You only need to bind mount the device node.
Example PCT config:
```
lxc.cgroup.devices.allow = c 188:0 rwm
lxc.mount.entry: /dev/ttyUSB0 dev/ttyUSB0 none bind,optional,create=file
```
Device major 188 is for ttyUSBx devices.

Unprivileged LXCs have their UIDs and GIDs mapped to the defined subuid and subgid ranges. To get access to `ttyUSB0` as the `dialout` group (GID=20), the host needs to give permission to access `ttyUSB0` to GID=100020.

A simple but dirty method is to run `chown 100000:100020 /dev/ttyUSB0` (TODO: consider using `setfacl`).

Another method, mentioned in "Setup deCONZ on unprivileged Proxmox container", is to leave `/dev/ttyUSB0` untouched and create another device node with the same device major:minor. Then change the owner of the new device node and bind mount it into the container.
Host system (Proxmox):
```
$ ls -ln /dev/dri
crw-rw---- 1 0  44 226,   0 03-26 11:53 card0
crw-rw---- 1 0 103 226, 128 03-26 11:53 renderD128
```
In an unprivileged PCT, GIDs and UIDs are shifted by +100000, so if the guest wants to access a device with GID=44, from the host's point of view it is accessing it as GID=100044. GID 44 and GID 103 therefore need to be mapped straight through to the host instead of being shifted. The idea is to define ranges of GID mappings so that all other GIDs are still shifted by +100000:

Container GID | Host GID | count |
---|---|---|
0..43 | 100000..100043 | 44 |
44 | 44 | 1 |
45..102 | 100045..100102 | 58 |
103 | 103 | 1 |
104..65535 | 100104..165535 | 65431 |

A tool that generates this mapping syntax: "Proxmox unprivileged container/host uid/gid mapping syntax tool".
Allow LXC (running as root) to map GID 44 and 103 to new ones:

```
root:100000:65536
root:44:1
root:103:1
```
PCT config file:
```
lxc.cgroup2.devices.allow: a
lxc.cap.drop:
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 58
lxc.idmap: g 103 103 1
lxc.idmap: g 104 100104 65431
```
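
One way to check such a mapping before starting the container, as an added example (not part of the original notes): it parses the `lxc.idmap` GID entries, verifies that every host range is delegated to root (the `root:start:count` lines, which live in `/etc/subgid`), and lists which host GIDs are exposed to the container unshifted. The function names are hypothetical, and the sample input is the mapping from this page.

```python
import re

IDMAP = re.compile(r"^lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(conf, kind):
    """Return sorted (container_start, host_start, count) for 'u' or 'g' entries."""
    out = []
    for line in conf.splitlines():
        m = IDMAP.match(line.strip())
        if m and m.group(1) == kind:
            out.append(tuple(int(x) for x in m.groups()[1:]))
    return sorted(out)

def parse_subid(text, owner="root"):
    """Return (start, count) ranges delegated to owner in subuid/subgid text."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == owner:
            out.append((int(parts[1]), int(parts[2])))
    return out

def audit_gid_map(conf, subgid):
    """Return (host GIDs passed through unshifted, list of problems)."""
    maps = parse_idmap(conf, "g")
    allowed = parse_subid(subgid)
    problems, passthrough = [], []
    # Adjacent container ranges must not overlap.
    for (c1, _, n1), (c2, _, _) in zip(maps, maps[1:]):
        if c1 + n1 > c2:
            problems.append(f"container GID ranges overlap at {c2}")
    for c, h, n in maps:
        # Each host range must sit inside one delegated range.
        if not any(s <= h and h + n <= s + cnt for s, cnt in allowed):
            problems.append(f"host GIDs {h}..{h + n - 1} not delegated to root")
        if c == h:  # identity mapping: a real host GID is visible in the guest
            passthrough.extend(range(h, h + n))
    return passthrough, problems

# Constructed sample input, copied from the mapping on this page.
SUBGID = "root:100000:65536\nroot:44:1\nroot:103:1\n"
CONF = """\
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 58
lxc.idmap: g 103 103 1
lxc.idmap: g 104 100104 65431
"""

if __name__ == "__main__":
    gids, problems = audit_gid_map(CONF, SUBGID)
    print("unshifted host GIDs:", gids)
    print("problems:", problems or "none")
```

The list of unshifted host GIDs is the part worth reviewing: any process in the container that belongs to one of those groups has that group's access to host-owned device nodes.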
Guest system:
```
usermod -aG 44 user
usermod -aG 103 user
apt install drm-info
drm_info
```