[lxc-users] Device node in LXC is not accessible when connected via SSH
Serge E. Hallyn
serge at hallyn.com
Tue Jan 28 15:59:25 UTC 2020
On Tue, Jan 28, 2020 at 03:47:57PM +0000, Tim Jaacks wrote:
> > On Tue, Jan 28, 2020 at 08:24:30AM +0000, Tim Jaacks wrote:
> >> Hello everyone,
> >>
> >> I have a problem where a physical hardware device passed through to an LXC container cannot be read from or written to when I am connected via SSH.
> >>
> >> The device node of my physical hardware device looks like this:
> >>
> >> myuser at myhost:~$ ls -la /dev/usb/hiddev0
> >> crw-rw-rw- 1 root root 180, 0 Jul 30 10:27 /dev/usb/hiddev0
> >>
> >> This is how I create and start my container:
> >>
> >> myuser at myhost:~$ sudo lxc-create -q -t debian -n mylxc -- -r stretch
> >> myuser at myhost:~$ sudo lxc-start -n mylxc
> >>
> >> Then I add the device node to the LXC:
> >>
> >> myuser at myhost:~$ sudo lxc-device -n mylxc add /dev/usb/hiddev0
> >>
> >> Afterwards the device is available in the LXC and I can read from it after having attached to the LXC:
> >>
> >> myuser at myhost:~$ sudo lxc-attach -n mylxc
> >> root at mylxc:/# ls -la /dev/usb/hiddev0
> >> crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
> >> root at mylxc:/# cat /dev/usb/hiddev0
> >> ??????????^C
> >> root at mylxc:/#
> >>
> >> I then enable root access via SSH without a password:
> >>
> >> myuser at myhost:~$ sudo lxc-attach -n mylxc
> >> root at mylxc:/# sed -i 's/#\?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
> >> root at mylxc:/# sed -i 's/#\?PermitEmptyPasswords.*/PermitEmptyPasswords yes/g' /etc/ssh/sshd_config
> >> root at mylxc:/# sed -i 's/#\?UsePAM.*/UsePAM no/g' /etc/ssh/sshd_config
> >> root at mylxc:/# passwd -d root
> >> passwd: password expiry information changed.
> >> root at mylxc:/# /etc/init.d/ssh restart
> >> Restarting ssh (via systemctl): ssh.service.
> >> root at mylxc:/# exit
> >>
> >> When I connect via SSH now, the device node is there, but I cannot access it:
> >>
> >> myuser at myhost:~$ ssh root@<lxc-ip-address>
> >> root at mylxc:~# ls -la /dev/usb/hiddev0
> >> crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
> >> root at mylxc:~# cat /dev/usb/hiddev0
> >> cat: /dev/usb/hiddev0: Operation not permitted
> >>
> >> In both cases (lxc-attach and ssh) I am the root user (verified via whoami), so this cannot be the problem.
> >>
> >> Why am I not allowed to access the device when I am connected via SSH?
> >
> > Can you look at your cgroup membership in both cases?
> >
>
> I am not sure what this means exactly. I have tried reading /proc/<pid>/cgroups of both the SSH process (upper) and the lxc-attach process (lower):
>
> tim.jaacks at a048:~$ cat /proc/26732/cgroup
> 11:pids:/lxc/mylxc/system.slice/ssh.service
> 10:net_cls,net_prio:/lxc/mylxc
> 9:perf_event:/lxc/mylxc
> 8:freezer:/lxc/mylxc
> 7:cpuset:/lxc/mylxc
> 6:rdma:/lxc/mylxc
> 5:memory:/lxc/mylxc
> 4:cpu,cpuacct:/lxc/mylxc
> 3:devices:/lxc/mylxc/system.slice/ssh.service
> 2:blkio:/lxc/mylxc
> 1:name=systemd:/lxc/mylxc/system.slice/ssh.service
> 0::/lxc/mylxc
>
> tim.jaacks at a048:~$ cat /proc/26600/cgroup
> 11:pids:/user.slice/user-1001.slice/session-1528.scope
> 10:net_cls,net_prio:/
> 9:perf_event:/
> 8:freezer:/user/root/0
> 7:cpuset:/
> 6:rdma:/
> 5:memory:/user/root/0
> 4:cpu,cpuacct:/user.slice
> 3:devices:/user.slice
> 2:blkio:/user.slice
> 1:name=systemd:/user/root/0
> 0::/user.slice/user-1001.slice/session-1528.scope
>
> Does this help? I have no idea what all these fields mean.
Yes it does, thanks :) You want to look at the devices: lines in each.
The ssh session placed you in the container's devices cgroup,
/lxc/mylxc/system.slice/ssh.service. You could now
cat /sys/fs/cgroup/devices/lxc/mylxc/system.slice/ssh.service/devices.list
to see what devices you have access to that way.
If you look at /proc/26600/cgroup, it is in /user.slice. Now, unless
you actually did "lxc-attach -e -n mylxc", that should not be right. You
should be placed in the container's cgroup, but you weren't. This may be
a bug.
Ah, I see that result when I start unprivileged containers. Perhaps it also
happens when you start a root-owned container with subuid mappings? Does
your container have subuid mappings?
Anyway, I suspect the answer will be to add lxc.devices
lines to your container config.
-serge
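The check Serge describes (compare the devices: line of each process's /proc/<pid>/cgroup, then read that cgroup's devices.list) can be scripted. The script below is an added example and is not code from this thread or from the LXC project. It assumes the cgroup v1 layout shown in the thread, where the devices controller is a separate hierarchy and devices.list holds the whitelist; the two cgroup snippets and both devices.list contents are constructed here so the script runs offline. On a real host you would pipe in the actual /proc/<pid>/cgroup and /sys/fs/cgroup/devices/<path>/devices.list instead.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): find a process's devices
# cgroup and check whether that cgroup's whitelist covers a character device.
# Assumes cgroup v1 ("id:controllers:path" lines, devices.list whitelist).

# devices_cgroup_path: read /proc/<pid>/cgroup text on stdin and print the
# path of the hierarchy that carries the "devices" controller.
devices_cgroup_path() {
    awk -F: '("," $2 ",") ~ /,devices,/ { print $3; exit }'
}

# in_cgroup_subtree PATH PREFIX: succeed if PATH is PREFIX or lies below it.
# Tells whether a shell really landed inside the container's cgroup tree.
in_cgroup_subtree() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# device_access TYPE MAJOR MINOR WANT: read a devices.list on stdin and print
# "allowed" if an entry covers TYPE MAJOR:MINOR with every letter of WANT
# (r, w, m), else "denied". "a *:* rwm" is the unrestricted case.
device_access() {
    awk -v t="$1" -v maj="$2" -v mnr="$3" -v want="$4" '
    {
        split($2, mm, ":")
        if (($1 == "a" || $1 == t) &&
            (mm[1] == "*" || mm[1] == maj) &&
            (mm[2] == "*" || mm[2] == mnr)) {
            ok = 1
            for (i = 1; i <= length(want); i++)
                if (index($3, substr(want, i, 1)) == 0) ok = 0
            if (ok) { found = 1; print "allowed"; exit }
        }
    }
    END { if (!found) print "denied" }'
}

# Constructed sample: cgroup lines for the shell reached over SSH.
SSH_CGROUP='11:pids:/lxc/mylxc/system.slice/ssh.service
3:devices:/lxc/mylxc/system.slice/ssh.service
0::/lxc/mylxc'

# Constructed sample: cgroup lines for the lxc-attach shell (under /user.slice).
ATTACH_CGROUP='11:pids:/user.slice/user-1001.slice/session-1528.scope
3:devices:/user.slice
0::/user.slice/user-1001.slice/session-1528.scope'

# Constructed devices.list contents (hypothetical, not taken from the thread):
# the ssh.service one whitelists only common pseudo-devices, so 180:0
# (hiddev0) is absent; the attach one is unrestricted.
SSH_DEVLIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm'
ATTACH_DEVLIST='a *:* rwm'

# check_session NAME CGROUP_TEXT DEVLIST_TEXT: one summary line per session.
check_session() {
    path=$(printf '%s\n' "$2" | devices_cgroup_path)
    if in_cgroup_subtree "$path" /lxc/mylxc; then where=inside; else where=outside; fi
    access=$(printf '%s\n' "$3" | device_access c 180 0 r)
    printf '%s: devices cgroup %s (%s container tree), c 180:0 read %s\n' \
        "$1" "$path" "$where" "$access"
}

check_session ssh "$SSH_CGROUP" "$SSH_DEVLIST"
check_session lxc-attach "$ATTACH_CGROUP" "$ATTACH_DEVLIST"
```

Run against real data with, for example, `cat /proc/26732/cgroup | devices_cgroup_path` and then `device_access c 180 0 r < /sys/fs/cgroup/devices/<that path>/devices.list`; a "denied" result for a node that ls shows as present is exactly the "Operation not permitted" case in the thread.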