permission denied in debian bookworm
Hello there, I currently try to link a Zigbee stick with your great workaround; sadly I get errored out: the stick is recognized but can't be talked to.
System: Debian 12, all updated, default installed Docker, joined a swarm. YAML part:

```yaml
version: "3.8"
services:
  dmm:
    image: docker
    entrypoint: docker
    restart: unless-stopped
    privileged: true
    command: |
      run -i --rm --privileged --cgroupns=host --pid=host --userns=host -v /sys:/host/sys -v /var/run/docker.sock:/var/run/docker.sock -v /dev:/dev ghcr.io/allfro/allfro/device-mapping-manager:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      mode: global
```
Tested the one linked here as well (where it does not find the repo) and the nightly version.
The error I get:

```
2023-08-18T13:40:29.068805881Z Status: Downloaded newer image for ghcr.io/allfro/allfro/device-mapping-manager:nightly
2023-08-18T13:40:30.080766794Z 2023/08/18 13:40:30 The cgroup version for process 1735168 is: 2
2023-08-18T13:40:30.080780249Z 2023/08/18 13:40:30 Checking mounts for process 1735168
2023-08-18T13:40:30.080782748Z 2023/08/18 13:40:30 da796728f12ab9f41cc119ab4711348fef9d73d8fe3356a7333763cf47e04191/1735168 requested a volume mount for /sys at /host/sys
2023-08-18T13:40:30.080784857Z 2023/08/18 13:40:30 /sys is not a device... skipping
2023-08-18T13:40:30.080786685Z 2023/08/18 13:40:30 da796728f12ab9f41cc119ab4711348fef9d73d8fe3356a7333763cf47e04191/1735168 requested a volume mount for /var/run/docker.sock at /var/run/docker.sock
2023-08-18T13:40:30.080788600Z 2023/08/18 13:40:30 /var/run/docker.sock is not a device... skipping
2023-08-18T13:40:30.080790486Z 2023/08/18 13:40:30 da796728f12ab9f41cc119ab4711348fef9d73d8fe3356a7333763cf47e04191/1735168 requested a volume mount for /dev/ttyUSB0 at /dev/ttyUSB0
2023-08-18T13:40:30.080839391Z 2023/08/18 13:40:30 The cgroup path for process 1735168 is at /host/sys/fs/cgroup
2023-08-18T13:40:30.080935410Z 2023/08/18 13:40:30 Found device: /dev/ttyUSB0 c 188:0
2023-08-18T13:40:30.080940831Z 2023/08/18 13:40:30 Adding device rule for process 1735168 at /host/sys/fs/cgroup
2023-08-18T13:40:30.081078604Z 2023/08/18 13:40:30 unable to generate new device filter program with no existing programs: unable to create new device filters program: load program: permission denied: 10: (95) exit: R0 !read_ok (10 line(s) omitted)
2023-08-18T13:40:30.081085720Z 2023/08/18 13:40:30 unable to generate new device filter program with no existing programs: unable to create new device filters program: load program: permission denied: 10: (95) exit: R0 !read_ok (10 line(s) omitted)
```
Unfortunately, Docker on Debian and Ubuntu on cgroupv2 still enforces certain rules in seccomp and friends under Docker swarm setups. The fix is to run the program outside the container and set it up as a systemctl service.
@allfro Could you please provide instructions on how to run it outside of docker? (And which program exactly) I know how to make it a systemctl service :D
Hi @allfro - any update on this? It would be great to get some more information on how to run this outside of container for Debian/Ubuntu on cgroup2 ... Thanks!
You need the program `dvd` from the container in this repository. You can grab it like this:

- In your shell, run `docker run --rm -it -v $PWD:/out --entrypoint /bin/sh ghcr.io/allfro/device-mapping-manager:latest`.
- In the resulting docker shell, run `cp dvd out/`, followed by `exit`. Now you'll have the `dvd` program in your current directory.
- Next, verify that `/host/sys` points to `sys` (it probably doesn't exist, so you'll need to symlink it: `sudo ln -s /sys /host/sys`).
- Finally, run `dvd` with root privileges (`sudo ./dvd`) to test that everything works correctly (try mounting a device into docker as a volume in another shell).
- Once you verified everything works as expected, create a service to run `dvd` when the system starts.
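The steps above collected into an install script with a systemd unit, as an added example that is not code from the repository or the maintainer; the install path `/usr/local/bin/dvd`, the unit name `dvd.service`, the `/host/sys` symlink check in `ExecStartPre` and the dependency on `docker.service` are assumptions.

```sh
#!/bin/sh
# Added example (not from the repository): package the manual steps from the
# reply into a script that extracts `dvd` from the image and installs it as a
# systemd service. Image name is from the reply; paths and unit name are assumed.
set -eu

IMAGE="ghcr.io/allfro/device-mapping-manager:latest"   # as given in the reply
DVD_BIN="/usr/local/bin/dvd"                            # assumed install path
UNIT_PATH="/etc/systemd/system/dvd.service"             # assumed unit name

# Render the unit file. dvd talks to the Docker socket and writes device-cgroup
# BPF rules under /host/sys/fs/cgroup, so it must start after Docker and run as
# root (the restriction the thread hit inside a swarm container); ExecStartPre
# recreates the /host/sys -> /sys symlink the reply asks for if it is missing.
render_unit() {
    cat <<EOF
[Unit]
Description=device-mapping-manager (dvd) running outside of Docker
After=docker.service
Requires=docker.service

[Service]
Type=simple
ExecStartPre=/bin/sh -c 'test -e /host/sys || (mkdir -p /host && ln -s /sys /host/sys)'
ExecStart=$1
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# The reply's "docker run ... /bin/sh" + "cp dvd out/" steps, non-interactively.
# Needs root and a working Docker; the binary is installed root-owned, 0755.
extract_dvd() {
    tmp=$(mktemp -d)
    docker run --rm -v "$tmp:/out" --entrypoint /bin/sh "$IMAGE" -c 'cp dvd /out/'
    install -m 0755 "$tmp/dvd" "$DVD_BIN"
    rm -rf "$tmp"
}

install_service() {
    extract_dvd
    render_unit "$DVD_BIN" > "$UNIT_PATH"
    systemctl daemon-reload
    systemctl enable --now dvd.service
}

# Only perform the privileged install when explicitly asked to.
if [ "${1:-}" = "install" ]; then install_service; fi
```

Run `sudo ./install-dvd.sh install` once; afterwards `sudo ./dvd` from the reply is replaced by `systemctl status dvd.service`.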