I have a USB webcam on /dev/video0 that I’m trying to access before a user logs in (to be precise, I have an Azure IoT Edge container running on an Ubuntu 18.04 instance that needs to run in headless mode, and the box needs to be able to be power cycled without someone having to physically log in every time).
If I first physically log in on the box, the ACLs are set properly for /dev/video0, and my container (which runs under myuser) can happily access
[email protected]:~$ sudo getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:myuser:rw-
group::rw-
mask::rw-
other::---
But if I do not physically log in on the box (e.g. right after a reboot), my user’s account (myuser) never gets ACL access to /dev/video0 (instead, the gdm user gets it).
[email protected]:~$ sudo getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:gdm:rw-
group::rw-
mask::rw-
other::---
I’m 99% sure this is an ACL problem, because when I ssh into the box (before physically logging in), and manually add myuser to the ACL list for /dev/video0, my container can again happily access
My question: how can I ensure that on startup, when /dev/video0 is mounted, this automatically happens:
sudo setfacl -m u:myuser:rw /dev/video0
Adding myuser to the video group does not work (ACLs seem broken on Ubuntu in this respect):
sudo usermod -a -G video myuser
I’ve tried every variation I can possibly think of RE: groups, with no impact. It seems like I really need to automatically add myuser to the ACL for /dev/video0 when Ubuntu starts, but I am unsure how to do that. Any ideas?
To be extremely precise, you need to start this before Docker starts your container.
So you can add a drop-in for the Docker systemd unit, to run whatever you wish prior to Docker starting.
For instance, I would create a systemd drop-in like this:
sudo mkdir -p /etc/systemd/system/docker.service.d
cat <<EOF | sudo tee /etc/systemd/system/docker.service.d/video-permissions.conf
[Service]
ExecStartPre=/usr/bin/setfacl -m u:myuser:rw /dev/video0
EOF
At this point, whenever Docker starts, the indicated command will be run beforehand.
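To confirm after a reboot that the drop-in took effect, the following added example (not part of the original question or answer) parses getfacl output and reports the effective permissions a user holds through a named ACL entry, that is, the entry's bits limited by the mask. The function names are hypothetical, and the two sample listings are the ones shown in the question, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example. acl_effective USER: read `getfacl` output on stdin and
# print USER's effective permissions from a named-user ACL entry.
# Effective = entry bits limited by the mask entry (POSIX ACL rule).
# Exit status is 1 when USER has no named entry at all.
acl_effective() {
    awk -F: -v user="$1" '
        /^#/ || NF < 3 { next }            # header comments, blanks, notices
        { sub(/[ \t]*#.*/, "", $3) }       # drop a trailing "#effective" note
        $1 == "user" && $2 == user { perms = $3; found = 1 }
        $1 == "mask"               { mask = $3; has_mask = 1 }
        END {
            if (!found) exit 1
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1)
                # a bit survives only if the mask also grants it
                if (has_mask && substr(mask, i, 1) == "-") p = "-"
                out = out p
            }
            print out
        }'
}

# Sample input: the listing from the question after a physical login.
acl_after_login() {
    cat <<'EOF'
# file: dev/video0
# owner: root
# group: video
user::rw-
user:myuser:rw-
group::rw-
mask::rw-
other::---
EOF
}

# Sample input: the listing from the question right after a reboot.
acl_after_reboot() {
    acl_after_login | sed 's/^user:myuser:/user:gdm:/'
}

# On the device itself (run as root):
#   getfacl -p /dev/video0 | acl_effective myuser
```

An exit status of 1 right after boot means the named entry for myuser is missing, which is the state shown in the second listing of the question.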
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.