I've been trying to get hardware acceleration working on rootless containers of Plex and Jellyfin and I can't get it to work the proper way.
My current workaround is having my device /dev/dri/renderD128 with permissions set to 666, but I feel like that really isn't an ideal setup.
Some things I've done:
- Currently I'm running my containers with my user with ID 1000.
- My user is part of the render group, which is the group assigned to /dev/dri/renderD128.
- I'm passing the device to the containers as such: --device /dev/dri:/dev/dri
- In my Plex container, for example, I'm passing the IDs to use as such: -e PUID=1000 and -e PGID=1000
- I tried the option "--group-add keep-groups" and I see the groups in the container, but I believe they're assigned to the root user in the container, and from my understanding the Plex and Jellyfin images I've tried, I think, create a user inside with the IDs I pass (in this case 1000), so this new user doesn't get assigned my groups from the host. I'm using the LinuxServer.io images currently, but I saw the official Plex image creates a user named "plex". The LinuxServer.io images create a user named "abc".
- Out of curiosity, on the host I changed the group of /dev/dri/renderD128 to my user's group 1000, but that didn't work either.
- I tried with the --privileged option too, but that didn't seem to work either, at least running podman as my user.
- I haven't tried running podman as root for these containers, and I wonder how that compares security-wise vs having my /dev/dri/renderD128 with permissions set to 666.
For some context, I've been transitioning from Docker to Podman rootless over the past 5 days maybe. I've learned a couple of things but this one has been quite a headache.
Any tips or hints would be appreciated. Thanks!
Sure. I believe that nogroup behaviour is a failsafe. Otherwise every misconfiguration would result in privilege escalation.
Unfortunately I'm not really familiar with that podman setup. I'm not sure if that --group-add keep-groups helps. I'm not sure what kind of groups are defined inside of the container, if the render group is even there and attached to the user that runs the process. Also I'm not sure if it's the group's name or number that counts... The numbers can be different from container to container. Maybe you can peek at the container and see how it's set up inside? Maybe something like --device-cgroup-rule helps to give access to the user within the container?
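The number is what counts, and the reply's "nogroup" observation and the original post's failed chgrp-to-1000 experiment both follow from how rootless podman builds its user namespace. Below is an added example (not code from the thread, and not podman's own code) that reproduces the default rootless GID mapping arithmetic on constructed data: the invoking user's own GID is mapped to 0 in the container, the user's first /etc/subgid range is mapped starting at container GID 1, and any other host GID is unmapped and appears as the kernel overflow GID 65534 ("nogroup"). The sample /etc/subgid contents, the render GID 989 and the user GID 1000 are assumptions for illustration; on a real host, compare against `podman unshare cat /proc/self/gid_map` and `getent group render`.

```shell
#!/bin/sh
# Added example, not from the thread or from podman: model podman's default
# rootless user-namespace GID mapping to see what a host GID becomes inside
# the container, and vice versa.
#
# Assumed default mapping (what "podman unshare cat /proc/self/gid_map" prints
# on a stock rootless setup):
#   container 0        <- host USER_GID            (the invoking user's own group)
#   container 1..COUNT <- host SUBGID_START..      (first /etc/subgid range)
#   anything else      -> unmapped, shown as OVERFLOW_GID ("nogroup"/"nobody")

OVERFLOW_GID=65534   # kernel overflowgid: how unmapped IDs appear in the namespace

# map_host_gid HOST_GID USER_GID SUBGID_START SUBGID_COUNT
# Prints the GID that HOST_GID has inside the container (65534 if unmapped).
map_host_gid() {
    host_gid=$1; user_gid=$2; sub_start=$3; sub_count=$4
    if [ "$host_gid" -eq "$user_gid" ]; then
        echo 0
    elif [ "$host_gid" -ge "$sub_start" ] && [ "$host_gid" -lt $((sub_start + sub_count)) ]; then
        echo $((host_gid - sub_start + 1))
    else
        echo "$OVERFLOW_GID"
    fi
}

# map_container_gid CONTAINER_GID USER_GID SUBGID_START SUBGID_COUNT
# Reverse direction: which host GID a container-side GID (e.g. PGID=1000) really is.
map_container_gid() {
    ct_gid=$1; user_gid=$2; sub_start=$3; sub_count=$4
    if [ "$ct_gid" -eq 0 ]; then
        echo "$user_gid"
    elif [ "$ct_gid" -ge 1 ] && [ "$ct_gid" -le "$sub_count" ]; then
        echo $((sub_start + ct_gid - 1))
    else
        echo "$OVERFLOW_GID"
    fi
}

# subgid_range USER  (reads /etc/subgid-formatted "name:start:count" lines on stdin)
# Prints "start count" for USER's first range; returns 1 if the user has none.
subgid_range() {
    user=$1
    while IFS=: read -r name start count; do
        if [ "$name" = "$user" ]; then
            echo "$start $count"
            return 0
        fi
    done
    return 1
}

# Constructed sample data (assumption, not from the thread): host user "user"
# with GID 1000, the render group at GID 989, and a typical /etc/subgid.
SAMPLE_SUBGID="user:100000:65536
other:165536:65536"
USER_GID=1000
RENDER_GID=989

explain() {
    set -- $(printf '%s\n' "$SAMPLE_SUBGID" | subgid_range user)
    start=$1; count=$2
    echo "host render group $RENDER_GID -> container GID $(map_host_gid "$RENDER_GID" "$USER_GID" "$start" "$count") (unmapped: the device shows as nogroup)"
    echo "host GID $USER_GID (the chgrp workaround) -> container GID $(map_host_gid "$USER_GID" "$USER_GID" "$start" "$count") (container root's group, not PGID=1000)"
    echo "container PGID=1000 (user abc) -> host GID $(map_container_gid 1000 "$USER_GID" "$start" "$count") (a subgid, which owns nothing on the host)"
}

explain
```

Two practical consequences of that arithmetic: chgrp'ing the device to the host user's group makes it root-owned inside the container, so a container user with PGID=1000 (really a subordinate GID on the host) still cannot open it; and `--group-add keep-groups` (crun only) keeps the host's supplementary groups on the container's initial process even though they display as nogroup, so `podman run --rm --group-add keep-groups <image> id` is the quick check for whether the membership survives. If the image's init then switches to its own user with a proper setgroups() call, those kept groups are discarded, which matches the behaviour the original post describes with images that create an internal user.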