@FenixC4
Last active July 31, 2023 11:17
Proxmox device passthrough

Recently I have been working out how to use block devices, such as an HDD partition, inside unprivileged containers safely. After trying many different methods, and a fair amount of struggling, I have settled on what I consider a balanced solution.

  1. Block devices

Here my solution is to create a mount directory and change its ownership to 100000:100000. Seen from inside the container those ids are root:root, because by default Proxmox maps every uid and gid of an unprivileged container onto the host by adding 100000 (container uid 0 is host uid 100000, container uid 1000 is host uid 101000, and so on; see the Proxmox documentation on unprivileged containers). If a non-root user inside the container should own the data, chown to that user's id plus 100000 instead. Note that every unprivileged container on the host uses this same default mapping, so any container given access to the directory (or to a device set up the same way) sees it as owned by its own root; the boundary this draws is per host, not per container. The partition can be mounted manually, for example /dev/sdc2 on /mnt/storage, or through a new entry in /etc/fstab. Do the chown on the mounted directory, since the ownership of the empty mount directory is hidden once a filesystem is mounted on top of it, and check the result with ls -ld /mnt/storage. After that a mount point can be added to the container's configuration with pct set <vmid> and the mp option:

--mp[n] [volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]
Use volume as container mount point. Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume.

The full option list is in the pct(1) man page.

  2. Character devices (serial device example)

In this case all we have to do is create a suitable udev rule that sets the owner and group of our /dev/tty device to 100000 and 100000 (again root:root inside the container). The built-in utility udevadm is very helpful for writing udev rules: udevadm info /dev/<your device> or udevadm info -a /dev/<your device> lists the attributes a rule can match on. Here is an example of such a rule (MODE="0664" also leaves the node readable by every user on the host; use 0660 if only the owner and group should reach it):
KERNEL=="ttyCH343USB0", SUBSYSTEM=="tty", MODE="0664", GROUP="100000", OWNER="100000"

Once the rule is ready we can add a mount entry to the container's configuration file. This time it is done with a raw lxc option. Here is an example of such a line:

lxc.mount.entry: /dev/ttyCH343USB0 dev/ttyCH343USB0 none bind,optional,create=file 0 0

And it would all be too rosy if it simply worked. The catch is that it works until the device is disconnected and reconnected: at that point it loses its permissions inside the container and is unusable, because the bind mount was set up once at container start and does not follow the new device node udev creates on reconnect. The only workarounds known to me are to create a privileged container instead or simply to reboot the container.

@mikolajwojcicki

Probably changing the udev rule's mode to 0666 would make the device still usable after it is reconnected.

@FenixC4
Author

FenixC4 commented Jul 31, 2023

It doesn't change anything. I think it's because of how containers work. The mount point for a device is created upon startup, and when the device is disconnected that mount is broken and won't be back unless the entire container reboots.
