LXC Id Mapping

[marissachan]

Edit: I solved the issue myself, see the first reply in this thread

I am currently trying to get the iGPU to work in an unpriviliged lxc container, which runs Jellyfin.

I am trying to figure out what exactly I need to do, and used the following links as a basic:

• Hardware Acceleration (Jellyfin Documentation) (https://jellyfin.org/docs/general/a...d-qsv-hardware-acceleration-on-lxc-on-proxmox)
• Intel iGPU VAAPI in Unprivileged LXC 4.0 Container (https://yoursunny.com/t/2022/lxc-vaapi/)
• Unprivileged LXC containers (Proxmox documentation) (https://pve.proxmox.com/wiki/Unprivileged_LXC_containers)

I do struggle with the ID-Mapping. The gpu device appears in the lxc container, but belongs to nobody:nobody (65534:65534). The solution to this issue seems to setting up id-mapping.

With the command getent group render I was able to figure out the Id of the group "render" in both the host and guest:
host: getent group render -> 107
container: getent group render -> 989

Because of this I decided to modify the file /etc/subgid and added root:107:1 to the end of the file. This should allow lxc-containers to have access to the host-group 107 from my understanding. (I did not touch /etc/subuid)

Besides a few other things I added the following to my /etc/pve/lxc/205.conf (205 ofc being the container with Jellyfin)

lxc.idmap = g 0 100000 989
lxc.idmap = g 989 107 1
lxc.idmap = g 990 100990 64546

But sadly, I get the following error:

lxc_drop_groups: 1366 Operation not permitted - Failed to drop supplimentary groups
chown_cgroup_wrapper: 1285 Invalid argument - Failed to setresgid(0, 0, 0)
cgfsng_chown: 1354 No such file or directory - Error requesting cgroup chown in new user namespace
__lxc_start: 2074 Failed to spawn container "205"
startup for container '205' failed

What exactly am I forgetting?

 

[marissachan]

I found the isse, I had to add lxc.idmap: u 0 100000 65536 to the container config.