To use GPU acceleration with rootless podman, I need to be a member of the video and render groups, /dev/dri must be passed into the container, and the container user must also have access to the video and render groups.
The problem is that in rootless mode, --group-add creates a group in the user-namespace but the device nodes maintain their ownership in the host namespace. That means that although the 'video' and 'render' groups are added to the container, they have a different gid than on the host, and there is no access to the /dev/dri paths.
The fix for this is to use the 'crun' runtime, and to specify --group-add keep-groups and to NOT specify --group-add for any other groups (apparently only crun supports the keep-groups option). This results in a weird container namespace where groups show as nobody (because they have no names) but the user's groupids from the host are maintained and the container user can now access /dev/dri. More info can be found here:
I've hacked x11docker so that it only passes --group-add keep-groups and it does indeed seem to be working properly. I'm not sure of the best way to implement this in x11docker though.
The specific requirement is to be able to use:
x11docker --backend=podman --rootless=yes --xorg --gpu <some image> vainfo
In practice, my actual invocation looks like:
./x11docker --runtime=crun --keep-groups --xc=no --backend=podman --xorg --gpu --pulseaudio
(--keep-groups is the hack I applied to x11docker, --xc=no is needed for podman-rootless)
I need the refresh-rate switching from X11 so I didn't test wayland
To use GPU acceleration with rootless podman, I need to be a member of the video and render groups, /dev/dri must be passed into the container, and the container user must also have access to the video and render groups. The problem is that in rootless mode, --group-add creates a group in the user-namespace but the device nodes maintain their ownership in the host namespace. That means that although the 'video' and 'render' groups are added to the container, they have a different gid than on the host, and there is no access to the /dev/dri paths.
The fix for this is to use the 'crun' runtime, and to specify
--group-add keep-groupsand to NOT specify--group-addfor any other groups (apparently only crun supports the keep-groups option). This results in a weird container namespace where groups show asnobody(because they have no names) but the user's groupids from the host are maintained and the container user can now access /dev/dri. More info can be found here:https://github.com/containers/podman/issues/10166#issuecomment-832614629
I've hacked x11docker so that it only passes
--group-add keep-groupsand it does indeed seem to be working properly. I'm not sure of the best way to implement this in x11docker though.The specific requirement is to be able to use:
x11docker --backend=podman --rootless=yes --xorg --gpu <some image> vainfoIn practice, my actual invocation looks like:
./x11docker --runtime=crun --keep-groups --xc=no --backend=podman --xorg --gpu --pulseaudio(--keep-groupsis the hack I applied to x11docker,--xc=nois needed for podman-rootless)I need the refresh-rate switching from X11 so I didn't test wayland