[lxc-users] Device node in LXC is not accessible when connected via SSH

Tim Jaacks tim.jaacks at garz-fricke.com
Mon Feb 3 10:02:27 UTC 2020


> -----Original Message-----
> From: Serge E. Hallyn <serge at hallyn.com> 
> Sent: Tuesday, 28 January 2020 18:21
> To: Tim Jaacks <tim.jaacks at garz-fricke.com>
> Cc: Serge E. Hallyn <serge at hallyn.com>; LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Subject: Re: [lxc-users] Device node in LXC is not accessible when connected via SSH
> 
> On Tue, Jan 28, 2020 at 04:33:32PM +0000, Tim Jaacks wrote:
> > -----Original Message-----
> > From: Serge E. Hallyn <serge at hallyn.com>
> > Sent: Tuesday, 28 January 2020 16:59
> > To: Tim Jaacks <tim.jaacks at garz-fricke.com>
> > Cc: Serge E. Hallyn <serge at hallyn.com>; LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> > Subject: Re: [lxc-users] Device node in LXC is not accessible when connected via SSH
> > 
> > > On Tue, Jan 28, 2020 at 03:47:57PM +0000, Tim Jaacks wrote:
> > > > >On Tue, Jan 28, 2020 at 08:24:30AM +0000, Tim Jaacks wrote:
> > > > >> Hello everyone,
> > > > >> 
> > > > >> I have a problem where a physical hardware device passed through to an LXC container cannot be read from or written to when I am connected via SSH.
> > > > >> 
> > > > >> The device node of my physical hardware device looks like this:
> > > > >> 
> > > > >> 	myuser at myhost:~$ ls -la /dev/usb/hiddev0
> > > > >> 	crw-rw-rw- 1 root root 180, 0 Jul 30 10:27 /dev/usb/hiddev0
> > > > >> 
> > > > >> This is how I create and start my container:
> > > > >> 
> > > > >> 	myuser at myhost:~$ sudo lxc-create -q -t debian -n mylxc -- -r stretch
> > > > >> 	myuser at myhost:~$ sudo lxc-start -n mylxc
> > > > >> 
> > > > >> Then I add the device node to the LXC:
> > > > >> 
> > > > >> 	myuser at myhost:~$ sudo lxc-device -n mylxc add /dev/usb/hiddev0
> > > > >> 
> > > > >> Afterwards the device is available in the LXC and I can read from it after having attached to the LXC:
> > > > >> 
> > > > >> 	myuser at myhost:~$ sudo lxc-attach -n mylxc
> > > > >> 	root at mylxc:/# ls -la /dev/usb/hiddev0
> > > > >> 	crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
> > > > >> 	root at mylxc:/# cat /dev/usb/hiddev0
> > > > >> 	??????????^C
> > > > >> 	root at mylxc:/#
> > > > >> 
> > > > >> I then enable root access via SSH without a password:
> > > > >> 
> > > > >> 	myuser at myhost:~$ sudo lxc-attach -n mylxc
> > > > >> 	root at mylxc:/# sed -i 's/#\?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
> > > > >> 	root at mylxc:/# sed -i 's/#\?PermitEmptyPasswords.*/PermitEmptyPasswords yes/g' /etc/ssh/sshd_config
> > > > >> 	root at mylxc:/# sed -i 's/#\?UsePAM.*/UsePAM no/g' /etc/ssh/sshd_config
> > > > >> 	root at mylxc:/# passwd -d root
> > > > >> 	passwd: password expiry information changed.
> > > > >> 	root at mylxc:/# /etc/init.d/ssh restart
> > > > >> 	Restarting ssh (via systemctl): ssh.service.
> > > > >> 	root at mylxc:/# exit
> > > > >> 
> > > > >> When I connect via SSH now, the device node is there, but I cannot access it:
> > > > >> 
> > > > >> 	myuser at myhost:~$ ssh root@<lxc-ip-address>
> > > > >> 	root at mylxc:~# ls -la /dev/usb/hiddev0
> > > > >> 	crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
> > > > >> 	root at mylxc:~# cat /dev/usb/hiddev0
> > > > >> 	cat: /dev/usb/hiddev0: Operation not permitted
> > > > >> 
> > > > >> In both cases (lxc-attach and ssh) I am the root user (verified via whoami), so this cannot be the problem.
> > > > >> 
> > > > >> Why am I not allowed to access the device when I am connected via SSH?
> > > > > 
> > > > > Can you look at your cgroup membership in both cases?
> > > > >
> > > > 
> > > > I am not sure what this means exactly. I have tried reading /proc/<pid>/cgroups of both the SSH process (upper) and the lxc-attach process (lower):
> > > > 
> > > > tim.jaacks at a048:~$ cat /proc/26732/cgroup 
> > > > 11:pids:/lxc/mylxc/system.slice/ssh.service
> > > > 10:net_cls,net_prio:/lxc/mylxc
> > > > 9:perf_event:/lxc/mylxc
> > > > 8:freezer:/lxc/mylxc
> > > > 7:cpuset:/lxc/mylxc
> > > > 6:rdma:/lxc/mylxc
> > > > 5:memory:/lxc/mylxc
> > > > 4:cpu,cpuacct:/lxc/mylxc
> > > > 3:devices:/lxc/mylxc/system.slice/ssh.service
> > > > 2:blkio:/lxc/mylxc
> > > > 1:name=systemd:/lxc/mylxc/system.slice/ssh.service
> > > > 0::/lxc/mylxc
> > > > 
> > > > tim.jaacks at a048:~$ cat /proc/26600/cgroup 
> > > > 11:pids:/user.slice/user-1001.slice/session-1528.scope
> > > > 10:net_cls,net_prio:/
> > > > 9:perf_event:/
> > > > 8:freezer:/user/root/0
> > > > 7:cpuset:/
> > > > 6:rdma:/
> > > > 5:memory:/user/root/0
> > > > 4:cpu,cpuacct:/user.slice
> > > > 3:devices:/user.slice
> > > > 2:blkio:/user.slice
> > > > 1:name=systemd:/user/root/0
> > > > 0::/user.slice/user-1001.slice/session-1528.scope
> > > > 
> > > > Does this help? I have no idea what all these fields mean.
> > > 
> > > Yes it does, thanks :)  You want to look at the devices: lines in each.
> > > The ssh session placed you in the container's devices cgroup, 
> > > /lxc/mylxc/system.slice/ssh.service .  You could now
> > > 
> > > cat /sys/fs/cgroup/devices/lxc/mylxc/system.slice/ssh.service/devices.list
> > > 
> > > to see what devices you have access to that way.
> > 
> > Thanks for your reply. I get the following list there:
> > 
> > c *:* m
> > b *:* m
> > c 1:3 rwm
> > c 1:5 rwm
> > c 1:7 rwm
> > c 5:0 rwm
> > c 5:1 rwm
> > c 5:2 rwm
> > c 1:8 rwm
> > c 1:9 rwm
> > c 136:* rwm
> > c 10:229 rwm
> > c 254:0 rm
> > c 10:200 rwm
> > c 10:228 rwm
> > c 10:232 rwm
> > 
> > Since my USB device shows 180, 0 as major/minor-numbers, I assume I should add this to my container config:
> > 
> > lxc.cgroup.devices.allow = c 180:* rwm
> > 
> > Would that be correct?
> 
> Yes.

Thank you, I can confirm that this works. I am able to access my device from the SSH session now.

> > > If you look at /proc/26600/cgroup , it is in /user.slice .  Now, unless you actually did "lxc-attach -e -n mylxc", that should not be right.  You should be placed in the container's cgroup, but you weren't.  This may be a bug.
> > > 
> > > Ah, I see that result when I start unprivileged containers.  Perhaps it also happens when you start a root-owned container with subuid mappings?  Does your container have subuid mappings?
> > 
> > So the process should not have access to the device either, do I get this right?
> 
> Right.
> 
> > I did not use the -e flag on lxc-attach (did everything just like stated in the original question), and I do not use subuid mappings. But I used sudo, because I created the container with sudo as well.
> > 
> > In which cgroup should the process be?
> 
> You can do sudo lxc-info -n mylxc -H -p to get the pid of the container init, so (as root)
> 
> awk -F: '/device/ { print $3 }' /proc/$(lxc-info -n mylxc -H -p)/cgroup
> 
> should show the right cgroup.

OK, this shows me "/lxc/mylxc/init.scope", which sounds reasonable. So do you have any idea why using "sudo lxc-attach" results in the wrong cgroup "/user.slice"?

> -serge
>
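
As an added example (not code from this thread, and not LXC's own tooling), the following Python parses the two artifacts the thread inspects, a /proc/<pid>/cgroup dump and the cgroup v1 devices controller's devices.list, and answers the two questions raised above: is a process's devices cgroup actually at or below the container's, and does the whitelist cover a given device type, major:minor and access mode. The file contents are constructed inline from the output quoted in the thread, and the function names are my own.

```python
"""Check cgroup v1 device confinement for a process.

Added example, not from the lxc-users thread or from LXC. The two inputs
below are constructed from the output quoted in the thread so that the
script runs offline; on a real host you would read /proc/<pid>/cgroup and
/sys/fs/cgroup/devices/<path>/devices.list instead.
"""
import re

# Constructed: devices.list of /lxc/mylxc/system.slice/ssh.service as quoted.
DEVICES_LIST = """\
c *:* m
b *:* m
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 5:0 rwm
c 5:1 rwm
c 5:2 rwm
c 1:8 rwm
c 1:9 rwm
c 136:* rwm
c 10:229 rwm
c 254:0 rm
c 10:200 rwm
c 10:228 rwm
c 10:232 rwm
"""

# Constructed: the relevant /proc/<pid>/cgroup lines of the SSH session.
PROC_CGROUP_SSH = """\
11:pids:/lxc/mylxc/system.slice/ssh.service
3:devices:/lxc/mylxc/system.slice/ssh.service
1:name=systemd:/lxc/mylxc/system.slice/ssh.service
0::/lxc/mylxc
"""

# Constructed: the relevant /proc/<pid>/cgroup lines of the lxc-attach shell.
PROC_CGROUP_ATTACH = """\
11:pids:/user.slice/user-1001.slice/session-1528.scope
3:devices:/user.slice
0::/user.slice/user-1001.slice/session-1528.scope
"""

# One devices.list entry: type (a/b/c), major:minor (number or *), access bits.
DEVICE_RULE_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")


def parse_devices_list(text):
    """Parse devices.list into (type, major, minor, access) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = DEVICE_RULE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised devices.list entry: {line!r}")
        rules.append(match.groups())
    return rules


def _field_matches(pattern, value):
    return pattern == "*" or int(pattern) == value


def device_allowed(devices_list_text, dev_type, major, minor, mode):
    """True if one whitelist entry grants every bit of `mode` for the device.

    Mirrors the v1 devices controller: entries are exceptions to a default
    deny, and an entry applies only if its type, major and minor match and
    its access set is a superset of the requested access (no combining of
    bits across several entries).
    """
    wanted = set(mode)
    if not wanted or not wanted <= set("rwm"):
        raise ValueError("mode must be a non-empty subset of 'rwm'")
    for rtype, rmajor, rminor, raccess in parse_devices_list(devices_list_text):
        if rtype != "a" and rtype != dev_type:
            continue
        if not (_field_matches(rmajor, major) and _field_matches(rminor, minor)):
            continue
        if wanted <= set(raccess):
            return True
    return False


def devices_cgroup_path(proc_cgroup_text):
    """Return the devices-controller path from /proc/<pid>/cgroup, or None."""
    for line in proc_cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _hierarchy, controllers, path = parts
        if "devices" in controllers.split(","):
            return path
    return None


def confined_to(container_cgroup, proc_cgroup_text):
    """True if the process's devices cgroup is the container's or below it."""
    path = devices_cgroup_path(proc_cgroup_text)
    if path is None:
        return False
    base = container_cgroup.rstrip("/")
    return path == base or path.startswith(base + "/")


if __name__ == "__main__":
    for label, text in (("ssh session", PROC_CGROUP_SSH), ("lxc-attach", PROC_CGROUP_ATTACH)):
        print(f"{label}: devices cgroup {devices_cgroup_path(text)}, "
              f"confined to /lxc/mylxc: {confined_to('/lxc/mylxc', text)}")
    for mode in ("r", "m"):
        print(f"c 180:0 {mode}: {device_allowed(DEVICES_LIST, 'c', 180, 0, mode)}")
    # The fix from the thread, appended as lxc.cgroup.devices.allow would add it.
    print("after 'c 180:* rwm':",
          device_allowed(DEVICES_LIST + "c 180:* rwm\n", "c", 180, 0, "rw"))
```

Run against the thread's data this reports that the SSH session is confined to the container's devices cgroup while the lxc-attach shell sits in /user.slice, that c 180:0 may be mknod'ed (the `c *:* m` entry) but not read, and that appending the `c 180:* rwm` entry makes read and write pass. The matching rule is the cgroup v1 one: a single entry has to cover all requested access bits. On a cgroup v2 host there is no devices.list; device access is enforced by a BPF program attached to the cgroup, so this parser does not apply there.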

