Proxmox 9 made unprivileged LXCs pointless for QuickSync users
7 hours ago
- #LXC
- #AppArmor
- #Proxmox
- Proxmox 9.0 introduced AppArmor 4.1, causing issues with Intel GPU passthrough in unprivileged LXC containers.
- Unprivileged containers use UID/GID mapping for security, but AppArmor 4.1 blocks access to Intel's PMU via perf_events.
- Workarounds include host-wide kernel changes, disabling AppArmor, or using privileged containers, each with security trade-offs.
- Proxmox's shift towards enterprise use cases prioritizes security, impacting homelab users running media servers with QuickSync.
- The most pragmatic solution is running intel_gpu_top on the host or using privileged containers, as unprivileged containers lose their security benefits with current workarounds.