Fix permissions causing vulkan failures

Dockerfile

@@ -38,7 +38,8 @@ FROM docker.io/${BASE_IMAGE} AS final
 ARG LLAMA_SERVER_VARIANT
 
 # Create non-root user
-RUN groupadd --system modelrunner && useradd --system --gid modelrunner --create-home --home-dir /home/modelrunner modelrunner
+RUN groupadd --system modelrunner && useradd --system --gid modelrunner -G video --create-home --home-dir /home/modelrunner modelrunner
+# TODO: if the render group ever gets a fixed GID add modelrunner to it
 
 COPY scripts/apt-install.sh apt-install.sh
 
@@ -70,13 +71,6 @@ ENV HOME=/home/modelrunner
 ENV MODELS_PATH=/models
 ENV LD_LIBRARY_PATH=/app/lib
 
-# Set environment variables for vulkan
-ENV VULKAN_SDK=/opt/vulkan
-ENV PATH=$VULKAN_SDK/bin:$PATH
-ENV LD_LIBRARY_PATH=$VULKAN_SDK/lib:$LD_LIBRARY_PATH
-ENV CMAKE_PREFIX_PATH=$VULKAN_SDK:$CMAKE_PREFIX_PATH
-ENV PKG_CONFIG_PATH=$VULKAN_SDK/lib/pkgconfig:$PKG_CONFIG_PATH
-
 # Label the image so that it's hidden on cloud engines.
 LABEL com.docker.desktop.service="model-runner"
 

cmd/cli/pkg/standalone/containers.go

@@ -8,7 +8,9 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"runtime"
 	"strconv"
 	"strings"
 	"time"
@@ -301,6 +303,19 @@ func CreateControllerContainer(ctx context.Context, dockerClient *client.Client,
 		}
 	}
 
+	if runtime.GOOS == "linux" {
+		out, err := exec.CommandContext(ctx, "getent", "group", "render").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to retrieve the GID of 'render': %w", err)
+		}
+		tokens := strings.Split(string(out), ":")
+		gid, err := strconv.Atoi(tokens[2])
+		if err != nil {
+			return fmt.Errorf("failed to parse the GID of 'render': %w", err)
+		}
+		hostConfig.GroupAdd = append(hostConfig.GroupAdd, strconv.Itoa(gid))
+	}
+
 	// Create the container. If we detect that a concurrent installation is in
 	// progress (as indicated by a conflicting container name (which should have
 	// been detected just before installation)), then we'll allow the error to

scripts/apt-install.sh

@@ -6,30 +6,7 @@ main() {
   apt-get update
   local packages=("ca-certificates")
   if [ "$LLAMA_SERVER_VARIANT" = "generic" ] || [ "$LLAMA_SERVER_VARIANT" = "cpu" ]; then
-    # Install Vulkan SDK
-    local vulkan_version=1.4.321.1
-    local arch
-    arch=$(uname -m)
-    apt-get install -y wget xz-utils
-    wget -qO /tmp/vulkan-sdk.tar.xz https://sdk.lunarg.com/sdk/download/$vulkan_version/linux/vulkan-sdk-linux-"$arch"-$vulkan_version.tar.xz
-    mkdir -p /opt/vulkan
-    tar -xf /tmp/vulkan-sdk.tar.xz -C /tmp
-
-    if [ "$arch" != "x86_64" ]; then
-        # TODO: uninstall build time deps after building the SDK
-        apt-get install -y libglm-dev cmake libxcb-dri3-0 libxcb-present0 libpciaccess0 \
-            libpng-dev libxcb-keysyms1-dev libxcb-dri3-dev libx11-dev g++ gcc \
-            libwayland-dev libxrandr-dev libxcb-randr0-dev libxcb-ewmh-dev \
-            git python-is-python3 bison libx11-xcb-dev liblz4-dev libzstd-dev \
-            ocaml-core ninja-build pkg-config libxml2-dev wayland-protocols python3-jsonschema \
-            clang-format qtbase5-dev qt6-base-dev
-        pushd /tmp/"${vulkan_version}"
-        # TODO: we don't need the whole SDK to run stuff, so eventually only build necessary targets here
-        ./vulkansdk --no-deps -j "$(nproc)"
-    fi
-
-    mv /tmp/"${vulkan_version}"/"$arch"/* /opt/vulkan/
-    rm -rf /tmp/*
+    apt-get install -y libvulkan1
   fi
 
   apt-get install -y "${packages[@]}"

scripts/docker-run.sh

@@ -7,6 +7,7 @@ add_accelerators() {
       args+=("--device" "$i")
     fi
   done
+  args+=("--group-add" "$(getent group render | cut -d: -f3)")
 }
 
 add_optional_args() {