Access usb device from systemd-nspawn container

systemd-nspawn handles permissions for devices through cgroups. By default, any container is granted with permissions only for common devices like /dev/null, /dev/zero, etc, and additionally to any device passed directly to --bind argument like --bind=/dev/vcs. This won't work with USB because /dev/bus/usb is a directory.

To grant permission for currently running container named my_container (supposedly you started it with systemd-nspawn directly from command line) execute as root:

$ echo 'c 189:* rwm' > \
 /sys/fs/cgroup/devices/machine.slice/machine-my_container/devices.allow

c 189:* rwm means read write modify permissions for any character device with type (identificator) 189 and any subtype. You can find type and subtype of device with file:

$ file /dev/bus/usb/002/002

This permission will only last while container is running.

If you are using [email protected] or want to persist permissions with it, create

/etc/systemd/system/[email protected]/override.conf

or

/etc/systemd/system/systemd-nspawn@my_container.service.d/override.conf

(depending on whether you want access to USB from any systemd-nspawn container or only from my_container correspondingly) with the following content:

[Service]
DeviceAllow=char-usb_device rwm 

usb_device is an alias. You can find other in /proc/devices.

Related videos on Youtube

45 : 35

NLUUG NJ19 - 06 - Pieter Lexis - Running containers with systemd-nspawn

Jeroen J.H.A. Jonkman

798

27 : 47

[How To] Build and Run SystemD Namespace Containers

Gerard's Curious Tech

788

01 : 51

Unix & Linux: Access usb device from systemd-nspawn container

Roel Van de Paar

46

54 : 22

Systemd-Nspawn is Chroot on Steroids - Lennart Poettering, Red Hat

The Linux Foundation

9

05 : 32

Access storage of Android device on Linux (USB)

s1n7ax

2

43 : 55

GPU, USB, NICs and Other Physical Devices in Your Containers - Stéphane Graber, Canonical Ltd.

The Linux Foundation

2

Author by

Chace Fields

Updated on September 18, 2022