Container fails to start properly when a USB device is attached to the container before start up

I’m running Arch Linux on both the containers and the host. Using version 4.13. The container has security.idmap.isolated: "true" and security.nesting: "true" in its config and it’s unprivileged.

My goal is to create an LXD container to use for running saned, creating a shared network scanner. A scanner is connected to the computer using USB.

I add the device with the following addition to the container’s config while the container is already running:

devices:
  $scanner-name:
    productid: $product-id
    type: usb
    vendorid: $vendor-id

I can use the USB device in the container now and it works fine. But when I restart the container, it starts but it’s messed up:

  • This shows up in # lxc info --show-log $container-name:
lxc $container-name $date ERROR    utils - utils.c:open_devnull:1286 - Operation not permitted - Can't open /dev/null
lxc $container-name $date WARN     start - start.c:do_start:1358 - Failed to ajust stdio permissions
  • Running # htop in the container:
    PID USER      PRI  NI  VIRT   RES   SHR S CPU%-MEM%   TIME+  Command
      1 root       20   0 16352  5892  3940 S  0.0  0.1  0:00.96 /sbin/init
    269 root       20   0  7484  3596  3120 S  0.0  0.0  0:00.00 bash
    272 root       20   0  8692  4324  3220 R  0.0  0.1  0:00.02 htop
    275 root       20   0 16356  4272  2316 S  0.0  0.1  0:00.00 (journald)
    276 root       20   0 16356  4144  2188 S  0.0  0.1  0:00.00 (md-udevd)
  • $ ls -al /dev:
total 4.0K
drwxr-xr-x 10 root   root        520 Apr 12 14:09 .
drwxr-xr-x  1 root   root        122 Apr  8 21:11 ..
drwxr-xr-x  4 root   root         80 Apr 12 14:09 .lxc
-r--r--r--  1 root   root         37 Apr 12 14:09 .lxc-boot-id
drwx--x--x  2 nobody nobody       40 Apr 12 13:52 .lxd-mounts
drwxr-xr-x  3 root   root         60 Apr 12 14:09 bus
c--x--x---  1 root   root   136,   2 Apr 12 14:09 console
lrwxrwxrwx  1 root   root         11 Apr 12 14:09 core -> /proc/kcore
lrwxrwxrwx  1 root   root         13 Apr 12 14:09 fd -> /proc/self/fd
crw-rw-rw-  1 nobody nobody   1,   7 Apr 12 13:48 full
crw-rw-rw-  1 nobody nobody  10, 229 Apr 12 13:48 fuse
lrwxrwxrwx  1 root   root         28 Apr 12 14:09 log -> /run/systemd/journal/dev-log
drwxr-xr-x  2 nobody nobody       60 Apr 12 13:51 lxd
drwxrwxrwt  2 nobody nobody       40 Apr 12 13:48 mqueue
drwxr-xr-x  2 root   root         60 Apr 12 14:09 net
crw-rw-rw-  1 nobody nobody   1,   3 Apr 12 13:48 null
crw-rw-rw-  1 root   root     5,   2 Apr 12 14:29 ptmx
drwxr-xr-x  2 root   root          0 Apr 12 14:09 pts
crw-rw-rw-  1 nobody nobody   1,   8 Apr 12 13:48 random
drwxrwxrwt  2 root   root         40 Apr 12 14:09 shm
lrwxrwxrwx  1 root   root         15 Apr 12 14:09 stderr -> /proc/self/fd/2
lrwxrwxrwx  1 root   root         15 Apr 12 14:09 stdin -> /proc/self/fd/0
lrwxrwxrwx  1 root   root         15 Apr 12 14:09 stdout -> /proc/self/fd/1
crw-rw-rw-  1 nobody nobody   5,   0 Apr 12 14:26 tty
crw-rw-rw-  1 nobody nobody   1,   9 Apr 12 13:48 urandom
crw-rw-rw-  1 nobody nobody   1,   5 Apr 12 13:48 zero
  • Everything in /proc and /sys, including the directories themselves, is owned by the user nobody and the group nobody.
  • # systemctl --failed:
  UNIT                               LOAD   ACTIVE SUB    DESCRIPTION
● tmp.mount                          loaded failed failed Temporary Directory (/tmp)
● systemd-remount-fs.service         loaded failed failed Remount Root and Kernel File Systems
● systemd-sysctl.service             loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev.service loaded failed failed Create Static Device Nodes in /dev
● systemd-journald-audit.socket      loaded failed failed Journal Audit Socket

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
5 loaded units listed.

I can’t view the logs of those services via systemctl status or journalctl -u, though.

  • $ cat /dev/random /dev/urandom /dev/zero /dev/null
cat: /dev/random: Operation not permitted
cat: /dev/urandom: Operation not permitted
cat: /dev/zero: Operation not permitted
cat: /dev/null: Operation not permitted

If I unplug the USB device from the computer or start the container without the USB device in the config, then it starts fine. The gid, uid, mode, and required: true options don’t fix the issue. I use some of them anyway.

I used to do this in the past (maybe 2-5 months ago) and it worked fine. Then I stopped doing it and wanted to do it again now and it doesn’t work anymore, so I believe that maybe a new update broke it. I am using a different computer for this, but I tried it on the old one now (which has an updated LXD version) and it didn’t work anymore either.
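A quick check for the symptom described above, added here as an example and not part of the original post: in an unprivileged container, device nodes under /dev showing up as owned by nobody mean the host uid/gid fell outside the container's idmap, which is exactly what breaks /dev/null and the systemd units listed. The function and the sample `ls -al` lines below are constructed for illustration.

```shell
# Flag /dev entries that are device nodes (c or b) owned by "nobody".
# Argument 1: the text of `ls -al /dev`. Prints each offending name,
# returns 1 if any were found, 0 otherwise.
check_unmapped_dev() {
  printf '%s\n' "$1" | awk '
    BEGIN { bad = 0 }
    # fields: perms links owner group major, minor month day time name
    /^[cb]/ && $3 == "nobody" { print $NF; bad = 1 }
    END { exit bad }'
}

# Constructed sample mirroring the broken container: null is unmapped,
# ptmx is fine, and the symlink line must be ignored.
SAMPLE_LS='crw-rw-rw-  1 nobody nobody   1,   3 Apr 12 13:48 null
crw-rw-rw-  1 root   root     5,   2 Apr 12 14:29 ptmx
lrwxrwxrwx  1 root   root         15 Apr 12 14:09 stdin -> /proc/self/fd/0'

# Usage inside a container: check_unmapped_dev "$(ls -al /dev)"
check_unmapped_dev "$SAMPLE_LS" || echo "idmap problem: unmapped device nodes listed above"
```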

Having the same issue - popped up this week. LXD Version 4.12. Host is Kernel 5.11 on OpenSUSE, container is Debian Buster.

Any ideas @brauner @monstermunchkin?

I think this bug report might be the same issue: https://github.com/lxc/lxd/issues/8608


I’ll take another look.

https://github.com/lxc/lxd/pull/8677 should fix this