Skip to content

Fix permissions causing vulkan failures #210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
p1-0tr merged 3 commits into from
Oct 10, 2025
Merged

Fix permissions causing vulkan failures #210

p1-0tr merged 3 commits into from
Oct 10, 2025

Conversation

@p1-0tr
Copy link

@p1-0tr p1-0tr commented Oct 10, 2025
edited by sourcery-ai bot
Loading

Summary by Sourcery

Simplify Vulkan setup and ensure containers run with appropriate group permissions to fix Vulkan failures

Enhancements:

  • Replace manual Vulkan SDK download and build with libvulkan1 package
  • Add host 'render' group to container GroupAdd in both CLI and runtime commands
  • Add modelrunner user to video group in Dockerfile and remove obsolete Vulkan SDK environment variables

Piotr Stankiewicz added 2 commits October 10, 2025 11:04
Add modelrunner to the video group
ff92e40 
In order for Vulkan to work the modelrunner user needs to be a member
of the video and render groups (needed to access nodes in /dev/dri). So
add modelrunner to video when creating the user. Unfortunately render
does not have a fixed GID currently, so we'll have to deal with this
another way.

Signed-off-by: Piotr Stankiewicz <[email protected]>
Add modelrunner to render when executing DMR
1b65fb4 
The modelrunner user needs to be a member of the render group for
Vulkan to work. Unfortunately render does not have a fixed GID, so we
can't reliably handle this in the Dockerfile. So have the CLI query the
hosts render GID and add it when starting the DMR container.

Signed-off-by: Piotr Stankiewicz <[email protected]>
@sourcery-ai
Copy link
Contributor

sourcery-ai bot commented Oct 10, 2025
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

On Linux hosts, this PR retrieves the host 'render' group GID at runtime and adds it to container permissions in both the Go container setup and the docker-run script; it simplifies the Vulkan installation by using the libvulkan1 package; and it adjusts the Dockerfile to add the modelrunner user to the video group and remove obsolete Vulkan environment settings.

Sequence diagram for adding host 'render' group to container permissions on Linux

sequenceDiagram
    participant Controller as "CreateControllerContainer()"
    participant OS as "Linux Host OS"
    participant Docker as "Docker Container"
    Controller->>OS: exec getent group render
    OS-->>Controller: return group info (GID)
    Controller->>Docker: append GID to GroupAdd
    Docker-->>Controller: container runs with host 'render' group permissions
Loading

Sequence diagram for docker-run.sh adding host 'render' group

sequenceDiagram
    actor User
    participant Script as "docker-run.sh"
    participant OS as "Linux Host OS"
    participant Docker as "Docker Container"
    User->>Script: Run docker-run.sh
    Script->>OS: getent group render | cut -d: -f3
    OS-->>Script: return GID
    Script->>Docker: --group-add <GID>
    Docker-->>Script: container runs with host 'render' group permissions
Loading

File-Level Changes

Change Details Files
Simplified Vulkan installation in apt-install.sh
  • Removed manual download, extraction, and build of the Vulkan SDK
  • Replaced with apt-get install -y libvulkan1
 scripts/apt-install.sh
Auto-add host 'render' group to container config in Go code
  • Added Linux-specific block to call getent group render
  • Parsed the GID and appended it to hostConfig.GroupAdd
 cmd/cli/pkg/standalone/containers.go
Include host 'render' group in docker-run.sh
  • Appended `--group-add $(getent group render
 cut -d: -f3)` in the accelerator args
Update Dockerfile user groups and remove Vulkan env settings
  • Added modelrunner user to the video group
  • Removed outdated Vulkan SDK environment variable definitions
 Dockerfile
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

Use in-distro Vulkan package
dd7ca43 
Signed-off-by: Piotr Stankiewicz <[email protected]>
@p1-0tr p1-0tr marked this pull request as ready for review October 10, 2025 10:03
sourcery-ai[bot]
sourcery-ai bot reviewed Oct 10, 2025
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes - here's some feedback:

  • Consider using Go’s os/user.LookupGroup instead of shelling out to getent for more portable and testable group lookups.
  • Add error handling or a fallback in docker-run.sh around the getent render lookup so the script won’t fail if the render group is absent.
  • You’ve duplicated the render GID lookup logic in both Go and bash—consider centralizing it into a shared utility or function to reduce maintenance overhead.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- Consider using Go’s os/user.LookupGroup instead of shelling out to getent for more portable and testable group lookups.
- Add error handling or a fallback in docker-run.sh around the getent render lookup so the script won’t fail if the render group is absent.
- You’ve duplicated the render GID lookup logic in both Go and bash—consider centralizing it into a shared utility or function to reduce maintenance overhead.

## Individual Comments

### Comment 1
<location> `scripts/docker-run.sh:10-11` </location>
<code_context>
       args+=("--device" "$i")
     fi
   done
+  args+=("--group-add" "$(getent group render | cut -d: -f3)")
 }

</code_context>

<issue_to_address>
**suggestion (bug_risk):** No error handling if 'render' group is missing could lead to runtime failures.

Add a check to verify the 'render' group exists before using its ID to prevent passing an invalid value to docker.

```suggestion
  render_gid="$(getent group render | cut -d: -f3)"
  if [ -n "$render_gid" ]; then
    args+=("--group-add" "$render_gid")
  fi
}
```
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

scripts/docker-run.sh
Comment on lines +10 to 11
args+=("--group-add" "$(getent group render | cut -d: -f3)")
}
Copy link
Contributor

@sourcery-ai sourcery-ai bot Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (bug_risk): No error handling if 'render' group is missing could lead to runtime failures.

Add a check to verify the 'render' group exists before using its ID to prevent passing an invalid value to docker.

Suggested change
args+=("--group-add" "$(getent group render | cut -d: -f3)")
}
render_gid="$(getent group render | cut -d: -f3)"
if [ -n "$render_gid" ]; then
args+=("--group-add" "$render_gid")
fi
}

@p1-0tr p1-0tr merged commit 7b529fd into main Oct 10, 2025
9 checks passed
@p1-0tr p1-0tr deleted the ps-fix-vulkan branch October 10, 2025 10:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@ericcurtin ericcurtin ericcurtin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@p1-0tr @ericcurtin