Marc's Public Blog - Linux Hacking

Problem:You want to use devices like /dev/ttyUSB0 or need to access raw USB devices under /dev/bus/usb in a docker container

Before I go there, yes, giving --privileged will "fix" all your problems but it will also give full access to everything in your container, where the container can wipe the host device, steal password from memory outside the container and so forth. Maybe that's ok for you anyway, but if not, read on:

/dev/ttyUSB0 does not show up under /dev in the container

This does 2 things: 1) create the device in the container, and 2) give the container write access to the block device (more or that later)

docker run --device=/dev/ttyUSB0 -i -t --entrypoint /bin/bash --cap-add SYS_PTRACE debian:amd64

I added SYS_PTRACE so that you can use strace -e trace=file command to debug access problems

/dev/bus or /dev/serial do not show up under /dev in the container

docker run -v /dev/bus:/dev/bus:ro -v /dev/serial:/dev/serial:ro -i -t --entrypoint /bin/bash --cap-add SYS_PTRACE debian:amd64

This will make /dev/bus and /dev/serial show up as bind mounts in your container. Yet you will find that _fastboot devices or adb_ will not work. Strace will show you permission denied. What you want instead is this:

docker run --device=/dev/bus -v /dev/serial:/dev/serial:ro -i -t --entrypoint /bin/bash --cap-add SYS_PTRACE debian:amd64

See https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

This mounts /dev/bus in your container and gives you access to all the block/character devices in there. Now, fastboot will work. Well, it will work until...

/dev/bus, fastboot/adb work until I disconnect/reconnect the device

Yeah, this is where things get more hairy. what the --device command above did was give access to all the block/character devices that existed when your container was created. If new ones appear (unplugging and replugging a device or rebooting it), those don't work.
I have not found a way to get docker to make them work after the container has started.

Thankfully there is a clue here: https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt

You want to go back to running

docker run -v /dev/bus:/dev/bus:ro -v /dev/serial:/dev/serial:ro -i -t --entrypoint /bin/bash --cap-add SYS_PTRACE debian:amd64

Then, grab the container ID in $A:

A=$( docker ps |awk '/bin.bash/ { print $1 }' )

Note the major number of your device:

root@fuchsia-tests-x64-lab01-0002:/sys/fs/cgroup# l /dev/bus/usb/004/* | head -1
crw-rw-r-- 1 root root 189, 384 Dec 18 17:51 /dev/bus/usb/004/001

Finally, tell the linux container via an opaque cgroup interface, that all character devices of major number 189, are allowed:

root@fuchsia-tests-x64-lab01-0002:~# echo 'c 189:* rwm' > /sys/fs/cgroup/devices/docker/$A*/devices.allow 

After that, things should work.

My /dev/ttyUSB device keeps changing and the new one isn't allowed

root@fuchsia-tests-x64-lab01-0002:~# echo 'c 188:* rwm' > /sys/fs/cgroup/devices/docker/$A*/devices.allow 

Then inside the container, create them all:

root@f47dbbab392b:/dev# for i in $(seq 1 255); do mknod ttyUSB$i c 188 $i; done

Hope this helps!