-----Original Message-----
From: Serge E. Hallyn <se...@hallyn.com>
Sent: Tuesday, 28 January 2020 16:59
To: Tim Jaacks <tim.jaa...@garz-fricke.com>
Cc: Serge E. Hallyn <se...@hallyn.com>; LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
Subject: Re: [lxc-users] Device node in LXC is not accessible when connected via SSH
> On Tue, Jan 28, 2020 at 03:47:57PM +0000, Tim Jaacks wrote:
> > > On Tue, Jan 28, 2020 at 08:24:30AM +0000, Tim Jaacks wrote:
> > > > Hello everyone,
> > > >
> > > > I have a problem where a physical hardware device passed through to an
> > > > LXC container cannot be read from or written to when I am connected via
> > > > SSH.
> > > >
> > > > The device node of my physical hardware device looks like this:
> > > >
> > > > myuser@myhost:~$ ls -la /dev/usb/hiddev0
> > > > crw-rw-rw- 1 root root 180, 0 Jul 30 10:27 /dev/usb/hiddev0
> > > >
> > > > This is how I create and start my container:
> > > >
> > > > myuser@myhost:~$ sudo lxc-create -q -t debian -n mylxc -- -r stretch
> > > > myuser@myhost:~$ sudo lxc-start -n mylxc
> > > >
> > > > Then I add the device node to the LXC:
> > > >
> > > > myuser@myhost:~$ sudo lxc-device -n mylxc add /dev/usb/hiddev0
> > > >
> > > > Afterwards the device is available in the LXC and I can read from it
> > > > after having attached to the LXC:
> > > >
> > > > myuser@myhost:~$ sudo lxc-attach -n mylxc
> > > > root@mylxc:/# ls -la /dev/usb/hiddev0
> > > > crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
> > > > root@mylxc:/# cat /dev/usb/hiddev0
> > > > ??????????^C
> > > > root@mylxc:/#
> > > >
> > > > I then enable root access via SSH without a password:
> > > >
> > > > myuser@myhost:~$ sudo lxc-attach -n mylxc
> > > > root@mylxc:/# sed -i 's/#\?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
> > > > root@mylxc:/# sed -i 's/#\?PermitEmptyPasswords.*/PermitEmptyPasswords yes/g' /etc/ssh/sshd_config
> > > > root@mylxc:/# sed -i 's/#\?UsePAM.*/UsePAM no/g' /etc/ssh/sshd_config
> > > > root@mylxc:/# passwd -d root
> > > > passwd: password expiry information changed.
> > > > root@mylxc:/# /etc/init.d/ssh restart
> > > > Restarting ssh (via systemctl): ssh.service.
> > > > root@mylxc:/# exit
> > > >
> > > > When I connect via SSH now, the device node is there, but I cannot
> > > > access it:
> > > >
> > > > myuser@myhost:~$ ssh root@<lxc-ip-address>
> > > > root@mylxc:~# ls -la /dev/usb/hiddev0
> > > > crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
> > > > root@mylxc:~# cat /dev/usb/hiddev0
> > > > cat: /dev/usb/hiddev0: Operation not permitted
> > > >
> > > > In both cases (lxc-attach and ssh) I am the root user (verified via
> > > > whoami), so this cannot be the problem.
> > > >
> > > > Why am I not allowed to access the device when I am connected via SSH?
> > >
> > > Can you look at your cgroup membership in both cases?
> > >
> >
> > I am not sure what this means exactly. I have tried reading
> > /proc/<pid>/cgroups of both the SSH process (upper) and the lxc-attach
> > process (lower):
> >
> > tim.jaacks@a048:~$ cat /proc/26732/cgroup
> > 11:pids:/lxc/mylxc/system.slice/ssh.service
> > 10:net_cls,net_prio:/lxc/mylxc
> > 9:perf_event:/lxc/mylxc
> > 8:freezer:/lxc/mylxc
> > 7:cpuset:/lxc/mylxc
> > 6:rdma:/lxc/mylxc
> > 5:memory:/lxc/mylxc
> > 4:cpu,cpuacct:/lxc/mylxc
> > 3:devices:/lxc/mylxc/system.slice/ssh.service
> > 2:blkio:/lxc/mylxc
> > 1:name=systemd:/lxc/mylxc/system.slice/ssh.service
> > 0::/lxc/mylxc
> >
> > tim.jaacks@a048:~$ cat /proc/26600/cgroup
> > 11:pids:/user.slice/user-1001.slice/session-1528.scope
> > 10:net_cls,net_prio:/
> > 9:perf_event:/
> > 8:freezer:/user/root/0
> > 7:cpuset:/
> > 6:rdma:/
> > 5:memory:/user/root/0
> > 4:cpu,cpuacct:/user.slice
> > 3:devices:/user.slice
> > 2:blkio:/user.slice
> > 1:name=systemd:/user/root/0
> > 0::/user.slice/user-1001.slice/session-1528.scope
> >
> > Does this help? I have no idea what all these fields mean.
>
> Yes it does, thanks :) You want to look at the devices: lines in each.
> The ssh session placed you in the container's devices cgroup,
> /lxc/mylxc/system.slice/ssh.service .
> You could now
>
> cat /sys/fs/cgroup/devices/lxc/mylxc/system.slice/ssh.service/devices.list
>
> to see what devices you have access to that way.

Thanks for your reply. I get the following list there:

c *:* m
b *:* m
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 5:0 rwm
c 5:1 rwm
c 5:2 rwm
c 1:8 rwm
c 1:9 rwm
c 136:* rwm
c 10:229 rwm
c 254:0 rm
c 10:200 rwm
c 10:228 rwm
c 10:232 rwm

Since my USB device shows 180, 0 as major/minor numbers, I assume I should add this to my container config:

lxc.cgroup.devices.allow = c 180:* rwm

Would that be correct?

> If you look at /proc/26600/cgroup , it is in /user.slice . Now, unless you
> actually did "lxc-attach -e -n mylxc", that should not be right. You should
> be placed in the container's cgroup, but you weren't. This may be a bug.
>
> Ah, I see that result when I start unprivileged containers. Perhaps it also
> happens when you start a root-owned container with subuid mappings? Does
> your container have subuid mappings?

So the process should not have access to the device either, do I get this right? I did not use the -e flag on lxc-attach (did everything just like stated in the original question), and I do not use subuid mappings. But I used sudo, because I created the container with sudo as well. In which cgroup should the process be?

> Anyway, I suspect the answer will be to give your container lxc.devices lines
> to your container config.
>
> -serge

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
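As an added example (not code from this thread or from LXC itself), the script below evaluates a cgroup v1 devices.list whitelist the way the devices controller does, using the list quoted above as constructed sample input and assuming the cgroup is in the default-deny mode LXC configures: it shows that the `c *:* m` entry permits mknod on char 180:0 but not read, which is exactly the "Operation not permitted" from `cat`, and that the proposed `c 180:* rwm` entry is what makes the read pass.

```python
# Added example (not from the thread); DEVICES_LIST is the devices.list quoted above.
DEVICES_LIST = (
    "c *:* m\nb *:* m\nc 1:3 rwm\nc 1:5 rwm\nc 1:7 rwm\nc 5:0 rwm\n"
    "c 5:1 rwm\nc 5:2 rwm\nc 1:8 rwm\nc 1:9 rwm\nc 136:* rwm\n"
    "c 10:229 rwm\nc 254:0 rm\nc 10:200 rwm\nc 10:228 rwm\nc 10:232 rwm\n"
)

def parse_devices_list(text):
    """Entries are '<type> <major>:<minor> <access>': type c, b or a (all),
    major/minor a number or '*', access a subset of r (read), w (write), m (mknod)."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            dev_type, numbers, access = line.split()
            major, minor = numbers.split(":")
            rules.append((dev_type, major, minor, frozenset(access)))
    return rules

def permitted(rules, dev_type, major, minor, access):
    """Whitelist semantics: the request is allowed only if some entry matches
    the device node and grants every requested access bit."""
    for r_type, r_major, r_minor, r_access in rules:
        if r_type not in ("a", dev_type):
            continue
        if r_major != "*" and int(r_major) != major:
            continue
        if r_minor != "*" and int(r_minor) != minor:
            continue
        if set(access) <= r_access:
            return True
    return False

def check_hiddev():
    """For char 180:0 (the hiddev node in the thread) returns
    (mknod allowed, read allowed with the quoted list,
     read allowed after 'lxc.cgroup.devices.allow = c 180:* rwm')."""
    rules = parse_devices_list(DEVICES_LIST)
    mknod_ok = permitted(rules, "c", 180, 0, "m")
    read_before = permitted(rules, "c", 180, 0, "r")
    rules.append(("c", "180", "*", frozenset("rwm")))  # the proposed allow line
    return mknod_ok, read_before, permitted(rules, "c", 180, 0, "r")

if __name__ == "__main__":
    print(check_hiddev())  # (True, False, True)
```

The same check can be run against a live container by feeding it the contents of the devices.list file Serge points to instead of the embedded sample.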