Differences

This shows you the differences between two versions of the page.

vm:proxmox:lxc:google_coral [2024/12/08 11:18] niziakvm:proxmox:lxc:google_coral [2024/12/08 16:06] (current) niziak
Line 25: Line 25:
   * Most solution on Internet provides workarounds:   * Most solution on Internet provides workarounds:
     * ugly and unsafe solution like:''chmod 666'' by udev and unprivileged LXC     * ugly and unsafe solution like:''chmod 666'' by udev and unprivileged LXC
-    * still unsafe using LXC idmap to give access to ''video'' and ''render'' group (I don't want to give so wide access).+    * still unsafe using ''lxc.idmap'' to give access from LXC to devices in ''video'' and ''render'' group (I don't want to give so wide access).
     * one time solution - like ''chown /dev/bus/usb/002/*'' before container start by LXC hook.     * one time solution - like ''chown /dev/bus/usb/002/*'' before container start by LXC hook.
       * this solution cannot survive lots of scenarios (udev reload, usb reset, usb cable reconnect)       * this solution cannot survive lots of scenarios (udev reload, usb reset, usb cable reconnect)
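Review bot: the unchanged context lines of this hunk still carry grammar slips that the rewrite of the idmap bullet did not touch: ''Most solution on Internet provides workarounds'' should read ''Most solutions on the Internet provide workarounds'', and ''like:''chmod 666''' needs a space after the colon. The reworded ''lxc.idmap'' bullet now says precisely what is granted (every host device in the ''video'' and ''render'' groups, not one device), which is the right level of detail; for symmetry the ''chmod 666'' bullet could say why it is unsafe, namely that a world-writable device node is reachable from every user and every container on the host, not only the one that needs the Coral.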
Line 86: Line 86:
 ===== ERROR: Unable to poll intel GPU stats: Failed to initialize PMU! (Permission denied) ===== ===== ERROR: Unable to poll intel GPU stats: Failed to initialize PMU! (Permission denied) =====
  
-The container lacks the necessary permissions to access the performance monitoring unit.+This error is "informational"
 +Rendering on ''/dev/dri/renderD128'' **works** but container lacks the necessary permissions to access the performance monitoring unit.  
 +Frigate wants this to show GPU usage statistics.
  
-Reproduce:+Reproduce in LXC:
 <code bash> <code bash>
 # apt install intel-gpu-tools # apt install intel-gpu-tools
Line 94: Line 96:
 Failed to initialize PMU! (Permission denied) Failed to initialize PMU! (Permission denied)
 </code> </code>
 +
 +Host Kernel prevents access to performance events subsystem for unprivileged users. Security level is controller by sysctl:
 +<code bash>
 +# sysctl kernel.perf_event_paranoid
 +kernel.perf_event_paranoid = 4
 +</code>
 +
 +where values:
 +  * ''-1'' Allow use of (almost) all events by all users. Ignore mlock limit after ''perf_event_mlock_kb'' without ''CAP_IPC_LOCK''
 +  * ''>=0'' Disallow ftrace function tracepoint by users without ''CAP_SYS_ADMIN''. Disallow raw tracepoint access by users without ''CAP_SYS_ADMIN''
 +  * ''>=1'' Disallow CPU event access by users without ''CAP_SYS_ADMIN''
 +  * ''>=2'' Disallow kernel profiling by users without ''CAP_SYS_ADMIN''
 +
 +<code bash>
 +sysctl --write kernel.perf_event_paranoid=NEWVALUE
 +</code>
 +
 +I suppose this is not possible to use unpriv LXC and enable ''CAP_SYS_ADMIN'' (multiple trials with ''lxc.cap.drop'' and ''lxc.cap.keep'').
 +It works when <code bash>sysctl --write kernel.perf_event_paranoid=0</code> which is still safer (there were kernel vulnerabilities) than giving container ''CAP_SYS_ADMIN''.
 +
 +When Frigate is running and performance events are accessible in LXC, command <code bash>intel_gpu_top</code> show nicely formatted text statistics:
 +
 +{{:vm:proxmox:lxc:pasted:20241208-144931.png}}
  
 ===== references ===== ===== references =====
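Review bot: the workaround added near the end of this hunk, ''sysctl --write kernel.perf_event_paranoid=0'', is a host-wide setting rather than a per-container one, so the text should state that it lowers the restriction for every unprivileged process on the Proxmox host and in every LXC on it, not only the Frigate container; by the hunk's own value list, at ''0'' any such process may open CPU events and profile the kernel, and only tracepoint access stays blocked. ''sysctl --write'' also does not survive a reboot; the persistent form is a drop-in file under ''/etc/sysctl.d/''. The failed trials with ''lxc.cap.drop'' and ''lxc.cap.keep'' deserve one sentence of explanation: the kernel checks ''CAP_PERFMON'' (or ''CAP_SYS_ADMIN'') against the initial user namespace, so a capability held inside an unprivileged container's own user namespace does not count, and no container configuration can change that outcome. Two smaller points: the value list stops at ''>=2'' while the host reports ''4'', a level that I believe comes from a Debian kernel patch under which unprivileged processes cannot call ''perf_event_open'' at all, so the list should say why ''4'' appears; and the added prose has typos, ''Security level is controller by sysctl'' should be ''controlled'', and ''intel_gpu_top show nicely formatted'' should be ''shows''.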