How do you mount a USB thumbdrive in an LXD container

I discovered that I can lsusb at the LXD host and inside the container. lsusb lists all the USB devices in either case. I cannot mount a USB thumb drive from inside a container, presumably because “fdisk -l” doesn’t see the drive or its partitions. The fdisk returns nothing at all. So, I tried three approaches to connect my USB thumbdrive and none of them made it accessible.

lxc config device add test myusbstick usb vendorid=13fe productid=5200

lxc config device add test thumbdrive unix-block source=/dev/bus/usb/002/004

lxc config device add test myusb disk source=/dev/sdc path=/mnt/myusb

Still, none of the above seemed to have allowed me to fdisk or mount the device. Any ideas?
My LXD version is 5.1

You cannot safely mount inside an unprivileged container due to the possibility that a bad fs can crash the host kernel. So the mount syscall is not allowed by default.

You can mount the drive in the host somewhere and then share it using a ‘disk’ device though.

You could also allow mounting using the syscall intercept feature: System call interception - LXD documentation

So, none of the three commands I did above made the device accessible. Let’s assume that the thumb drive or USB dongle is mounted in the host OS. How can I access it? An lsusb from the container shows the device, but I can’t simply access it because there is no path. If I can’t mount it, how can I get to it?

Then you can do:

lxc config device add <instance> mydisk disk source=/path/to/where/usb/is/mounted path=/path/to/mount/inside/instance

See Instance configuration - LXD documentation

Suppose I wanted to share a Yubikey at:

Bus 001 Device 005: ID 1050:0402 Yubikey 4/5 U2F

According to the documentation, I would:

lxc config device add test yubico usb vendorid=1050 productid=0402

So, when I am inside container “test”, how would I reference the yubico key?

Does the yubikey present a unix char/block device on the host in /dev?

If it does, I am not sure how to identify it:

How do you use a Yubikey? That will normally tell you what the application needs to be passed through.

Normally the app that uses the Yubikey will just prompt for it if it does not find it. It doesn’t prompt for an app. It must be scanning the bus and looking for it.

Have you consulted the discussion here?

I missed that thread. Thanks. That’s very helpful. I had not read about the hot plug option before.

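On the question raised earlier in the thread of whether a USB device such as the Yubikey (1050:0402) presents a char or block node under /dev on the host and how to identify it, here is an added example, not code from the thread or from the LXD project, that walks sysfs on the host and lists every device node belonging to one vendor/product ID. The function name `usb_dev_nodes` and the optional third argument (an alternate sysfs directory) are assumptions made for this example; it relies on the standard Linux sysfs layout (`idVendor`, `idProduct`, and `DEVNAME=` in `uevent`).

```shell
#!/bin/sh
# Added example (not from the thread): list the /dev nodes that belong to one
# USB device by walking sysfs on the LXD host.
# usage: usb_dev_nodes VENDORID PRODUCTID [SYSFS_USB_DIR]   (hypothetical helper)
usb_dev_nodes() {
    vid=$1; pid=$2; root=${3:-/sys/bus/usb/devices}
    for d in "$root"/*; do
        # Only whole devices carry idVendor/idProduct; interface entries do not.
        [ -r "$d/idVendor" ] && [ -r "$d/idProduct" ] || continue
        [ "$(cat "$d/idVendor")" = "$vid" ] || continue
        [ "$(cat "$d/idProduct")" = "$pid" ] || continue
        # -H follows only the top-level sysfs symlink, so the walk cannot loop.
        find -H "$d" -type f -name uevent | while read -r f; do
            # The kernel records DEVNAME=<path under /dev> for each node it creates.
            name=$(sed -n 's/^DEVNAME=//p' "$f")
            [ -n "$name" ] || continue
            # The subsystem link separates block devices from character devices.
            sub=$(basename "$(readlink -f "$(dirname "$f")/subsystem")")
            if [ "$sub" = block ]; then kind=unix-block; else kind=unix-char; fi
            printf '%s /dev/%s\n' "$kind" "$name"
        done
    done | LC_ALL=C sort
}

# Run against the real host when called with arguments, e.g.: sh script.sh 1050 0402
if [ "$#" -ge 2 ]; then usb_dev_nodes "$@"; fi
```

The first column of each output line is the LXD device type that matches the node, and the second is the host path to give as `source=`.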