USB camera passthrough to unprivileged LXC


#1

Hi folks,
As the topic title suggests, I’m trying to pass a USB webcam through to an unprivileged LXC container.
On the HOST machine (running Arch Linux)

[root@IXTREME ~]# ls -lh /dev/vid*
crw-rw----+ 1 root video 81, 0 Jul  6 05:48 /dev/video0
[root@IXTREME ~]# v4l2-ctl -l -d /dev/video0
                     brightness 0x00980900 (int)    : min=0 max=255 step=1 default=128 value=128
                       contrast 0x00980901 (int)    : min=0 max=255 step=1 default=128 value=128
                     saturation 0x00980902 (int)    : min=0 max=255 step=1 default=128 value=128
 white_balance_temperature_auto 0x0098090c (bool)   : default=1 value=1
                           gain 0x00980913 (int)    : min=0 max=255 step=1 default=0 value=0
           power_line_frequency 0x00980918 (menu)   : min=0 max=2 default=2 value=2
      white_balance_temperature 0x0098091a (int)    : min=2000 max=6500 step=1 default=4000 value=6102 flags=inactive
                      sharpness 0x0098091b (int)    : min=0 max=255 step=1 default=128 value=128
         backlight_compensation 0x0098091c (int)    : min=0 max=1 step=1 default=0 value=0
                  exposure_auto 0x009a0901 (menu)   : min=0 max=3 default=3 value=3
              exposure_absolute 0x009a0902 (int)    : min=3 max=2047 step=1 default=250 value=83 flags=inactive
         exposure_auto_priority 0x009a0903 (bool)   : default=0 value=1
                   pan_absolute 0x009a0908 (int)    : min=-36000 max=36000 step=3600 default=0 value=0
                  tilt_absolute 0x009a0909 (int)    : min=-36000 max=36000 step=3600 default=0 value=0
                 focus_absolute 0x009a090a (int)    : min=0 max=250 step=5 default=0 value=0 flags=inactive
                     focus_auto 0x009a090c (bool)   : default=1 value=1
                  zoom_absolute 0x009a090d (int)    : min=100 max=500 step=1 default=100 value=100
[root@IXTREME ~]#

In my container config file I have this …

#USB Camera Passthrough
lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file
lxc.cgroup.devices.allow = c 81:* rwm

and I also have …

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

Also, both /etc/subuid & /etc/subgid contain …
root:100000:65536

Inside the container …

[root@zm ~]# ls -lh /dev/vid*
crw-rw----+ 1 nobody nobody 81, 0 Jul  6 05:48 /dev/video0
[root@zm ~]# v4l2-ctl -l -d /dev/video0
Failed to open /dev/video0: Permission denied

How can I allow the container to access the camera? Is there anything I can add to the container config, or do with device file permissions?

Thanks!


#2

I am not familiar with LXC. I think that the uid/gid of /dev/video0 in the container mean that there has not been proper ID remapping. The device has a uid/gid that is not accessible inside the container.


#3

Yes, I understand that “nobody” has permissions to access the device inside the container at the moment - this is the issue. On the host machine I have followed the Arch Linux “LXC” guide to set up for unprivileged containers. I’ve added some detail to my original post on this. So my question now is - how can I get the device to show up inside the container with root:root permissions instead of nobody:nobody? I already tried simply adding uid 100000 to the /dev/video0 file’s ACL with read permissions using setfacl -m u:100000:r /dev/video0 and I also tried this with “nobody” instead of “100000” but this did not work. Not sure if this is a good idea anyway! Perhaps there is some lxc configuration line I can add? Perhaps it’s not possible at all?
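Added example, not part of any post in this thread: a small Python model of how the two lxc.idmap lines from the first post translate the ownership of /dev/video0, and why container root falls through to the "other" mode bits. The host gid used for the video group (985) is a constructed value, the function names are illustrative, and ACLs and supplementary groups are left out of the model.

```python
OVERFLOW_ID = 65534  # kernel default overflow uid/gid, displayed as "nobody"
# Constructed sample input: the idmap lines quoted in the first post.
CONFIG = ["lxc.idmap = u 0 100000 65536", "lxc.idmap = g 0 100000 65536"]
HOST_VIDEO_GID = 985  # constructed; the thread only shows the name "video"

def parse_idmap(lines):
    """Parse 'lxc.idmap = u 0 100000 65536' lines into {'u': [...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in lines:
        key, _, value = line.partition("=")
        if key.strip() == "lxc.idmap":
            kind, ct_start, host_start, count = value.split()
            maps[kind].append((int(ct_start), int(host_start), int(count)))
    return maps

def host_to_container(ranges, host_id):
    """Container-side ID for a host ID, or None when the host ID is unmapped."""
    for ct_start, host_start, count in ranges:
        if host_start <= host_id < host_start + count:
            return ct_start + (host_id - host_start)
    return None

def container_to_host(ranges, ct_id):
    """Host-side ID that a container ID really runs as, or None if unmapped."""
    for ct_start, host_start, count in ranges:
        if ct_start <= ct_id < ct_start + count:
            return host_start + (ct_id - ct_start)
    return None

def shown_as(ranges, host_id):
    """ID that ls prints inside the container for a file owned by host_id."""
    mapped = host_to_container(ranges, host_id)
    return OVERFLOW_ID if mapped is None else mapped

def can_open(maps, file_uid, file_gid, mode, ct_uid, ct_gid, want):
    """Mode-bit check only; want is an rwx mask such as 0o6 for read+write."""
    proc_uid = container_to_host(maps["u"], ct_uid)
    proc_gid = container_to_host(maps["g"], ct_gid)
    both_mapped = (host_to_container(maps["u"], file_uid) is not None
                   and host_to_container(maps["g"], file_gid) is not None)
    # Container root's CAP_DAC_OVERRIDE only applies to inodes whose owner
    # and group are both mapped into the container's user namespace.
    if ct_uid == 0 and both_mapped:
        return True
    shift = 6 if proc_uid == file_uid else 3 if proc_gid == file_gid else 0
    return (((mode >> shift) & 7) & want) == want
```

With the thread's values, host root:video is outside the 100000-165535 range, so the node appears as nobody:nobody and container root (host uid 100000) is checked against the "other" bits of mode 0660.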