[Feature-Request] docker support without volume sharing

[patrickwasp]

Feature Request: Enable OAK Camera Access Without Volume Sharing

Why

Currently, accessing OAK cameras in Docker requires mounting /dev/bus/usb as a volume. This prevents usage in environments that don't allow volume mounting, such as Balena OS - a popular edge device management platform. This limitation blocks potential industrial and IoT applications where Balena would be the ideal deployment solution.

What

Add support for accessing OAK cameras in containerized environments without requiring volume mounts. This would enable:

• Deployment on Balena OS
• Better security by reducing privileged access requirements
• Simplified container configuration
• Broader compatibility with restricted container environments

How

Proposed implementation approaches:

1. Native USB Access Layer:

   • Implement direct USB communication through libusb/hidapi
   • Package necessary udev rules within container image
   • Configure device access through container runtime permissions

2. Alternative Device Access Method:

   • Create a device node interface that doesn't rely on volume mounts
   • Implement USB device discovery through sysfs interface
   • Use device cgroup rules for access control

The exact implementation details would need to be determined by the DepthAI team based on the codebase architecture.

Current Workaround Limitations

Attempted solutions like installing udev rules in the container or creating USB device directories do not resolve the fundamental need for volume access to USB devices.

[brmarkus]

Can you sare the docker run command line you are using, please?
I usually use the same for different RealSense and OAK cameras, which contain e.g.

    --device=/dev/usb \
    --device=/dev/dri \
    --device-cgroup-rule "c 81:* rmw" \
    --device-cgroup-rule "c 189:* rmw" \

[patrickwasp]

I'm just trying out the example in the docs right now. I know there's still a volume for the display, but that's not the important one, since I won't be using a display.

https://docs.luxonis.com/software/depthai/manual-install#Manual%20DepthAI%20installation-Installing%20dependencies-Docker

this works:

docker run --rm \
    --privileged \
    -v /dev/bus/usb:/dev/bus/usb \
    --device-cgroup-rule='c 189:* rmw' \
    -e DISPLAY=$DISPLAY \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    luxonis/depthai-library:latest \
    python3 /depthai-python/examples/ColorCamera/rgb_preview.py

this doesn't:

docker run --rm \
 --privileged \
 --device=/dev/bus/usb \
 --device=/dev/usb \
 --device=/dev/dri \
 --device-cgroup-rule="c 81:* rmw" \
 --device-cgroup-rule="c 189:* rmw" \
 -e DISPLAY=$DISPLAY \
 -v /tmp/.X11-unix:/tmp/.X11-unix \
 luxonis/depthai-library:latest \
 python3 /depthai-python/examples/ColorCamera/rgb_preview.py

Traceback (most recent call last):
  File "/depthai-python/examples/ColorCamera/rgb_preview.py", line 24, in <module>
    with dai.Device(pipeline) as device:
RuntimeError: Failed to find device after booting, error message: X_LINK_DEVICE_NOT_FOUND

The camera is an OAK-D-S2-FF

[brmarkus]

Ah ok, I see.
X_LINK_DEVICE_NOT_FOUND occurs after the device switches (from USB-high-speed to USB-super-speed) and couldn't be found again afterwards.
Yeah, OpenVINO and Myriad-X (NCS, NCS2) needed to add libUSB without udev-support compiled within the container to solve it.

[patrickwasp]

I'm not sure how to prepare an image with the correct prerequisites, do you have an example of what worked for you? This is what I tried.

FROM luxonis/depthai-library:latest

# Install build dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    pkg-config \
    wget \
    udev \
    libudev-dev

# Download and build libusb without udev support
RUN wget https://github.com/libusb/libusb/releases/download/v1.0.26/libusb-1.0.26.tar.bz2 \
    && tar xf libusb-1.0.26.tar.bz2 \
    && cd libusb-1.0.26 \
    && ./configure --disable-udev \
    && make \
    && make install \
    && ldconfig

# Add udev rules for OAK devices
RUN echo 'SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", ACTION=="add", MODE="0666"' > /etc/udev/rules.d/80-movidius.rules \
    && echo 'SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", ACTION=="remove", MODE="0666"' >> /etc/udev/rules.d/80-movidius.rules \
    && echo 'SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666", GROUP="users"' >> /etc/udev/rules.d/80-movidius.rules

# Clean up
RUN apt-get clean && \
    rm -rf /var/lib/apt/lists/* /libusb-1.0.26*

# Set library path to use the new libusb
ENV LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH

# Create necessary device directories
RUN mkdir -p /dev/bus/usb \
    && mkdir -p /dev/dri

services:
  oak:
    build:
      context: .
      dockerfile: oak.dockerfile
    privileged: true
    device_cgroup_rules:
      - 'c 189:* rmw'
      - 'c 81:* rmw'
    devices:
      - "/dev/bus/usb"
      - "/dev/dri"
    cap_add:
      - SYS_RAWIO
    command: python3 /depthai-python/examples/ColorCamera/rgb_preview.py

this pull request apparently fixed the issue on RealSense: IntelRealSense/librealsense#11900

[brmarkus]

Hmm, I think I mixed something up... my old records show that I added a couple of devices with --device=... ..., but also that I used -v /dev/bus/usb \.

It's some time ago already when OpenVINO stopped supporting Movidius-Myriax-X. The old Dockerfile should still be in a Github repo, but your reference to RealSense seems changed in the software for device-enumeration is/was needed...

[patrickwasp]

with realsense it was possible to run it before the merge linked above using privileged mode and sharing the whole /dev in devices.

  realsense:
    build:
      context: ./docker
      dockerfile: ros-realsense.dockerfile
    privileged: true
    devices:
      - "/dev:/dev"

IntelRealSense/realsense-ros#1104 (comment)

but that doesn't work the oak.