this post was submitted on 16 Apr 2024
40 points (93.5% liked)

Selfhosted

40329 readers
253 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I've been trying to get hardware acceleration working on rootless containers of Plex and Jellyfin and I can't get it to work the proper way.

My current workaround is having my device /dev/dri/renderD128 with permissions set to 666, but I feel like that really isn't an ideal setup.

Some things I've done:

-Currently I'm running my containers with my user with ID 1000.

-My user is part of the render group, which is the group assigned to:

    /dev/dri/renderD128

-I'm passing the device to the containers as such:

  --device /dev/dri:/dev/dri

-In my plex container for example, I'm passing the IDs to use as such:

   -e PUID=1000 and -e PGID=1000

-I tried the option "--group-add keep-groups" and I see the groups in the container but I believe they're assigned to the root user in the container, and from my understanding, the plex and jellyfin images I've tried I think they create a user inside with the IDs I pass, in this case 1000, and so this new user doesn't get assigned my groups on the host. I'm using the LinuxServer.io images currently but I saw the official plex image creates a user named "plex". The LinuxServer.Io images create a user named "abc".

-Out of curiosity on the host I changed the group of /dev/dri/renderD128 to my user's group 1000, but that didn't work either

-I tried with the --privileged option too but that didn't seem to work either, at least running podman as my user.

-I haven't tried running podman as root for these containers, and I wonder how that compares security-wise vs having my /dev/dri/renderD128 with permissions set to 666

For some context, I've been transitioning from Docker to Podman rootless over the past 5 days maybe. I've learned a couple of things but this one has been quite a headache.

Any tips or hints would be appreciated. Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] h3ndrik@feddit.de 3 points 7 months ago* (last edited 7 months ago) (3 children)

Have you verified it is a permission issue? Maybe you're looking at the wrong place. Does it work if you set them 666?

[–] Kekin@lemy.lol 2 points 7 months ago (2 children)

Yeah I'm fairly certain it's a permission issue. Having the gpu with permissions 666 makes it work inside the containers.

The thing is also that these container images (plex and jellyfin) create a separate user inside, instead of using the root user, and this new user ("abc" for lsio images) doesn't get added to the same groups as the root user.

Also the render group that gets passed to the container appears as "nogroup", so I thought of adding user abc to "nogroup" but still didn't seem to work.

[–] h3ndrik@feddit.de 3 points 7 months ago* (last edited 7 months ago)

Sure. I believe that nogroup behaviour is a failsafe. Otherwise every misconfiguration would result in privilege escalation.

Unfortunately I'm not really familiar with that podman setup. I'm not sure if that --group-add keep-groups helps. I'm not sure what kind of groups are defined inside of the container. If the render group is even there and attached to the user that runs the process. Also I'm not sure if it's the group's name or number that counts... The numbers can be different from container to container.

Maybe you can peek at the container, see how it's set up inside? Maybe something like the --device-cgroup-rule helps to give access to the user within the container?

load more comments (1 replies)
load more comments (1 replies)