Mounting sockets in lxc

Hi everyone!

I am a new user on this forum and also fairly new to using Linux containers. I have been trying to set up an unprivileged container for gaming on my Proxmox server with GPU and audio passthrough. I have no issues doing hardware passthrough; however, it is not a good solution, since the audio hardware cannot accept conflicting instructions, meaning either the host plays audio or the container plays audio, but never both at the same time, giving the error message that the device is busy. This is to be expected of course.

That is why a better solution is to pass through the sockets used by the host for speaking to the hardware rather than the actual hardware devices themselves. After reading multiple guides on how to do this and following them step by step without success, I figured there must be some issue with how the sockets get mounted.

Some sockets will mount, others won’t and I can’t seem to figure out why. In my container.conf I have the following lines to mount some of my sockets in /tmp:

lxc.mount.entry: tmpfs tmp tmpfs defaults
lxc.mount.entry: /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
lxc.mount.entry: /run/user/[UID]/pipewire-0 tmp/pipewire-0 none bind,optional,create=file

Now if I boot up my container and do ls -l on the sockets I would expect something like this:
Srw-rw-rw- 1 nobody nobody 0 Date socket-filename
which is exactly what I get on the x-server socket:
Srw-rw-rw- 1 nobody nobody 0 Date X0

On the pipewire socket however I can see that it simply created a dummy file:
---------- 1 root root 0 Date pipewire-0
Naturally I can’t connect to the audio server from my container because of this, getting the error message that the host is down which is to be expected without a working socket.

What am I doing wrong and what are the correct steps to mount a socket from host to container?

Could you do a test with your sockets mounted in /srv instead of /tmp?

/tmp is auto-cleaned by systemd on most distributions and can lead to some very weird racy behaviors.

I just tried it but it made no difference. What bothers me is that it seems to happen with all sockets except X0, no matter where I mount them.

I also tried running the lxc with lxc-start instead of pct start to exclude the possibility that it had to do with pct.

Maybe there are some general options for all containers somewhere? Some security settings that refuse mounting of sockets?

I guess one difference is that in the X11 case, you’re not mounting the socket, you’re mounting the directory which contains it, maybe that’s making a difference.

I tried mounting with lxc.mount.entry: /run/user/[UID] srv/sockets none bind,optional,create=dir and it just made an empty folder. No sockets or dummy files inside.

I’d probably try removing optional so that errors aren’t being hidden.
Then posting cat /proc/self/mountinfo from inside the container may be useful to see if those mounts ended up anywhere at all.

Removing optional made the container unable to start:

safe_mount: 1220 Invalid argument - Failed to mount "/run/user/0" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/srv/sockets"
mount_entry: 2439 Invalid argument - Failed to mount "/run/user/0" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/srv/sockets"
lxc_setup: 4412 Failed to setup mount entries

cat /proc/self/mountinfo didn’t give me any useful information. To be honest I don’t know what I am looking for exactly in that file, but there are no errors listed.

And that’s with create=dir I take it? I know there are some restrictions on what exactly can be bind-mounted, specifically relating to mount propagation settings, so I wonder if that’s not what’s causing some issues here.

Can you show cat /proc/self/mountinfo on the host?

Running pct start with --debug option gave me this:

ERROR    utils - ../src/lxc/utils.c:safe_mount:1220 - Invalid argument - Failed to mount "/run/user/0" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/srv/sockets"
ERROR    conf - ../src/lxc/conf.c:mount_entry:2439 - Invalid argument - Failed to mount "/run/user/0" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/srv/sockets"

Nothing new here.

Looking into safe_mount:1220 errors I found a bunch of people having similar issues on Proxmox:

https://forum.proxmox.com/threads/safe_mount-1200-invalid-argument.102687/

Changing lxc.mount.entry: /run/user/[UID] srv/sockets none bind,create=dir to mp0: /run/user/[UID],mp=/srv/sockets apparently made it work for me. I have no idea why it wouldn’t work using lxc.mount.entry, but somebody suggested only one mount point per directory can be mounted this way, although I also tried to mount in different directories without success. Another user mentioned overlayfs, which I have no idea what it is but can apparently cause issues.

Still, even though I found a solution to my issue, the cause of the problem is still unknown, so for curiosity's sake, if it is still helpful, you can see my /proc/self/mountinfo below:

23 29 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
24 29 0:22 / /proc rw,relatime shared:13 - proc proc rw
25 29 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=131938332k,nr_inodes=32984583,mode=755,inode64
26 25 0:23 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
27 29 0:24 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw,size=26398560k,mode=755,inode64
29 1 253:1 / / rw,relatime shared:1 - ext4 /dev/mapper/pve-root rw,errors=remount-ro
30 23 0:6 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:8 - securityfs securityfs rw
31 25 0:26 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw,inode64
32 27 0:27 / /run/lock rw,nosuid,nodev,noexec,relatime shared:6 - tmpfs tmpfs rw,size=5120k,inode64
33 23 0:28 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw
34 23 0:29 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:10 - pstore pstore rw
35 23 0:30 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime shared:11 - efivarfs efivarfs rw
36 23 0:31 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime shared:12 - bpf bpf rw,mode=700
37 24 0:32 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - autofs systemd-1 rw,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=64812
38 23 0:12 / /sys/kernel/tracing rw,nosuid,nodev,noexec,relatime shared:15 - tracefs tracefs rw
39 23 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime shared:16 - debugfs debugfs rw
40 25 0:19 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:17 - mqueue mqueue rw
41 25 0:33 / /dev/hugepages rw,relatime shared:18 - hugetlbfs hugetlbfs rw,pagesize=2M
42 23 0:34 / /sys/fs/fuse/connections rw,nosuid,nodev,noexec,relatime shared:19 - fusectl fusectl rw
43 23 0:20 / /sys/kernel/config rw,nosuid,nodev,noexec,relatime shared:20 - configfs configfs rw
66 27 0:35 / /run/credentials/systemd-sysusers.service ro,nosuid,nodev,noexec,relatime shared:21 - ramfs ramfs rw,mode=700
44 24 0:36 / /proc/fs/nfsd rw,relatime shared:22 - nfsd nfsd rw
70 27 0:37 / /run/credentials/systemd-tmpfiles-setup-dev.service ro,nosuid,nodev,noexec,relatime shared:23 - ramfs ramfs rw,mode=700
121 27 0:38 / /run/credentials/systemd-sysctl.service ro,nosuid,nodev,noexec,relatime shared:33 - ramfs ramfs rw,mode=700
96 29 8:34 / /home rw,relatime shared:50 - fuseblk /dev/sdc2 rw,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096
129 27 0:39 / /run/credentials/systemd-tmpfiles-setup.service ro,nosuid,nodev,noexec,relatime shared:52 - ramfs ramfs rw,mode=700
99 37 0:40 / /proc/sys/fs/binfmt_misc rw,nosuid,nodev,noexec,relatime shared:54 - binfmt_misc binfmt_misc rw
148 27 0:41 / /run/rpc_pipefs rw,relatime shared:66 - rpc_pipefs sunrpc rw
381 29 0:46 / /var/lib/lxcfs rw,nosuid,nodev,relatime shared:179 - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
799 29 0:54 / /etc/pve rw,nosuid,nodev,relatime shared:393 - fuse /dev/fuse rw,user_id=0,group_id=0,default_permissions,allow_other
548 27 0:52 / /run/user/0 rw,nosuid,nodev,relatime shared:294 - tmpfs tmpfs rw,size=26398556k,nr_inodes=6599639,mode=700,inode64
565 29 0:53 / /root/GDrive rw,nosuid,nodev,relatime shared:303 - fuse.rclone GoogleDrive: rw,user_id=0,group_id=0
531 548 0:50 / /run/user/0/doc rw,nosuid,nodev,relatime shared:262 - fuse.portal portal rw,user_id=0,group_id=0

I don’t mind trying to figure out the cause of this issue if it is useful to the community, even though I already have a solution.
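As an added example (not code from any poster in this thread), here is a small parser for /proc/self/mountinfo that answers the question raised above about what to look for in that file: which mount backs a given source path (such as /run/user/0/pipewire-0) and whether that mount is shared, slave or private, the propagation fields the replies point at. The sample input is constructed, modelled on the mountinfo lines posted above.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in /proc/self/mountinfo format (not a real dump):
# id parent major:minor root mountpoint opts [optional tags...] - fstype source superopts
SAMPLE = """\
29 1 253:1 / / rw,relatime shared:1 - ext4 /dev/mapper/pve-root rw,errors=remount-ro
27 29 0:24 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw,mode=755
548 27 0:52 / /run/user/0 rw,nosuid,nodev,relatime shared:294 - tmpfs tmpfs rw,mode=700
531 548 0:50 / /run/user/0/doc rw,nosuid,nodev,relatime shared:262 - fuse.portal portal rw
600 27 0:60 / /run/private-example rw,relatime - tmpfs tmpfs rw
"""

class Mount(NamedTuple):
    mount_id: int
    parent_id: int
    mount_point: str
    tags: tuple        # optional fields, e.g. ('shared:294',) or ('master:5',)
    fstype: str
    source: str

def _unescape(s: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as octal \ooo
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_mountinfo(text: str) -> List[Mount]:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, post = line.split(" - ", 1)            # separator before fstype
        mid, pid, _dev, _root, mp, _opts, *tags = pre.split()
        fstype, source = post.split()[:2]
        mounts.append(Mount(int(mid), int(pid), _unescape(mp), tuple(tags), fstype, source))
    return mounts

def mount_for_path(mounts: List[Mount], path: str) -> Optional[Mount]:
    """Longest mount point that is a prefix of path, i.e. the mount backing it."""
    best = None
    for m in mounts:
        mp = m.mount_point
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best.mount_point):
                best = m
    return best

def propagation_kind(m: Mount) -> str:
    """shared: propagates to peers; slave: receives from a master; private: neither."""
    kinds = {t.split(":")[0] for t in m.tags}
    if "shared" in kinds:
        return "shared"
    if "master" in kinds:
        return "slave"
    return "private"
```

Run it on the host against the real file with parse_mountinfo(open("/proc/self/mountinfo").read()) to see which mount a bind source sits on before adding it to the container config.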