Rootless Frigate container (with Podman) #9440
-
Greetings, since this was asked before and I think I managed to achieve it, I would like to share the configuration I am using for a rootless Frigate container I am testing. DISCLAIMER: with rootless I mean that the container is run by an unprivileged system user and not by the root user (UID 0) itself; that being said, some isolation layers should be removed to make things still work. If you are using SystemD Quadlet to manage Podman containers, the following is the snippet to put in the .container "unit" file:
If you are using the good old interactive CLI to run Podman containers, the following should mimic the configuration I provided above (I am still excluding the port forwards and volume mounts):

```shell
# remember to add port and volume mounts
podman run --detach \
  --name frigate \
  --label io.containers.autoupdate=registry \
  --shm-size 256m \
  --sdnotify container \
  --privileged \
  --group-add keep-groups \
  --cap-add PERFMON \
  --device /dev/dri/renderD128 \
  --env LIBVA_DRIVER_NAME=i965 \
  --env FRIGATE_RTSP_PASSWORD=suchsecure \
  ghcr.io/blakeblackshear/frigate:stable
```

Do you have any suggestion regarding this use case? Have you done the same in a different/interesting way?
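The command above passes a device node with `--device` and relies on `--group-add keep-groups`; the following diagnostic, added here and not part of the original post, shows why both matter for a rootless container: the node is owned by root on the host, so the container can only get in through the group bits, and only if the invoking user's gid actually reaches the container. It assumes GNU coreutils (`ls -n`, `id`, `cut`) and bash; `getenforce` is used only if present.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread) for device access from a rootless
# Podman container. Assumes GNU coreutils ls/id/cut and bash; getenforce optional.
set -u

# Return 0 when the invoking user belongs to the group owning DEVICE and that
# group has read+write bits; otherwise print the reason and return 1.
# A rootless container cannot use the owner bits of a root-owned node such as
# /dev/dri/renderD128 or a USB device under /dev/bus/usb, so the group bits are
# the only way in, and only when --group-add keep-groups carries the invoking
# user's supplementary groups into the container.
device_group_rw() {
  device=$1
  [ -e "$device" ] || { echo "$device: no such device node"; return 1; }
  # ls -ldn prints e.g. "crw-rw---- 1 0 44 ...": field 1 = mode, field 4 = gid
  set -- $(ls -ldn "$device")
  mode=$1; gid=$4
  group_bits=$(printf '%s' "$mode" | cut -c5-6)   # characters 5-6 = group r,w
  if [ "$group_bits" != "rw" ]; then
    echo "$device: group bits are '$group_bits' (mode $mode, gid $gid)"
    echo "  host-side fix: a udev rule or chmod g+rw for the device's group"
    return 1
  fi
  for g in $(id -G); do
    if [ "$g" = "$gid" ]; then
      echo "$device: ok, gid $gid is among your groups; keep it with --group-add keep-groups"
      return 0
    fi
  done
  echo "$device: you are not in gid $gid; add your user to that group and re-login"
  return 1
}

# If the DAC check passes but the container still cannot open the node, the
# remaining suspect is SELinux; the denial, if any, shows up in the audit log.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo "no SELinux"; fi
}

# Deterministic self-check on a constructed temp file owned by the caller:
# 660 gives the caller's primary group rw (passes), 600 does not (fails).
demo() {
  f=$(mktemp)
  chmod 660 "$f"; device_group_rw "$f"
  chmod 600 "$f"; device_group_rw "$f"
  rm -f "$f"
  echo "SELinux: $(selinux_mode)"
}
demo
```

Run it against the real node (`device_group_rw /dev/dri/renderD128`) from the same unprivileged user that will start the container.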
Replies: 8 comments 20 replies
-
Thanks for the example - quite fortuitous timing, as I'm just in the process of switching to podman. Unfortunately, I'm not having the same luck. While Frigate loads, none of the streams are working. I believe I've tracked the issue down to rootless podman not having proper access to my USB coral at /dev/bus/usb/003/002. If I either run as root or change my detector to a CPU, everything works. The Coral shows up in Frigate's system page, and inference time, CPU, and memory use are being reported, but apparently there is a permissions issue. I created a group "coral" and added a udev rule that allowed it access to the device, then added my user to the coral group and rebooted. Together with That still didn't work. I thought it could be a SELinux issue, but podman 4.8.3
-
Hey fellow podman rootless folks :) @reidprichard
Phil
-
I tried a bunch of different distros and had various problems on all until I landed on Ubuntu 22.04. I think my main issue with Debian at the time was the packaged version of Podman (trying to go with prebuilt as much as possible) but maybe something else :D

The Coral/Apex drivers were a slight mare I think but the only minor challenge now is signing the kernel modules after a kernel update, otherwise it's chugging along nicely.

Had to chmod the apex device so my mapped group could r/w it but not much else.

On Sun, 28 Jan 2024 at 10:29 AM, robotgoat wrote:
> Which OS are you on? When I tried rootless in Debian 12, I could not access the PCIe Coral at all after following the default driver install.
-
"Required" or "easier"? It would be interesting to know what actions from the container are prevented.
https://docs.fedoraproject.org/en-US/quick-docs/selinux-troubleshooting/#_selinux_denials_in_the_audit_log

On Wed, 31 Jan 2024 at 10:38 PM, Lorenzo Prosseda wrote:
> At least on RHEL-based distros, the privileged option is necessary in Podman if SELinux is in "Enforcing" state and using the default policies
-
For anyone still looking out, without enabling privileged mode, here is my config. For reference I use Fedora 39, Podman. I never turn off SELinux.
docker-compose.yml
-
Hi, any clue why I get I'm using @Procsiab's container config
My
Removing this chown script causes another error: #3108 (comment), and #3108 (comment) (March 08, 2024) doesn't fix the issue for me
-
Hi, I am able to run frigate successfully from cli, but when I try to enable frigate with podman quadlet, ffmpeg fails because it's not able to find the gpu for hwaccel giving the following error
My quadlet config is as follows:
When I do a dryrun and use the generated podman command directly in the cli, it works flawlessly:
I am not able to figure out why it would work from cli but not when started as systemd service using quadlet. Any idea what I am missing? Podman version is 4.9.3 on debian bookworm.
-
This is my working rootless podman setup for a Raspberry Pi 4:

```
enable_uart=1
# https://wiki.gentoo.org/wiki/Raspberry_Pi_VC4
dtoverlay=vc4-kms-v3d
gpu_mem=128
```

```ini
[Unit]
Description=Frigate

[Container]
ContainerName=frigate
Image=ghcr.io/blakeblackshear/frigate:stable
AutoUpdate=registry
Environment=FRIGATE_RTSP_PASSWORD=XXXXXX
ShmSize=256m
Notify=true
PublishPort=9094:5000
# share all devices
Volume=/dev/dri:/dev/dri
# external exFAT hard drive
Volume=/hdd/frigate:/media/frigate
# internal EXT4 hard drive
Volume=%h/containers/storage/frigate:/config
Volume=/etc/localtime:/etc/localtime:ro

[Service]
Restart=on-failure
TimeoutStartSec=0

[Install]
WantedBy=default.target
```

```yaml
mqtt:
  enabled: False
telemetry:
  version_check: False
ui:
  use_experimental: True
ffmpeg:
  hwaccel_args: preset-rpi-64-h264
  input_args: preset-rtsp-generic
  output_args:
    #record: preset-record-generic
    record: -f segment -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -an -c:v copy
detectors:
  cpu1:
    type: cpu
    num_threads: 0
audio:
  enabled: False
detect:
  enabled: False
record:
  enabled: True
  retain:
    days: 30
    mode: all
snapshots:
  enabled: False
  retain:
    default: 30
birdseye:
  enabled: False
  restream: False
cameras:
  Entrance:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.1:554/stream0
          roles:
            - record
    record:
      enabled: True
    detect:
      enabled: False
  Box:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.2:554/channel1
          roles:
            - record
    record:
      enabled: True
    detect:
      enabled: False
  Gate:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.3:554/1
          roles:
            - record
        - path: rtsp://192.168.1.3:554/12
          roles:
            - detect
    record:
      enabled: True
    detect:
      enabled: False
  Backyard:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.4:554/1
          roles:
            - record
        - path: rtsp://192.168.1.4:554/12
          roles:
            - detect
    record:
      enabled: True
    detect:
      enabled: False
```
@phillym Thank you!!! Together with `--group-add keep-groups` that corrected udev did the trick. Man did I butcher that originally. I had a bit of difficulty getting `--group-add keep-groups` set on other methods besides `podman run` (e.g. `podman-compose` or `podman kube play`), but setting it up with podlet wasn't too hard: