Claiming devices with Edera

ℹ️
Kubernetes users: See Using block devices in Kubernetes instead.

This guide covers claiming devices for standalone Edera zones using the protect CLI.

Edera lets you claim and attach physical devices—like block storage or PCI hardware—using a simple config and CLI workflow. This is useful when:

  • You’re working with passthrough hardware, such as PCI-attached devices
  • You’re experimenting with SR-IOV and need zone-level access to virtual functions (VFs)
  • You want to use a specific block device (for example, an NVMe drive) outside of Kubernetes

⚠️
Devices are mounted directly into zones and are not virtualized. Use with caution.

TL;DR

  1. Add device to daemon.toml
  2. Restart the protect daemon
  3. Confirm with protect device list
  4. Use --attach-device on zone launch

Step-by-step

1. Add the device to the config

Edit /var/lib/edera/protect/daemon.toml to include your device:

[block.devices]
[block.devices.mydevice]
path = "/dev/sdb" # or your actual device path

For PCI devices (such as GPUs or other PCI hardware):

[pci.devices]
[pci.devices.pci0]
locations = ["0000:11:00.0"]  # replace with actual PCI address
permissive = true
msi-translate = false
power-management = true
rdm-reserve-policy = "relaxed"

ℹ️
For SR-IOV virtual functions, make sure you add the following options under your individual device configuration (in this case pci0):

skip-pirq-map = true
disable-managed-pciback = true

For now, you will also need to hide the device using pciback and blacklist the virtual function driver.

For example, edit the /etc/default/grub.d/99-edera-settings.cfg file and add the following to hide two virtual functions and blacklist the iavf driver.

GRUB_CMDLINE_LINUX_DEFAULT="<clipped> xen-pciback.hide=(03:0a.0)(03:0a.1) xen-pciback.passthrough=1 xen-pciback.permissive=1 modprobe.blacklist=iavf"

💡
You can claim multiple devices by adding more entries.
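
A pre-flight check for the SR-IOV settings above, as an added example that is not part of the Edera documentation or tooling: it compares the PCI addresses claimed in daemon.toml with those hidden by xen-pciback.hide on the kernel command line (with or without the 0000: domain prefix) and confirms the VF driver is blacklisted. The function names and the sample values are assumptions made for illustration.

```shell
# Added example. CMDLINE and TOML are constructed samples; on a real host use
# "$(cat /proc/cmdline)" and "$(cat /var/lib/edera/protect/daemon.toml)".

# Normalise to lower-case domain:bus:dev.fn, adding domain 0000 when omitted,
# so "03:0A.0" and "0000:03:0a.0" compare equal. Checks the shape only.
norm_bdf() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$a" in
        ????:??:??.?) printf '%s\n' "$a" ;;
        ??:??.?)      printf '0000:%s\n' "$a" ;;
        *)            return 1 ;;
    esac
}

# Print each address in xen-pciback.hide=(..)(..) on a kernel command line.
hidden_bdfs() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^xen-pciback\.hide=//p' |
        tr '()' '\n\n' | while read -r a; do norm_bdf "$a" || true; done
}

# Print each address in the locations = [...] lines of daemon.toml text.
toml_bdfs() {
    printf '%s\n' "$1" | sed -n 's/#.*//; s/^[[:space:]]*locations[[:space:]]*=//p' |
        grep -oE '[0-9A-Fa-f:]+\.[0-7]' |
        while read -r a; do norm_bdf "$a" || true; done
}

# $1 = cmdline, $2 = daemon.toml text. Lists claimed addresses that the
# command line does not hide and returns 1 if there are any.
check_hidden() {
    hidden=$(hidden_bdfs "$1"); rc=0
    for a in $(toml_bdfs "$2"); do
        printf '%s\n' "$hidden" | grep -qxF "$a" ||
            { echo "not hidden by xen-pciback.hide: $a"; rc=1; }
    done
    return $rc
}

# $1 = cmdline, $2 = driver. Returns 0 if modprobe.blacklist= names the driver.
check_blacklisted() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^modprobe\.blacklist=//p' |
        tr ',' '\n' | grep -qxF "$2"
}

CMDLINE='ro quiet xen-pciback.hide=(03:0a.0)(03:0a.1) xen-pciback.passthrough=1 xen-pciback.permissive=1 modprobe.blacklist=iavf'
TOML='[pci.devices.pci0]
locations = ["0000:03:0a.0", "0000:03:0a.2"]  # .2 is deliberately not hidden'
check_hidden "$CMDLINE" "$TOML" || echo "fix the kernel command line first"
check_blacklisted "$CMDLINE" iavf && echo "iavf is blacklisted"
```
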

2. Restart the daemon

sudo systemctl restart protect-daemon

3. Confirm device is available

protect device list

Make sure mydevice or pci0 appears in the output.

4. Attach the device to a zone

For block devices:

protect zone launch --name my-zone --attach-scratch-disk mydevice

For PCI devices:

protect zone launch --name my-zone --device pci0

ℹ️
For SR-IOV NIC virtual functions, make sure you use the passthrough network backend:

protect zone launch -n test --network-backend passthrough --device pci0

This option is similar to the external backend, so you will need to configure the zone networking with:

protect zone configure-network <options>

5. Run workloads (optional)

Once the zone is running, you can launch a workload inside it that uses the device directly:

protect workload launch --zone my-zone --name my-app my-image:latest

Notes

  • For PCI devices, make sure the IOMMU is enabled on the kernel command line.
  • Devices are re-initialized on each zone launch (for example, block devices are formatted if using scratch disk mode).
  • For SR-IOV devices, ensure the VF is visible via lspci and has a unique PCI address.
  • For SR-IOV devices, make sure the drivers exist in the zone kernel. Otherwise, you may get an error like: failed to setup zone: failed to initialize network: failed to apply network link config: Received a netlink error message inside the zone. Please see the documentation on building zone kernels.
  • This feature requires Edera v1.2.0 or later.
    • SR-IOV requires Edera v1.3.1 or later.

Further reading

  • GPU passthrough to an Edera zone
  • Using a scratch disk with Edera
