nixos/jellyfin: better defaults for hardware acceleration

[Mic92]

Description of changes

I have not tested any of that. I just changed this based on recent additions to the wiki: https://nixos.wiki/wiki/index.php?oldid=7605&rc_id=7898

cc @makefu for testing

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[Mic92]

The wiki also suggests render. However I don't think nixos has such a group.

[minijackson]

On my system, /dev/dri/render* devices belongs to the render group (and /dev/dri/card* to the video group), so I think it is needed.

[06kellyjac]

Same

$ ls /dev/dri/render* -l
crw-rw-rw- 1 root render 226, 128 May 28 22:38 /dev/dri/renderD128

[Mic92]

Not so sure what to do with this one? Do I still need to pass an empty DeviceAllow before I make additions?

[Mic92]

I guess its not relevant anymore because we are already dropped ProtectClock before that.

[minijackson]

I would personally replace this line with ProtectClock = true, now. I think I remember putting that comment here because there was a conflict between ProtectClock = true and DeviceAllow = "" / PrivateDevices = true, but it shouldn't bother us anymore. In any case, I don't see a usecase for jellyfin to modify the hardware / system clock.

[Mic92]

It cannot do this anyway because the system call filter below blocks such system calls. I don't think an unprivileged user could do this anyway and setuid is not allowed either.

[Artturin]

@peperunas

[makefu]

The "render" group came from the jellyfin documentation, just added it ( https://jellyfin.org/docs/general/administration/hardware-acceleration.html )

I thought about adding a flag for enabling access to /dev/dri, however i am unsure if it would really provide some security benefits in contrast to the complexity of users trying to find out why hardware transcode does not work.

[minijackson]

Is there a reason to explicitly set it to false here? I'm not aware of an option set here that sets PrivateDevices = true.

[makefu]

The main reason was that when keeping it set to true still does not work for me ... i have not investigated further

[06kellyjac]

as a note we should probably keep the comment original

Disabled to allow Jellyfin to access hw accel devices endpoints

[minijackson]

I think my wording was a bit ambiguous: I don't mind having PrivateDevices set to false, but since it should be the default behavior, why not remove this line entirely?

[minijackson]

I haven't tested this yet, but in principle I'm all for it. One thing to note is from the systemd.resource-control(5) man page, under the DeviceAllow= section:

The device group is matched according to filename globbing rules, you may hence use the "*" and "?" wildcards. (Note that such globbing wildcards are not available for device node path specifications!)

From what I understand, this would mean that DeviceAllow = [ "/dev/dri/*" ]; isn't understood by systemd? We might need to put DeviceAllow = [ "char-drm rw" ]; instead.

[makefu]

@minijackson i will test your proposal

[06kellyjac]

see also:

#108224 (comment)

[makefu]

I checked the different parameters, however i have not managed to get jellyfin to transcode without setting privateDevices=false

Upstream also essentially gave up: jellyfin/jellyfin@dd8b9e9#diff-3d806a09406ac27e205da315a5f9ad987eec663f657b3dda296b4712c8a73d73R27

according to #163491 (comment) adding nvidia-specific whitelisting works, however i cannot get it running for vaapi with my intel card.

Error:

[AVHWDeviceContext @ 0x1d119c0] No VA display found for device /dev/dri/renderD128.
Device creation failed: -22.
Failed to set value '/dev/dri/renderD128' for option 'vaapi_device': Invalid argument
Error parsing global options: Invalid argument

adding "render" supplementaryGroup is mandatory for transcoding to work

[Artturin]

we should use upstream settings unless we need to do something nixos specific
https://github.com/jellyfin/jellyfin/blob/master/debian/jellyfin.service

[Mic92]

we should use upstream settings unless we need to do something nixos specific https://github.com/jellyfin/jellyfin/blob/master/debian/jellyfin.service

I synced this up now with upstream.

[Mic92]

Those are the only settings we add. Everything else should be pretty much the same as upstream.

[minijackson]

Did you mean https://github.com/jellyfin/jellyfin/blob/master/fedora/jellyfin.service (fedora instead of debian)? I got confused because following the link I saw no hardening

[Mic92]

Looks like they dropped stuff again from debian.

[minijackson]

@ofborg test jellyfin

[minijackson]

Thanks a lot!