Intel i7 1165G7 passthrough GPU to LXC not working (solved)

E

evotek

New Member
Nov 7, 2022
6
2
3
Proxmox Virtual Environment 7.2-3

CPU: 1165G7 passthrough GPU to LXC in linux not working

i7-1165G7 https://ark.intel.com/content/www/e...165g7-processor-12m-cache-up-to-4-70-ghz.html

First question: Should the GPU passthrough work to LXC at all?

I actually tried and here is where I am:

HOST:
root@proxmox.lan's password:
Linux proxmox 5.15.30-2-pve #1 SMP PVE 5.15.30-3 (Fri, 22 Apr 2022 18:08:27 +0200) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 6 20:35:32 2022 from 192.168.88.252
root@proxmox:~# cat /etc/group | grep video
video:x:44:
root@proxmox:~# cat /etc/group | grep render
render:x:103:
root@proxmox:~# cat /etc/subgid
root:100000:65536
root:44:1
root:103:1
root@proxmox:~# ls -la /dev/dri/renderD128
crw-rw-rw- 1 root render 226, 128 Nov 6 11:43 /dev/dri/renderD128
root@proxmox:~# vainfo
error: can't connect to X server!
libva info: VA-API version 1.10.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_10
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.10 (libva 2.10.0)
vainfo: Driver version: Intel iHD driver for Intel(R) Gen Graphics - 21.1.1 ()
vainfo: Supported profile and entrypoints
VAProfileNone : VAEntrypointVideoProc
VAProfileNone : VAEntrypointStats
VAProfileMPEG2Simple : VAEntrypointVLD
VAProfileMPEG2Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointEncSliceLP
VAProfileH264High : VAEntrypointVLD
VAProfileH264High : VAEntrypointEncSliceLP
VAProfileJPEGBaseline : VAEntrypointVLD
VAProfileJPEGBaseline : VAEntrypointEncPicture
VAProfileH264ConstrainedBaseline: VAEntrypointVLD
VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP
VAProfileVP8Version0_3 : VAEntrypointVLD
VAProfileHEVCMain : VAEntrypointVLD
VAProfileHEVCMain : VAEntrypointEncSliceLP
VAProfileHEVCMain10 : VAEntrypointVLD
VAProfileHEVCMain10 : VAEntrypointEncSliceLP
VAProfileVP9Profile0 : VAEntrypointVLD
VAProfileVP9Profile1 : VAEntrypointVLD
VAProfileVP9Profile2 : VAEntrypointVLD
VAProfileVP9Profile3 : VAEntrypointVLD
VAProfileHEVCMain12 : VAEntrypointVLD
VAProfileHEVCMain422_10 : VAEntrypointVLD
VAProfileHEVCMain422_12 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_10 : VAEntrypointVLD
VAProfileHEVCMain444_10 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_12 : VAEntrypointVLD
VAProfileHEVCSccMain : VAEntrypointVLD
VAProfileHEVCSccMain : VAEntrypointEncSliceLP
VAProfileHEVCSccMain10 : VAEntrypointVLD
VAProfileHEVCSccMain10 : VAEntrypointEncSliceLP
VAProfileHEVCSccMain444 : VAEntrypointVLD
VAProfileHEVCSccMain444 : VAEntrypointEncSliceLP
VAProfileAV1Profile0 : VAEntrypointVLD
VAProfileHEVCSccMain444_10 : VAEntrypointVLD
VAProfileHEVCSccMain444_10 : VAEntrypointEncSliceLP
root@proxmox:~# cd /etc/pve/lxc/
root@proxmox:/etc/pve/lxc# cat 105.conf
arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: ubuntu2004
memory: 16384
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.88.1,hwaddr=46:FE:48:EB:FC:2B,ip=192.168.88.17/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-105-disk-0,size=100G
startup: order=4,up=5
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 107 103 1
lxc.idmap: g 108 100108 65428
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file,mode=0666
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=dir
root@proxmox:/etc/pve/lxc#


LXC : Ubuntu 20.04
root@192.168.88.17's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.30-2-pve x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
New release '22.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Nov 6 19:38:13 2022 from 192.168.88.252
root@ubuntu2004:~# vainfo
error: can't connect to X server!
libva info: VA-API version 1.15.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: va_openDriver() returns -1
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_1_6
libva error: /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so init failed
libva info: va_openDriver() returns -1
vaInitialize failed with error code -1 (unknown libva error),exit
root@ubuntu2004:~# ls -la /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
-rw-r--r-- 1 root root 8098968 Feb 6 2020 /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
root@ubuntu2004:~# glxinfo | grep Mesa
Error: unable to open display
root@ubuntu2004:~# ls -la /dev/dri/renderD128
total 0
drwxr-xr-x 2 root root 40 Nov 6 19:37 .
drwxr-xr-x 3 root root 80 Nov 6 19:37 ..
root@ubuntu2004:~# lshw -c video
*-display
description: VGA compatible controller
product: Intel Corporation
vendor: Intel Corporation
physical id: 2
bus info: pci@0000:00:02.0
version: 01
width: 64 bits
clock: 33MHz
capabilities: vga_controller bus_master cap_list rom
configuration: driver=i915 latency=0
resources: iomemory:600-5ff iomemory:400-3ff irq:139 memory:6000000000-6000ffffff memory:4000000000-400fffffff ioport:3000(size=64) memory:c0000-dffff memory:4010000000-4016ffffff memory:4020000000-40ffffffff
root@ubuntu2004:~# cat /etc/group | grep video
video:x:44:root
root@ubuntu2004:~# cat /etc/group | grep render
render:x:107:root,ubuntu
root@ubuntu2004:~# cat /etc/subgid
ubuntu:100000:65536
root@ubuntu2004:~#


Can you please help if i miss something? Do I need to install some drivers to the host or LXC? Will ffmpeg work with the passthrough GPU in LXC? Should I try Ubuntu 22.04 instead of 20.04?

Many thanks
 
Last edited:
thanks the method helped however it is using now privileged LXC and i have issue to use docker which is needed for me too.
Apparmor is running by default on the host but it can not be started in the LXC:


root@ubuntu2004:~# systemctl start apparmor
Job for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xe" for details.
root@ubuntu2004:~# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2022-11-07 18:44:48 UTC; 6s ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 925 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 925 (code=exited, status=1/FAILURE)
CPU: 472ms

Nov 07 18:44:48 ubuntu2004 apparmor.systemd[960]: /sbin/apparmor_parser: Unable to replace "kmod". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[960]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[970]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[972]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[968]: /sbin/apparmor_parser: Unable to replace "/usr/lib/NetworkManager/nm-dhcp-client.action". Permission denied; attempted to load a profile while c>
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[974]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 07 18:44:48 ubuntu2004 apparmor.systemd[925]: Error: At least one profile failed to load
Nov 07 18:44:48 ubuntu2004 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Nov 07 18:44:48 ubuntu2004 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 07 18:44:48 ubuntu2004 systemd[1]: Failed to start Load AppArmor profiles.
lines 1-19/19 (END)


and Docker needs AppArmor:


root@ubuntu2004:~# docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:e18f0a777aefabe047a671ab3ec3eed05414477c951ab1a6f352a06974245fe7
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default2814476680` failed with output: apparmor_parser: Unable to replace "docker-default". Permission denied; attempted to load a profile while confined?

error: exit status 243.
ERRO[0003] error waiting for container: context canceled

however I see the GPU inside the LXC, which is great, but still need docker

root@ubuntu2004:~# vainfo
error: can't connect to X server!
libva info: VA-API version 1.7.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_7
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.7 (libva 2.6.0)
vainfo: Driver version: Intel iHD driver for Intel(R) Gen Graphics - 20.1.1 ()
vainfo: Supported profile and entrypoints
VAProfileNone : VAEntrypointVideoProc
VAProfileNone : VAEntrypointStats
VAProfileMPEG2Simple : VAEntrypointVLD
VAProfileMPEG2Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointVLD
VAProfileH264Main : VAEntrypointEncSliceLP
VAProfileH264High : VAEntrypointVLD
VAProfileH264High : VAEntrypointEncSliceLP
VAProfileJPEGBaseline : VAEntrypointVLD
VAProfileJPEGBaseline : VAEntrypointEncPicture
VAProfileH264ConstrainedBaseline: VAEntrypointVLD
VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP
VAProfileHEVCMain : VAEntrypointVLD
VAProfileHEVCMain : VAEntrypointEncSliceLP
VAProfileHEVCMain10 : VAEntrypointVLD
VAProfileHEVCMain10 : VAEntrypointEncSliceLP
VAProfileVP9Profile0 : VAEntrypointVLD
VAProfileVP9Profile1 : VAEntrypointVLD
VAProfileVP9Profile2 : VAEntrypointVLD
VAProfileVP9Profile3 : VAEntrypointVLD
VAProfileHEVCMain12 : VAEntrypointVLD
VAProfileHEVCMain422_10 : VAEntrypointVLD
VAProfileHEVCMain422_12 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointVLD
VAProfileHEVCMain444 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_10 : VAEntrypointVLD
VAProfileHEVCMain444_10 : VAEntrypointEncSliceLP
VAProfileHEVCMain444_12 : VAEntrypointVLD
VAProfileHEVCSccMain : VAEntrypointVLD
VAProfileHEVCSccMain10 : VAEntrypointVLD
VAProfileHEVCSccMain444 : VAEntrypointVLD

How could I make docker work with privileged LXC or in a unprivileged LXC the docker+GPU? Many thanks!
 
Last edited:
UPDATE: with the following lxc config i could start AppArmor and then the docker works too and of course the GPU is still visible in LXC. :)

root@proxmox:/etc/pve/lxc# cat 200.conf
arch: amd64
cores: 2
features: nesting=1
hostname: ubuntu2004
memory: 8064
net0: name=eth0,bridge=vmbr0,gw=192.168.88.1,hwaddr=4E:B6:7D:13:F3:40,ip=192.168.88.18/24,type=veth
ostype: ubuntu
rootfs: local-lvm:vm-200-disk-0,size=100G
startup: order=4,up=10
swap: 512
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.cgroup2.devices.allow: c 29:0 rwm
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/dri/renderD128 dev/renderD128 none bind,optional,create=file
lxc.cap.drop:
lxc.mount.auto: cgroup:rw
root@proxmox:/etc/pve/lxc#
 
  • Like
Reactions: shanreich
You must log in or register to reply here.
Top Bottom