
[Support]: Frigate 0.12 does not start in LXC unprivileged environment #6075

Closed
ivlis opened this issue Apr 14, 2023 · 9 comments

Comments

ivlis commented Apr 14, 2023

Describe the problem you are having

Frigate cannot start after updating to 0.12. The same setup works perfectly for 0.11.1

Docker compose config:

  frigate:
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:0.12.0
    # privileged: true
    shm_size: "512mb" 
    devices:
      - /dev/dri/renderD128 # for intel hwaccel, needs to be updated for your hardware
      - /dev/bus/usb # usb for coral
    user: root
    group_add:
      - "105"
    volumes:
      - /etc/localtime:/localtime:ro
      - /config.yml:/config/config.yml:ro
      - /frigate:/media/frigate
      - type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    ports:
      - "9999:5000"
      - "1935:1935" # RTMP feeds
    environment:
      FRIGATE_RTSP_PASSWORD: "<>"
      LIBVA_DRIVER_NAME: "iHD"
      TZ: America/New_York

Version

0.12.0

Frigate config file

NA

Relevant log output

frigate-frigate-1  | s6-rc: info: service s6rc-fdholder: starting
frigate-frigate-1  | s6-rc: info: service s6rc-oneshot-runner: starting
frigate-frigate-1  | s6-rc: info: service s6rc-oneshot-runner successfully started
frigate-frigate-1  | s6-rc: info: service fix-attrs: starting
frigate-frigate-1  | s6-rc: info: service s6rc-fdholder successfully started
frigate-frigate-1  | s6-rc: info: service fix-attrs successfully started
frigate-frigate-1  | s6-rc: info: service legacy-cont-init: starting
frigate-frigate-1  | s6-rc: info: service legacy-cont-init successfully started
frigate-frigate-1  | s6-rc: info: service log-prepare: starting
frigate-frigate-1  | chown: changing ownership of '/dev/shm/logs/frigate': Invalid argument
frigate-frigate-1  | chown: changing ownership of '/dev/shm/logs/go2rtc': Invalid argument
frigate-frigate-1  | chown: changing ownership of '/dev/shm/logs/nginx': Invalid argument
frigate-frigate-1  | s6-rc: warning: unable to start service log-prepare: command exited 1

FFprobe output from your camera

NA

Frigate stats

NA

Operating system

Proxmox

Install method

Docker Compose

Coral version

USB

Network connection

Wired

Camera make and model

NA

Any other information that may be helpful

No response

@NickM-27 (Collaborator)

This seems like it might be an issue similar to the one listed in the breaking changes of the release notes. Many users are running proxmox without issue so it must be something related to that.


ivlis commented Apr 14, 2023

Thanks for responding. I checked my PATH variable and it appears to be correct:

echo $PATH
/usr/lib/btbn-ffmpeg/bin:/usr/local/go2rtc/bin:/usr/local/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

I think the issue is related to this:

chown nobody:nogroup "${dirs[@]}"

In an unprivileged LXC environment root is not really a root. Since /dev/shm is owned by the "real" root, the init script cannot change the ownership to nobody.

I removed that line of code and everything seems to work just fine, except the log is polluted with:

s6-applyuidgid: fatal: unable to setuid: Invalid argument

I'm not really familiar with s6 so I don't know what to fix :)

If you can explain why ownership of the file needs to be changed, I probably can fix this problem.

Edit: as expected, the logs tab is showing nothing in the UI.

@NickM-27 (Collaborator)

Frigate needs to run as root, you can see a similar conversation on the feature request #3108


ivlis commented Apr 14, 2023

That means it's another breaking change, because 0.11.1 runs in an unprivileged LXC just fine. I wonder if there is an option to run everything as root within the container without dropping to nobody? This adds no benefit for LXC because the root is already dropped.

@NickM-27 (Collaborator)

Hmm, maybe I'm misunderstanding, this requirement was the case before in 0.11 as far as I know.


ivlis commented Apr 14, 2023

There is a whole guide on how to run in LXC in this repo :)
#5773

@NickM-27 (Collaborator)

That's not official documentation to be clear. In any case, other users have followed that and not had this issue during the beta or full releases.


tkffaul commented Apr 14, 2023

I'm running in an LXC but using a privileged container. I'm also using Nvidia passthru... so to each their own, but I've had no issues with doing this. Been using this setup since version 8 with no issues (as far as passthru of storage and hardware). Even transitioned back and forth with a Coral TPU and Nvidia, both (for decode), and back to Nvidia for everything. I understand wanting to keep it unprivileged, but I pass storage and hardware in and it's just easier to keep it privileged. I have several LXCs accessing the same hardware and I didn't want to deal with the permission game that you're going to face trying to do this unprivileged.


ivlis commented Apr 15, 2023

Mystery solved. It turns out that when I was messing with lxc.idmap I mapped fewer users than I should have, so the nobody user (uid 65535) was not correctly mapped. After I added:

lxc.idmap: u 0 100000 65535

everything worked.

Thanks everyone for the help with this non-trivial bug.

@ivlis ivlis closed this as completed Apr 15, 2023
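The following is an added example (not Frigate's or LXC's own code) that models the diagnosis in the two ivlis comments above: it parses `lxc.idmap` lines (and the kernel's `/proc/self/uid_map` format), translates a container uid to its host uid, and reports whether `chown` to that uid can succeed. In a user namespace the kernel rejects chown to any uid that has no mapping with EINVAL, which is the "Invalid argument" in the log. The "short" map is a constructed stand-in for the original misconfiguration (its exact count is not stated in the thread); the uid for `nobody` is assumed to be 65534 as in Debian-based images.

```python
"""Check whether a container uid is mapped in an unprivileged LXC's user namespace.

Added example, not Frigate/LXC code. chown() to a uid with no entry in
/proc/self/uid_map fails with EINVAL ("Invalid argument") inside a user namespace.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdMapEntry:
    inside: int   # first id as seen inside the container
    outside: int  # first id as seen on the host
    count: int    # number of ids in the contiguous range


def parse_uid_map(text: str) -> List[IdMapEntry]:
    """Parse /proc/self/uid_map format: '<inside> <outside> <count>' per line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            inside, outside, count = (int(f) for f in fields)
            entries.append(IdMapEntry(inside, outside, count))
    return entries


def parse_lxc_idmap(text: str, kind: str = "u") -> List[IdMapEntry]:
    """Parse 'lxc.idmap: u <inside> <outside> <count>' lines from an LXC config."""
    entries = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "lxc.idmap":
            continue
        typ, inside, outside, count = value.split()
        if typ == kind:  # 'u' for uids, 'g' for gids
            entries.append(IdMapEntry(int(inside), int(outside), int(count)))
    return entries


def host_id(entries: List[IdMapEntry], container_id: int) -> Optional[int]:
    """Translate a container id to its host id, or None if it is unmapped."""
    for e in entries:
        if e.inside <= container_id < e.inside + e.count:
            return e.outside + (container_id - e.inside)
    return None


def chown_would_fail(entries: List[IdMapEntry], target_uid: int) -> bool:
    """True when chown to target_uid would return EINVAL (uid not in the map)."""
    return host_id(entries, target_uid) is None


# Constructed samples: a too-short map (assumed stand-in) and the fix from the thread.
SHORT_MAP = "lxc.idmap: u 0 100000 1000\n"
FIXED_MAP = "lxc.idmap: u 0 100000 65535\n"  # covers container uids 0..65534
NOBODY_UID = 65534  # Debian 'nobody'; assumed for the Frigate image
```

On a live container, feeding `open("/proc/self/uid_map").read()` to `parse_uid_map` shows the mapping the kernel actually applied, independent of the LXC config file.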