Quicksync permission problems when channels-dvr service runs as root

I am running a Debian unprivileged LXC container and having a permission problem accessing /dev/dri/renderD128. It appears that the channels-dvr service is configured to run as root user and group.

The character device /dev/dri/renderD128 is owned by nobody:render. And, "root" belongs to the render group. (see screenshot below).

But, when I test with curl as either a regular user or root, the logs say I don't have permission to access renderD128.

backdoc@MediaApps:~$ curl -XPOST http://localhost:8089/hls/hwaccel

2022/05/18 10:50:26.393634 [HWE] Cannot access /dev/dri/renderD128: permission denied

I have temporarily worked around this by changing the channels-dvr service to run as plex:plex and then recursively changed the ownership of the channels-dvr directory.

chown -R plex:plex /usr/local/channels-dvr 

I suppose I could create a new channels-dvr user and add them to the render and video group. But, I feel like I'm hacking things up.

Can you possibly help me figure out why the default root:root configuration for channels won't work?

I'm not sure how you installed channels in your container, but whatever user the setup.sh is run as is what the service will be run as.

I believe the vaapi drivers started discouraging render usage as root, and perhaps newer kernel versions now fully disallow it.


I installed as root. If the newer kernels disallow it, I guess my plex:plex workaround or creating a channels specific user are my best options, would you agree?

My only issue with leaving it as plex:plex is that if I ever removed plex, I'd break channels and I'd have to remember to go back and update the service and file permissions.

Yea I would create a user.

I guess I misremembered, and the limitations of root were related to using the device node not the render node. va_getDriverName() fails if vaapi already in use · Issue #20 · intel/libva · GitHub

Perhaps you have to do more work to wire up the DRI nodes to your container, and that is already in place for the plex user? With docker you have to make sure to map the devices.

It's been quite a while since I used LXC directly so I'm not really sure. Maybe LXC GPU Access | swigg

That's interesting. Although, I don't fully understand. The concept of a node loses me. But, it sounded like one of the comments said to create a "service user", if I understood correctly. I guess that's essentially what my plex user is. If my understanding is correct, I guess the best solution (if I want to rock the boat since it's all working atm) would be to create an "igpu" user and add that to the render and video group. Then, run all of my services as this user, Plex, Channels and whatever else I end up installing.

I actually have that link bookmarked. It's one of the 2 links that I found helpful configuring my LXC user and group mapping. The other link that I found helpful is this one.
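
A check for the situation discussed in this thread, added here as an example and not posted by any participant: it reports which permission class (owner, group or other) a uid and group list fall into for a node such as /dev/dri/renderD128, using only the mode bits and ignoring any root override. The function name node_access is hypothetical, and the script assumes GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the thread): classify access to a device node by
# plain owner/group/other rules, ignoring any root override.

# node_access PATH [UID] [GIDS]
#   UID and GIDS default to the caller's effective uid and group list.
#   Prints "<class>:<r|-><w|->", e.g. "group:rw"; returns 2 if stat fails.
node_access() {
    na_path=$1
    na_uid=${2:-$(id -u)}
    na_gids=${3:-$(id -G)}

    # GNU stat: numeric owner, numeric group, octal mode.
    na_info=$(stat -c '%u %g %a' "$na_path") || return 2
    set -- $na_info
    na_owner=$1 na_group=$2
    na_mode=$((0$3))            # leading 0 makes the shell parse it as octal

    # Exactly one class applies: owner first, then group, then other.
    na_class=other na_bits=$((na_mode & 7))
    for na_g in $na_gids; do
        if [ "$na_g" -eq "$na_group" ]; then
            na_class=group na_bits=$(( (na_mode >> 3) & 7 ))
        fi
    done
    if [ "$na_uid" -eq "$na_owner" ]; then
        na_class=owner na_bits=$(( (na_mode >> 6) & 7 ))
    fi

    na_r=- na_w=-
    if [ $((na_bits & 4)) -ne 0 ]; then na_r=r; fi
    if [ $((na_bits & 2)) -ne 0 ]; then na_w=w; fi
    printf '%s:%s%s\n' "$na_class" "$na_r" "$na_w"
}

# Script use: sh check.sh /dev/dri/renderD128
if [ "$#" -gt 0 ]; then
    node_access "$@"
fi
```

Run it as the same user and from the same context as the service: with no extra arguments it uses the groups of the calling process (`id -G`), which can differ from what /etc/group lists for that user.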