Intel i7 1165G7 passthrough GPU to LXC not working (solved)

[evotek]

Proxmox Virtual Environment 7.2-3

CPU: 1165G7 passthrough GPU to LXC in linux not working

i7-1165G7 https://ark.intel.com/content/www/e...165g7-processor-12m-cache-up-to-4-70-ghz.html

First question: Should the GPU passthrough work to LXC at all?

I actually tried and here is where I am:

HOST:
root@proxmox.lan's password:
Linux proxmox 5.15.30-2-pve #1 SMP PVE 5.15.30-3 (Fri, 22 Apr 2022 18:08:27 +0200) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 6 20:35:32 2022 from 192.168.88.252
root@proxmox:~# cat /etc/group | grep video
video:x:44:
root@proxmox:~# cat /etc/group | grep render
render:x:103:
root@proxmox:~# cat /etc/subgid
root:100000:65536
root:44:1
root:103:1
root@proxmox:~# ls -la /dev/dri/renderD128
crw-rw-rw- 1 root render 226, 128 Nov 6 11:43 /dev/dri/renderD128
root@proxmox:~# vainfo
error: can't connect to X server!
libva info: VA-API version 1.10.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_10
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.10 (libva 2.10.0)
vainfo: Driver version: Intel iHD driver for Intel(R) Gen Graphics - 21.1.1 ()
vainfo: Supported profile and entrypoints
VAProfileNone : VAEntrypointVideoProc
VAProfileNone : VAEntrypointStats
VAProfileMPEG2Simple : VAEntrypointVLD
VAProfileMPEG2Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointEncSliceLP
VAProfileH264High : VAEntrypointVLD
VAProfileH264High : VAEntrypointEncSliceLP
VAProfileJPEGBaseline : VAEntrypointVLD
VAProfileJPEGBaseline : VAEntrypointEncPicture
VAProfileH264ConstrainedBaseline: VAEntrypointVLD
VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP
VAProfileVP8Version0_3 : VAEntrypointVLD
VAProfileHEVCMain : VAEntrypointVLD
VAProfileHEVCMain : VAEntrypointEncSliceLP
VAProfileHEVCMain10 : VAEntrypointVLD
VAProfileHEVCMain10 : VAEntrypointEncSliceLP
VAProfileVP9Profile0 : VAEntrypointVLD
VAProfileVP9Profile1 : VAEntrypointVLD
VAProfileVP9Profile2 : VAEntrypointVLD
VAProfileVP9Profile3 : VAEntrypointVLD
VAProfileHEVCMain12 : VAEntrypointVLD
VAProfileHEVCMain422_10 : VAEntrypointVLD
VAProfileHEVCMain422_12 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_10 : VAEntrypointVLD
VAProfileHEVCMain444_10 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_12 : VAEntrypointVLD
VAProfileHEVCSccMain : VAEntrypointVLD
VAProfileHEVCSccMain : VAEntrypointEncSliceLP
VAProfileHEVCSccMain10 : VAEntrypointVLD
VAProfileHEVCSccMain10 : VAEntrypointEncSliceLP
VAProfileHEVCSccMain444 : VAEntrypointVLD
VAProfileHEVCSccMain444 : VAEntrypointEncSliceLP
VAProfileAV1Profile0 : VAEntrypointVLD
VAProfileHEVCSccMain444_10 : VAEntrypointVLD
VAProfileHEVCSccMain444_10 : VAEntrypointEncSliceLP
root@proxmox:~# cd /etc/pve/lxc/
root@proxmox:/etc/pve/lxc# cat 105.conf
arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: ubuntu2004
memory: 16384
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.88.1,hwaddr=46:FE:48:EB:FC:2B,ip=192.168.88.17/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-105-disk-0,size=100G
startup: order=4,up=5
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 107 103 1
lxc.idmap: g 108 100108 65428
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file,mode=0666
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=dir
root@proxmox:/etc/pve/lxc#


LXC : Ubuntu 20.04
root@192.168.88.17's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.30-2-pve x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
New release '22.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Nov 6 19:38:13 2022 from 192.168.88.252
root@ubuntu2004:~# vainfo
error: can't connect to X server!
libva info: VA-API version 1.15.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: va_openDriver() returns -1
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_1_6
libva error: /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so init failed
libva info: va_openDriver() returns -1
vaInitialize failed with error code -1 (unknown libva error),exit
root@ubuntu2004:~# ls -la /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
-rw-r--r-- 1 root root 8098968 Feb 6 2020 /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
root@ubuntu2004:~# glxinfo | grep Mesa
Error: unable to open display
root@ubuntu2004:~# ls -la /dev/dri/renderD128
total 0
drwxr-xr-x 2 root root 40 Nov 6 19:37 .
drwxr-xr-x 3 root root 80 Nov 6 19:37 ..
root@ubuntu2004:~# lshw -c video
*-display
description: VGA compatible controller
product: Intel Corporation
vendor: Intel Corporation
physical id: 2
bus info: pci@0000:00:02.0
version: 01
width: 64 bits
clock: 33MHz
capabilities: vga_controller bus_master cap_list rom
configuration: driver=i915 latency=0
resources: iomemory:600-5ff iomemory:400-3ff irq:139 memory:6000000000-6000ffffff memory:4000000000-400fffffff ioport:3000(size=64) memory:c0000-dffff memory:4010000000-4016ffffff memory:4020000000-40ffffffff
root@ubuntu2004:~# cat /etc/group | grep video
video:x:44:root
root@ubuntu2004:~# cat /etc/group | grep render
render:x:107:root,ubuntu
root@ubuntu2004:~# cat /etc/subgid
ubuntu:100000:65536
root@ubuntu2004:~#


Can you please help if i miss something? Do I need to install some drivers to the host or LXC? Will ffmpeg work with the passthrough GPU in LXC? Should I try Ubuntu 22.04 instead of 20.04?

Many thanks

 

[shanreich]

Theoretically it should work, have you tried the instructions from user osaether? [1]

From what I can tell there are some differences, notably the mount paths you are using. The permissions of the devices also seem to differ. Also the container is unprivileged. Maybe it works by starting from scratch and following the instructions from the post 1:1?


[1] https://forum.proxmox.com/threads/intel-rocket-lake-11th-quicksync-passthrough.98874/#post-446128

 

[evotek]

thanks the method helped however it is using now privileged LXC and i have issue to use docker which is needed for me too.
Apparmor is running by default on the host but it can not be started in the LXC:


root@ubuntu2004:~# systemctl start apparmor
Job for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xe" for details.
root@ubuntu2004:~# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2022-11-07 18:44:48 UTC; 6s ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 925 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 925 (code=exited, status=1/FAILURE)
CPU: 472ms

Nov 07 18:44:48 ubuntu2004 apparmor.systemd[960]: /sbin/apparmor_parser: Unable to replace "kmod". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[960]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[970]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[972]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[968]: /sbin/apparmor_parser: Unable to replace "/usr/lib/NetworkManager/nm-dhcp-client.action". Permission denied; attempted to load a profile while c>
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[974]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[925]: Error: At least one profile failed to load
Nov 07 18:44:48 ubuntu2004 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Nov 07 18:44:48 ubuntu2004 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 07 18:44:48 ubuntu2004 systemd[1]: Failed to start Load AppArmor profiles.
lines 1-19/19 (END)


and Docker needs AppArmor:


root@ubuntu2004:~# docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:e18f0a777aefabe047a671ab3ec3eed05414477c951ab1a6f352a06974245fe7
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default2814476680` failed with output: apparmor_parser: Unable to replace "docker-default". Permission denied; attempted to load a profile while confined?

error: exit status 243.
ERRO[0003] error waiting for container: context canceled

however I see the GPU inside the LXC, which is great, but still need docker

root@ubuntu2004:~# vainfo
error: can't connect to X server!
libva info: VA-API version 1.7.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_7
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.7 (libva 2.6.0)
vainfo: Driver version: Intel iHD driver for Intel(R) Gen Graphics - 20.1.1 ()
vainfo: Supported profile and entrypoints
VAProfileNone : VAEntrypointVideoProc
VAProfileNone : VAEntrypointStats
VAProfileMPEG2Simple : VAEntrypointVLD
VAProfileMPEG2Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointEncSliceLP
VAProfileH264High : VAEntrypointVLD
VAProfileH264High : VAEntrypointEncSliceLP
VAProfileJPEGBaseline : VAEntrypointVLD
VAProfileJPEGBaseline : VAEntrypointEncPicture
VAProfileH264ConstrainedBaseline: VAEntrypointVLD
VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP
VAProfileHEVCMain : VAEntrypointVLD
VAProfileHEVCMain : VAEntrypointEncSliceLP
VAProfileHEVCMain10 : VAEntrypointVLD
VAProfileHEVCMain10 : VAEntrypointEncSliceLP
VAProfileVP9Profile0 : VAEntrypointVLD
VAProfileVP9Profile1 : VAEntrypointVLD
VAProfileVP9Profile2 : VAEntrypointVLD
VAProfileVP9Profile3 : VAEntrypointVLD
VAProfileHEVCMain12 : VAEntrypointVLD
VAProfileHEVCMain422_10 : VAEntrypointVLD
VAProfileHEVCMain422_12 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_10 : VAEntrypointVLD
VAProfileHEVCMain444_10 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_12 : VAEntrypointVLD
VAProfileHEVCSccMain : VAEntrypointVLD
VAProfileHEVCSccMain10 : VAEntrypointVLD
VAProfileHEVCSccMain444 : VAEntrypointVLD

How could I make docker work with privileged LXC or in a unprivileged LXC the docker+GPU? Many thanks!

 

[evotek]

UPDATE: with the following lxc config i could start AppArmor and then the docker works too and of course the GPU is still visible in LXC.

root@proxmox:/etc/pve/lxc# cat 200.conf
arch: amd64
cores: 2
features: nesting=1
hostname: ubuntu2004
memory: 8064
net0: name=eth0,bridge=vmbr0,gw=192.168.88.1,hwaddr=4E:B6:7D:13:F3:40,ip=192.168.88.18/24,type=veth
ostype: ubuntu
rootfs: local-lvm:vm-200-disk-0,size=100G
startup: order=4,up=10
swap: 512
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.cgroup2.devices.allow: c 29:0 rwm
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/dri/renderD128 dev/renderD128 none bind,optional,create=file
lxc.cap.drop:
lxc.mount.auto: cgroup:rw
root@proxmox:/etc/pve/lxc#