Device node in LXC is not accessible when connected via SSH


I have a problem where a physical hardware device passed through to an LXC container cannot be read from or written to when I am connected via SSH.

The device node of my physical hardware device looks like this:

myuser@myhost:~$ ls -la /dev/usb/hiddev0
crw-rw-rw- 1 root root 180, 0 Jul 30 10:27 /dev/usb/hiddev0

This is how I create and start my container:

myuser@myhost:~$ sudo lxc-create -q -t debian -n mylxc -- -r stretch
myuser@myhost:~$ sudo lxc-start -n mylxc

Then I add the device node to the LXC:

myuser@myhost:~$ sudo lxc-device -n mylxc add /dev/usb/hiddev0

Afterwards the device is available in the LXC and I can read from it after having attached to the LXC:

myuser@myhost:~$ sudo lxc-attach -n mylxc
root@mylxc:/# ls -la /dev/usb/hiddev0
crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
root@mylxc:/# cat /dev/usb/hiddev0
����������^C
root@mylxc:/#

I then enable root access via SSH without a password:

myuser@myhost:~$ sudo lxc-attach -n mylxc
root@mylxc:/# sed -i 's/#\?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
root@mylxc:/# sed -i 's/#\?PermitEmptyPasswords.*/PermitEmptyPasswords yes/g' /etc/ssh/sshd_config
root@mylxc:/# sed -i 's/#\?UsePAM.*/UsePAM no/g' /etc/ssh/sshd_config
root@mylxc:/# passwd -d root
passwd: password expiry information changed.
root@mylxc:/# /etc/init.d/ssh restart
Restarting ssh (via systemctl): ssh.service.
root@mylxc:/# exit

When I connect via SSH now, the device node is there, but I cannot access it:

myuser@myhost:~$ ssh root@<lxc-ip-address>
root@mylxc:~# ls -la /dev/usb/hiddev0
crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
root@mylxc:~# cat /dev/usb/hiddev0
cat: /dev/usb/hiddev0: Operation not permitted

In both cases (lxc-attach and ssh) I am the root user (verified via whoami), so this cannot be the problem.

Why am I not allowed to access the device when I am connected via SSH?


EDIT

In the meantime I found out that the error disappears when I call all the LXC initialization commands directly one after another in a script, i.e.:

sudo lxc-create -q -t debian -n mylxc -- -r stretch
sudo lxc-start -n mylxc
sudo lxc-device -n mylxc add /dev/usb/hiddev0
...

And then all the SSH configuration as described above. The device is correctly accessible via SSH then.

As soon as some time passes between lxc-start and lxc-device, the error appears, e.g.:

sudo lxc-create -q -t debian -n mylxc -- -r stretch
sudo lxc-start -n mylxc
sleep 1
sudo lxc-device -n mylxc add /dev/usb/hiddev0
...

Why is the timing relevant here? What happens during the first second within the LXC that makes the device become inaccessible?


Solution

With help from the lxc-users mailing list I found out that the restriction is intended. Access to devices has to be allowed explicitly in the LXC's config using their major/minor numbers:

    lxc.cgroup.devices.allow = c 180:* rwm

The unrestricted access using lxc-attach seems to be some bug in my case. Devices should never be accessible in the LXC if not explicitly allowed.
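As an added example (not part of the question or the answer above), a small POSIX shell helper that derives the `lxc.cgroup.devices.allow` line for a device node from its real major/minor numbers instead of reading them off `ls -la`, and a check that tells you whether a container config already permits a given device before you rely on runtime `lxc-device add`. It assumes a GNU or busybox `stat` that understands `%t`/`%T`; the config snippet is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU/busybox stat.

# Print "major minor" (decimal) for a device node. stat reports them in hex.
dev_major_minor() {
    _hex=$(stat -c '%t %T' "$1") || return 1
    set -- $_hex
    printf '%d %d\n' "0x$1" "0x$2"
}

# Build one allow rule: $1 = c|b, $2 = major, $3 = minor or '*', $4 = rwm.
allow_rule() {
    printf 'lxc.cgroup.devices.allow = %s %s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Convenience: allow every minor of the device's major, as in the answer.
rule_for_device() {
    _mm=$(dev_major_minor "$1") || return 1
    set -- $_mm
    allow_rule c "$1" '*' rwm
}

# Exit 0 if the config on stdin has an allow line covering type/major/minor,
# either as the exact minor or as "major:*".
config_allows() {
    _type=$1; _major=$2; _minor=$3
    grep -Eq "^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*$_type[[:space:]]+$_major:($_minor|\*)[[:space:]]+[rwm]+"
}

# Constructed sample config: deny everything, then allow /dev/null and the
# HID device major from the question.
SAMPLE_CONFIG='lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 180:* rwm'

# Demo run: print the rule for a node and check the sample config for it.
rule_for_device /dev/null
if printf '%s\n' "$SAMPLE_CONFIG" | config_allows c 180 0; then
    echo "hiddev0 (c 180:0) is allowed by the sample config"
fi
```

Add the printed line to the container's config and restart the container so the rule is applied on every start; on hosts using the unified cgroup v2 hierarchy the key is `lxc.cgroup2.devices.allow` instead.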