Skip to content

Instantly share code, notes, and snippets.

@aleksasiriski

aleksasiriski/proxmoxlxcjellyfin.md

Last active October 15, 2024 19:02
Show Gist options
  • Save aleksasiriski/820f22fadba72815f3eaf290465611a5 to your computer and use it in GitHub Desktop.
Save aleksasiriski/820f22fadba72815f3eaf290465611a5 to your computer and use it in GitHub Desktop.
Download ZIP
Proxmox LXC Alpine Docker Jellyfin
Raw
proxmoxlxcjellyfin.md

How to setup VA-API within Proxmox LXC Unprivileged container

Proxmox configuration

No drivers need to be installed on the proxmox, from now called host.

Find GIDs of video and render group on host:

cat /etc/group | grep video

cat /etc/group | grep render

They should be 44 and 103.

Allow those GIDs to be mapped to unprivileged containers by editing /etc/subgid file and adding these lines:

root:44:1
root:103:1

Also find GIDs for those same groups on container by running the same commands inside the LXC container.

INSIDE THE CONTAINER: cat /etc/group | grep video

INSIDE THE CONTAINER: cat /etc/group | grep render

If those commands return nothing, use 27 and 103.

Replace with your container ID. Edit /etc/pve/lxc/<containerid>.conf and add these lines to bottom:

lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 27
lxc.idmap: g 27 44 1
lxc.idmap: g 28 100028 75
lxc.idmap: g 103 103 1
lxc.idmap: g 104 100104 65432
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file

Explanation:

  1. Map all UIDs, starting from 0 on container to 100000 on host. There are 65536 IDs in total.
  2. Start from container GID 0 and map to host GID 100000, also map up to the video group GID from container.
  3. Map the container GID for video to host GID for video. Only one GID is mapped.
  4. Map from the next GID on container (container video GID + 1) to 100000 + that same GID. Map up to the render group GID from container (container render GID - (container video GID + 1)).
  5. Map container GID for render to host GID for render. Only one GID is mapped.
  6. Map from the next GID on container (container render GID + 1) to 100000 + that same GID. Map all of the remaining GIDs (65536 - (container render GID + 1)).

Container configuration (Alpine Linux from template)

Check GIDs of video and render group:

cat /etc/group | grep video

cat /etc/group | grep render

If the second command returns nothing, add the render group:

addgroup -S -g 103 render

Add root user or the user that is used to run jellyfin to video and render groups:

addgroup root video

addgroup root render

Install VA-API drivers for your specific GPU (Intel specific commands below):

apk add linux-firmware-intel linux-firmware-i915 intel-media-driver libva-intel-driver

Install docker and docker-compose:

apk add docker docker-compose

Enable docker service:

rc-update add docker

Reboot the container and use this docker-compose.yml for jellyfin (note the video and render GIDs in group_add section):

version: "3.9"
services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    ports:
      - "8096:8096"
    volumes:
      - jellyfin-config:/config:Z
      - jellyfin-cache:/cache:Z
      - <your media folder>:/media:ro,z
    group_add:
      - 27
      - 103
    devices:
      - /dev/dri:/dev/dri
    restart: always
@docop
Copy link

docop commented Jun 26, 2023

So we set an unpriviliged lxc and add the igpu as passthrough to this lxc .. and then proceed with this config, if i'm correct ? thanks on precision

@aleksasiriski
Copy link
Author

Proxmox configuration happens on Proxmox host, except for two INSIDE THE CONTAINER commands. Container configuration happens inside unprivileged LXC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment