/dev/dri/renderD128 owned by "render" group on some hosts #105

Closed
nattvard opened this issue Jul 7, 2020 · 5 comments

nattvard commented Jul 7, 2020

I'm using Intel VAAPI to enable hardware acceleration on decoding the streams. For this to work, /dev/dri/ must be available to the container, and the www-data user must be in the group owning /dev/dri/renderD128.

In newer versions of Ubuntu (19+ ?) /dev/dri/renderD128 is owned by render instead of video. www-data is added to video, but not to the render group (that doesn't exist). As seen below, the render group 109 is not known inside the container.

Host ownership:

$ ls -l /dev/dri
total 0
drwxr-xr-x 2 root root         80 Jul  7 14:20 by-path
crw-rw---- 1 root video  226,   0 Jul  7 14:20 card0
crw-rw---- 1 root render 226, 128 Jul  7 14:20 renderD128

Container ownership:

$ docker exec zoneminder ls -l /dev/dri
total 0
crw-rw---- 1 root video 226,   0 Jul  7 16:20 card0
crw-rw---- 1 root   109 226, 128 Jul  7 16:20 renderD128

The groups of www-data inside the container:

$ docker exec zoneminder groups www-data
www-data : www-data mail video

My fix to this was to create the render group and add the www-data user to it in userscript.sh:

echo "Creating render group"
groupadd -g 109 render
echo "Adding www-data to render group"
usermod -a -G render www-data

My docker-compose.yml:

version: '3.1'
services:
    zoneminder:
        container_name: zoneminder
        image: dlandon/zoneminder:latest
        restart: unless-stopped
        ports:
            - 8080:80/tcp
            - 8443:443/tcp
            - 9000:9000/tcp
        network_mode: "bridge"
        privileged: true
        environment:
            - TZ=Europe/Stockholm
            - SHMEM=50%
            - PUID=1000
            - PGID=1000
            - INSTALL_HOOK=0
            - INSTALL_FACE=0
            - INSTALL_TINY_YOLO=0
            - INSTALL_YOLO=0
            - MULTI_PORT_START=0
            - MULTI_PORT_END=0
            - ADVANCED_SCRIPT=1
        devices:
            - /dev/dri:/dev/dri
        volumes:
            - ~/zoneminder/config:/config:rw
            - ~/zoneminder/data:/var/cache/zoneminder:rw

It seems like there was a similar issue with Plex in Docker, as seen here: linuxserver/docker-plex#211

kevkid commented Dec 12, 2020

@nattvard Could you please tell me how you got HW acceleration to work? Did you have to install intel-media-va-driver-non-free -y?

joselito11 commented Dec 27, 2020

I had to add the command: sudo chmod 666 /dev/dri/renderD128
Then the error for setting hardware acceleration disappeared.
For a persistent fix on reboot, I had to make a script and a cron job:

sudo nano video.sh

#!/bin/bash
# check for the existence of the render device before changing its mode
if [ -c /dev/dri/renderD128 ]; then
    echo "Running: sudo chmod a+rw /dev/dri/renderD128"
    sudo chmod a+rw /dev/dri/renderD128
else
    exit 1
fi


sudo chmod +x video.sh


sudo crontab -e

@reboot /home/t/video.sh

@kabadisha

I have been investigating this and found a really elegant solution to the permissions issue that the guys over at linuxserver used for their Plex image.

The script is a direct clone of their version; I have just added some echoes to show what is going on and changed the user to the www-data one we use for ZoneMinder.

It adds the www-data user to the appropriate group(s) if they already exist or creates new groups as required.
This has the benefit of meaning that you don't have to mess with the permissions of the /dev/dri/* devices on the host.

To apply this workaround, add this to your user script:

#!/bin/bash
#
# Script to set up permissions on hardware devices for GPU support.
# Inspired by how the guys over at linuxserver did this for their Plex image:
# https://github.com/linuxserver/docker-plex/blob/master/root/etc/cont-init.d/50-gid-video
#

echo "Granting permissions on /dev/dri/* devices..."

FILES=$(find /dev/dri /dev/dvb -type c -print 2>/dev/null)

for i in $FILES
do
	VIDEO_GID=$(stat -c '%g' "$i")
	if id -G www-data | grep -qw "$VIDEO_GID"; then
		echo "The www-data user already has appropriate permissions on $i"
		touch /groupadd
	else
		if [ ! "${VIDEO_GID}" == '0' ]; then
			VIDEO_NAME=$(getent group "${VIDEO_GID}" | awk -F: '{print $1}')
			if [ -z "${VIDEO_NAME}" ]; then
				VIDEO_NAME="video$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c8)"
				groupadd "$VIDEO_NAME"
				groupmod -g "$VIDEO_GID" "$VIDEO_NAME"
				echo "Generated a new group called: $VIDEO_NAME with id: $VIDEO_GID to match existing group on: $i"
			fi
			usermod -a -G "$VIDEO_NAME" www-data
			echo "Added user www-data to group $VIDEO_NAME so that it has permission to use: $i"
			touch /groupadd
		fi
	fi
done

if [ -n "${FILES}" ] && [ ! -f "/groupadd" ]; then
	usermod -a -G root www-data
	echo "Added user www-data to root group for lack of a better option."
fi

I'm going to raise a PR with dlandon and see if he/she wants to roll this approach into the build.
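
An added example, not part of any comment in this thread and not the project's code: a read-only audit that reports which of the situations discussed above each device node is in (world read/write after a chmod 666, reachable through group membership, owned by a GID with no group entry such as 109, or simply not a member). The function names are made up for this example, and GNU `stat -c` is assumed.

```sh
#!/bin/sh
# Added example: classify how a service account reaches a device node.
# Function names are illustrative; requires GNU stat (-c).

# classify_node "<space-separated GIDs of the user>" <path>
# Prints one of: world-rw | member | gid-unmapped | not-member
classify_node() (
    gids=$1 node=$2
    mode=$(stat -c '%a' "$node") || exit 1
    gid=$(stat -c '%g' "$node")
    other=${mode#"${mode%?}"}            # last octal digit = "other" bits
    if [ $(( other & 6 )) -eq 6 ]; then
        echo world-rw                    # any local user can open the node
    elif case " $gids " in *" $gid "*) true ;; *) false ;; esac; then
        echo member                      # access comes from group membership
    elif [ -z "$(getent group "$gid")" ]; then
        echo gid-unmapped                # numeric GID only, no group entry
    else
        echo not-member                  # group exists, user is not in it
    fi
)

# audit_devices <user>: one line per character device in /dev/dri, /dev/dvb
audit_devices() (
    user=${1:-www-data}
    gids=$(id -G "$user") || exit 1
    find /dev/dri /dev/dvb -type c 2>/dev/null | while read -r node; do
        printf '%s gid=%s %s\n' "$node" "$(stat -c '%g' "$node")" \
            "$(classify_node "$gids" "$node")"
    done
)

# Run the audit only when a user name is given, e.g.: sh audit.sh www-data
if [ "$#" -gt 0 ]; then
    audit_devices "$1"
fi
```

Run it inside the container before and after the user script: a node that reports `world-rw` is open to every account that can see it, while `member` means access is limited to the owning group.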

@kabadisha

Opened a PR here: #146

Owner

dlandon commented Dec 31, 2020

Fixed in the next release.
