Weird behaviour with a rootless container that tries to access /dev/ttyACM0

[NachoMas]

Hi all,

I’ve been trying to get my ZwaveJS2MQTT container to work on a rootless podman container and I get a really weird behavior.

I start the podman container as follows:

$podman run --name=zwavejs --cgroups=no-conmon --rm --sdnotify=conmon --replace --group-add keep-groups --userns=keep-id -it -p 192.168.1.2:8091:8091 -p 192.168.1.2:3000:3000 --device=/dev/serial/by-id/usb-0658_0200-if00:/dev/zwave:rw -e TZ="Europe/Stockholm" -v /var/run/dbus:/var/run/dbus:ro -v /etc/timezone:/etc/timezone:ro -v /etc/zwavejs:/usr/src/app/store --label io.containers.autoupdate=registry docker.io/zwavejs/zwave-js-ui:latest

When the container starts , I can see the permissions and access the dev like this:
podman exec zwavejs /bin/sh -c ‘stty -a -F /dev/zwave’
speed 115200 baud;stty: /dev/zwave: Not a tty
line = 0;

But after some 20 seconds the permissions get dropped and the same command gives me a ‘stty: can’t open ‘/dev/zwave’: Permission denied’

Checking the permission right after start of the container I get:
podman exec zwavejs /bin/sh -c ‘stat /dev/zwave’
File: /dev/zwave
Size: 0 Blocks: 0 IO Block: 4096 character special file
Device: 5h/5d Inode: 1319 Links: 1 Device type: a6,0
Access: (0660/crw-rw----) Uid: (65534/ nobody) Gid: (65534/ nobody)
Access: 2024-04-11 10:40:16.843642310 +0200
Modify: 2024-04-11 10:40:16.843642310 +0200
Change: 2024-04-11 10:39:43.843642310 +0200

But after some 20 secs it changes on itself to:
File: /dev/zwave
Size: 0 Blocks: 0 IO Block: 4096 character special file
Device: 5h/5d Inode: 1343 Links: 0 Device type: a6,0
Access: (0000/c---------) Uid: (65534/ nobody) Gid: (65534/ nobody)
Access: 2024-04-11 10:47:01.290191907 +0200
Modify: 2024-04-11 10:47:01.290191907 +0200
Change: 2024-04-11 10:47:04.845254517 +0200

I’m completely baffled by this. I assume that something inside the container is changing the permission for some reason? SELinux inside the container? Any ideas on how to make it work? The host has no SELinux or AppArmor enabled and of course the podman user is a member of the dialout group in the host with the following attributes:

crw-rw---- 1 root dialout 166, 0 Apr 11 15:20 /dev/ttyACM0

Of course the container as root works flawlessly. i'm baffled by this. any ideas?

Thanks and regards,
/Nacho

[drewlsvern]

@NachoMas I ran into this same issue and came across this blog post here
The blog post is referring to using LXC containers but I figured it was worth a shot and bingo it solved the issue for me.

I created a new directory where I created the character file and then changed the group permissions to the dialout group which my container user is a member of.

sudo mkdir /mnt/devices
cd /mnt/devices
sudo mknod -m 660 ttyACM0 c 166 0
sudo chown root:dialout ttyACM0

I then added the device to my .container file like this:

AddDevice=/mnt/devices/ttyACM0:/dev/zwave

Or with podman run

podman run --device /mnt/devices/ttyACM0:/dev/zwave

I will test it out for a while and see how stable it is.

Hopefully this can help others that may run into this issue.