From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 72A929C70F for ; Tue, 24 Oct 2023 14:56:04 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 65E1483A7 for ; Tue, 24 Oct 2023 14:56:04 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 24 Oct 2023 14:56:03 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 93D0644B74 for ; Tue, 24 Oct 2023 14:56:03 +0200 (CEST) From: Filip Schauer To: pve-devel@lists.proxmox.com Date: Tue, 24 Oct 2023 14:55:53 +0200 Message-Id: <20231024125554.131800-2-f.schauer@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20231024125554.131800-1-f.schauer@proxmox.com> References: <20231024125554.131800-1-f.schauer@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.202 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record
Subject: [pve-devel] [PATCH v2 container 1/1] Add device passthrough
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 24 Oct 2023 12:56:04 -0000

Add a dev[n] argument to the container config to pass devices through to a container. A device can be passed by its path. Alternatively a mapped USB device can be passed through with usbmapping=.

Signed-off-by: Filip Schauer
---
 src/PVE/LXC.pm | 34 +++++++++++++++++++++++-
 src/PVE/LXC/Config.pm | 60 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index c9b5ba7..a3ddb62 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -5,7 +5,8 @@ use warnings;
 use Cwd qw();
 use Errno qw(ELOOP ENOTDIR EROFS ECONNREFUSED EEXIST);
-use Fcntl qw(O_RDONLY O_WRONLY O_NOFOLLOW O_DIRECTORY);
+use Fcntl qw(O_RDONLY O_WRONLY O_NOFOLLOW O_DIRECTORY :mode);
+use File::Basename;
 use File::Path;
 use File::Spec;
 use IO::Poll qw(POLLIN POLLHUP);
@@ -639,6 +640,37 @@ sub update_lxc_config {
 $raw .= "lxc.mount.auto = sys:mixed\n";
 }
 
+ # Clear passthrough directory from previous run
+ my $passthrough_dir = "/var/lib/lxc/$vmid/passthrough";
+ File::Path::rmtree($passthrough_dir);
+
+ PVE::LXC::Config->foreach_passthrough_device($conf, sub {
+ my ($key, $sanitized_path) = @_;
+
+ my $absolute_path = "/$sanitized_path";
+ my ($mode, $rdev) = (stat($absolute_path))[2, 6];
+ die "Could not find major and minor ids of device $absolute_path.\n"
+ unless ($mode && $rdev);
+
+ my $major = PVE::Tools::dev_t_major($rdev);
+ my $minor = PVE::Tools::dev_t_minor($rdev);
+ my $device_type_char = S_ISBLK($mode) ? 'b' : 'c';
+ my $passthrough_device_path = "$passthrough_dir/$sanitized_path";
+ File::Path::make_path(dirname($passthrough_device_path));
+ PVE::Tools::run_command([
+ '/usr/bin/mknod',
+ '-m', '0660',
+ $passthrough_device_path,
+ $device_type_char,
+ $major,
+ $minor
+ ]);
+ chown 100000, 100000, $passthrough_device_path if ($unprivileged);
+
+ $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor rw\n";
+ $raw .= "lxc.mount.entry = $passthrough_device_path $sanitized_path none bind,create=file\n";
+ });
+
 # WARNING: DO NOT REMOVE this without making sure that loop device nodes
 # cannot be exposed to the container with r/w access (cgroup perms).
 # When this is enabled mounts will still remain in the monitor's namespace
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 56e1f10..edd813e 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -29,6 +29,7 @@ mkdir $lockdir;
 mkdir "/etc/pve/nodes/$nodename/lxc";
 
 my $MAX_MOUNT_POINTS = 256;
 my $MAX_UNUSED_DISKS = $MAX_MOUNT_POINTS;
+my $MAX_DEVICES = 256;
 
 # BEGIN implemented abstract methods from PVE::AbstractConfig
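Review bot: The `die ... unless ($mode && $rdev)` guard only checks that stat() succeeded and st_rdev is non-zero, while `S_ISBLK($mode) ? 'b' : 'c'` then treats every non-block inode as a character device; a path that resolves to anything other than a device node should be rejected explicitly, e.g. `die "$absolute_path is not a block or character device\n" unless S_ISBLK($mode) || S_ISCHR($mode);` (S_ISCHR comes with the `:mode` import added in the first hunk). The `chown 100000, 100000, ...` call is unchecked and hard-codes the default unprivileged id map, so a failure silently leaves a root-owned node the container cannot open; write it as `chown 100000, 100000, $passthrough_device_path or die "chown $passthrough_device_path: $!\n" if $unprivileged;`, and if a container can carry a custom lxc.idmap the uid/gid presumably have to come from that mapping rather than the constant. stat() follows symlinks, so the node that gets mknod'ed is whatever the `/dev/...` path currently points at on the host, which deserves a comment next to the stat call. `foreach_passthrough_device` is not defined in this patch, and `update_lxc_config` starts and ends outside the hunk.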
@@ -908,6 +909,49 @@ for (my $i = 0; $i < $MAX_UNUSED_DISKS; $i++) {
 }
 }
 
+PVE::JSONSchema::register_format('pve-lxc-dev-string', \&verify_lxc_dev_string);
+sub verify_lxc_dev_string {
+ my ($dev, $noerr) = @_;
+
+ if (
+ $dev =~ m@/\.\.?/@ ||
+ $dev =~ m@/\.\.?$@ ||
+ $dev !~ m!^/dev/!
+ ) {
+ return undef if $noerr;
+ die "$dev is not a valid device path\n";
+ }
+
+ return $dev;
+}
+
+my $dev_desc = {
+ path => {
+ optional => 1,
+ type => 'string',
+ default_key => 1,
+ format => 'pve-lxc-dev-string',
+ format_description => 'Path',
+ description => 'Device to pass through to the container',
+ verbose_description => 'Path to the device to pass through to the container'
+ },
+ usbmapping => {
+ optional => 1,
+ type => 'string',
+ format => 'pve-configid',
+ format_description => 'mapping-id',
+ description => 'The ID of a cluster wide USB mapping.'
+ }
+};
+
+for (my $i = 0; $i < $MAX_DEVICES; $i++) {
+ $confdesc->{"dev$i"} = {
+ optional => 1,
+ type => 'string', format => $dev_desc,
+ description => "Device to pass through to the container",
+ }
+}
+
 sub parse_pct_config {
 my ($filename, $raw, $strict) = @_;
 
@@ -1255,6 +1299,22 @@ sub parse_volume {
 return;
 }
 
+sub parse_device {
+ my ($class, $device_string, $noerr) = @_;
+
+ my $res;
+ eval { $res = PVE::JSONSchema::parse_property_string($dev_desc, $device_string) };
+ if ($@) {
+ return undef if $noerr;
+ die $@;
+ }
+
+ die "Either path or usbmapping has to be defined"
+ unless (defined($res->{path}) || defined($res->{usbmapping}));
+
+ return $res;
+}
+
 sub print_volume {
 my ($class, $key, $volume) = @_;
 
-- 
2.39.2
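Review bot: `verify_lxc_dev_string` rejects `.`/`..` segments and requires a `/dev/` prefix but accepts whitespace and control characters, and src/PVE/LXC.pm (second hunk) interpolates the accepted value into the space-separated `lxc.mount.entry = ... none bind,create=file\n` line, so a path containing a space shifts the mount fields and one containing a newline terminates the config line early; add `$dev =~ m/\s/ ||` to the rejection condition, or better, allow-list the characters a device path may contain. `m@/\.\.?$@` uses `$`, which also matches before a trailing newline, so once whitespace is rejected prefer `\z` as the end anchor. Neither how `$sanitized_path` is derived from the validated value (`foreach_passthrough_device` is not part of this patch) nor which privilege is required to set `dev[n]` is visible here. The `description` and `verbose_description` of `path` say the same thing; the verbose one could state that the path must lie below /dev and is resolved on the host when the container configuration is generated.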
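Review bot: The `die "Either path or usbmapping has to be defined"` check in `parse_device` ignores `$noerr`, so a caller that asked for undef-on-error still gets an exception, and the message lacks a trailing `\n`, so Perl appends the file and line to what the user sees, unlike the other `die` in this patch; compute `my $has_target = defined($res->{path}) || defined($res->{usbmapping});`, then `return undef if $noerr && !$has_target;` and `die "Either path or usbmapping has to be defined\n" unless $has_target;`. The check also accepts both keys at once although the message reads as exclusive; if only one of them is meant to be set, reject the combination here as well. `parse_device` is complete within the hunk.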