Differences

This shows you the differences between two versions of the page.

vm:proxmox:lxc:devices_access [2023/06/20 19:10] niziakvm:proxmox:lxc:devices_access [2024/12/07 20:07] (current) niziak
Line 20: Line 20:
 ==== unprivileged LXCs ==== ==== unprivileged LXCs ====
  
-Unprivileged LXCs has UIDs and GIDs mapped to defines subid and subgids ranges.+Unprivileged LXCs has UIDs and GIDs mapped to defined subid and subgids ranges.
  
 To get access to ''ttyUSB0'' as ''dialout'' group (GID=20) host needs to give permissions to access ''ttyUSB0'' for GID=100020. To get access to ''ttyUSB0'' as ''dialout'' group (GID=20) host needs to give permissions to access ''ttyUSB0'' for GID=100020.
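
Review bot: The corrected sentence still has two slips on the same line: "LXCs has" should be "LXCs have", and "subid and subgids" does not match the file names the mapping comes from (the page itself uses ''/etc/subgid'' further down). Suggested wording: "Unprivileged LXCs have UIDs and GIDs mapped to the defined subuid and subgid ranges."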
Line 27: Line 27:
  
 Another method mentioned in [[https://gist.github.com/crundberg/a77b22de856e92a7e14c81f40e7a74bd|Setup deCONZ on unprivileged Proxmox container]] Another method mentioned in [[https://gist.github.com/crundberg/a77b22de856e92a7e14c81f40e7a74bd|Setup deCONZ on unprivileged Proxmox container]]
-is to do not touch ''/dev/ttyUSB0'' but create another device node with the same device major:minor. Then change owner of new device node and use it to bind mount into container.+is to do not touch ''/dev/ttyUSB0'' but create another device node with the same device ''major:minor''. Then change owner of new device node and use it to bind mount into container.
  
 ==== References ==== ==== References ====
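
Review bot: The reworded sentence still opens with "is to do not touch" and still does not say which owner the new device node should get. Suggest "is to leave ''/dev/ttyUSB0'' untouched and create another device node with the same ''major:minor''", and name the owner explicitly (the shifted GID=100020 from the paragraph above), so the node is not handed to a broader owner than the container needs.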
Line 36: Line 36:
   * Zigbee2MQTT automated LXC setup scripts (privileged containers):   * Zigbee2MQTT automated LXC setup scripts (privileged containers):
     * [[https://raw.githubusercontent.com/tteck/Proxmox/main/misc/build.func|build.func]]     * [[https://raw.githubusercontent.com/tteck/Proxmox/main/misc/build.func|build.func]]
- 
  
 ====== DRI forward ====== ====== DRI forward ======
 +
  
 Host system (Proxmox): Host system (Proxmox):
  
 +<code bash>
 +$ls -ln /dev/dri
 +
 +crw-rw---- 1 0  44 226,   0 03-26 11:53 card0
 +crw-rw---- 1 0 103 226, 128 03-26 11:53 renderD128
 +</code>
 +
 +In unprivileged PCT GIDs and UIDs are shifted +100000, so if guest wants to access device with GID=44, from host point of view it is accessing it as GID=100044. 
 +So now is needed to do shift GID 44 and GID 103. 
 +Idea is to define ranges of GID mappings to map all other GID to be shifted by +100000:
 +
 +^ Container GID         ^ Host GID          ^  count  ^
 +| 0..43                 | 100000..100043    | 44      | 
 +| 44                    | 44                | 1       |
 +| 45..102               | 100045..100102    | 58      |
 +| 103                   | 103               | 1       |
 +| 104..65535            | 100104..165535    | 65431   |
 +
 +
 +Here is a tool [[https://github.com/ddimick/proxmox-lxc-idmapper|Proxmox unprivileged container/host uid/gid mapping syntax tool]]
 +
 +
 +Allow LXC (running as root) to map GID 44 and 103 to new ones:
 +
 +<file /etc/subgid>
 +root:100000:65536
 +root:44:1
 +root:103:1
 +</file>
 +
 +
 +PCT config file:
 +<file ini /etc/pve/lxc/303.conf>
 +lxc.cgroup2.devices.allow: a
 +lxc.cap.drop:
 +lxc.cgroup2.devices.allow: c 226:0 rwm
 +lxc.cgroup2.devices.allow: c 226:128 rwm
 +lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
 +lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
 +lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file
 +lxc.idmap: u 0 100000 65536
 +lxc.idmap: g 0 100000 44
 +lxc.idmap: g 44 44 1
 +lxc.idmap: g 45 100045 58
 +lxc.idmap: g 103 103 1
 +lxc.idmap: g 104 100104 65431
 +</file>
  
 Guest system: Guest system:
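
Review bot: ''lxc.cgroup2.devices.allow: a'' at the top of the 303.conf block allows the container every device node, which makes the ''c 226:0 rwm'' and ''c 226:128 rwm'' lines below it redundant, and the empty ''lxc.cap.drop:'' clears the list of dropped capabilities. For a DRI-only forward, drop both lines and keep just the two 226 entries. Separately, the last GID range is one short: 104 + 65431 = 65535, so the mapping ends at container GID 65534 while the table row says 104..65535 / 100104..165535. The count should be 65432 in both the table and ''lxc.idmap: g 104 100104 65431''. Minor: ''$ls -ln /dev/dri'' is missing the space after the prompt.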
Line 52: Line 99:
 </code> </code>
  
 +====== TODO - check ======
 +
 +  * [[https://forum.proxmox.com/threads/terramaster-f2-423-proxmox-n5095-igpu-passthrough-issue.123144/#post-536224]]
 +  * [[https://forum.proxmox.com/threads/plex-hw-transcoding-lxc-and-jasper-lake-igpu-passthru.116163/#post-556945]]
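
Review bot: The two links in the new TODO section have no link text and no note on what is to be checked, unlike the other links on the page, which use the ''[[url|title]]'' form. Add a title after ''|'' and a few words on the open question each thread is meant to answer, so the TODO can be acted on later.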