    Permissions problem on render device with rootless podman container

    grifferz
    8 hours ago (This post was last modified: 8 hours ago by grifferz. Edited 1 time in total.)
    Hi,

    I'm a complete novice with both Jellyfin and Podman so I was expecting this to be a challenge but your documentation is very good and it's mostly been an easy install. One thing I can't work out though seems to be a permissions problem on /dev/dri/renderD128.

    This is Jellyfin 10.11.0 installed on a Debian 13 host using a podman rootless container and the official docker.io image.

    I am using systemd units to control the container but the podman run invocation looks like this:

    Code:
    podman run \
        --name jellyfin \
        --replace \
        --rm \
        --group-add keep-groups \
        -d \
        --device /dev/dri/:/dev/dri/ \
        --user 990:989 \
        --userns keep-id \
        -v /home/jellyfin/cache:/cache:Z \
        -v /home/jellyfin/config:/config:Z \
        --label io.containers.autoupdate=registry \
        --publish 8096:8096/tcp \
        --publish 7359:7359/udp \
        --mount type=bind,source=/srv/media,destination=/media,readonly=true,relabel=private \
        docker.io/jellyfin/jellyfin:latest

    On the host this is run by user jellyfin. jellyfin user is added to group render, because on the host:

    Code:
    $ ls -l /dev/dri
    total 0
    drwxr-xr-x 2 root root        80 Oct 25 22:06 by-path
    crw-rw---- 1 root video  226,  0 Oct 25 22:06 card0
    crw-rw---- 1 root render 226, 128 Oct 25 22:06 renderD128


    I had read that --group-add keep-groups would allow use of supplemental groups (i.e., render, in this case) within the container.

    This is a Ryzen 9 7900 system so it's set to use VA-API for hardware acceleration with the relevant supported file types chosen for hardware decode, and HEVC chosen for hardware encode.

    Hardware decoding appears to work. Any time it wants to transcode though, it fails with this error in the jellyfin-ffmpeg log:

    Code:
    Failed to set value '[0:2]scale,scale=1920:1080:fast_bilinear[sub];[0:0]setparams=color_primaries=bt709:color_trc=bt709:colorspace=bt709,scale_vaapi=format=nv12:extra_hw_frames=24,hwdownload,format=nv12[main];[main][sub]overlay=eof_action=pass:repeatlast=0,hwupload_vaapi' for option 'filter_complex': Generic error in an external library

    Error parsing global options: Generic error in an external library

    A bit of searching suggested this was a permissions problem, so on the host I did:

    Code:
    $ sudo chmod -c a+rw /dev/dri/renderD128
    mode of '/dev/dri/renderD128' changed from 0660 (rw-rw----) to 0666 (rw-rw-rw-)

    Now it all works. It is able to transcode. So it definitely was a permissions problem. I don't understand why though, and I can't work out how to make it work without making the device world writeable.

    Reverting what I did with chmod there, here's what it looks like inside the container:

    Code:
    $ podman exec -it jellyfin /bin/bash
    jellyfin@e0dec4e11544:/$ id; ls -l /dev/dri
    uid=990(jellyfin) gid=989(jellyfin) groups=989(jellyfin),65534(nogroup)
    total 0
    crw-rw---- 1 nobody nogroup 226,  0 Oct 25 22:06 card0
    crw-rw---- 1 nobody nogroup 226, 128 Oct 25 22:06 renderD128

    So I'm in this extra group with id 65534 which I understand to be the render group, it's just that the host's render group id of 105 is not one I have permission to use so it clips it to 65534. However, the device node is group writeable to group 65534, so why doesn't it work?

    If anyone does know what I am missing please do let me know!

    Thanks,
    Andy
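
    A host-side check for the question above, as an added example that is not part of the original post: IDs with no mapping in the container's user namespace are all displayed inside it as the overflow ID (65534 by default), so the in-container `id` and `ls` output cannot show which host group the process actually holds. The script compares the process's groups with the device node's GID using host values; the function names and sample data are constructed for illustration, and ACLs and capabilities are ignored.

```python
#!/usr/bin/env python3
"""Does a container process hold the host GID that owns a device node?"""
import os
import stat
import sys

# Constructed sample (not from the post): /proc/<pid>/status as read on the host
# for a process started without the host render GID (105) among its groups.
SAMPLE_STATUS = ("Name:\tjellyfin\nUid:\t990\t990\t990\t990\n"
                 "Gid:\t989\t989\t989\t989\nGroups:\t989\n")
# (st_uid, st_gid, st_mode) for root:render crw-rw----, matching the host ls output.
SAMPLE_NODE = (0, 105, stat.S_IFCHR | 0o660)


def parse_status(text):
    """Return (fsuid, fsgid, supplementary groups) from /proc/<pid>/status text."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    fsuid = int(fields["Uid"].split()[3])  # columns: real, effective, saved, fs
    fsgid = int(fields["Gid"].split()[3])
    groups = {int(g) for g in fields.get("Groups", "").split()}
    return fsuid, fsgid, groups


def dac_access(fsuid, fsgid, groups, st_uid, st_gid, st_mode):
    """Pick the owner/group/other class the kernel would use; report read+write."""
    if fsuid == st_uid:
        cls, bits = "owner", stat.S_IRUSR | stat.S_IWUSR
    elif st_gid == fsgid or st_gid in groups:
        cls, bits = "group", stat.S_IRGRP | stat.S_IWGRP
    else:
        cls, bits = "other", stat.S_IROTH | stat.S_IWOTH
    return cls, (st_mode & bits) == bits


def report(status_text, node):
    """One-line summary of the decision for a status text and a node tuple."""
    uid, gid, groups = parse_status(status_text)
    cls, ok = dac_access(uid, gid, groups, *node)
    return (f"fsuid={uid} fsgid={gid} groups={sorted(groups)} "
            f"node uid={node[0]} gid={node[1]} -> class={cls} rw={ok}")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # arguments: <host pid> <device path>
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
        st = os.stat(sys.argv[2])
        print(report(text, (st.st_uid, st.st_gid, st.st_mode)))
    else:  # no arguments: run on the constructed sample
        print(report(SAMPLE_STATUS, SAMPLE_NODE))
```

    Run it on the host with the container's PID (from `podman inspect --format '{{.State.Pid}}' jellyfin`) and `/dev/dri/renderD128` as arguments. A result of `class=other rw=False` means the process does not hold the device's host GID, which is the case the `chmod a+rw` workaround papers over.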