ffmpeg icon indicating copy to clipboard operation
ffmpeg copied to clipboard
verified publisher icon jrottenberg

Outputting files as another user (www-data)

Open dseeker opened this issue 7 years ago • 3 comments

I'm using the vaapi enabled docker via node.js spawn shell, it's working perfectly with HW acceleration. However the output encoded files are output as root:root, and so I cannot continue modifying the output with other applications that are running as www-data:www-data instead of root.

Upon using the user option the vaapi docker loses the privilege to access the vaapi device, here's the terminal log

docker run --device /dev/dri:/dev/dri -v /home/autoingest/:/autoingest --user 33:33 jrottenberg/ffmpeg:4.0-vaapi -stats -vaapi_device /dev/dri/renderD128 -hwaccel vaapi -hwaccel_output_format vaapi -hide_banner -t 30 -i "/autoingest/films/source.mov" -y -filter_complex 'format=nv12|vaapi..... 

[AVHWDeviceContext @ 0x55b407756400] No VA display found for device: /dev/dri/renderD128.
Device creation failed: -22.
Failed to set value '/dev/dri/renderD128' for option 'vaapi_device': Invalid argument
Error parsing global options: Invalid argument

Is there any other way I can force ffmpeg to output as a specific user?

dseeker avatar Oct 23 '18 15:10 dseeker

Not tested but I think if you add more capabilities to your run, you should be able to use the gpu while keeping www-data as writer.

--cap-add=SYS_ADMIN, so your command becomes

docker run --cap-add=SYS_ADMIN --device /dev/dri:/dev/dri -v /home/autoingest/:/autoingest --user 33:33 jrottenberg/ffmpeg:4.0-vaapi -stats -vaapi_device /dev/dri/renderD128 -hwaccel vaapi -hwaccel_output_format vaapi -hide_banner -t 30 -i "/autoingest/films/source.mov" -y -filter_complex 'format=nv12|vaapi.....

Let me know if that does the trick, I'll add it to the readme.

jrottenberg avatar Nov 23 '18 02:11 jrottenberg

@jrottenberg I tried adding --cap-add=SYS_ADMIN like you suggested, I tried adding both --cap-add=SYS_ADMIN and --cap-add= SYS_PTRACE like the Intel docs asked me to, and I tried --privileged=true.

None of them worked, I still have the same error

[AVHWDeviceContext @ 0x559ca5f18480] No VA display found for device: .
Device creation failed: -22.
[h264 @ 0x559ca5f28440] No device available for decoder: device type vaapi needed for codec h264.
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> h264 (h264_vaapi))
  Stream #0:1 -> #0:1 (eac3 (native) -> aac (native))
Device setup failed for decoder on input stream #0:0 : Invalid argument

What now?

thirstyraven avatar Apr 06 '20 00:04 thirstyraven

It's likely a permission issue on the device. I should preface that I'm using my own Dockerfile with libmfx (no vaapi), but I had a similar problem, which I solved by adding - inside the container, so in the Dockerfile - the user to the group owning the device:

RUN groupadd -g ${PGID} ffmpeg \
 && groupadd -g ${render_gid} render \
 && useradd -u ${PUID} -g ffmpeg -G video,render ffmpeg

where render_gid is the group id owning the render device on the host (likely /dev/dri/renderD128):

render_gid=$(stat -c '%g' /dev/dri/renderD128)

Then you can just docker run --user ${PUID} --device ..., no need for --privileged or --cap-add.

Note that you shouldn't pass a group id to docker run, or it'll override the other group(s) defined in the Dockerfile and you'll get the same issue again.

Hope this helps.

lowne avatar Jun 26 '20 16:06 lowne