please advise on attaching Bluetooth to a container? #5065

Closed
ikke-t opened this issue Feb 3, 2020 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments


ikke-t commented Feb 3, 2020

/kind feature

Description

Hi, this is not a bug report, but I'm looking for advice on how to use home automation devices in containers. I have e.g. Bluetooth devices and Zigbee devices. Let's start with Bluetooth.

What would be the recommended way to get devices into a container without running the container privileged and using host networking?

I can get the Bluetooth device visible in the container like this:

$ sudo podman run --name centos -ti -h centos --net=host --privileged centos:latest
[root@centos /]# dnf install -y bluez
[root@centos /]# hcitool dev
Devices:
	hci0	18:1D:EA:8A:8D:EB

But this gives a lot of privileges to the container. Could I somehow import the USB device into the container, and start dbus and bluetoothd in there?

I tried e.g. using ubi-init to get dbus in there easily, which didn't work:

sudo podman run --name ubi-init -ti -h ubi-init --device /dev/bus/usb/001/002 ubi8-init:latest

sudo podman exec -ti ubi-init bash

[root@ubi-init /]# lsusb
Bus 002 Device 002: ID 0bda:0328  
Bus 002 Device 001: ID 1d6b:0003  
Bus 001 Device 004: ID 06cb:009a  
Bus 001 Device 003: ID 5986:2115  
Bus 001 Device 002: ID 8087:0a2b  
Bus 001 Device 001: ID 1d6b:0002

[root@ubi-init /]# ls /dev/bus/usb/001/002 
/dev/bus/usb/001/002

[root@ubi-init /]# hciconfig hci0 up
Can't open HCI socket.: Address family not supported by protocol

[root@ubi-init /]# hcitool dev
Devices:

So you can see that it sees all the USB devices, but bluez still can't get the hci0 device up. Any ideas what should be done or what I'm doing wrong? Or should I just give all the powers to the container?

Output of podman version:

Version:            1.4.2-stable3
RemoteAPI Version:  1
Go Version:         go1.12.12
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12.12
  podman version: 1.4.2-stable3
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.2-6.module+el8.1.0+4830+f49150d7.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.1-dev, commit: unknown'
  Distribution:
    distribution: '"rhel"'
    version: "8.1"
  MemFree: 2715652096
  MemTotal: 16276578304
  OCIRuntime:
    package: runc-1.0.0-61.rc8.module+el8.1.0+4873+4a24e241.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 8292134912
  SwapTotal: 8292134912
  arch: amd64
  cpus: 8
  hostname: gr8.localdomain
  kernel: 4.18.0-147.3.1.el8_1.x86_64
  os: linux
  rootless: false
  uptime: 3h 56m 23.19s (Approximately 0.12 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - quay.io
  - docker.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 4
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 8
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.4.2-6.module+el8.1.0+4830+f49150d7.x86_64
@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 3, 2020

ikke-t commented Feb 3, 2020

Forgot to mention, I killed the bluetoothd on the host (Lenovo X1 Carbon) before starting the containers.


rhatdan commented Feb 4, 2020

Could you start out with --privileged and see if it works? If yes, then drop back to non-privileged and try with:
SELinux disabled. Does it work?
seccomp disabled. Does it work?
--cap-add all. Does it work?

Basically try to figure out if this is a security thing that is blocking the access. If I had to guess, I would guess this is something in the network stack NET_ADMIN or worse SYS_ADMIN capabilities.


ikke-t commented Feb 4, 2020

I did:

sudo setenforce 0
sudo podman run --name ubi-init -ti -h ubi-init --device /dev/bus/usb/001/002 --security-opt=seccomp=unconfined --cap-add all ubi8-init:latest

but no luck. If I run it with --net=host, it sees the device. Perhaps this is overcomplicating it, and I just need to allow it --privileged and --net=host and be done with it. TBH, I don't even know how bluez should hook up to the given USB device from the container. Thanks.


rhatdan commented Feb 4, 2020

Well, can you run with --net=host and locked down?
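The following diagnostic script is an added example, not code from this thread or from the podman project. Run inside the container, it does what `hciconfig hci0 up` does (a raw AF_BLUETOOTH/HCI socket, then the HCIDEVUP ioctl) and names the boundary each failure comes from, so you can drop options one at a time and see which one actually matters. The mapping rests on two kernel facts: the Bluetooth socket family is only available in the initial network namespace (socket() fails with EAFNOSUPPORT anywhere else, the exact error quoted earlier, which is why --cap-add all and seccomp=unconfined changed nothing while --net=host did), and HCIDEVUP requires CAP_NET_ADMIN. Assumptions not taken from the issue: the adapter is hci0, the image has python3, and the HCIDEVUP number is the Linux <bluetooth/hci.h> value `_IOW('H', 201, int)`.

```python
"""Probe which boundary keeps an HCI adapter out of reach inside a container.

Run it as root inside the container, after attaching the adapter.  It does
what `hciconfig hci0 up` does, a raw AF_BLUETOOTH/HCI socket followed by the
HCIDEVUP ioctl, and maps each failure to the layer that produced it.

Assumptions not taken from the issue: the adapter is hci0, the image has
python3, and HCIDEVUP is the Linux <bluetooth/hci.h> value _IOW('H', 201, int).
"""
import errno
import fcntl
import socket

HCIDEVUP = 0x400448C9  # _IOW('H', 201, int); the kernel requires CAP_NET_ADMIN for it

# (stage, errno) -> verdict.  The Bluetooth socket family is only registered
# for the initial network namespace, so socket() fails with EAFNOSUPPORT in
# any other netns, which is the exact error quoted in the issue; capabilities
# and seccomp never enter the picture until the namespace problem is solved.
VERDICTS = {
    ("socket", errno.EAFNOSUPPORT): "netns",
    ("socket", errno.EPERM): "socket-denied",
    ("socket", errno.EACCES): "socket-denied",
    ("socket", errno.EPROTONOSUPPORT): "no-hci-protocol",
    ("devup", errno.EPERM): "cap-net-admin",
    ("devup", errno.ENODEV): "no-adapter",
    ("devup", errno.EALREADY): "ok",
    ("devup", errno.EBUSY): "adapter-busy",
}

ADVICE = {
    "netns": "AF_BLUETOOTH is unavailable in this network namespace (or the bluetooth "
             "module is not loaded at all): run with --net=host and confirm hcitool dev "
             "works on the host first.",
    "socket-denied": "socket() itself was refused: check the seccomp profile and LSM policy.",
    "no-hci-protocol": "kernel has AF_BLUETOOTH but no HCI protocol support.",
    "cap-net-admin": "HCIDEVUP needs CAP_NET_ADMIN: add --cap-add=NET_ADMIN.",
    "no-adapter": "no adapter with this id is visible here; check the host's hci index.",
    "adapter-busy": "adapter is held by another owner, e.g. a bluetoothd still running.",
    "python-no-bluetooth": "this python build lacks AF_BLUETOOTH; use hciconfig directly.",
    "ok": "adapter is up; retry with the fewest container options that reach here.",
    "unknown": "unmapped error; see the errno and check dmesg / audit.log.",
}


def classify(stage, err):
    """Map a failing stage and its errno to one of the ADVICE keys."""
    return VERDICTS.get((stage, err), "unknown")


def probe_hci(dev_id=0):
    """Open a raw HCI socket and bring adapter dev_id up.

    Returns (stage, errno, verdict); stage is 'ok' when HCIDEVUP succeeded.
    Side effect on success: the adapter really is brought up, like hciconfig.
    """
    if not hasattr(socket, "AF_BLUETOOTH"):
        return ("python", 0, "python-no-bluetooth")
    try:
        sock = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_RAW, socket.BTPROTO_HCI)
    except OSError as e:
        return ("socket", e.errno, classify("socket", e.errno))
    with sock:
        try:
            fcntl.ioctl(sock.fileno(), HCIDEVUP, dev_id)
        except OSError as e:
            return ("devup", e.errno, classify("devup", e.errno))
    return ("ok", 0, "ok")


if __name__ == "__main__":
    stage, err, verdict = probe_hci(0)
    print("stage=%s errno=%s verdict=%s" % (stage, errno.errorcode.get(err, err), verdict))
    print(ADVICE[verdict])
```

A reasonable starting point for the locked-down run is `sudo podman run --net=host --cap-drop=all --cap-add=NET_ADMIN --device /dev/bus/usb/001/002 ...` with host bluetoothd stopped as above; the flags are real podman options, but whether NET_ADMIN alone is enough for your bluez setup is an assumption the verdict is meant to confirm. Note that EAFNOSUPPORT is also what you get when the bluetooth module is not loaded on the host at all, so check `hcitool dev` on the host before blaming the container.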


rhatdan commented Feb 18, 2020

@ikke-t This is not an upstream issue. If you are still working on this, please send email to the podman.io mailing list or get us on IRC in #podman on freenode.

@rhatdan rhatdan closed this as completed Feb 18, 2020

dezza commented May 22, 2023

@ikke-t onedr0p/containers#68

See this for a solution.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2023