Permission issue when connecting USB stick via Spice

I set up an windows VM following this tutorial: https://ubuntu.com/tutorials/how-to-install-a-windows-11-vm-using-lxd#1-overview

It works great for me except, as soon as I try to connect a USB stick via Spice using the dedicated button in the upper left corner of the window:

image

I receive the following error in the UI:

“USB redirection error: Could not redirect Kingston NAME_OF_MY_USB_STICK: Error Libusb_open: Access denied (insufficient permissions)[-3]”

In the terminal, where I started the VM following errors appear:

libusb: error [get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/002/003, errno=13
libusb: error [get_usbfs_fd] libusb requires write access to USB device nodes

I guess I have messed up the permissions somewhere but am rather new to linux containers. Any idea what I might have messed up? My configuration currently looks like this:

architecture: x86_64
config:
  limits.cpu: "4"
  limits.memory: 8GiB
  raw.qemu: -device intel-hda -device hda-duplex -audio spice
  volatile.cloud-init.instance-id: xxx
  volatile.eth0.host_name: xxx
  volatile.eth0.hwaddr: xxx
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: xxx
  volatile.uuid.generation: xxx
  volatile.vsock_id: "42"
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  itunes:
    path: itunes
    source: /home/johndoe/Music/iTunes
    type: disk
  root:
    path: /
    pool: default
    size: 80GiB
    type: disk
  vtpm:
    path: /dev/tpm0
    type: tpm
ephemeral: false
profiles:
- default
stateful: false
description: ""

The same issue arises for other USB devices, webcams, headsets etc. (I know that webcams should not be connected via Spice at all).

Right after writing this post, even though I had tried before for a considerable amount of time, I found the solution… I will not delete this thread, just in case someone else encounters the same issue:

I have checked my USB devices via lsusb and checked bus and device number, which in my case were

Bus 002 Device 004

I then checked the permissions:

ls -l /dev/bus/usb/002/003

which were

crw-rw-r-- 1 root root 189, 130 Sep 18 17:39 /dev/bus/usb/002/003

I noticed that the corresponding group was root. I, thus, created a firewall rule:

sudo vim /etc/udev/rules.d/50-usb.rules

with following content

SUBSYSTEM=="usb", MODE="0664", GROUP="plugdev"

setting the group to plugdev to which I had added my user before already. After reloading and triggering

sudo udevadm control --reload
sudo udevadm trigger

permissions are now:

crw-rw-r-- 1 root plugdev 189, 131 Sep 18 18:19 /dev/bus/usb/002/004

and the connection works like a charm.

Glad to hear its working.

You could also try connecting the usb device directly to the VM (if its connected to the same host where the VM is running) using the usb device type:

https://documentation.ubuntu.com/lxd/en/latest/reference/devices_usb/

1 Like

In fact that was the first option I tried for hours for my iPhone but it always yielded errors. However, I see that they are really iPhone specific – it works like a charm when I do the same thing for a simple USB stick (without modifying any firewall rules as above):


For anyone interested:

lsusb

will give you something like

Bus 002 Device 002: ID 0101:0202 My USB Device

with 0101 being the vendor ID and 0202 being the product ID. With that you can connect the USB device directly via

lxc config device add win11 foo usb vendorid=0101 productid=0202

From what I read this has better performance than Spice. Hence, I will use this for things that require low latency (webcam, mic etc.).

@tomp Thanks a lot for pointing this out, much appreciated, that helped me!

1 Like