Jellyfin in an Unprivileged LXC Container
This will allow a Jellyfin instance to run in an unprivilidged LXC Container.Container with an iGPU passed into it. Either as an install or in a Docker image.
On the Proxmox Host System
Find Device Numbers
ls -l /dev/driFind Group Numbers
cat /etc/groupAdd Group Numbers Values to subgid
Change values to map the to above ^^
nano /etc/subgidPaste at the bottom, for example:
root:44:1
root:104:1Create CT Container
Using Wizard. Edit .conf In /etc/pve/lxc
Edit your device IDs and renderD*** Ensure you match the idmap values
arch: amd64
cores: 2
cpulimit: 2
features: nesting=1
hostname: test-gpu-04
memory: 3000
mp2: /mnt/barracuda/videos,mp=mnt/media,ro=1 #This is the mount point for the jellyfin media files
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:06:18:78,ip=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-104-disk-0,size=20G
swap: 512
unprivileged: 1
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 107 104 1
lxc.idmap: g 108 100108 65428Add Root to Groups
Do this on your Proxmox Host
usermod -aG render,video rootPreliminary CT Container Work
After logging in as the root user to the newly created LXC container, make sure the system is up to dated
apt update && apt upgrade -yIf you are going to have a super user sudo should be installed
apt install sudo You may wish to add a superuser and perhaps a docker user to the Container.
adduser <username>You will also want to add the group that is mapped from the host to access the passed in mount point(s)
groupadd -g 10000 lxc_sharesAdd the super user to this group for easy naviagaion. If you are going to run Jellyin in a Docker Container the user that will run Jellyfin will require access to this group.
usermod -aG lxc_shares <username>If you are installing Jellyfin directly to the Container, the jellyfin user will require inclusion in this group after it is created by the install process.
Installing Jellyfin
We will cover two methods of installing Jellyfin in this unpriviledged container. Install Jelllyfin Directly and via Docker.
Installing Jellyfin directly as an application inside the container
To do this you will need to install the extrepo, enable the repo, then update the sources and install Jellyfin as below.
apt install extrepo
extrepo enable jellyfin
apt update && apt install jellyfin -yNote: The jellyfin user will require inclusion in the lxc_shares group as described above to access the media mount point.
You may be required to update the Jellyfin Apt Key to install Jellyfin
Doing this is as easy as re-running the command from the install docs; it will overwrite the old key with the new one:
wget -O- https://repo.jellyfin.org/jellyfin_team.gpg.key | sudo apt-key add -You can verify this worked by checking the apt-key output like so; this is a good practice anyways to verify that the key has not been altered, as its signatures and fingerprint should all match:
$ apt-key list | grep -C2 jellyfin # Notice the expires: field
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub rsa3072 2018-12-16 [SC] [expires: 2020-12-15]
4918 AABC 486C A052 358D 778D 4902 3CD0 1DE2 1A7B
uid [ unknown] Jellyfin Team <[email protected]>
sub rsa3072 2018-12-16 [E] [expires: 2020-12-15]
$ wget -O- https://repo.jellyfin.org/jellyfin_team.gpg.key | sudo apt-key add -
[...]
$ apt-key list | grep -C2 jellyfin # Notice the expires: is now gone
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub rsa3072 2018-12-16 [SC]
4918 AABC 486C A052 358D 778D 4902 3CD0 1DE2 1A7B
uid [ unknown] Jellyfin Team <[email protected]>
sub rsa3072 2018-12-16 [E]If you find this didn't work, try removing the key first with this command, then re-add it again:
sudo apt-key remove 1DE21A7B
Installing Jellyfin via Docker
Prerequisite;
- Install Docker as per usual
- Install Docer Compose as per usual
Create a folder for the Docker Compose file(s) for Jellyfin. In this folder create a docker_compose.yaml files and include the following, modifying as needed for your system.
version: "2"
services:
jellyfin:
image: jellyfin/jellyfin
container_name: jellyfin
group_add:
- '107' # This needs to be the group id of your GPU, e.g., `stat -c '%g' /dev/dri/renderD128` on the docker host for iGPU
environment:
- TZ=America/Toronto
- PUID=1005 # User created to run docker containers
- PGID=10000 # Group created to access the LXC_SHARES
volumes:
- /srv/containers/jellyfin/config:/config
- /srv/containers/jellyfin/cache:/cache
- /mnt/media/video:/media/video:ro # Mount point for the Jellyfin Media files mapped in from the LXC config file
# - /home/ubuntu/YOUR_NAS/Films:/Films:ro
# - /home/ubuntu/YOUR_NAS/TVShows:/TVShows:ro
# - /home/ubuntu/YOUR_NAS/Audiobooks:/Audiobooks:ro
# - /home/ubuntu/YOUR_NAS/Music:/Music:ro
ports: # You will need to uncomment if you aren't running through a proxy
- 8096:8096
#- 8920:8920 #optional
#- 7359:7359/udp #optional
#- 1900:1900/udp #optional
devices: # uncomment these and amend if you require GPU accelerated transcoding
- /dev/dri/renderD128:/dev/dri/renderD128
restart: unless-stopped
Run Docker Comose in the folder where the .yaml files it to up the jellyfin Docker Image
docker compose up -dAfter the Jellyfin Install is complete
When Jellyfin is installed with your chosen method, setup Jellyfin as you would and configure access as required.
http://<YOUR CONTAINER IP>:8096