I am trying to run command dmidecode in my docker container,
docker run --device /dev/mem:/dev/mem -it jin/ubu1604
However, it claims that there is no permission
root#bd1062dfd8ab:/# dmidecode
# dmidecode 3.0
Scanning /dev/mem for entry point.
/dev/mem: Operation not permitted
root#bd1062dfd8ab:/# ls -l /dev
total 0
crw--w---- 1 root tty 136, 0 Jan 7 03:21 console
lrwxrwxrwx 1 root root 11 Jan 7 03:20 core -> /proc/kcore
lrwxrwxrwx 1 root root 13 Jan 7 03:20 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Jan 7 03:20 full
crw-r----- 1 root kmem 1, 1 Jan 7 03:20 mem
drwxrwxrwt 2 root root 40 Jan 7 03:20 mqueue
crw-rw-rw- 1 root root 1, 3 Jan 7 03:20 null
lrwxrwxrwx 1 root root 8 Jan 7 03:20 ptmx -> pts/ptmx
drwxr-xr-x 2 root root 0 Jan 7 03:20 pts
crw-rw-rw- 1 root root 1, 8 Jan 7 03:20 random
drwxrwxrwt 2 root root 40 Jan 7 03:20 shm
lrwxrwxrwx 1 root root 15 Jan 7 03:20 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Jan 7 03:20 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Jan 7 03:20 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 Jan 7 03:20 tty
crw-rw-rw- 1 root root 1, 9 Jan 7 03:20 urandom
crw-rw-rw- 1 root root 1, 5 Jan 7 03:20 zero
This confused me. Since I was able to run dmidecode -t system on the host (ubuntu 14.04) fine.
I even followed some advice and set the permission on dmidecode executable
setcap cap_sys_rawio+ep /usr/sbin/dmidecode
It still doesn't work.
Any ideas?
UPDATE
Based on David Maze's answer, the command should be
run --device /dev/mem:/dev/mem --cap-add SYS_RAWIO -it my/ubu1604a
Do this only when you are going to trust what runs in container. For example, if you are test installation procedure on a pristine OS.
Docker provides an isolation layer, and one of the major goals of Docker is to hide details of the host's hardware from containers. The easiest, most appropriate way to query low-level details of the host's hardware is from a root shell on the host, ignoring Docker entirely.
The actual mechanism of this is by restricting Linux capabilities. capabilities(7) documents that you need CAP_SYS_RAWIO to access /dev/mem, so in principle you can launch your container with --cap-add SYS_RAWIO. You might need other capabilities and/or device access to make this actually work, because Docker is hiding the details of what you're trying to access as a design goal.
Related
I'm curious about how dockerized processes interact with the terminal from which you run docker run.
From some research I done, I found that when you run a container without -t or -i, the file descriptors of the process are:
// the PID of the containerized process is 16198
~$ sudo ls -l /proc/16198/fd
total 0
lrwx------ 1 root root 64 Jan 18 09:28 0 -> /dev/null
l-wx------ 1 root root 64 Jan 18 09:28 1 -> 'pipe:[242758]'
l-wx------ 1 root root 64 Jan 18 09:28 2 -> 'pipe:[242759]'
I see that the other ends of those pipes are of the containerd-shim process that spawned the containerized process. We know that once that process will write something to its STDOUT, it will show up on the terminal from which you ran docker run. Further, when you run a container with -t and look at the open FDs of the process:
~$ sudo ls -l /proc/17317/fd
total 0
lrwx------ 1 root root 64 Jan 18 09:45 0 -> /dev/pts/0
lrwx------ 1 root root 64 Jan 18 09:45 1 -> /dev/pts/0
lrwx------ 1 root root 64 Jan 18 09:45 2 -> /dev/pts/0
So now the container has a pseudo-tty slave as STDIN, STDOUT and STDERR. Who has the master side of that slave? Listing the FDs of the parent containerd-shim we can now see that it has a /dev/ptmx open:
$ sudo ls -l /proc/17299/fd
total 0
lr-x------ 1 root root 64 Jan 18 09:50 0 -> /dev/null
l-wx------ 1 root root 64 Jan 18 09:50 1 -> /dev/null
lrwx------ 1 root root 64 Jan 18 09:50 10 -> 'socket:[331340]'
l--------- 1 root root 64 Jan 18 09:50 12 -> /run/docker/containerd/afb8b7a1573c8da16943adb6f482764bb27c0973cf4f51279db895c6c6003cff/init-stdin
l--------- 1 root root 64 Jan 18 09:50 13 -> /run/docker/containerd/afb8b7a1573c8da16943adb6f482764bb27c0973cf4f51279db895c6c6003cff/init-stdin
lrwx------ 1 root root 64 Jan 18 09:50 14 -> /dev/pts/ptmx
...
So I suppose that the containerd-shim process interacts with the container process using this pseudo-terminal system. By the way, even in this case you can't interact with the process, since I didn't ran the container with -i.
So one question is: what difference does it make if containerd-shim interacts with the process using a pipe or using a pseudo-terminal subsystem?
Another question is, how do containerd-shim rolls this data to the terminal from which I ran docker run
I would like to program the (MB1355C and/or MB1293C) devices from an STM32WB55 Nucleo Pack on my (Ubuntu 18.04.3 LTS) machine - preferably with the convenience of an eclipse based IDE that supports debugging features.
I installed
STM32CubeProgrammer (version 2.2.1)
Atolic TrueStudio (version 9.3.0)
STM32CubeIDE (version 1.1.0)
and I now have the following udev rules
chandran#chandran-OptiPlex-9020:~$ ll /etc/udev/rules.d/
total 160
drwxr-xr-x 2 root root 4096 Dec 13 14:11 ./
drwxr-xr-x 4 root root 4096 Dec 4 13:44 ../
-rw-rw-r-- 1 root root 270 Oct 14 18:10 49-stlinkv1.rules
-rw-rw-r-- 1 root root 270 Oct 14 18:10 49-stlinkv1.rules.O
-rw-rw-r-- 1 root root 464 Oct 14 18:10 49-stlinkv2-1.rules
-rw-rw-r-- 1 root root 464 Oct 14 18:10 49-stlinkv2-1.rules.O
-rw-rw-r-- 1 root root 278 Oct 14 18:10 49-stlinkv2.rules
-rw-rw-r-- 1 root root 278 Oct 14 18:10 49-stlinkv2.rules.O
-rw-r--r-- 1 root root 458 Dec 11 17:26 49-stlinkv3loader.rules
-rw-rw-r-- 1 root root 845 Oct 14 18:10 49-stlinkv3.rules
-rw-rw-r-- 1 root root 845 Oct 14 18:10 49-stlinkv3.rules.O
-rw-r--r-- 1 root root 381 Dec 6 17:10 '#61-msp430uif.rules#'
-rw-r--r-- 1 root root 381 Dec 4 15:09 61-msp430uif.rules
-rwxr-xr-x 1 root root 2145 Dec 4 15:09 70-mm-no-ti-emulators.rules*
-rw-r--r-- 1 root root 58549 Dec 4 12:29 70-snap.core.rules
-rw-r--r-- 1 root root 79 Dec 5 12:11 77-msp430-blacklist.rules
-rw-r--r-- 1 root root 0 Dec 5 12:10 77-msp430-blacklist.rules~
-rw-rw-r-- 1 root root 18450 Oct 14 17:33 99-jlink.rules
-rw-rw-r-- 1 root root 18450 Oct 14 17:33 99-jlink.rules.O
I am in the dialout group
chandran#chandran-OptiPlex-9020:~$ groups chandran
chandran : chandran adm dialout cdrom sudo dip plugdev lpadmin sambashare
I downloaded an example project called STM32100E-EVAL_USART_IrDA_Transmit and it builds successfully, but I get the following error message when I connect the evaluation board(s) and click on debug to flash the micro controller
ST-Link enumeration failed
Error in initializing ST-Link device.
Reason: (2) ST-Link DLL error.
I get the same error message when I try the above with STM32CubeIDE.
I have tried shifting JP1 as described in section 7.6 of the users manual but to no avail.
A previous question on stack overflow deals with the same error message so I got STM32CubeProgrammer to launch and tried making the changes suggested by #IsaBostan, but the development boards don't seem to be detected
How can I proceed to resolve this problem and program the boards?
Debugging ideas or suggestions are welcome, even if they haven't been tested...
It was just a question of permissions as suggested by KamilCuk
Launching TrueStudio as root and then clicking on debug solved the problem.
This is what worked on my machine:
sudo su
/opt/Atollic_TrueSTUDIO_for_STM32_x86_64_9.3.0/ide/./TrueSTUDIO
STM32CubeIDE's debugger also works when launched as follows on my machine:
sudo su
/opt/st/stm32cubeide_1.1.0/./stm32cubeide
and STM32CubeProgrammer connects to the device straight away when launched as follows:
sudo su
/usr/local/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/./STM32CubeProgrammer
My device shows up under /dev/ttyACM0 with the following permissions:
crw-rw----+ 1 root dialout 166, 0 Dec 28 11:56 ttyACM0
openocd and st-flash were not required.
The command mkdir creates a file rather than a directory on a mounted network drive on a windows 10 system operating under the Windows sub-system for linux, using the Ubuntu app.
After installing the ubuntu app and putting the windows machine into developer mode I successfully mounted a remote network drive using the command:
sudo mount -t drvfs '\\networkdrive\sharename' /mnt/U
which successfully mounts the network drive at the mount point. I can see the files on the remote drive. However when looking at a directory on the remote machine and issuing the command
mkdir Source
a file called Source is created on the remote drive rather than a directory.
I tried this on two completely different laptops running windows 10, which I set up in exactly the same way and the same problem happens. The windows 10 machines are in developer mode and running the latest version of the ubuntu app. This is a pretty fundamental thing to have go wrong so I'm guessing it's a bug of some sort.
The snippet below is the terminal output which illustrates the problem.
username#~$ pwd
/home/username
username#~$ sudo mount -t drvfs '\\networkdrive.host\sharename\' /mnt/U
[sudo] password for username:
username#~$ cd /mnt/U/People/username/projects/Vesiform
username#Vesiform$ ls -al
total 0
drwxrwxrwx 0 root root 512 Mar 29 2018 .
drwxrwxrwx 0 root root 512 Mar 28 12:04 ..
drwxrwxrwx 0 root root 512 Mar 28 11:12 Builder
drwxrwxrwx 0 root root 512 Mar 28 11:42 Library
drwxrwxrwx 0 root root 512 Mar 28 11:42 NPack
drwxrwxrwx 0 root root 512 Mar 28 11:42 PDBProc
drwxrwxrwx 0 root root 512 Mar 28 11:55 Projects
drwxrwxrwx 0 root root 512 Mar 28 11:55 SpacePack
drwxrwxrwx 0 root root 512 Mar 28 11:55 Utilities
username#Vesiform$ mkdir Source
username#Vesiform$ ls -al
total 0
drwxrwxrwx 0 root root 512 Mar 29 2018 .
drwxrwxrwx 0 root root 512 Mar 28 12:04 ..
drwxrwxrwx 0 root root 512 Mar 28 11:12 Builder
drwxrwxrwx 0 root root 512 Mar 28 11:42 Library
drwxrwxrwx 0 root root 512 Mar 28 11:42 NPack
drwxrwxrwx 0 root root 512 Mar 28 11:42 PDBProc
drwxrwxrwx 0 root root 512 Mar 28 11:55 Projects
-rwxrwxrwx 1 root root 0 Mar 29 2018 Source
drwxrwxrwx 0 root root 512 Mar 28 11:55 SpacePack
drwxrwxrwx 0 root root 512 Mar 28 11:55 Utilities
username#Vesiform$ cd Source
-bash: cd: Source: Not a directory
username#Vesiform$
When I run script as regular user manually, everything is OK. But if an email is received and piped into Go script, I can not open serial port because file does not exist.
postfix 1239 1025 0 13:20 ? 00:00:00 pipe -n watchParadox -t unix flags=F user=watch argv=/usr/local/bin/watch -paradox
watch 1240 1239 0 13:20 ? 00:00:00 /usr/local/bin/watch -paradox
Script is running under watch user who has been added to dialout group, postfix user, just to be sure, is in dialout also.
In my script I ran ls -la command to find out which files do truly exist:
drwxr-xr-x 6 root root 380 Feb 25 13:19 .
dr-xr-xr-x. 18 root root 4096 Feb 22 17:53 ..
lrwxrwxrwx 1 root root 11 Feb 25 13:19 core -> /proc/kcore
lrwxrwxrwx 1 root root 13 Feb 25 13:19 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Feb 25 13:19 full
drwxr-xr-x 2 root root 0 Feb 25 13:19 hugepages
lrwxrwxrwx 1 root root 28 Feb 25 13:19 log -> /run/systemd/journal/dev-log
drwxrwxrwt 2 root root 40 Feb 25 13:19 mqueue
crw-rw-rw- 1 root root 1, 3 Feb 25 13:19 null
lrwxrwxrwx 1 root root 8 Feb 25 13:19 ptmx -> pts/ptmx
drwxr-xr-x 2 root root 0 Feb 25 13:19 pts
crw-rw-rw- 1 root root 1, 8 Feb 25 13:19 random
drwxrwxrwt 2 root root 40 Feb 25 13:19 shm
lrwxrwxrwx 1 root root 15 Feb 25 13:19 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Feb 25 13:19 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Feb 25 13:19 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 Feb 25 13:19 tty
crw-rw-rw- 1 root root 1, 9 Feb 25 13:19 urandom
I am certain following file exists but is not shown when postfix pipe is executed.
crw-rw---- 1 root dialout 166, 0 25. úno 13.19 ttyACM0
I tried chmod 777 on the file but no luck in that department. Opening file via https://github.com/tarm/serial library which uses Go function:
os.OpenFile("ttyACM0", syscall.O_RDWR|syscall.O_NOCTTY|syscall.O_NONBLOCK, 0666)
results with
ttyACM0: no such file or directory
The problem is not the path because I tried relative (using chdir) and absolute with same exact outcome.
I even disabled SELinux which is not what I want to do but in search of solution I try anything.
Code is OK because manual execution of the script passes through properly. I think there is something wrong with Linux settings.
The correct path the ttyACM0 is /dev/ttyACM0. You define a udev rules to set the file mode when it attaches.
If that is not reachable from your program, it might be the case that your program runs chrooted().
It seems like it was truly Linux problem and some underlying fabrics of it which I do not understand. I was running Fedora25 but the problem does not occur on Debian8.
If a have a /dev device node and its major/minor numbers how do i know the kernel module name that exported this node?
Short answer :
cd /sys/dev/char/major:minor/device/driver/
ls -al | grep module
Each device is generally associated with a driver, and this is all what the "device model" is about. The sysfs filesystem contains a representation of this devices and their associated driver. Unfortuantely, it seems not all sysfs have a representation of the device nodes, so this applyd only if your /sys directory contains a /dev directory.
Let's take an example, with /dev/video0
On my board, ls -al /dev/video0 output is
crw------- 1 root root 81, 0 Jan 1 00:00 video0
So major number is 81 and minor number is 0.
Let's dive into sysfs :
# cd /sys
# ls
block class devices fs module
bus dev firmware kernel
The sys/dev directory contains entry for the char and block devices of the system :
# cd dev
# cd char
# ls
10:61 13:64 1:3 1:8 249:0 252:0 29:0 4:65 81:0 89:1
10:62 1:1 1:5 1:9 250:0 253:0 29:1 5:0 81:2
10:63 1:11 1:7 248:0 251:0 254:0 4:64 5:1 81:3
What the hell are this links with strange names ?
Remember the major and minor number, 81 and 0 ?
Let's follow this link :
#cd major:minor (ie 81:0)
#ls -al
drwxr-xr-x 2 root root 0 Jan 1 01:56 .
drwxr-xr-x 3 root root 0 Jan 1 01:56 ..
-r--r--r-- 1 root root 4096 Jan 1 01:56 dev
lrwxrwxrwx 1 root root 0 Jan 1 01:56 device -> ../../../vpfe-capture
-r--r--r-- 1 root root 4096 Jan 1 01:56 index
-r--r--r-- 1 root root 4096 Jan 1 01:56 name
lrwxrwxrwx 1 root root 0 Jan 1 01:56 subsystem -> ../../../../../class/video4linux
-rw-r--r-- 1 root root 4096 Jan 1 01:56 uevent
Now we can see that this device nod, which is how the device is presented to userspace, is associated with a kernel device. This association is made through a link. If we follow this link, we end up in a directory, with a driver link. The name of the driver is usually the name of the module :
# ls -al
drwxr-xr-x 3 root root 0 Jan 1 01:56 .
drwxr-xr-x 25 root root 0 Jan 1 00:00 ..
lrwxrwxrwx 1 root root 0 Jan 1 01:56 driver -> ../../../bus/platform/drivers/vpfe-capture
-r--r--r-- 1 root root 4096 Jan 1 01:56 modalias
lrwxrwxrwx 1 root root 0 Jan 1 01:56 subsystem -> ../../../bus/platform
-rw-r--r-- 1 root root 4096 Jan 1 01:56 uevent
drwxr-xr-x 3 root root 0 Jan 1 01:56 video4linux
So here the name of the module is vpfe_capture
The answer to this question is most likely different based on a number of factors. For example, if you're running udev, devfs, pre-devfs, etc.
If you're using Ubuntu (or another equally modern distro) the udevadm command might be what you want.
% udevadm info -q path -n /dev/cdrom
/devices/pci0000:00/0000:00:1f.1/host3/target3:0:0/3:0:0:0/block/sr0
So, my /dev/cdrom is provided by the sr driver, which resides in the sr_mod kernel module. I don't know of a command that takes /dev/cdrom as an argument and prints sr_mod as output.