The Problem
In my case, I was trying to get a YubiHSM to be accessible in an LXC-based Ubuntu 18.04 container. The Yubi was always visible in the container, but couldn't be accessed. The YubiHSM shell running in the container couldn't connect to it and would error out with this in the logs:
WARN[0020] status failed to open usb device X-Request-ID=17c1d0b5-7f3e-453c-bd2c-b868b9166885 error='libusb: no device (code -4)'
I tried adding devices to the container in Container Station (specifically TTY and Input), but that didn't work. I could get it all to work in a virtual machine, but couldn't get things to function in a container.
The Solution
I found a similar situation on GitHub and used the instructions there to get it working on the NAS. There is probably an easier route to do this, but this is the only route I found. Steps 1 to 5 below identify the container's directory and its config files. Skip to Step 6 if you already know where all that is.
1. Log in as an admin via SSH
2. Find your LXC path by running:
[/var/lib/lxc/YubiHSM] # lxc-config lxc.lxcpath
/var/lib/lxc
3. cd into the directory you just found: cd /var/lib/lxc (yours may be different)
4. Each container and its config files will be in a subdirectory. Find your container using 'ls' and 'cd' into that directory. My container was named 'YubiHSM', so the command was: cd YubiHSM
5. 'ls' now will list all of the config files as well as the root file system for the container. The config settings are in qconfig:
[/var/lib/lxc/YubiHSM] # cat qconfig
lxc.cgroup.cpu.cfs_quota_us = 400000
lxc.cgroup.memory.limit_in_bytes = 10485760000
lxc.cgroup.devices.allow = c 4:* rwm
lxc.cgroup.devices.allow = c 13:* rwm
lxc.start.auto = 1
lxc.utsname = YubiHSM
I recommend making a backup of that file before manipulating it. Now we need to figure out what to put there.
6. lsusb will list out the USB devices. The key parts are the Bus and Device values. In my case, I found the YubiHSM by Yubico at Bus 003, Device 002.
ubuntu@YubiHSM:~$ lsusb
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 1050:0030 Yubico.com
Bus 003 Device 003: ID 0764:0601 Cyber Power System, Inc. PR1500LCDRT2U UPS
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 1005:b155 Apacer Technology, Inc.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
7. List out the device info using the Bus and Device values from above:
[/var/lib/lxc/YubiHSM] # ls -l /dev/bus/usb/003/002
crw------- 1 admin administrators 189, 257 2020-11-10 09:34 /dev/bus/usb/003/002
You want the Major ID number, which is found after 'administrators' (189 in my case).
We're now ready to modify the qconfig file.
8. Append the following lines at the end of qconfig using the values you found above:
lxc.cgroup.devices.allow: c 189:* rwm
lxc.mount.entry: /dev/bus/usb/003/002 dev/bus/usb/003/002 none bind,optional,create=file
The first line allows the container to access devices with the Major ID you found above. It's followed by a Minor ID, but this value can change when a device is unplugged and plugged back in, so the Minor ID is wildcarded with a * in this line. The final value on that line (rwm) allows the container to read-write-mount the device (you can remove a value for security reasons). The second line mounts the device in the container. It basically takes the device's location in the host OS and puts it in the exact same location in the guest OS. Again, your values in that line are probably different, so use what you found above in Step 6.
9. Reboot the container and see if it worked!
Please let me know if there's an easier way to do this! It worked, but it's messy.
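The lookups in steps 6 to 8 can be scripted. The shell functions below are an added example, not part of the original post: they read lsusb and ls -l output and print the two qconfig lines in the form used in step 8. The function names are made up for this example, and the sample input is copied from the output shown above so the script runs without the hardware.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print /dev/bus/usb/BBB/DDD for the vendor:product ID in $1 (lsusb on stdin).
# Fails unless exactly one device matches, so a second device with the same
# ID is never picked silently.
usb_path_from_lsusb() {
    awk -v id="$1" '
        $1 == "Bus" && $5 == "ID" && $6 == id {
            dev = $4; sub(/:$/, "", dev)
            path = "/dev/bus/usb/" $2 "/" dev; n++
        }
        END { if (n != 1) exit 1; print path }'
}

# Print the major number from one `ls -l` line of a character device (stdin).
major_from_ls() {
    awk '$1 ~ /^c/ && $5 ~ /^[0-9]+,$/ { sub(/,$/, "", $5); print $5; ok = 1 }
         END { if (!ok) exit 1 }'
}

# Print the two qconfig lines in the form used in step 8.
# $1 = device path, $2 = major, $3 = access letters (default rwm, as in the
# post; in the devices cgroup r = read, w = write, m = mknod).
qconfig_lines() {
    acc=${3:-rwm}
    case $acc in r|rw|rwm) ;; *) return 1 ;; esac
    printf 'lxc.cgroup.devices.allow: c %s:* %s\n' "$2" "$acc"
    printf 'lxc.mount.entry: %s %s none bind,optional,create=file\n' "$1" "${1#/}"
}

# Demo on constructed input taken from the post's output. On the host, pipe
# the real `lsusb` and `ls -l <path>` output into the functions instead.
sample_lsusb='Bus 003 Device 002: ID 1050:0030 Yubico.com
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'
sample_ls='crw------- 1 admin administrators 189, 257 2020-11-10 09:34 /dev/bus/usb/003/002'

dev_path=$(printf '%s\n' "$sample_lsusb" | usb_path_from_lsusb 1050:0030)
dev_major=$(printf '%s\n' "$sample_ls" | major_from_ls)
qconfig_lines "$dev_path" "$dev_major"
```

Passing a third argument such as rw to qconfig_lines narrows the access letters; whether the device still works with fewer letters has to be checked on the container itself.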