====== Google Coral USB in LXC ======
to Frigate container
===== Google Coral =====
After power-up Google Coral is in boot mode:
Bus 002 Device 005: ID 1a6e:089a Global Unichip Corp.
It needs software to run. So Proxmox host or LXC must upload firmware.
After successful init Google Coral changes its USB id to:
Bus 002 Device 006: ID 18d1:9302 Google Inc.
Frigate contains Coral firmware and can init it.
===== Issues to solve =====
Coral:
* Frigate needs access to e.g.: ''/dev/bus/usb/002/005''
* Most solution on Internet provides workarounds:
* ugly and unsafe solution like:''chmod 666'' by udev and unprivileged LXC
* still unsafe using ''lxc.idmap'' to give access from LXC to devices in ''video'' and ''render'' group (I don't want to give so wide access).
* one time solution - like ''chown /dev/bus/usb/002/*'' before container start by LXC hook.
* this solution cannot survive lots of scenarios (udev reload, usb reset, usb cable reconnect)
iGPU acceleration:
* Frigate needs access to ''/dev/dri/renderD128'' - givin access to LXC simply works
iGPU performance monitors:
===== Setup =====
==== docker-compose ====
services:
frigate:
privileged: true # still in unpriv LXC so don't care
devices:
- /dev/bus/usb:/dev/bus/usb # Passes the USB bus
- /dev/dri/renderD128:/dev/dri/renderD128 # For intel hwaccel
==== LXC ====
features: fuse=1, nesting=1
unprivileged: 1
lxc.cgroup2.devices.allow: c 226:128 rwm # iGPU
lxc.cgroup2.devices.allow: c 189:* rwm # USB Coral TPU
lxc.mount.entry: /dev/bus/usb/002 dev/bus/usb/002 none bind,optional,create=dir,mode=664 # USB Coral TPU
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file 0,0 # iGPU (u=root g=render)
In Frigate's LXC shell:
groupadd -g 11000 lxc_gpu_shares
groupadd -g 11002 lxc_usb2_shares
usermod -aG lxc_gpu_shares,lxc_usb2_shares root
==== Host ====
On Proxmox host:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1a6e", ATTRS{idProduct}=="089a", MODE="0664", OWNER="100000", GROUP="111002"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9302", MODE="0664", OWNER="100000", GROUP="111002"
KERNEL=="renderD128", MODE="0664", OWNER="100000", GROUP="111000"
udevadm control --reload-rules && udevadm trigger
===== ERROR: Unable to poll intel GPU stats: Failed to initialize PMU! (Permission denied) =====
This error is "informational".
Rendering on ''/dev/dri/renderD128'' **works** but container lacks the necessary permissions to access the performance monitoring unit.
Frigate wants this to show GPU usage statistics.
Reproduce in LXC:
# apt install intel-gpu-tools
# intel_gpu_top
Failed to initialize PMU! (Permission denied)
Host Kernel prevents access to performance events subsystem for unprivileged users. Security level is controller by sysctl:
# sysctl kernel.perf_event_paranoid
kernel.perf_event_paranoid = 4
where values:
* ''-1'' Allow use of (almost) all events by all users. Ignore mlock limit after ''perf_event_mlock_kb'' without ''CAP_IPC_LOCK''
* ''>=0'' Disallow ftrace function tracepoint by users without ''CAP_SYS_ADMIN''. Disallow raw tracepoint access by users without ''CAP_SYS_ADMIN''
* ''>=1'' Disallow CPU event access by users without ''CAP_SYS_ADMIN''
* ''>=2'' Disallow kernel profiling by users without ''CAP_SYS_ADMIN''
sysctl --write kernel.perf_event_paranoid=NEWVALUE
I suppose this is not possible to use unpriv LXC and enable ''CAP_SYS_ADMIN'' (multiple trials with ''lxc.cap.drop'' and ''lxc.cap.keep'').
It works when sysctl --write kernel.perf_event_paranoid=0
which is still safer (there were kernel vulnerabilities) than giving container ''CAP_SYS_ADMIN''.
When Frigate is running and performance events are accessible in LXC, command intel_gpu_top
show nicely formatted text statistics:
{{:vm:proxmox:lxc:pasted:20241208-144931.png}}
===== references =====
* [[https://github.com/Bytelake/Coral-in-LXC|Coral-in-LXC]]
* [[https://www.reddit.com/r/frigate_nvr/comments/1cr9akm/frigate_inside_lxc_on_proxmox_google_coral_usb/|Frigate inside LXC on Proxmox [Google Coral USB, iGPU passthrough] ]]
* [[https://github.com/google-coral/edgetpu/issues/536|Coral USB changing ID and Vendor
#536]]