
TL;DR

I would like to know if there is a way to get AF_NETLINK/NETLINK_KOBJECT_UEVENT messages in a Docker container without using --net host, so I can make the libusb hotplug feature work...

Partially answered; read Edit 1 and Edit 2.


I am trying to dockerize an app (DSView) which uses libusb to detect when a device is connected. It uses the libusb hotplug capabilities to do so.

After analysing the libusb code I can see that, on Linux, the hotplug capabilities are based on libudev monitors, which rely on AF_NETLINK/NETLINK_KOBJECT_UEVENT messages coming from the kernel to detect new USB device connections.

I have read other posts suggesting to run Docker with this:

--net host -v /run/udev/control:/run/udev/control

This works perfectly; the problem is that it creates a lot of security concerns.

After a deeper inspection of the libudev monitor implementation, I can say that -v /run/udev/control:/run/udev/control is not needed, since libudev monitors don't use that socket at all. libudev only checks if that file is accessible, which means I can just do -v $HOME/dummy:/run/udev/control or even create an empty /run/udev/control file in the container to bypass this check.

On the other hand, --net host is required to keep the container in the same namespace as the host (main namespace). This is required because AF_NETLINK/NETLINK_KOBJECT_UEVENT messages are only sent to the main namespace (← WRONG!!!), probably a udev requirement.

Again, this is far from ideal, because by adding --net host we are exposing all host network resources to the container.

I was considering patching libusb to add the NETLINK_LISTEN_ALL_NSID option to the socket used by the libudev monitor (udev_monitor.monitor.sock), but I would like to know if there is any easier way to get AF_NETLINK/NETLINK_KOBJECT_UEVENT messages in all namespaces (← Not needed, see Edit 1).

PS: -v /run/udev/control:/run/udev/control would be required in case we want to control the host udev from the container (reset, add rules?, etc.), which does not look safe at all.

PS2: In case you are curious, this is the project's GitHub.


EDIT 1: I have written a proof of concept reading the netlink socket directly, and my surprise was that I can see AF_NETLINK/NETLINK_KOBJECT_UEVENT messages in the container without adding NETLINK_LISTEN_ALL_NSID and without --net host.

EDIT 2: OK, I managed to find a workaround for my problem. I have compiled libusb without udev support (../configure --disable-udev) and now DSView works.

It looks like udev doesn't play nice with Docker. Reading the libudev code I can see that there is plenty of stuff preventing you from running it in a container, but I really cannot see which part prevents libudev from showing the hotplug event on the monitor and/or why it does that when using the host network...

I say that this is partially answered because I would like to know why.

Lord_Rafa
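The direct netlink read described in Edit 1, as an added example that is not the poster's code and does not use libusb or libudev: a small C listener binds an AF_NETLINK/NETLINK_KOBJECT_UEVENT socket to the kernel's uevent multicast group, parses the NUL-separated "action@devpath" + KEY=VALUE records the kernel sends, rejects udevd's own "libudev"-prefixed rebroadcasts, and keeps only the SUBSYSTEM=usb / DEVTYPE=usb_device add/remove events that the libusb hotplug backend filters on through libudev. The record layout and group numbers are assumptions from the kernel uevent format, and the sample record (device path, PRODUCT id, SEQNUM) is constructed for the test.

```c
// Added example: kernel uevent listener with a uevent record parser.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define UEVENT_BUF_SIZE 8192
#define UEVENT_MAX_PAIRS 64
#define UEVENT_GROUP_KERNEL 1   /* kernel multicast group; udevd rebroadcasts on group 2 */

struct uevent {
    char action[32];                     /* "add", "remove", "bind", ... */
    char devpath[256];                   /* sysfs path following the '@' */
    const char *subsystem, *devtype;     /* shortcuts into the pairs below */
    size_t npairs;
    const char *keys[UEVENT_MAX_PAIRS];  /* each points at "KEY=VALUE" inside the caller's buffer */
    const char *values[UEVENT_MAX_PAIRS];
};

/* Constructed sample in the kernel layout: "action@devpath" then NUL-separated
   KEY=VALUE pairs; the literal's implicit terminator is the record's final NUL. */
static const char SAMPLE_UEVENT[] =
    "add@/devices/pci0000:00/0000:00:14.0/usb1/1-2\0"
    "ACTION=add\0DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2\0"
    "SUBSYSTEM=usb\0DEVTYPE=usb_device\0PRODUCT=1d50/608c/0\0SEQNUM=1234";
#define SAMPLE_UEVENT_LEN sizeof(SAMPLE_UEVENT)

const char *uevent_get(const struct uevent *ev, const char *key)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i < ev->npairs; i++)
        if (strncmp(ev->keys[i], key, klen) == 0 && ev->keys[i][klen] == '=')
            return ev->values[i];
    return NULL;
}

/* Parse one datagram. Returns 0 on success, -1 for udevd's "libudev" messages or
   malformed input. Pointers in *ev refer into buf, so buf must outlive *ev. */
int parse_uevent(const char *buf, size_t len, struct uevent *ev)
{
    memset(ev, 0, sizeof *ev);
    if (len == 0 || buf[len - 1] != '\0') return -1;          /* records are NUL-terminated */
    if (len >= 8 && memcmp(buf, "libudev\0", 8) == 0) return -1; /* udevd rebroadcast, not kernel */
    const char *end = buf + len;
    const char *at = memchr(buf, '@', strlen(buf));            /* header: action@devpath */
    if (!at) return -1;
    size_t alen = (size_t)(at - buf);
    if (alen == 0 || alen >= sizeof ev->action) return -1;
    memcpy(ev->action, buf, alen);
    snprintf(ev->devpath, sizeof ev->devpath, "%s", at + 1);
    for (const char *p = buf + strlen(buf) + 1; p < end && ev->npairs < UEVENT_MAX_PAIRS; p += strlen(p) + 1) {
        const char *eq = strchr(p, '=');
        if (!eq) return -1;
        ev->keys[ev->npairs] = p;
        ev->values[ev->npairs] = eq + 1;
        ev->npairs++;
    }
    ev->subsystem = uevent_get(ev, "SUBSYSTEM");
    ev->devtype = uevent_get(ev, "DEVTYPE");
    return 0;
}

/* The subset of events a USB hotplug consumer cares about. */
int is_usb_device_event(const struct uevent *ev)
{
    return ev->subsystem && strcmp(ev->subsystem, "usb") == 0 &&
           ev->devtype && strcmp(ev->devtype, "usb_device") == 0 &&
           (strcmp(ev->action, "add") == 0 || strcmp(ev->action, "remove") == 0);
}

/* One-shot lookup in a captured datagram; NULL when rejected or key absent. */
const char *uevent_lookup_in(const char *buf, size_t len, const char *key)
{
    struct uevent ev;
    if (parse_uevent(buf, len, &ev) != 0) return NULL;
    return uevent_get(&ev, key);
}

int sample_is_usb_hotplug(void)
{
    struct uevent ev;
    return parse_uevent(SAMPLE_UEVENT, SAMPLE_UEVENT_LEN, &ev) == 0 && is_usb_device_event(&ev);
}

/* Subscribe to kernel uevents in the caller's own network namespace. */
int open_uevent_socket(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_KOBJECT_UEVENT);
    if (fd < 0) return -1;
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = UEVENT_GROUP_KERNEL };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

int main(void)
{
    int fd = open_uevent_socket();
    if (fd < 0) { perror("uevent socket"); return 1; }
    char buf[UEVENT_BUF_SIZE];
    struct uevent ev;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { if (errno == EINTR) continue; perror("recv"); break; }
        if (parse_uevent(buf, (size_t)n, &ev) == 0 && is_usb_device_event(&ev)) {
            const char *product = uevent_get(&ev, "PRODUCT");
            printf("%s %s product=%s\n", ev.action, ev.devpath, product ? product : "?");
        }
    }
    close(fd);
    return 0;
}
```

Built with a plain `cc uevent.c -o uevent`, this prints one line per USB device add/remove, which is the check the poster ran in Edit 1: if lines appear inside a container started without --net host, the kernel is delivering uevents to that container's network namespace and the host namespace is not needed for hotplug detection. The parser keeps pointers into the receive buffer rather than copying values, so a caller that wants to hold an event past the next recv() must copy what it needs.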

0 Answers