Linus Lüssing
2022-Jul-18 00:29 UTC
[Nut-upsuser] Running NUT within an unprivileged LXD container?
Hi,

I'm trying to set up NUT within an unprivileged LXD container. So within the container there is its own user namespace with a root user with UID 0, which does not actually have overall system root rights.

Both the host and the container run Debian Bullseye. NUT is version 2.7.4-13. The UPS I'm using is an APC Back-UPS Pro 900 and it's connected via USB to the host. The USB device is passed through to the container.

This is what I see from within the container:

```
root at nut:~# lsusb | grep "Power"
Bus 001 Device 004: ID 051d:0002 American Power Conversion Uninterruptible Power Supply
root at nut:~# lsusb -D /dev/bus/usb/001/004
Device: ID 051d:0002 American Power Conversion Uninterruptible Power Supply
[...]
root at nut:~# nut-scanner -U
SNMP library not found. SNMP search disabled.
Neon library not found. XML search disabled.
IPMI library not found. IPMI search disabled.
Scanning USB bus.
[nutdev1]
        driver = "usbhid-ups"
        port = "auto"
        vendorid = "051D"
        productid = "0002"
        product = "Back-UPS RS 900G FW:879.L4 .I USB FW:L4"
        serial = "xxxxx"
        vendor = "American Power Conversion"
        bus = "001"
```

Configuration looks as follows:

```
root at nut:~# cat /etc/nut/ups.conf
[apc-back-ups-rs-900g]
        driver = "usbhid-ups"
        port = "auto"
        vendorid = "051D"
        productid = "0002"
        desc = "APC Back-UPS RS 900G FW:879.L4 .I USB FW:L4"
root at nut:~# cat /etc/nut/nut.conf
MODE=netserver
root at nut:~# cat /etc/nut/upsd.conf
LISTEN 127.0.0.1 3493
LISTEN ::1 3493
root at nut:~#
```

However, trying to start the driver so far fails:

```
root at nut:~# upsdrvctl start
Network UPS Tools - UPS driver controller 2.7.4
Network UPS Tools - Generic HID driver 0.41 (2.7.4)
USB communication driver 0.33
device->Product is NULL so it is not possible to determine whether to activate max_report_size workaround
Can't claim USB device [051d:0002]: could not detach kernel driver from interface 0: Operation not permitted
Driver failed to start (exit status=1)
root at nut:~#
```

Both on the host and in the container I see /sys/class/usbmisc/hiddev0/. /dev/hidraw0 is only visible on the host.

Is there a specific kernel module I would need to load on the host first for usbhid-ups in NUT? And is this kernel module capable of being used in an unprivileged container?

Regards, Linus
Linus Lüssing
2022-Jul-18 01:09 UTC
[Nut-upsuser] Running NUT within an unprivileged LXD container?
On Mon, Jul 18, 2022 at 02:29:18AM +0200, Linus Lüssing wrote:
> Hi,
>
> I'm trying to set up NUT within an unprivileged LXD container.
> So within the container there is its own user namespace with
> a root user with UID 0, which does not actually have overall
> system root rights.
>
> Both the host and the container run Debian Bullseye.
> NUT is version 2.7.4-13.
> [...]

PS: During installation of NUT via apt in the container I got some errors, leaving the package in an uncompleted state. Not sure if they would matter (other than being a bit annoying for future use of apt, as apt now continuously complains). Other than that, generally all files from the NUT installation seem to be there.

```
root at nut:~# apt-get install nut-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  bash-completion libltdl7 libnspr4 libnss3 libnutscan1 libsqlite3-0 libupsclient4 libusb-0.1-4 nut-client
Suggested packages:
  nut-monitor nut-cgi nut-ipmi nut-snmp nut-xml
The following NEW packages will be installed:
  bash-completion libltdl7 libnspr4 libnss3 libnutscan1 libsqlite3-0 libupsclient4 libusb-0.1-4 nut-client nut-server
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 4191 kB of archives.
After this operation, 14.2 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://deb.debian.org/debian bullseye/main arm64 libnspr4 arm64 2:4.29-1 [105 kB]
Get:2 http://deb.debian.org/debian bullseye/main arm64 libsqlite3-0 arm64 3.34.1-3 [750 kB]
Get:3 http://deb.debian.org/debian bullseye/main arm64 libnss3 arm64 2:3.61-1+deb11u2 [1210 kB]
Get:4 http://deb.debian.org/debian bullseye/main arm64 libupsclient4 arm64 2.7.4-13 [186 kB]
Get:5 http://deb.debian.org/debian bullseye/main arm64 nut-client arm64 2.7.4-13 [249 kB]
Get:6 http://deb.debian.org/debian bullseye/main arm64 libltdl7 arm64 2.4.6-15 [390 kB]
Get:7 http://deb.debian.org/debian bullseye/main arm64 libnutscan1 arm64 2.7.4-13 [191 kB]
Get:8 http://deb.debian.org/debian bullseye/main arm64 libusb-0.1-4 arm64 2:0.1.12-32 [21.5 kB]
Get:9 http://deb.debian.org/debian bullseye/main arm64 nut-server arm64 2.7.4-13 [855 kB]
Get:10 http://deb.debian.org/debian bullseye/main arm64 bash-completion all 1:2.11-2 [234 kB]
Fetched 4191 kB in 3s (1217 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libnspr4:arm64.
(Reading database ... 14573 files and directories currently installed.)
Preparing to unpack .../0-libnspr4_2%3a4.29-1_arm64.deb ...
Unpacking libnspr4:arm64 (2:4.29-1) ...
Selecting previously unselected package libsqlite3-0:arm64.
Preparing to unpack .../1-libsqlite3-0_3.34.1-3_arm64.deb ...
Unpacking libsqlite3-0:arm64 (3.34.1-3) ...
Selecting previously unselected package libnss3:arm64.
Preparing to unpack .../2-libnss3_2%3a3.61-1+deb11u2_arm64.deb ...
Unpacking libnss3:arm64 (2:3.61-1+deb11u2) ...
Selecting previously unselected package libupsclient4:arm64.
Preparing to unpack .../3-libupsclient4_2.7.4-13_arm64.deb ...
Unpacking libupsclient4:arm64 (2.7.4-13) ...
Selecting previously unselected package nut-client.
Preparing to unpack .../4-nut-client_2.7.4-13_arm64.deb ...
Unpacking nut-client (2.7.4-13) ...
Selecting previously unselected package libltdl7:arm64.
Preparing to unpack .../5-libltdl7_2.4.6-15_arm64.deb ...
Unpacking libltdl7:arm64 (2.4.6-15) ...
Selecting previously unselected package libnutscan1:arm64.
Preparing to unpack .../6-libnutscan1_2.7.4-13_arm64.deb ...
Unpacking libnutscan1:arm64 (2.7.4-13) ...
Selecting previously unselected package libusb-0.1-4:arm64.
Preparing to unpack .../7-libusb-0.1-4_2%3a0.1.12-32_arm64.deb ...
Unpacking libusb-0.1-4:arm64 (2:0.1.12-32) ...
Selecting previously unselected package nut-server.
Preparing to unpack .../8-nut-server_2.7.4-13_arm64.deb ...
Unpacking nut-server (2.7.4-13) ...
Selecting previously unselected package bash-completion.
Preparing to unpack .../9-bash-completion_1%3a2.11-2_all.deb ...
Unpacking bash-completion (1:2.11-2) ...
Setting up libsqlite3-0:arm64 (3.34.1-3) ...
Setting up libusb-0.1-4:arm64 (2:0.1.12-32) ...
Setting up libnspr4:arm64 (2:4.29-1) ...
Setting up bash-completion (1:2.11-2) ...
Setting up libltdl7:arm64 (2.4.6-15) ...
Setting up libnutscan1:arm64 (2.7.4-13) ...
Setting up libnss3:arm64 (2:3.61-1+deb11u2) ...
Setting up libupsclient4:arm64 (2.7.4-13) ...
Setting up nut-client (2.7.4-13) ...
Created symlink /etc/systemd/system/multi-user.target.wants/nut-monitor.service → /lib/systemd/system/nut-monitor.service.
Job for nut-monitor.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status nut-monitor.service" and "journalctl -xe" for details.
Setting up nut-server (2.7.4-13) ...
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-0:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.2/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.2/1-1.2.4/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.2/1-1.2.4/1-1.2.4:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.2/1-1.2:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.4/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.4/1-1.4:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-0:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-1/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-1/2-1:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.2/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.2/2-2.2:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.3/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.3/2-2.3:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.1/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.1/2-2.4.1:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.2/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.2/2-2.4.2:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.3/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.3/2-2.4.3:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.4/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4.4/2-2.4.4:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2.4/2-2.4:1.0/uevent': Permission denied
Failed to write 'change' to '/sys/devices/platform/scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb2/2-2/2-2:1.0/uevent': Permission denied
dpkg: error processing package nut-server (--configure):
 installed nut-server package post-installation script subprocess returned error exit status 1
Processing triggers for libc-bin (2.31-13+deb11u3) ...
Errors were encountered while processing:
 nut-server
E: Sub-process /usr/bin/dpkg returned an error code (1)
root at nut:~#
```
Linus Lüssing
2022-Jul-18 22:53 UTC
[Nut-upsuser] Running NUT within an unprivileged LXD container?
On Mon, Jul 18, 2022 at 02:29:18AM +0200, Linus Lüssing wrote:
> Hi,
>
> I'm trying to set up NUT within an unprivileged LXD container.
> So within the container there is its own user namespace with
> a root user with UID 0, which does not actually have overall
> system root rights.
>
> Both the host and the container run Debian Bullseye.
> NUT is version 2.7.4-13.
> [...]

Found my issue: I wasn't aware that when /lib/nut/usbhid-ups is started as root it drops its user privileges from root to the "nut" user:

```
root at nut:~# ps -Af | grep usb
nut           91       1  0 22:10 ?        00:00:02 /lib/nut/usbhid-ups -a apc-back-ups-rs-900g
```

So I needed to add the "uid" and "gid" attributes here:

```
$ lxc start nut
[ nut needs to be installed in the container before, so that the user+group "nut" are available ]
$ lxc config device add nut apcusbhid usb vendorid=051d productid=0002 uid="$(lxc exec nut -- /bin/id -u nut)" gid="$(lxc exec nut -- /bin/id -g nut)"
$ lxc exec nut -- /usr/bin/systemctl enable nut-server
$ lxc restart nut
```

upsc now returns just fine, with valid values:

```
$ lxc exec nut -- /usr/bin/upsc apc-back-ups-rs-900g at localhost battery.charge
Init SSL without certificate database
100
```

Some more background information from my debugging, especially the output from strace, can be found here in the forum post:

https://discuss.linuxcontainers.org/t/issue-usb-passthrough-using-network-ups-tools-nut-within-a-container-for-an-apc-ups/14641/1

Regards, Linus
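The fix above comes down to a least-privilege detail: the driver drops from root to the "nut" user, so the passed-through device node must be owned by that user's uid/gid inside the container's user namespace. The following helper is an added example (not code from the thread or from the NUT/LXD projects) that derives the `lxc config device add` line from a `nut-scanner -U` block like the one in the first message and then checks a device node's owner against the expected uid/gid; the function names, the `apcusbhid` device name and the sample uid/gid values are assumptions, and it relies on GNU/busybox `stat -c`.

```shell
#!/bin/sh
# Added example: build the LXD USB passthrough command from nut-scanner output
# and verify the resulting device node is owned by the unprivileged driver user.

# Constructed sample: the [nutdev1] block as printed by `nut-scanner -U` in the thread.
NUT_SCANNER_OUTPUT='[nutdev1]
        driver = "usbhid-ups"
        port = "auto"
        vendorid = "051D"
        productid = "0002"
        bus = "001"'

# scanner_field OUTPUT KEY -> unquoted value of KEY, hex digits lowercased
# (the thread's lxc command used lowercase 051d/0002).
scanner_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \"\([^\"]*\)\".*/\1/p" | tr 'A-F' 'a-f'
}

# lxd_usb_add_cmd CONTAINER DEVNAME UID GID OUTPUT -> the lxc command line to run on the host.
# UID/GID are the container-side ids of the "nut" user, e.g. from `lxc exec nut -- id -u nut`.
lxd_usb_add_cmd() {
  vid=$(scanner_field "$5" vendorid)
  pid=$(scanner_field "$5" productid)
  [ -n "$vid" ] && [ -n "$pid" ] || { echo "vendorid/productid not found in scanner output" >&2; return 2; }
  printf 'lxc config device add %s %s usb vendorid=%s productid=%s uid=%s gid=%s\n' \
    "$1" "$2" "$vid" "$pid" "$3" "$4"
}

# device_owned_by PATH UID GID -> 0 when PATH is owned by UID:GID, 1 when not, 2 when PATH is missing.
# Run inside the container against /dev/bus/usb/BBB/DDD after `lxc restart`.
device_owned_by() {
  [ -e "$1" ] || { echo "missing device node: $1" >&2; return 2; }
  [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ]
}

# Stand-alone demonstration with constructed ids (hypothetical uid 111 / gid 112).
if [ "${0##*/}" != "sh" ] && [ -z "${NUT_EXAMPLE_NO_MAIN:-}" ]; then
  lxd_usb_add_cmd nut apcusbhid 111 112 "$NUT_SCANNER_OUTPUT"
fi
```

In the author's setup the device node was owned by the container's root, which the driver no longer was after dropping privileges; `device_owned_by` returning 1 is exactly that misconfiguration.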