Help configuring SocketCAN/ip link adapter passthrough to container

I’m trying to bridge a CAN adapter which works successfully on the LXD server to a container so the container can access it.

Setting up the LXD server

The LXD server is running Ubuntu 18.04 LTS with can-utils package installed for SocketCAN support. This allows bringing up the USB CAN adapter as an ip link device.

Running ip link set can0 up type can bitrate 500000 successfully brings up the CAN port and it is shown via ip link:

3: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 10

Now, I verify transmission from the LXD server to a CAN device attached to the CAN bus (running Debian 9):
LXD server: cansend can0 000#1234
CAN device: candump can0

  can0  000   [2]  12 34

I can successfully do the reverse, verifying that the LXD server can receive from the device attached to the CAN bus.

Setting up the LXC container

I pass the can0 device from the LXD server through to the LXC container using:
lxc config device add <container-name> can0 nic nictype=physical name=can0 parent=can0

And, I can successfully bring it up within the container using ip link set can0 up type can bitrate 500000, the same way as was done on the LXD server. And, verify using ip link:

4: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 10

And, I can send from the LXC container using cansend can0 (same as above).
However, I cannot receive from within the LXC container, using the same methods as performed against the LXD server.

It’s also worth noting that no other nictype will allow the device to be assigned to the container. The only successful type was physical.

Any ideas?

  • What am I missing in order to get the container to be able to receive data? Again, it works completely from LXD, and partially from the LXC.
  • New to LXC, how can I go about getting further information (i.e. logs, etc.) on why the device can send, but not receive from within LXC?
  • Maybe a proxy type device?

With nictype: physical on LXD, the network interface disappears from the host and it can be used exclusively in a LXD container. I have tried this with other network interfaces and it worked equally well.

I am not familiar with plain LXC and I suppose that what you found is likely a bug that can be reported to the issues. Scratch that, you already did so.

Did you try with a privileged container (security.privileged=true followed by restart of container)?
Are you seeing any denial (DENIED) messages in dmesg?
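
One way to run the dmesg check suggested above, as an added example that is not part of the original thread: it pulls AppArmor DENIED audit records out of kernel log text and groups them per container profile. The container names c1 and c2 and the sample records are constructed, and the "lxd-<container>_" profile prefix is an assumption about how LXD names its per-container profiles.

```python
import re
import sys
from collections import Counter

# key=value / key="value" pairs as they appear in kernel audit records
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample records for illustration, not output from the poster's system.
SAMPLE = '''\
[  101.000001] audit: type=1400 audit(1550000000.101:40): apparmor="DENIED" operation="create" profile="lxd-c1_</var/lib/lxd>" pid=2101 comm="candump" family="can" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
[  102.000002] audit: type=1400 audit(1550000000.102:41): apparmor="DENIED" operation="mount" profile="lxd-c2_</var/lib/lxd>" name="/proc/" pid=2150 comm="mount" fstype="proc" srcname="proc" flags="rw"
[  103.000003] audit: type=1400 audit(1550000000.103:42): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-c1_</var/lib/lxd>" pid=2200 comm="apparmor_parser"
[  104.000004] can: raw protocol
'''

def parse_denials(lines, container=None):
    """Return one dict per AppArmor DENIED record, optionally for one container."""
    records = []
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for m in _FIELD.finditer(line):
            # Group 3 is the quoted value; fall back to the bare token
            rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        # Assumption: LXD names per-container profiles "lxd-<container>_<path>"
        if container and not rec.get("profile", "").startswith(f"lxd-{container}_"):
            continue
        records.append(rec)
    return records

def summarize(records):
    """Count denials per (profile, command, operation, family-or-name)."""
    return Counter(
        (r.get("profile"), r.get("comm"), r.get("operation"),
         r.get("family") or r.get("name"))
        for r in records
    )

if __name__ == "__main__":
    # Usage: dmesg | python3 lxd_denials.py [container-name]
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    name = sys.argv[1] if len(sys.argv) > 1 else None
    for key, count in summarize(parse_denials(source, name)).items():
        print(count, *key)
```

An empty result for the container means the kernel log shows no AppArmor denial for it, which points the investigation away from confinement and toward the interface or driver.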