search

linuxserver / docker-jellyfin

GNU General Public License v3.0
630 stars 94 forks source link

Hardware acceleration device permissions broken if host system has no group permissions set #111

Closed metronidazole closed 3 years ago

metronidazole commented 3 years ago

linuxserver.io

This docker container does not always supply sufficient permissions for the abc user (ID specified with the PUID environmental variable) to access devices under /dev/dri for hardware acceleration under some circumstances.

e.g. if the host permissions for /dev/dri/renderD128 has (0600/crw------), then docker will use these permissions for the device within the container, and the script used by this container to add the abc user to the group for hardware acceleration devices effectively does nothing.

This is because even though the user is made a member of the group that the device is owned by, there are no group permissions set, and so hardware acceleration is broken.

I believe this is probably the cause for many of the people affected by https://github.com/linuxserver/docker-jellyfin/issues/26

This issue was probably not noticed by the dev of this container because their host system has proper permissions for their hardware acceleration devices and is group-owned by e.g. render or video. On synology devices, /dev/dri/renderD128 is group-owned by root, and no group permissions are set.

Expected Behavior

This container should ensure that the abc user is a member of the group used by any hardware acceleration device, and also ensure that group permissions for hardware acceleration devices are set to rwx (chmod g+rwx)

Current Behavior

Container only adds abc user to the groups, but does not ensure there are sufficient group permissions for these devices

Steps to Reproduce

e.g. for intel quicksync

  1. On host device, chmod g-rwx /dev/dri/renderD128
  2. Restart docker-jellyfin docker container
  3. Attempt to use hardware acceleration using ffmpeg or jellyfin
  4. Within jellyfin container, chmod g+rwx /dev/dri/renderD128
  5. Verify that hardware acceleration now works

Environment

OS: Synology CPU architecture: x86_64 How docker service was installed: docker repo

Command used to create docker container (run/create/compose/screenshot)

N/A

Docker logs

N/A

github-actions[bot] commented 3 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

AndreaPro commented 3 years ago
  1. On host device, chmod g-rwx /dev/dri/renderD128

I guess that this is a typo? You should add the permission to the group with g+, not removing them with g-

metronidazole commented 3 years ago
  1. On host device, chmod g-rwx /dev/dri/renderD128

I guess that this is a typo? You should add the permission to the group with g+, not removing them with g-

No, not a typo. It is to simulate the stock permission set used by some devices (e.g. synology).

aptalca commented 3 years ago

This issue was probably not noticed by the dev of this container

We're well aware: https://github.com/linuxserver/docker-jellyfin/issues/26#issuecomment-618079838

AndreaPro commented 3 years ago

This issue was probably not noticed by the dev of this container

We're well aware: #26 (comment)

Ah ok, I've missed the part where permissions for groups were not set on Synology

metronidazole commented 3 years ago

This issue was probably not noticed by the dev of this container

We're well aware: #26 (comment)

Yes but in your post you state "There is nothing we can do for that scenario, you gotta fix the perms on host and report it to synology".

That isn't true. This commit fixes the problem as only the guest permissions on the device need to be updated to allow hardware transcoding for synology devices. The host permission set is irrelevant with this fix.

I'm not sure why this PR cannot be merged?

https://github.com/linuxserver/docker-jellyfin/pull/112