I am trying to install and configure the Memories app in Nextcloud and I ran into an issue when enabling Hardware Acceleration with VA-API:
“VA-API device (/dev/dri/renderD128) has incorrect permissions.”
This device belongs to a group called “render”, however there is no way to grant the Nextcloud user “www-data” access to the render group (membership of this builtin group may not be altered), and so there is no way to assign the required permissions to access VA-API (without permissions being reset on restart) using the TrueNAS Nextcloud app.
This issue is easily resolved with a docker compose entry for the device (at least that’s what ChatGPT told me):
devices:
- /dev/dri/renderD128:/dev/dri/renderD128 # VA-API
Nextcloud App Version: 31.0.7
Nextcloud Version: 2.0.12
TrueNAS Scale Version: 25.04
There is a checkbox if you edit the Nextcloud app for GPU Configuration “Passthrough available (non-NVIDIA) GPUs”. Enabling this does not resolve the issue.
There is a method to convert the Nextcloud app into a custom app, giving access to modify the YAML.
https://apps.truenas.com/managing-apps/installing-custom-apps/
Just to be sure as I haven’t used TrueNAS apps much in a while (since the Kubernetes → Docker migration): Does your TrueNAS actually have a user ‘www-data’ or is this just the user inside the container?
Your OS might not even have a user with the UID that the container’s “www-data” user uses.
In that case you could create a user with that UID on TrueNAS and make it a member of the render group.
Just looking at the Nextcloud Apps page it says that Nextcloud should run as root though, and that’s the owner of the render device.
It seems you have edited the compose file. Could you share it here?
My TrueNAS server does have the www-data user which I believe was created during install of the Nextcloud app. I had set the “Automatic permissions” flag. I don’t think there is anything else that manages users and permissions within the app edit menu, except “Enable ACL” for the datasets.
$ ls -l /dev/dri/renderD128
crw-rw---- 1 root render 226, 128 Jul 15 04:31 /dev/dri/renderD128
In that case, go to Credentials → Users in the TrueNAS webinterface, select the www-data user and add render as an auxiliary group.
You could also do this via usermod -aG render www-data but I am not sure if this would persist across updates.
I am getting an error when I try to change www-data’s auxiliary group. Is this something that can be bypassed?
[EINVAL] user_update.groups.0: render: membership of this builtin group may not be altered.
From what I’ve read from other forum posts on this, many fixes do not persist after reboot.
well… I’d normally say you’d probably need to run nextcloud as root which wouldn’t be as secure but I just took a look at the permissions of my jellyfin-server. It’s running as a user “media” which is of course also no member of the render group but it is still able to use the render device.
I suppose there is something special about this file that I just don’t know about. Sorry.
Your docker-compose file might still be useful though.
