[SOLVED] [Solved] iGPU passthrough into unprivileged LXC

[Altorvo]

Hi all,
________________________________________________________
Solution:
Requirement: iGPU passthrough to an unprivileged LXC running Jellyfin in docker

• I used the Web UI 'Add Device Passthrough' functionality (in the resources section of the LXC) to passthrough: /dev/dri/renderD128 (iGPU) with mode: 0666
  • If someone wanted to add it manually to the /etc/pve/lxc/<xyz>.conf, they could use the following: dev0: /dev/dri/renderD128,mode=0666 to achieve the same.

Many thanks to @leesteken for the solution - hope this can help someone else.

Original post below:
________________________________________________________

Context:
I am running Jellyfin docker in an unprivileged LXC - I am currently having an issue passing through the iGPU for transcoding. I have used every guide/forum I could find, to no avail (yet), so looking for help from more experienced minds!

- I initially had transcoding working (confirmed using intel_gpu_top) via adding the below into my /etc/pve/lxc/<xyz>.conf

lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.cgroup2.devices.allow: c 29:0 rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file
lxc.mount.entry: /dev/dri/renderD128 dev/renderD128 none bind,optional,create=file

However, as you may have guessed, it stopped working (assumedly due to not having the correct permissions)
I have tried many attempts to get this working and may have borked things in the process (I am still learning)

Current Situation:
Running getent group | grep -Ei "render|video" in the host, gives me:

video:x:44:root
render:x:104:root

Running the above in the 'Jellyfin' LXC:

video:x:44:root
render:x:108:root

Therefore, perhaps mistakenly, I added the following to my /etc/pve/lxc/<xyz>.conf file:

lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 108 104 1
lxc.idmap: g 109 100108 65428

Then ran a combo of usermod -aG render,video root & usermod -G render,video root & usermod --append --groups video,render root, hoping to see 'root' marked as having access to the 'Jellyfin' LXC renderD128 device.

However, the host now shows:

ls -l /dev/dri
total 0
drwxr-xr-x 2 root root 80 Nov 28 11:57 by-path
crw-rw---- 1 root video 226, 0 Nov 28 11:57 card0
crw-rw---- 1 root 100989 226, 128 Nov 28 11:57 renderD128

and the 'Jellyfin' LXC shows:

ls -l /dev/dri
total 0
drwxr-xr-x 2 nobody nogroup 80 Nov 28 11:57 by-path
crw-rw---- 1 nobody video 226, 0 Nov 28 11:57 card0
crw-rw---- 1 nobody 990 226, 128 Nov 28 11:57 renderD128

When searching for 100989 & 990 in their respective /etc/subgid's, I can't find anything attached to those values.

System Specs:

• CPU/APU: Intel 12400
• Proxmox: v8.3.0
• Ubuntu: v22.04
• Jellyfin: v10.10.3

How do I passthrough the iGPU to the unprivileged LXC and keep the permissions?
Any help would be massively appreciated, until then I'll keep trying!

 

[leesteken]

I am running Jellyfin docker in an unprivileged LXC

There is a warning about this in the manual: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pct

- I initially had transcoding working (confirmed using intel_gpu_top) via adding the below into my /etc/pve/lxc/<xyz>.conf

Instead of the manual lxc.mount and lxc.idmap, maybe try the Device Passthrough (under Add in the container Resources) for containers in the Proxmox web GUI? You can specify user and group IDs and Access Mode under Advanced.

I don't have experience with your specific setup but I do find the new Device Passthrough much more convenient. Maybe someone else here knows more about iGPU passthrough to Jellyfin on Docker.

 

[strauss2]

I have passed though my gpu to a jellyfin lxc not running docker. The native install is definitely easier than doing docker in lxc. I had a working idmap setup like you are trying, but as stated above the Device Passthrough is easier. Just pass through the gpu, click on advanced, and assign it GID of the render group in the lxc. Make sure if you are running jellyfin as a user that that user is part of the render group.

 

[Altorvo]

Thank you both!

try the Device Passthrough

This^ Perfectly fixed it first try - thank you! I wasn't aware this was a feature other than in (QEMU) VMs - I owe you a beer

Can confirm it's working smoothly transcoding multiple 4k videos:

There is a warning about this in the manual

I knew about this, but had never found the section in the manual covering it - thank you!

native install is definitely easier than doing docker in lxc

I had previously used tteck's script (bless his soul), but never got the passthrough working (mainly due to having an Nvidia GPU at the time). Docker passthrough is easy, all you need is the following:

devices:
- /dev/dri:/dev/dri # QuickSync

I switched to docker mainly so I could use something like portainer to be able to update my containers even between separate LXCs (easier for me to manage at a glance over tens of containers)

Thank you both again! I'll update the thread to solved with the solution.