Claiming devices with Edera

Need to pass a device into a zone? Edera lets you claim and attach physical devices—like block storage or PCI hardware—using a simple config and CLI workflow.

This is useful when:

  • You want to use a specific block device (for example, an NVMe drive)
  • You're working with passthrough hardware, such as PCI-attached devices
  • You’re experimenting with SR-IOV and need zone-level access to virtual functions (VFs)
⚠️ Devices are mounted directly into zones and are not virtualized. Use with caution.

TL;DR

  1. Add device to daemon.toml
  2. Restart the protect daemon
  3. Confirm with protect device list
  4. Use --attach-device on zone launch

Step-by-step

1. Add the device to the config

Edit /var/lib/edera/protect/daemon.toml to include your device:

[block.devices]
[block.devices.mydevice]
path = "/dev/sdb" # or your actual device path

For PCI devices (such as GPUs or NICs):

[pci.devices]
[pci.devices.pci0]
locations = ["0000:11:00.0"]  # replace with actual PCI address
permissive = true
msi-translate = false
power-management = true
rdm-reserve-policy = "relaxed"

Note

For SR-IOV virtual functions, add the following options under the individual device configuration (in this case pci0):

skip-pirq-map = true
disable-managed-pciback = true

For now, you will also need to hide the device from the host using xen-pciback and blacklist the virtual function driver.

For example, edit the /etc/default/grub.d/99-edera-settings.cfg file and add the following to hide two virtual functions and blacklist the iavf driver:

GRUB_CMDLINE_LINUX_DEFAULT="<clipped> xen-pciback.hide=(03:0a.0)(03:0a.1) xen-pciback.passthrough=1 xen-pciback.permissive=1 modprobe.blacklist=iavf"
💡 You can claim multiple devices by adding more entries.

2. Restart the daemon

sudo systemctl restart protect-daemon

3. Confirm device is available

protect device list

Make sure mydevice or pci0 appears in the output.

4. Attach the device to a zone

For block devices:

protect zone launch --name my-zone --attach-scratch-disk mydevice

For PCI devices:

protect zone launch --name my-zone --device pci0

Note

For SR-IOV NIC virtual functions, use the passthrough network backend:

protect zone launch -n test --network-backend passthrough --device pci0

This backend behaves like the external backend, so you will also need to configure the zone's networking with:

protect zone configure-network <options>

5. Run workloads (optional)

Once the zone is running, you can launch a workload inside it that uses the device directly:

protect workload launch --zone my-zone --name my-app my-image:latest

Notes

  • For PCI devices, make sure the IOMMU is enabled on the kernel command line.
  • Devices are re-initialized on each zone launch (for example, block devices are formatted when using scratch disk mode).
  • For SR-IOV devices, ensure the VF is visible via lspci and has a unique PCI address.
  • For SR-IOV devices, the VF drivers must exist in the zone kernel; otherwise you may get an error like: failed to setup zone: failed to initialize network: failed to apply network link config: Received a netlink error message inside the zone. See the documentation on building zone kernels.
  • This feature requires Edera v1.2.0 or later.
    • SR-IOV requires Edera v1.3.1 or later.
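A preflight script covering the PCI prerequisites above (an IOMMU option on the kernel command line, the VF hidden by xen-pciback as in the GRUB line in step 1, and the address enumerated in sysfs), as an added shell example that is not part of Edera's tooling; the accepted IOMMU spellings, the sysfs paths and the `preflight` helper name are assumptions.

```shell
# Preflight checks for a PCI device before it goes into daemon.toml (added
# example, not Edera tooling). Checks take inputs as arguments for testability.

# 0 if an IOMMU option is on the kernel command line. The accepted spellings
# are an assumption; confirm the one your platform expects.
iommu_enabled() {
  for tok in $1; do
    case "$tok" in
      intel_iommu=on|amd_iommu=on|iommu=pt|iommu=force) return 0 ;;
    esac
  done
  return 1
}

# 0 if xen-pciback.hide=... lists the address. Accepts it with or without the
# 0000: domain, since the GRUB example uses the short form and daemon.toml the full.
pciback_hides() {
  addr="$2"; short="${addr#0000:}"
  for tok in $1; do
    case "$tok" in
      xen-pciback.hide=*)
        case "${tok#xen-pciback.hide=}" in
          *"($addr)"*|*"($short)"*) return 0 ;;
        esac ;;
    esac
  done
  return 1
}

# 0 if the address is enumerated under sysfs (second arg: bus dir, for tests).
pci_address_present() {
  [ -d "${2:-/sys/bus/pci/devices}/$1" ]
}

# Driver bound to the device, or "none". A VF still bound to its host driver
# (e.g. iavf) has not been hidden and cannot be claimed.
pci_bound_driver() {
  link="${2:-/sys/bus/pci/devices}/$1/driver"
  if [ -L "$link" ]; then basename "$(readlink "$link")"; else echo none; fi
}

# Run every check on the live host: preflight 0000:03:0a.0
preflight() {
  cmd=$(cat /proc/cmdline)
  iommu_enabled "$cmd"      || echo "WARN: no IOMMU option on kernel cmdline"
  pciback_hides "$cmd" "$1" || echo "WARN: $1 not in xen-pciback.hide"
  pci_address_present "$1"  || echo "WARN: $1 not visible in sysfs (check lspci)"
  echo "$1 bound driver: $(pci_bound_driver "$1")"
}
```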

Further reading

GPU passthrough to an Edera zone
Using a scratch disk with Edera
