# Setup deCONZ on unprivileged Proxmox container

## Preparation on host

First find your ConBee with `lsusb` and note the ID. The vendor is **1cf1** and the product is **0030**.

```
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 1cf1:0030 Dresden Elektronik ZigBee gateway [ConBee II]
Bus 001 Device 003: ID 8087:0aaa Intel Corp. Bluetooth 9460/9560 Jefferson Peak (JfP)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
```

Run `ls -la /dev/ttyACM0` and note the device major number (the value before the comma, which the cgroup rule uses); in my case it was **166**.

```
crw-rw-r-- 1 root root 166, 0 Jan 3 21:45 /dev/ttyACM0
```

To handle the permissions for the device, I created a new directory and, inside it, a device node with the correct permissions. Change **166** in the **mknod** command to the major number you noted in the previous step.

`mkdir -p /lxc/120/devices`\
`cd /lxc/120/devices/`\
`mknod -m 660 ttyACM0 c 166 0`\
`chown 100000:100020 ttyACM0`\
`ls -al /lxc/120/devices/ttyACM0`

Run `nano /etc/pve/lxc/120.conf` and add the last two rows for cgroup and mount. Change **166** in the **cgroup** line to the major number you noted before.

```
arch: amd64
cores: 1
features: nesting=1
hostname: zigbee.test.com
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.10.1,hwaddr=52:CE:FD:D2:03:0F,ip=192.168.10.120/24,type=veth
ostype: ubuntu
rootfs: local:120/vm-120-disk-0.raw,size=8G
swap: 512
unprivileged: 1
lxc.cgroup2.devices.allow: c 166:* rwm
lxc.mount.entry: /lxc/120/devices/ttyACM0 dev/ttyACM0 none bind,optional,create=file
```

`nano /etc/udev/rules.d/50-myusb.rules`

```
SUBSYSTEM=="tty", ATTRS{idVendor}=="1cf1", ATTRS{idProduct}=="0030", MODE="0666", SYMLINK+="conbee"
```

`udevadm control --reload-rules && service udev restart && udevadm trigger`\
`ls -l /dev/ttyACM*`

## Install deCONZ in container

`apt install gnupg2`\
`wget -O - http://phoscon.de/apt/deconz.pub.key | apt-key add -`\
`sh -c "echo 'deb [arch=amd64] http://phoscon.de/apt/deconz $(lsb_release -cs) main' > /etc/apt/sources.list.d/deconz.list"`\
`apt update`\
`apt install deconz`

`GCFFlasher_internal -l`

```
GCFFlasher V3_17 (c) dresden elektronik ingenieurtechnik gmbh
Path             | Vendor | Product | Serial     | Type
-----------------+--------+---------+------------+-------
                 |        |         |            |
```

`mkdir -p /run/udev/data/`

```
echo "E:ID_VENDOR_ID=1cf1
E:ID_MODEL_ID=0030" > /run/udev/data/c166\:0
```

`GCFFlasher_internal -l`

```
GCFFlasher V3_17 (c) dresden elektronik ingenieurtechnik gmbh
Path             | Vendor | Product | Serial     | Type
-----------------+--------+---------+------------+-------
/dev/ttyACM0     | 0x1CF1 | 0x0030  |            | ConBee II
```

`/sbin/setcap cap_net_bind_service+ep /usr/bin/deCONZ`\
`getcap /usr/bin/deCONZ`

```
/usr/bin/deCONZ = cap_net_bind_service+ep
```

`useradd deconz-user`\
`mkdir /home/deconz-user`\
`chown -R deconz-user:deconz-user /home/deconz-user`\
`usermod -a -G dialout deconz-user`\
`systemctl enable deconz`

```
Created symlink /etc/systemd/system/multi-user.target.wants/deconz.service -> /lib/systemd/system/deconz.service.
```

`nano /lib/systemd/system/deconz.service`

```
[Unit]
Description=deCONZ: ZigBee gateway -- REST API
Wants=deconz-init.service deconz-update.service
StartLimitIntervalSec=60

[Service]
User=deconz-user
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /run/udev/data
ExecStartPre=/sbin/setcap cap_net_bind_service+ep /usr/bin/deCONZ
ExecStartPre=/bin/bash -c "/bin/echo -e 'E:ID_VENDOR_ID=1cf1\nE:ID_MODEL_ID=0030' > /run/udev/data/c166:0"
ExecStart=/usr/bin/deCONZ -platform minimal --http-port=80
Restart=on-failure
#AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_KILL CAP_SYS_BOOT CAP_SYS_TIME

[Install]
WantedBy=multi-user.target
```

`shutdown -r now`

# References

https://doc.turris.cz/doc/en/public/deconz_lxc_howto\
https://www.xmodulo.com/change-usb-device-permission-linux.html\
https://monach.us/automation/connecting-zwave-stick-under-lxc/\
https://blog.benoitblanchon.fr/lxc-unprivileged-container/\
https://gist.github.com/Yub0/518097e1a9d179dba19a787b462f7dd2
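
# Example: deriving the passthrough values

The host-side values in "Preparation on host" (major and minor number, the `100000:100020` owner, the two `120.conf` lines and the udev data file name) all follow from one `ls -la` line, as this added example shows; it is not part of the original guide, and its function names are made up for illustration. It assumes Proxmox's default unprivileged ID mapping (container ID N is host ID 100000 + N) and that `dialout` is GID 20 in the container, and it narrows the cgroup rule from `166:*` to the single minor that the `mknod` node uses.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumptions: default Proxmox
# idmap (container id N -> host id 100000+N, 65536 ids); dialout is gid 20.
IDMAP_BASE=100000
IDMAP_COUNT=65536

# Print "major minor" parsed from an `ls -la` line of a character device.
dev_numbers() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^c/ { exit 1 }               # reject anything but a char device
        { sub(/,$/, "", $5); print $5, $6 }'
}

# Map a container uid/gid to the host id that must own the device node.
host_id() {
    [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -lt "$IDMAP_COUNT" ] || return 1
    echo $((IDMAP_BASE + $1))
}

# Print the host commands and config lines for container $1 and ls line $2.
# The cgroup rule names the exact minor, because the mknod node is fixed to it.
passthrough_plan() {
    ctid=$1
    nums=$(dev_numbers "$2") || { echo "not a character device" >&2; return 1; }
    major=${nums% *}
    minor=${nums#* }
    name=${2##*/}
    uid=$(host_id 0) && gid=$(host_id 20) || return 1   # container root:dialout
    cat <<EOF
mknod -m 660 /lxc/$ctid/devices/$name c $major $minor
chown $uid:$gid /lxc/$ctid/devices/$name
lxc.cgroup2.devices.allow: c $major:$minor rwm
lxc.mount.entry: /lxc/$ctid/devices/$name dev/$name none bind,optional,create=file
# udev data file inside the container: /run/udev/data/c$major:$minor
EOF
}

# Constructed sample: the ls line shown in "Preparation on host".
SAMPLE='crw-rw-r-- 1 root root 166, 0 Jan 3 21:45 /dev/ttyACM0'
passthrough_plan 120 "$SAMPLE"
```

If the container uses a custom `lxc.idmap`, set `IDMAP_BASE` and `IDMAP_COUNT` to match before trusting the `chown` line.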