other user-space program access), but firmware and hardware initialization are baked into the kernel or kernel drivers (modules).
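As an added example (not from the thread or from Proxmox), the UID arithmetic behind the reply above: it resolves which host UID a container UID lands on via /etc/subuid, so the device nodes can be chowned to that UID instead of being opened to everyone with chmod 777. The /etc/subuid content is constructed and the default 'root:100000:65536' mapping is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: find the host UID that an unprivileged
# container's UID is mapped to, so /dev/dvb can be chowned to that UID instead
# of being opened to everyone with chmod 777. Assumes the default PVE mapping
# in /etc/subuid ("root:100000:65536"); the sample file content below is
# constructed for offline use, and the same functions work on /etc/subgid.

SAMPLE_SUBUID='root:100000:65536
someuser:165536:65536'

# subid_range USER [CONTENT]: print "start count" for USER's first range,
# reading /etc/subuid when no CONTENT is supplied.
subid_range() {
    content=${2:-$(cat /etc/subuid)}
    printf '%s\n' "$content" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# host_id CT_ID START COUNT: map a container UID/GID onto the host range;
# fails when the id lies outside the mapped block (it would show as nobody).
host_id() {
    if [ "$1" -lt 0 ] || [ "$1" -ge "$3" ]; then
        echo "id $1 is outside the mapped range of $3 ids" >&2
        return 1
    fi
    echo $(($2 + $1))
}

# ct_host_uid USER CT_UID [CONTENT]: combine the two steps for one lookup.
ct_host_uid() {
    range=$(subid_range "$1" "${3:-}")
    [ -n "$range" ] || { echo "no subuid entry for $1" >&2; return 1; }
    set -- "$2" $range   # word-split "start count" into $2 $3 on purpose
    host_id "$1" "$2" "$3"
}

# Container root (UID 0) under the default root mapping is host UID 100000.
HOST_ROOT=$(ct_host_uid root 0 "$SAMPLE_SUBUID")
echo "container uid 0 == host uid $HOST_ROOT"
echo "grant access with: chown -R $HOST_ROOT:$HOST_ROOT /dev/dvb (not chmod 777)"
```

Run it on the host with the third argument omitted to read the real /etc/subuid; the chown target is the mapped host UID and the bind mount in the container config stays as it was.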