Package: base-passwd
Version: 3.5.52build1
Severity: normal
X-Debbugs-Cc: [email protected]

Dear Maintainer,

* What led up to the situation?

The transition of /dev/dri/renderD* from the video to the render group in SystemD has led to issues due to the lack of a fixed GID for render. This has impacted various projects and forced the community to adopt workarounds; some of these workarounds are potentially a security hazard (e.g. enabling privileged mode or root access to mitigate this issue). This impacts Docker users and VM users the most.

Reference commit ID: github.com/systemd/systemd/commit/4e15a7343cb389e97f3eb4f49699161862d8b8b2

Some examples of issues around this:

https://github.com/blakeblackshear/frigate/issues/7640
https://unix.stackexchange.com/questions/747523/docker-permissions-issue-accessing-dev-dri-device
https://github.com/linuxserver/docker-plex/issues/211
https://support.xilinx.com/s/question/0D52E00006mfsHaSAI/permission-denied-when-running-hardware
https://github.com/jellyfin/jellyfin/issues/9229

As the `render` group is crucial for GPUs, and as the render group is now associated with `/dev/dri/renderD*`, it means that currently this GPU GID is randomly set.

* What exactly did you do (or not do) that was effective (or ineffective)?

The existing community approach is either to run in root mode or privileged mode, or, if they have access to the host, to run --group-add=$(stat -c "%g" /dev/dri/render*) on the host to launch Docker, but this assumes host access is provided.

* What was the outcome of this action?

It does work, but with lots of compromise, either from a security point of view, or limited access to the host, or requiring external scripts to figure out the GID of the `render` group for GPU access.

* What outcome did you expect instead?

Before this change from SystemD, `/dev/dri/renderD*` used to be under the `video` group, which is fixed, and this allowed users to use the GPU without experiencing permission denied issues.

Having a fixed GID for the `render` group would have the same effect and would allow GPU based applications to avoid running in root or privileged mode or requiring them to run on the host.

-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.0-37-generic (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages base-passwd depends on:
ii  libc6             2.35-0ubuntu3.5
ii  libdebconfclient0 0.261ubuntu1

Versions of packages base-passwd recommends:
ii  debconf [debconf-2.0]  1.5.79ubuntu1

base-passwd suggests no packages.

-- debconf information excluded
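The host-side workaround the report describes (reading the GID that owns the render nodes and passing it with --group-add instead of using --privileged or root), written out as an added example; this is not part of the bug report or of base-passwd. It assumes GNU coreutils `stat` on Linux, and takes the device directory and group file as parameters so the check can be exercised on a constructed directory as well as on the real /dev/dri and /etc/group.

```shell
#!/bin/sh
# Added example, not from the bug report: resolve the GID that owns the
# /dev/dri/renderD* nodes on the host so a container can be started with the
# matching --group-add flags rather than as root or with --privileged.

# Print the distinct numeric GIDs owning renderD* nodes in $1 (default
# /dev/dri), one per line. Returns 1 when no render node exists.
render_gids() {
    dir="${1:-/dev/dri}"
    set -- "$dir"/renderD*
    [ -e "$1" ] || return 1
    stat -c '%g' "$@" | sort -u
}

# Emit one --group-add=<gid> argument per distinct GID, ready to be
# spliced into a docker run command line, e.g.:
#   docker run $(render_group_args) --device /dev/dri ... image
render_group_args() {
    render_gids "$1" | while read -r gid; do
        printf '%s\n' "--group-add=$gid"
    done
}

# Compare the GID recorded for "render" in the group file ($2, default
# /etc/group) with the GID actually owning the device nodes in $1.
# Returns 0 on match, 1 on mismatch, 2 when no render node is present.
# A mismatch is exactly the situation the report describes: an image that
# bakes in one render GID meets a host whose nodes are owned by another.
check_render_gid() {
    dir="${1:-/dev/dri}"
    group_file="${2:-/etc/group}"
    dev_gid=$(render_gids "$dir") || { echo "no renderD* nodes in $dir"; return 2; }
    etc_gid=$(awk -F: '$1 == "render" { print $3 }' "$group_file")
    if [ "$dev_gid" = "$etc_gid" ]; then
        echo "render group gid $etc_gid matches device nodes in $dir"
        return 0
    fi
    echo "mismatch: $group_file has render=$etc_gid, nodes in $dir owned by gid $dev_gid"
    return 1
}
```

On a real host, `check_render_gid` with no arguments inspects /dev/dri and /etc/group; a non-zero exit from it before starting a container is the signal that a hard-coded render GID in the image will not line up with the host.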

