USB passthrough to a container LXC?

[TCS]

Hi guys,

I searched over the internet and on this forum, without finding the good way.
Sorry for this long thread, that's my first one for proxmox ;-)

Here is what I have:
- a nuc intel with proxmox and a RFXcom + Conbee ii plugged on usb 3.0 (no usb 2...)
- I have a container lxc ubuntu for my domoticz
- I cannot make the usb work inside my lxc :-(

Here is what I have on my nuc:

# lsusb
Bus 001 Device 003: ID 1cf1:0030 Dresden Elektronik ZigBee gateway [ConBee II]
Bus 001 Device 002: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC

# nano /etc/udev/rules.d/49-usb-serial.rules
KERNEL=="ttyACM[0-9]*", SUBSYSTEM=="tty", ATTRS{idVendor}=="1cf1", ATTRS{idProduct}=="0030", SYMLINK="ttyConbee", OWNER="root", GROUP="dialout", MODE="0666", RUN+="/usr/bin/chmod o+rw /dev/ttyConbee"
KERNEL=="ttyUSB[0-9]*", SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", SYMLINK="ttyRFXcom", OWNER="root", GROUP="dialout", MODE="0666", RUN+="/usr/bin/chmod o+rw /dev/ttyRFXcom"
# is it subsystem or sbsystems?

# nano /etc/pve/lxc/xxx.conf
lxc.cgroup.devices.allow: c 166:* rwm
lxc.cgroup.devices.allow: c 188:* rwm
lxc.mount.entry: /dev/ttyConbee dev/ttyConbee none bind,optional,create=file
lxc.mount.entry: /dev/ttyRFXcom dev/ttyRFXcom none bind,optional,create=file

# ls -l /dev/tty* /dev/bus/usb/001/0*
crw-rw-rw-  1 root dialout 188,     0 Dec 20 15:28 ttyUSB0
crw-rw-rw-  1 root dialout 166,     0 Dec 20 15:28 ttyACM0
lrwxrwxrwx  1 root root             7 Dec 20 15:28 ttyConbee -> ttyACM0
lrwxrwxrwx  1 root root             7 Dec 20 15:28 ttyRFXcom -> ttyUSB0

# ls -la /dev/serial/by-id/
lrwxrwxrwx 1 root root 13 Dec 20 15:28 usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2471148-if00 -> ../../ttyACM0
lrwxrwxrwx 1 root root 13 Dec 20 15:28 usb-RFXCOM_RFXtrx433_A1Z58RWG-if00-port0 -> ../../ttyUSB0

And here is what I have for my container lxc:

$ lsusb
Bus 001 Device 003: ID 1cf1:0030 Dresden Elektronik ZigBee gateway [ConBee II]
Bus 001 Device 002: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC

$ sudo ls -l /dev/
crw-rw-rw-  1 nobody nogroup 166, 0 déc.  20 15:28 ttyConbee
crw-rw-rw-  1 nobody nogroup 188, 0 déc.  20 15:28 ttyRFXcom
#==> why is it nobody / nogroup ?

$ sudo ls -la /dev/serial/by-id/
ls: cannot access '/dev/serial/by-id/': No such file or directory

$ groups xxx
xxx : xxx dialout

$ GCFFlasher_internal -l
GCFFlasher V3_17 (c) dresden elektronik ingenieurtechnik gmbh
Path             | Vendor | Product | Serial     | Type
-----------------+--------+---------+------------+-------
# I should see my both devices !?

Not enough cause I cannot see my devices in domoticz

I also tried:

$ mkdir -p /run/udev/data/
cd /run/udev/data/

$ echo "E:ID_VENDOR_ID=1cf1
E:ID_MODEL_ID=0030" > c166\:0

$ echo "E:ID_VENDOR_ID=0403
E:ID_MODEL_ID=6001" > c188\:0

$ GCFFlasher_internal -l
GCFFlasher V3_17 (c) dresden elektronik ingenieurtechnik gmbh
Path             | Vendor | Product | Serial     | Type
-----------------+--------+---------+------------+-------
/dev/ttyUSB0     | 0x0403 | 0x6001  |            | Generic FTDI
/dev/ttyACM0     | 0x1CF1 | 0x0030  |            | ConBee II

ls -lah /dev/ttyACM0 /dev/ttyUSB0
crw-rw---- 1 nobody nogroup 166, 0 déc.  20 13:24 /dev/ttyACM0
crw-rw---- 1 nobody nogroup 188, 0 déc.  20 12:25 /dev/ttyUSB0

But I still cannot see my devices in domoticz ...

I tried a lot of stop/start of my lxc and restart of my nuc, no way...

Please help me, I think I'm mad ?
I miss something, but don't find what, sure some of you already encountered this kind of problem ^^
Thanks a lot.

TCS

 

[crundberg]

Hi!

I had the same problem as you, but now I have finally solved it! You have not right permissions for ttyUSB0 and ttyACM0. Run these in the host and the permissions will be correct in the containers.

chown 100000:100020 /dev/ttyACM0
chown 100000:100020 /dev/ttyUSB0

 

[olepinguin]

Hi!

I had the same problem as you, but now I have finally solved it! You have not right permissions for ttyUSB0 and ttyACM0. Run these in the host and the permissions will be correct in the containers.

chown 100000:100020 /dev/ttyACM0
chown 100000:100020 /dev/ttyUSB0

Hi,

I have exactly the same issue as TCS, but with a zwave stick.
The stick runs for years on buster / proxmox 6.x.

After the upgrade to 7.1-8 it doesn't work anymore - target container is the same as before.

I changed to 100000:100020 as you mentioned but even 777 for /dev/ttyACM0 and container link /dev/zwave (in my case)
doesn't work.

how does your udev rule looks like?
Do you see something under sudo ls -la /dev/serial/by-id/ in the lxc?

Thanks
Ole

 

[crundberg]

I have started on a guide on how i solved it.

https://gist.github.com/crundberg/a77b22de856e92a7e14c81f40e7a74bd

 

[olepinguin]

Wow, much appreciated ! Will work trough !
What proxmox version do you running?

and finally, did you see the device under /dev/serial/by-id/ in the lxc?

 

[crundberg]

I haven't mounted /dev/serial/by-id/ to LXC.

 

[olepinguin]

what do I need to be sure that the stick is mounted to the lxc correctly?
the mounted device in lxc looks like:
crw-rw---- 1 100000 100020 166, 0 Jan 5 10:11 /dev/ttyACM0

(By the way I changed the Group in udev rule to 100020 to refer the same as the crated folder is assigned to)

anyway: thanks once again, I'm pretty sure know to pass through the device and authorization correctly ...following your guide.
Need to reach out to the iobroker zwave add-on developer, to get more info's about what he "expect"

 

[olepinguin]

I have started on a guide on how i solved it.

https://gist.github.com/crundberg/a77b22de856e92a7e14c81f40e7a74bd

from 7.1-8 you may want to use cgroup2 => lxc.cgroup2.devices.allow: c 166:* rwm

 

[crundberg]

what do I need to be sure that the stick is mounted to the lxc correctly?
the mounted device in lxc looks like:
crw-rw---- 1 100000 100020 166, 0 Jan 5 10:11 /dev/ttyACM0

For me it looks like this. Are you also using an unprivileged container? crw-rw---- 1 root dialout 166, 0 Jan 5 18:32 /dev/ttyACM0

from 7.1-8 you may want to use cgroup2 => lxc.cgroup2.devices.allow: c 166:* rwm

Thank you!

 

[TCS]

Hi guys,

I finally created a vm to avoid these problems of usb passthrough and to replace asap my old pi3

Thanks a lot for your contributions, I will certainly test it soon, and the lxc.cgroup2.devices.allow instead of lxc.cgroup.devices.allow is perhaps the good way to make it working.
I use several usb keys: rfxcom, teleinfo, zwave (zstick) and I just received my conbee ii
@crundberg, for sure I will use your guide

 

[Jannoo]

@crundberg I spent a lot of time trying to solve the problem, unfortunately without success. Your guide made it possible for me. Thank you so much for that

 

[drissslim]

Hi, I'm trying to map my RFplayer to my LXC without success. I've followed the guide here https://gist.github.com/crundberg/a77b22de856e92a7e14c81f40e7a74bd but still not able to see any /dev/ttyUSB0 on my LXC.

Here the changes made on Host :
root@nuc:~# ls /dev/serial/by-id/ -al total 0 drwxr-xr-x 2 root root 120 Nov 12 17:16 . drwxr-xr-x 4 root root 80 Nov 12 17:16 .. lrwxrwxrwx 1 root root 13 Nov 12 17:29 usb-0658_0200-if00 -> ../../ttyACM0 lrwxrwxrwx 1 root root 13 Nov 12 17:29 usb-1a86_USB_Serial-if00-port0 -> ../../ttyUSB2 lrwxrwxrwx 1 root root 13 Nov 12 17:29 usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_d88ed4071b3bec1191999e957a0af07f-if00-port0 -> ../../ttyUSB0 lrwxrwxrwx 1 root root 13 Nov 12 17:29 usb-Ziblue_RFPLAYER_A143M639-if00-port0 -> ../../ttyUSB1


root@nuc:~# ls /dev/ttyUSB1 -al crw-rw-rw- 1 root dialout 188, 1 Nov 12 18:18 /dev/ttyUSB1

Last 2 lines of my lxc container config located in /etc/pve/lxc/104.conf
... lxc.cgroup2.devices.allow: c 188:* rwm lxc.mount.entry: /lxc/104/devices/ttyUSB1 dev/ttyUSB1 none bind,optional,create=file

After that I've used the command:
udevadm control --reload-rules && service udev restart && udevadm trigger

Any advice? Thanks for your help.

 

[giovannivl]

I have started on a guide on how i solved it.

https://gist.github.com/crundberg/a77b22de856e92a7e14c81f40e7a74bd

Thanks!!! It's work for my ESPHome on Docker!

 

[pancakes]

I tried this and it works (thanks!), however this is fragile as it depends on the order at which USB devices are added. On linux this is why /dev/serial/by-id/* exist, which is

Is there a way to use the identification that /dev/serial/by-id/* provides in mapping to the guest container? I can think of two approaches, both not perfect:

1. chmod the /dev/ttyUSB* on the host and then pass the by-id to the container. Pro: probably works. Con: might give trouble on the host if you use these devices (maybe you shouldn't in the first place?)
2. Have the process that populates /dev/serial/by-id also create mappings for our own mknod repository? Pro: would be cleaner. Con: not sure how this would work.

 

[pancakes]

Ok I found a moderately elegant solution to the problem:

First we create udev rules to create symlinks that I can programmatically find (suffix with `container-link`). I use the same `udev` rule to run a script after usb devices are online.

cat << 'EOF' | sudo tee /etc/udev/rules.d/65-usb-for-containers.rules
SUBSYSTEM=="tty", ENV{ID_SERIAL}=="FTDI_FT232R_USB_UART_AC2FBEEF", SYMLINK+="FTDI_FT232R_USB_UART_AC2FBEEF-container-link", RUN+="/usr/local/bin/mk_usb-for-containers.sh"
EOF

In the script I copy the devices to a separate location. Copying nodes can be done with tar or can be done with cp -R.

cat << 'EOF' | sudo tee /usr/local/bin/mk_usb-for-containers.sh
#!/usr/bin/env bash
sudo rm -f /lxc/201/devices/*container-link && sudo cp -Lrp /dev/*-container-link /lxc/201/devices/ && sudo chown 100000:100020 /lxc/201/devices/*
EOF
sudo chmod 0750 /usr/local/bin/mk_usb-for-containers.sh

Then reload rules to test this is working

sudo udevadm control --reload-rules && sudo service udev restart && sudo udevadm trigger

Then create the lxc mount points based on the new links in my separate location:

lxc.cgroup2.devices.allow: c 188:* rwm
lxc.mount.entry: /lxc/201/devices/FTDI_FT232R_USB_UART_AC2FBEEF-container-link dev/usb-FTDI_FT232R_USB_UART_AC2FBEEF-if00-port0 none bind,optional,create=file

 

[optical]

This sure is confusing!

Is there any easier way to do this through the web interface? I am trying to pass a USB harddrive through to an Arch LXC and it is listed as device 006 in lsusb.

 

[manuelkamp]

@crundberg: I already fail at this step:

ls: cannot access '/dev/ttyACM0': No such file or directory