fix: nvidia devices permissions in container

PierreBeucher · PierreBeucher · commit c4c32e016960 · 2026-05-10T13:30:15.000+02:00
diff --git a/ansible/roles/nvidia-driver/defaults/main.yml b/ansible/roles/nvidia-driver/defaults/main.yml
@@ -26,10 +26,14 @@ nvidia_driver_skip_reboot: false
 
 # NVIDIA Container Toolkit version
 # See available versions: apt-cache madison nvidia-container-toolkit
-# Pinned to avoid drift between providers (CDI vs Legacy mode behavior differences)
-# IMPORTANT: Must stay on 1.17.x - versions 1.18+ default to CDI mode which keeps
-# /dev/dri/card1 at 0660 root:root inside the container, preventing the NVIDIA Vulkan
-# driver from accessing the DRM card node, causing vkGetPhysicalDeviceSurfacePresentModesKHR
-# to fail with VK_ERROR_UNKNOWN (-13) and a black screen.
-# Legacy mode (1.17.x) sets /dev/dri/card1 to 0666, allowing proper GPU access.
+# 1.18+ defaults to JIT CDI instead of legacy mode and no longer enables the CDI
+# chmod hook by default. CDI keeps host device permissions for /dev/dri/card*,
+# /dev/dri/renderD* and /dev/nvidia-modeset, which can leave them inaccessible
+# to non-root game processes in containers and cause Vulkan black screens such as
+# VK_ERROR_UNKNOWN (-13) from vkGetPhysicalDeviceSurfacePresentModesKHR.
+# We explicitly chmod those devices at startup instead of relying on legacy mode.
+# See:
+# - https://github.com/NVIDIA/nvidia-container-toolkit/issues/1218
+# - https://github.com/NVIDIA/nvidia-container-toolkit/issues/1456
+# - https://github.com/NVIDIA/nvidia-container-toolkit/issues/1477
 nvidia_container_toolkit_version: "1.19.0-1"
diff --git a/containers/sunshine/overlay/cloudy/bin/setup-all.sh b/containers/sunshine/overlay/cloudy/bin/setup-all.sh
@@ -16,6 +16,7 @@ source setup-dirs.sh
 source setup-user.sh
 
 if [ "$NVIDIA_ENABLE" = true ]; then
+    source setup-nvidia-permissions.sh
     source setup-nvidia-driver.sh
 fi
 
diff --git a/containers/sunshine/overlay/cloudy/bin/setup-nvidia-permissions.sh b/containers/sunshine/overlay/cloudy/bin/setup-nvidia-permissions.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+#
+# Setup NVIDIA device permissions.
+# 
+
+# NVIDIA Container Toolkit 1.18+ defaults to JIT CDI mode and no longer applies
+# its CDI chmod hook by default. Keep GPU display devices usable by the
+# unprivileged cloudy user when devices are mounted with host permissions.
+echo "Setting NVIDIA device permissions for /dev/dri/card*, /dev/dri/renderD* and /dev/nvidia-modeset"
+
+chmod 0666 /dev/dri/card* /dev/dri/renderD* /dev/nvidia-modeset || true
