Device access

Search tags:

  • GPU forwarding
  • serial port forwarding

serial port

privileged LXCs

Only the device node needs to be bind-mounted.

Example PCT config:

100.conf
lxc.cgroup.devices.allow = c 188:0 rwm
lxc.mount.entry: /dev/ttyUSB0       dev/ttyUSB0       none bind,optional,create=file

Device major 188 is for ttyUSBx devices

unprivileged LXCs

Unprivileged LXCs have their UIDs and GIDs mapped to defined subuid and subgid ranges.

To access ttyUSB0 as the dialout group (GID=20), the host needs to grant access to ttyUSB0 for GID=100020.

A simple but dirty method is to run:

chown 100000:100020 /dev/ttyUSB0

(TODO: consider using setfacl)

Another method, mentioned in "Setup deCONZ on unprivileged Proxmox container", is to leave /dev/ttyUSB0 untouched and create another device node with the same device major:minor. Then change the owner of the new device node and bind mount it into the container.

DRI forward

Host system (Proxmox):

$ ls -ln /dev/dri
 
crw-rw---- 1 0  44 226,   0 03-26 11:53 card0
crw-rw---- 1 0 103 226, 128 03-26 11:53 renderD128

In an unprivileged PCT, GIDs and UIDs are shifted by +100000, so if the guest wants to access a device with GID=44, from the host's point of view it is accessing it as GID=100044. GID 44 and GID 103 therefore need their own mappings. The idea is to define ranges of GID mappings so that all other GIDs are still shifted by +100000:

Container GID   Host GID          Count
0..43           100000..100043    44
44              44                1
45..102         100045..100102    58
103             103               1
104..65535      100104..165535    65431

A tool that generates this syntax: "Proxmox unprivileged container/host uid/gid mapping syntax tool".

Allow LXC (running as root) to map GID 44 and 103 to new ones:

root:100000:65536
root:44:1
root:103:1

PCT config file:

/etc/pve/lxc/303.conf
lxc.cgroup2.devices.allow: a
lxc.cap.drop:
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 58
lxc.idmap: g 103 103 1
lxc.idmap: g 104 100104 65431
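
A check for the mapping above, added here as an example (not part of the original page): it parses the lxc.idmap lines, verifies that every host range is delegated by the subgid entries, lists the host GIDs the container shares unshifted, and reports container IDs left unmapped. The sample input is copied from this page; the function names are assumptions of this example.

```python
import re

# Constructed sample input: config and subgid entries copied from this page.
CONF = """\
lxc.cgroup2.devices.allow: a
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 58
lxc.idmap: g 103 103 1
lxc.idmap: g 104 100104 65431
"""
SUBGID = "root:100000:65536\nroot:44:1\nroot:103:1\n"

def parse_idmap(conf, kind):
    """Sorted (container_start, host_start, count) tuples for kind 'u' or 'g'."""
    pat = re.compile(r"^lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)
    return sorted((int(c), int(h), int(n)) for k, c, h, n in pat.findall(conf) if k == kind)

def parse_subid(text, user="root"):
    """(start, count) ranges delegated to `user` in subuid/subgid-format text."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return [(int(r[1]), int(r[2])) for r in rows if len(r) == 3 and r[0] == user]

def allow_all_devices(conf):
    """True if a devices.allow rule of 'a' permits every device node."""
    return bool(re.search(r"^lxc\.cgroup2?\.devices\.allow\s*[:=]\s*a\s*$", conf, re.M))

def audit(idmap, delegated, id_space=65536):
    """Return (problems, host IDs the container shares unshifted)."""
    problems, passthrough, expected = [], [], 0
    for cstart, hstart, count in idmap:
        if cstart < expected:
            problems.append(f"overlap at container ID {cstart}")
        elif cstart > expected:
            problems.append(f"container IDs {expected}..{cstart - 1} unmapped")
        expected = max(expected, cstart + count)
        # The host range must lie fully inside one delegated subid range.
        if not any(s <= hstart and hstart + count <= s + n for s, n in delegated):
            problems.append(f"host range {hstart}..{hstart + count - 1} not delegated")
        if cstart == hstart:  # unshifted: a real host ID is visible in the guest
            passthrough.extend(range(hstart, hstart + count))
    if expected < id_space:
        problems.append(f"container IDs {expected}..{id_space - 1} unmapped")
    return problems, passthrough
```

On this page's GID map, `audit` returns host GIDs 44 and 103 as shared with the guest and reports container GID 65535 as unmapped, because a count of 65431 ends the last range at 65534. `allow_all_devices` returns True for this config: the `a` rule already permits every device, so the two `c 226:…` rules add no restriction.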

Guest system:

usermod -aG 44 user
usermod -aG 103 user
apt install drm-info
drm_info

TODO - check