Quadlet with permissions to access GPIO on a Pi?

[torntrousers]

How can i run a Quadlet in a way that it can access the GPIO pins on a Raspbery Pi?

This without sudo fails:

podman run --cap-add SYS_RAWIO --device /dev/gpiomem docker.io/antelder/rpiblink
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 155, in __init__
    self.fd = os.open('/dev/gpiomem', os.O_RDWR | os.O_SYNC)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/gpiomem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 158, in __init__
    self.fd = os.open('/dev/mem', os.O_RDWR | os.O_SYNC)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/dev/mem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/blink.py", line 12, in <module>
    factory = NativeFactory()
              ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 395, in __init__
    self.mem = GPIOMemory(self.board_info.soc)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 160, in __init__
    raise IOError(
OSError: unable to open /dev/gpiomem or /dev/mem; upgrade your kernel or run as root

wheras running with sudo works:

sudo podman run --cap-add SYS_RAWIO --device /dev/gpiomem docker.io/antelder/rpiblink
hello2 - blue

so now with a Quadlet:

podman container create --name my-rpiblink-container --replace --device /dev/gpiomem --cap-add SYS_RAWIO
 docker.io/antelder/rpiblink
52cfaaf411fbcb895adb7bb41f3598a13ea73369978919820f86d09716b0a406
ant@pizero2:~ $ podman start 52cfaaf411fbcb895adb7bb41f3598a13ea73369978919820f86d09716b0a406
52cfaaf411fbcb895adb7bb41f3598a13ea73369978919820f86d09716b0a406
ant@pizero2:~ $ podman ps -a
CONTAINER ID  IMAGE                               COMMAND               CREATED         STATUS                    PORTS       NAMES
52cfaaf411fb  docker.io/antelder/rpiblink:latest  python3 /app/blin...  16 seconds ago  Exited (1) 6 seconds ago              my-rpiblink-container
ant@pizero2:~ $ podman logs 52
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 155, in __init__
    self.fd = os.open('/dev/gpiomem', os.O_RDWR | os.O_SYNC)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/gpiomem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 158, in __init__
    self.fd = os.open('/dev/mem', os.O_RDWR | os.O_SYNC)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/dev/mem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/blink.py", line 12, in <module>
    factory = NativeFactory()
              ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 395, in __init__
    self.mem = GPIOMemory(self.board_info.soc)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/gpiozero/pins/native.py", line 160, in __init__
    raise IOError(
OSError: unable to open /dev/gpiomem or /dev/mem; upgrade your kernel or run as root

So how do i get the "podman container create" to give the container permissions to access /dev/gpiomen?

Thanks for any help!

[rhatdan]

Does this work in rootful containers? Is this an SELinux issue?

[ygalblum]

In addition, can you access /dev/gpiomem without root permissions outside of the container?

[torntrousers]

yes, this works ok:

ant@pizero2:~ $ whoami
ant
ant@pizero2:~ $ groups ant
ant : ant adm dialout cdrom sudo audio video plugdev games users input render netdev spi i2c gpio lpadmin
ant@pizero2:~ $ ls -al /dev/gpiomem
crw-rw---- 1 root gpio 238, 0 Jan 30 09:24 /dev/gpiomem
ant@pizero2:~ $ python
Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from gpiozero.pins.native import NativeFactory
>>> from gpiozero import LED
>>> factory = NativeFactory()
>>> led = LED(17, pin_factory=factory)
>>> led.on()
>>>

[torntrousers]

@rhatdan - i'm quite new to podman, can you tell me how to try "rootful containers"?
@ygalblum - i will go try ...

[ygalblum]

According to this:

sudo podman run --cap-add SYS_RAWIO --device /dev/gpiomem docker.io/antelder/rpiblink
hello2 - blue

it does work with rootful containers. (@rhatdan this is what you meant, right?)

[torntrousers]

Also chatting about this in Discord: https://discord.com/channels/852634929845239818/852634929845239824/1201823834848624640

podman run -it --cap-add SYS_RAWIO --device /dev/gpiomem docker.io/antelder/rpiblink /bin/bash
root@352009bde0d5:/opt/app# whoami
root
root@352009bde0d5:/opt/app# ls -al /dev/gpiomem
crw-rw---- 1 nobody nogroup 238, 0 Jan 30 09:24 /dev/gpiomem
root@352009bde0d5:/opt/app#

versus running with sudo:

sudo podman run -it --cap-add SYS_RAWIO --device /dev/gpiomem docker.io/antelder/rpiblink /bin/bash
root@d013407c3814:/opt/app# whoami
root
root@d013407c3814:/opt/app# ls -al /dev/gpiomem
crw-rw---- 1 root 993 238, 0 Jan 30 09:38 /dev/gpiomem
root@d013407c3814:/opt/app#

What does that mean - nobody nogroup???

[torntrousers]

Suggestion from Discord was trying --group-add and that fixes it: podman run --device /dev/gpiomem --group-add=keep-groups docker.io/antelder/rpiblink

[ygalblum]

Regarding your second question, see the man page for podman run: https://docs.podman.io/en/stable/markdown/podman-run.1.html#device-host-device-container-device-permissions.
Read the note about --device and --group-add keep-groups

[torntrousers]

I do want a Quadlet! Struggling a bit to work it all out, various guides seem to say different things - has what to do changed over releases? So i create that ~/.config/containers/systemd/rpiblink.container file, and then what?

[ygalblum]

Quadlet is a systemd-generator. So, once you created the file you need to run:

systemctl --user daemon-reload

Note that systemd will load it automatically also upon the creation of the user session. So, this call is only needed when you do it for the first time and don't want to have to reboot.

Once the systemd daemon is reloaded, you will have a systemd service ready to be started:

systemctl --user start rpiblink.service

Please note that you can pass other systemd keys in your Quadlet file and they will be copied also to the service file. For example, to enable the service you can the following to your rpiblink.container file.

[Install]
WantedBy=default.target

[torntrousers]

Perfect, thanks.

How to I get it to restart on reboot - is that the WantedBy=default.target bit? Do i need sudo loginctl enable-linger that some guides mention?

[ygalblum]

The WantedBy=default.target part will enable the service having systemd start it upon user session creation.
If you want to have the service running upon reboot, you will need to enable the user lingering as you've mentioned sudo loginctl enable-linger <username>

[torntrousers]

Great, thanks everyone for the help.

[torntrousers]

Trying this again now on a new Pi with a new install of Podman and it doesn't work anymore. Now its using Podman 4.9.3 instead of 4.9.0

podman --version
podman version 4.9.3

ant@pizeroups:~ $ whoami
ant
ant@pizeroups:~ $ groups ant
ant : ant adm dialout cdrom sudo audio video plugdev games users input render netdev spi i2c gpio docker
ant@pizeroups:~ $ ls -al /dev/gpiochip0
crw-rw---- 1 root gpio 254, 0 Feb 19 15:30 /dev/gpiochip0
ant@pizeroups:~ $ podman run -it --rm --cap-add SYS_RAWIO --group-add=keep-groups --device /dev/gpiochip0 -e redpin=12 -e greenpin=16 -e bluepin=20 docker.io/antelder/pi-blink /bin/bash
root@bc45beae6800:/# whoami
root
root@bc45beae6800:/# groups root
root : root
root@bc45beae6800:/# ls -al /dev/gpio*
crw-rw---- 1 nobody nogroup 254, 0 Feb 19 15:30 /dev/gpiochip0
root@bc45beae6800:/# exit
exit
ant@pizeroups:~ $ podman run -it --rm --cap-add SYS_RAWIO --group-add=keep-groups --device /dev/gpiochip0 -e redpin=12 -e greenpin=16 -e bluepin=20 docker.io/antelder/pi-blink
Traceback (most recent call last):
  File "//blink.py", line 34, in <module>
    chip = gpiod.Chip('gpiochip0')
           ^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied

It works fine running with sudo:

ant@pizeroups:~ $ sudo podman run -it --rm --cap-add SYS_RAWIO --group-add=keep-groups --device /dev/gpiochip0 -e redpin=12 -e greenpin=16 -e bluepin=20 docker.io/antelder/pi-blink /bin/bash
root@9c8068b66826:/# ls -al /dev/gpio*
crw-rw---- 1 root 993 254, 0 Feb 21 09:09 /dev/gpiochip0
root@9c8068b66826:/# exit
exit
ant@pizeroups:~ $ sudo podman run -it --rm --cap-add SYS_RAWIO --group-add=keep-groups --device /dev/gpiochip0 -e redpin=12 -e greenpin=16 -e bluepin=20 docker.io/antelder/pi-blink
Blinking: Colour.RGB, speed=1.0, and pi5=False

Any ideas?

[rhatdan]

Yes SELinux is blocking the access. You can allow this with
SecurityLabelDisable=true

What does /dev/gipochip0 do?
matchpathcon /dev/gpiochip0
/dev/gpiochip0 system_u:object_r:gpio_device_t:s0

SELinux labels it as a gpio device? Should this be allowed to all containers by default?

A more security mechanism for running the container in lock down mode would be to execute:

sudo setsebool -P container_use_devices=true

This only needs to be done, and then containers would be allowed to use any device mounted into the container.

[torntrousers]

Hello @rhatdan thanks for replying! bit too cryptic for me though, where or how could i set SecurityLabelDisable=true?

I don't know what you are asking with this bit, are they question to me?

matchpathcon /dev/gpiochip0
/dev/gpiochip0 system_u:object_r:gpio_device_t:s0

On the Raspberry Pi i can connect external things to GPIO pins. To access those from the running container i need to give it access to the GPIO controller with that --device /dev/gipochip0 (for me this came from this issue: gpiozero/gpiozero#1117)

I tried the setsebool command but its not there:

ant@pizeroups:~ $ sudo setsebool -P container_use_devices=true
sudo: setsebool: command not found
ant@pizeroups:~ $

[torntrousers]

Oh, and also, it works with docker without sudo:

ant@pizeroups:~ $ docker run --device /dev/gpiochip0 -e redpin=12 -e greenpin=16 -e bluepin=-1 docker.io/quarklinkdev/pi
-blink
Blinking: Colour.RGB, speed=1.0, and pi5=False

[torntrousers]

I found this old issue #10166 and that talked about using crun instead of runc. I don't really understand but after some googling I did sudo apt install crun and then added --runtime /usr/bin/crun to the podman run command and now it works -

podman run --device /dev/gpiochip0 --group-add=keep-groups --runtime /usr/bin/crun -e redpin=12 -e greenpin=16 -e bluepin=20 docker.io/antelder/pi-blink

Can you help me understand this and the implications of using crun?

[rhatdan]

crun is the upstream default, now so you are fine.

[rhatdan]

Docker is still running in rootful mode, I would bet. If it is listening on /var/run/docker.sock and writable by the docker group, and your user is in the docker group, you are running rootful containers.

[rhatdan]

Also keep-groups is only supported by crun not runc.

[torntrousers]

Also keep-groups is only supported by crun not runc.

that does seem to be the case. wouldn't it be a bit more user friendly to get some error or warning if you try to use keep-groups with runc?