USB Passthrough Override Script - to ensure usb-policy.conf consistency
-
@stormi I have added a use case to the GitHub issue on the XAPI repository. It is one which is very likely to be happening, possibly often, as VMs can be used in a software development release cycle, in this case building and digitally signing software.
I also added a link to a specific item in the use case, which would need to be able to be passed through.
-
@stormi said in USB Passthrough Override Script - to ensure usb-policy.conf consistency:
What we could do short term would be diverging from XenServer's packaging of usb-policy.conf in two ways:
- stop overwriting the file when it has customizations
- add a big warning on top of the file stating that were you to modify it, you would not get updates of this file anymore lest you manually watch for usb-policy.conf.rpmnew files to appear after an update, manually merge changes, and not get support regarding USB matters anymore
This would achieve what your script does, in a much simpler way, but still give us some level of control. Configuration would still be overwritten when you upgrade to a newer release of XCP-ng, which would also be mentioned in the warning.
IMHO, this is not exactly a solution. User information will still get overwritten and you would need to manage to store it elsewhere and copy-paste it on every update.
The above solution is messy and I believe will cause even more tickets as the user might 'forget' to re-install his changes and/or update manually.
Better solution IMHO, would be :
- Have a separate user config which probably says #Start User config and ends with #End user config.
- Build usb-policy.conf by removing default filters and injecting the above user config file at the appropriate place every time you guys update, and also re-build/inject when the file changes.
In the above way, the user-config will be saved and there should be no tickets stemming from this.
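The marker-delimited merge proposed in the post above, sketched as an added example that is not part of the original post or of XCP-ng. The marker strings come from the post; the function names, the choice to inject the block at the top of the file, the decision to keep the vendor rules intact, and the existence of a DENY: rule form are assumptions.

```shell
#!/bin/sh
# Added example: rebuild usb-policy.conf from the shipped file plus a separate
# user file that starts and ends with the markers named in the post.
START='#Start User config'
END='#End user config'

# Copy stdin to stdout, dropping any previously injected user block.
strip_user_block() {
    awk -v s="$START" -v e="$END" '
        $0 == s { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }'
}

# The user file must be readable, open and close with the markers (each exactly
# once), and contain nothing but blank lines, comments and ALLOW:/DENY: rules.
validate_user_rules() {
    [ -r "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "$START" ] || return 1
    [ "$(tail -n 1 "$1")" = "$END" ] || return 1
    [ "$(grep -cxF -e "$START" "$1")" = 1 ] || return 1
    [ "$(grep -cxF -e "$END" "$1")" = 1 ] || return 1
    ! grep -Evq '^[[:space:]]*($|#|(ALLOW|DENY):)' "$1"
}

# build_policy POLICY USERCONF: put the user block on top of POLICY.
# The file is replaced only when the result differs, so a file-change
# trigger watching POLICY settles after one run.
build_policy() {
    policy=$1; user=$2
    validate_user_rules "$user" || { echo "rejecting $user" >&2; return 1; }
    tmp=$(mktemp "$policy.XXXXXX") || return 1
    # cp -p makes the temp file inherit the policy file's mode and owner.
    cp -p "$policy" "$tmp" || { rm -f "$tmp"; return 1; }
    { cat "$user"; strip_user_block < "$policy"; } > "$tmp"
    if cmp -s "$tmp" "$policy"; then rm -f "$tmp"; return 0; fi
    mv "$tmp" "$policy"
}

# Stand-alone use: sh this-script POLICY USERCONF
if [ "$#" -eq 2 ]; then build_policy "$1" "$2"; fi
```

Because the user block is stripped and re-injected on every run, an update that replaces the shipped rules keeps its changes and the user's entries are restored on top of them.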
-
I have another suggestion:
We can simply make a usb-policy.conf builder in XO, where the user can add/remove/edit the filters using a GUI and XO pushes the file after re-building it at every update?
This should be simple enough and the base XCP-ng would not be touched at all (still be close to upstream Xen!)

Of course the caveat is that the user has to update using XO, not directly run yum update, since in that case XO would not know. (We can build a manual push-override in XO for that like you do for VxLAN certificates.) This is assuming pushing a custom file through XAPI is possible .....
-
@gb-123 said in USB Passthrough Override Script - to ensure usb-policy.conf consistency:
This is assuming pushing a custom file through XAPI is possible .....
That's the whole point : it isn't until we code support for it in XAPI.
-
I ran into the same issue (usb-policy.conf overwritten by update) and found this conversation. Sad to see that the script was removed, so I was not able to use/improve it and had to build something new.
You were saying something about cronjob not being ideal, this workaround is using systemd.path as trigger. The script also just re-inserts your change at the top of the file in case the VID/PID combination is missing, so possible security fixes are not un-fixed.
/root/modify-usb-policy.sh (or put it wherever seems reasonable for you):

```bash
#!/bin/bash
USBPOL=/etc/xensource/usb-policy.conf
VID= # insert VendorId in hex
PID= # insert ProductId in hex
if ! grep -q "vid=${VID}.*pid=${PID}" "$USBPOL"; then
    sed -i "1s/^/ALLOW: vid=${VID} pid=${PID} # manually added\n/" "$USBPOL"
fi
```

/etc/systemd/system/modify-usb-policy.service

```ini
[Unit]
Description=Modify usb-policy.conf to restore custom changes

[Service]
Type=oneshot
ExecStart=/root/modify-usb-policy.sh

[Install]
WantedBy=multi-user.target
```

/etc/systemd/system/modify-usb-policy.path

```ini
[Path]
PathChanged=/etc/xensource/usb-policy.conf

[Install]
WantedBy=multi-user.target
```

Enable the path file:

```bash
systemctl enable modify-usb-policy.path
systemctl start modify-usb-policy.path
```

License CC0
-
This is no longer needed if you have Xen Orchestra version 5.93 or later, alternatively if using in home lab and from source then any commit dated after 29th March 2024 (or current head on GitHub Main - Master). The reason being that Xen Orchestra from version 5.93 has official support for USB Passthrough and later from version 5.95 you can do PCI Passthrough.
https://xen-orchestra.com/blog/xen-orchestra-5-93/
https://xen-orchestra.com/blog/xen-orchestra-5-95/
-
@john-c Nice to see progress there, I did not update to that version yet. Did you already check if the shown USB devices are independent of the usb-policy.conf (so that you see really all devices there)? The blogpost did not get specific about this detail. As @stormi stated above, controlling the usb-policy is not available via XAPI for now.
-
@john-c said in USB Passthrough Override Script - to ensure usb-policy.conf consistency:
This is no longer needed if you have Xen Orchestra version 5.93 or later, alternatively if using in home lab and from source then any commit dated after 29th March 2024 (or current head on GitHub Main - Master). The reason being that Xen Orchestra from version 5.93 has official support for USB Passthrough and later from version 5.95 you can do PCI Passthrough.
This is unfortunately still needed, as otherwise the XO simply does not show the PUSB in the host, so it cannot be assigned as a VUSB for the VM.
@zeropointer thanks for the idea, this seems to be the most pragmatic solution.
-
@zeropointer @numo68
I have added my script back seeing so many people might require a solution.
I have also added automatic backup and change detection.
-
@exetico
I have updated my script.
Please use your previous install file (if you have it saved) to remove your previous version (remember to save your config before running uninstall), before you proceed to install the new version.