linuxserver / docker-jellyfin

GNU General Public License v3.0

40-gid-video won't create and add group to abc #150

Closed gauth-fr closed 1 year ago

gauth-fr commented 2 years ago

Expected Behavior

Necessary groups for HW acceleration are created and added to user abc.

Current Behavior

On my setup (LXC container on proxmox running docker), this is not the case. find /dev/dri /dev/dvb /dev/vchiq /dev/vc-mem /dev/video1? -type c -print 2>/dev/null won't return the devices. However, checking manually with stat or ls or whatever, they (card0 & renderD128) show as character special files.

My Bypass

I create a 90-add-group, which is a modified version of 40-gid-video, using find to find regular files then filter in the loop if it's a char special file.

#!/usr/bin/with-contenv bash

# find reports the device nodes as regular files on this setup, so match on -type f
FILES=$(find /dev/dri /dev/dvb /dev/vchiq /dev/vc-mem /dev/video1? -type f -print 2>/dev/null)

for i in $FILES
do
        # Keep only paths that the shell's own test sees as character devices
        if [ -c "$i" ]; then
                VIDEO_GID=$(stat -c '%g' "$i")
                # Skip if abc is already a member of the owning group
                if ! id -G abc | grep -qw "$VIDEO_GID"; then
                        VIDEO_NAME=$(getent group "${VIDEO_GID}" | awk -F: '{print $1}')
                        # No group with that GID exists yet: create one with a random name
                        if [ -z "${VIDEO_NAME}" ]; then
                                VIDEO_NAME="video$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c8)"
                                echo "Creating group $VIDEO_NAME with id $VIDEO_GID"
                                groupadd "$VIDEO_NAME"
                                groupmod -g "$VIDEO_GID" "$VIDEO_NAME"
                        fi
                        echo "Add group $VIDEO_NAME to abc"
                        usermod -a -G "$VIDEO_NAME" abc
                        # Warn when the group bits on the device are not rw
                        if [ "$(stat -c '%A' "${i}" | cut -b 5,6)" != "rw" ]; then
                                echo -e "**** The device ${i} does not have group read/write permissions, which might prevent hardware transcode from functioning correctly. To fix it, you can run the following on your docker host: ****\nsudo chmod g+rw ${i}\n"
                        fi
                fi
        fi
done

Steps to Reproduce

  1. connect in the container, then groups abc
  2. try to transcode fails

Environment

OS: Proxmox / LXC Ubuntu 20.04.4
CPU architecture: x86_64
How docker service was installed: Official repo

Command used to create docker container (run/create/compose/screenshot)

cat docker-compose.yaml
version: "3"

services:
  jellyfin:
    image: linuxserver/jellyfin:latest
    container_name: jellyfin
    restart: unless-stopped
    environment:
     - PUID=$PUID
     - PGID=$PGID
     - TZ=$TZ
    devices:
     - /dev/dri:/dev/dri
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    networks:
      proxy:
    ports:
      - 8096:8096
    expose:
      - 8096
    volumes:
      - $CONFIGFOLDER/jellyfin/config:/config
      - $CONFIGFOLDER/jellyfin/cache:/cache
      - $LOCAL_MEDIAFOLDER:/data/video

networks:
  proxy:
    external:
      name: proxy

Docker logs (which also contains my custom-cont script)

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 01-migrations: executing...
[migrations] started
[migrations] no migrations found
[cont-init.d] 01-migrations: exited 0.
[cont-init.d] 02-tamper-check: executing...
[cont-init.d] 02-tamper-check: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Jellyfin: https://opencollective.com/jellyfin

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-gid-video: executing...
[cont-init.d] 40-gid-video: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] files found in /config/custom-cont-init.d executing
[custom-init] 90-add-group: executing...
Creating group videoBHXXyuDV with id 107
Add group videoBHXXyuDV to abc
Add group video to abc
[custom-init] 90-add-group: exited 0
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[12:06:24] [INF] [1] Main: Jellyfin version: 10.7.7
[12:06:24] [INF] [1] Main: Environment Variables: ["[JELLYFIN_CACHE_DIR, /config/cache]", "[JELLYFIN_LOG_DIR, /config/log]", "[JELLYFIN_DATA_DIR, /config/data]", "[JELLYFIN_CONFIG_DIR, /config]"]
[12:06:24] [INF] [1] Main: Arguments: ["/usr/lib/jellyfin/bin/jellyfin.dll", "--ffmpeg=/usr/lib/jellyfin-ffmpeg/ffmpeg", "--webdir=/usr/share/jellyfin/web"]
[12:06:24] [INF] [1] Main: Operating system: Linux
[12:06:24] [INF] [1] Main: Architecture: X64
[12:06:24] [INF] [1] Main: 64-Bit Process: True
[12:06:24] [INF] [1] Main: User Interactive: True
[12:06:24] [INF] [1] Main: Processor count: 2
[12:06:24] [INF] [1] Main: Program data path: /config/data
[12:06:24] [INF] [1] Main: Web resources path: /usr/share/jellyfin/web
[12:06:24] [INF] [1] Main: Application directory: /usr/lib/jellyfin/bin/

github-actions[bot] commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

calebj commented 2 years ago

I have the same issue (on an identical setup), although the fix was simpler. Instead of -type f, I used -xtype c. Using a loop over all files and filtering by test is probably more robust, since I don't know if the rendering device nodes are symlinks on some systems.

My theory is that since not even root can get read access to a file owned by nobody, find is unable to determine some bit of key information, and so bails out. I have no theory as to why adding -L to find causes it to suddenly see the nodes with -type c. There are no symlinks involved, so that shouldn't change the behavior, yet it does.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

nopper commented 1 year ago

I am also affected by this. I would say that the easy fix would be to change the following line, from:

https://github.com/linuxserver/docker-jellyfin/blob/f24d7a57b65a2da84c1591ff17ce6b282aebe9eb/root/etc/s6-overlay/s6-rc.d/init-jellyfin-video/run#L3

To something like:

FILES=$(find /dev/dri /dev/dvb /dev/vchiq /dev/vc-mem /dev/video1? \( -type c -o -type f \) -print 2>/dev/null)

Here's what happens when I attach a console in the container:

root@test:/# find /dev/dri /dev/dvb /dev/vchiq /dev/vc-mem /dev/video1? -type f
/dev/dri/renderD128
/dev/dri/card0
find: ‘/dev/dvb’: No such file or directory
find: ‘/dev/vchiq’: No such file or directory
find: ‘/dev/vc-mem’: No such file or directory
find: ‘/dev/video1?’: No such file or directory
root@test:/# find /dev/dri /dev/dvb /dev/vchiq /dev/vc-mem /dev/video1? -type c
find: ‘/dev/dvb’: No such file or directory
find: ‘/dev/vchiq’: No such file or directory
find: ‘/dev/vc-mem’: No such file or directory
find: ‘/dev/video1?’: No such file or directory
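
Added example, not part of the thread or the project's code: when two -type tests are joined with -o ahead of an explicit -print, find's operator precedence decides which matches are printed, and a variant that uses no -type test at all avoids the question. The fixture is constructed, with a FIFO (-type p) standing in for the character device; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue thread or the linuxserver.io image).
# Constructed fixture: a FIFO stands in for the device node, because creating
# a character device needs root. Function names are hypothetical.

# Create a temp dir with one regular file and one FIFO; print its path.
make_fixture() {
    fixture_dir=$(mktemp -d) || return 1
    : > "$fixture_dir/regular"
    mkfifo "$fixture_dir/special" || return 1
    printf '%s\n' "$fixture_dir"
}

# Ungrouped: implicit AND binds tighter than -o, so this parses as
#   -type p  -o  ( -type f -a -print )
# and only the regular file is printed.
find_ungrouped() {
    find "$1" -type p -o -type f -print 2>/dev/null | sort
}

# Grouped: a match on either type reaches -print.
find_grouped() {
    find "$1" \( -type p -o -type f \) -print 2>/dev/null | sort
}

# Type-agnostic: no -type at all; test(1) stats each path itself, as the
# loop-and-filter workaround in this thread does with [ -c ... ].
# $2 is the test operator: -p for the fixture, -c for real device nodes.
find_then_test() {
    find "$1" -exec test "$2" {} \; -print 2>/dev/null | sort
}

demo_dir=$(make_fixture) && {
    echo "ungrouped:";    find_ungrouped "$demo_dir"
    echo "grouped:";      find_grouped "$demo_dir"
    echo "find + test:";  find_then_test "$demo_dir" -p
    rm -rf "$demo_dir"
}
```
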

nopper commented 1 year ago

I tried sending out a PR but after a month of waiting I decided to give up. I just added a script to fix this at boot.

Terrible experience for a simple contribution.

aptalca commented 1 year ago

> I tried sending out a PR but after a month of waiting I decided to give up. I just added a script to fix this at boot. Terrible experience for a simple contribution.

We always appreciate PRs, however it's important to try and see things from the maintainer's perspective. I believe there is a mismatch in expectations vs reality.

For you, an individual user with an edge case issue (running in an unsupported manner like docker in lxc, aka container in container), this PR may seem to be a simple contribution. However, what you probably don't realize is, we have dozens of images using this exact logic. What seems like a simple contribution to you is actually a very significant change for us that requires dozens of PRs. That's assuming the behavior change is not going to negatively impact other users for whom things may break.

All these things require a lot of thought, testing and troubleshooting. Sure, we could simply merge your PR and fix your specific issue, but we may break it for thousands of other users and you wouldn't be on the hook for providing support to them.

In any case, one of our team members spun up a container in lxc (jammy) on a debian bullseye VM on esxi and confirmed that as long as the lxc container is running privileged (it really should for docker to work properly) the devices are found by the init script we are using and are listed as character special files.

nopper commented 1 year ago

Just saying that my setup is currently an unprivileged LXC container on proxmox with id mapping for sharing the dri device. It's not true that you need a privileged setup to run docker. And this is still an issue. It's solved with the workaround I suggested.

aptalca commented 1 year ago

> my setup is currently an unprivileged LXC container

It's your decision to run things in an unsupported manner. Downside is, we won't provide support. To be frank, even the Proxmox team is recommending against running docker inside an lxc container (let alone an unprivileged one): https://forum.proxmox.com/threads/podman-in-lxc-what-do-overlay-not-support-file-handles-and-conflicting-options-userxattr-metacopy-mean.121825/#post-529565

nopper commented 1 year ago

Sure. Fair point. Just sharing all the information needed to possibly reproduce the setup in case you are interested. I also understand your decision to not fix this, if it's problematic for others.

github-actions[bot] commented 1 year ago

This issue is locked due to inactivity