github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2447] mpv: nvdec HW decoder cannot load even with --noprofile #1619

New issue
Closed
opened 2026-05-05 08:16:28 -06:00 by gitea-mirror · 8 comments
gitea-mirror commented 2026-05-05 08:16:28 -06:00
Owner
Copy link

Originally created by @Ryujinra on GitHub (Feb 23, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2447

mpv is unable to access the nvdec decoder even with --noprofile.

Steps to reproduce (must have an nvidia GPU):

firejail --noprofile mpv -hwdec=nvdec {SOMEVIDEOFILE}

mpv error:

[vo/gpu/cuda-nvdec] cu->cuInit(0) failed -> CUDA_ERROR_UNKNOWN: unknown error

Expected behavior: mpv loads with the VO decoder listed as [nv12] in stdout.

Does not work with the mpv.profile loaded either, obviously.

Tested on Arch w/ nvidia-vulkan-dkms driver version 418.31.03. mpv version mpv 0.29.0-134-g8b563a0346 (latest build from git).

Originally created by @Ryujinra on GitHub (Feb 23, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2447 mpv is unable to access the nvdec decoder even with --noprofile. Steps to reproduce (must have an nvidia GPU): `firejail --noprofile mpv -hwdec=nvdec {SOMEVIDEOFILE}` mpv error: `[vo/gpu/cuda-nvdec] cu->cuInit(0) failed -> CUDA_ERROR_UNKNOWN: unknown error` Expected behavior: mpv loads with the VO decoder listed as [nv12] in stdout. Does not work with the mpv.profile loaded either, obviously. Tested on Arch w/ nvidia-vulkan-dkms driver version 418.31.03. mpv version mpv 0.29.0-134-g8b563a0346 (latest build from git).
gitea-mirror 2026-05-05 08:16:28 -06:00
gitea-mirror commented 2026-05-05 08:16:32 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 23, 2019):

I don't have an NVIDIA GPU, so this is all speculation. Some remarks/questions. I do notice you have a single - in your command for mpv's --hwdec flag. Assuming this is a typo and not your actual command, a firejailed ffmpeg might be causing breakage here, even when running mpv with --noprofile. As I understand things, nvdec uses FFmpeg decoders (see the online mpv manual). Try taking out /etc/firejail/ffmpeg.profile temporarily to rule out any interference, or add ffmpeg commands to the mpv private-bin option. Does it work when also specifying --vo=gpu on the commandline, as is required for --hwdec=nvdec? Does it work with other hwdec/vo options for mpv, e.g. vdpau (which by the way is still a very able hardware decoding combo I do use personally)? Rather difficult to debug this without any logs.

Commands you might try:
$ firejail --debug --noprofile mpv --vo=gpu --hwdec=nvdec {SOMEVIDEOFILE} | tee my-debug.log 2>&1
$ firejail --debug --private-bin=ffmpeg,ffprobe,qt-faststart mpv --vo=gpu --hwdec=nvdec {SOMEVIDEOFILE} | tee my-other-debug.log 2>&1
$ firejail --debug --private-bin=ffmpeg,ffprobe,qt-faststart mpv --vo=vdpau --hwdec=vdpau {SOMEVIDEOFILE} | tee yet-another-debug.log 2>&1

<!-- gh-comment-id:466610979 --> @ghost commented on GitHub (Feb 23, 2019): I don't have an NVIDIA GPU, so this is all speculation. Some remarks/questions. I do notice you have a single `-` in your command for mpv's `--`hwdec flag. Assuming this is a typo and not your actual command, a `firejailed` `ffmpeg` might be causing breakage here, even when running mpv with --noprofile. As I understand things, nvdec uses FFmpeg decoders (see the [online mpv manual](https://mpv.io/manual/master/#options-hwdec)). Try taking out /etc/firejail/ffmpeg.profile temporarily to rule out any interference, or add ffmpeg commands to the mpv private-bin option. Does it work when also specifying --vo=gpu on the commandline, as is required for --hwdec=nvdec? Does it work with other hwdec/vo options for mpv, e.g. vdpau (which by the way is still a very able hardware decoding combo I do use personally)? Rather difficult to debug this without any logs. Commands you might try: $ firejail --debug --noprofile mpv --vo=gpu --hwdec=nvdec {SOMEVIDEOFILE} | tee my-debug.log 2>&1 $ firejail --debug --private-bin=ffmpeg,ffprobe,qt-faststart mpv --vo=gpu --hwdec=nvdec {SOMEVIDEOFILE} | tee my-other-debug.log 2>&1 $ firejail --debug --private-bin=ffmpeg,ffprobe,qt-faststart mpv --vo=vdpau --hwdec=vdpau {SOMEVIDEOFILE} | tee yet-another-debug.log 2>&1
gitea-mirror commented 2026-05-05 08:16:33 -06:00
Author
Owner
Copy link

@Ryujinra commented on GitHub (Feb 23, 2019):

Does NOT work:

-Moving out ffmpeg.profile
-Adding vo=gpu (this vo was already selected automatically anyway)

DOES work:

-vdpau acceleration works as expected; however, nvdec does work without firejail and supposedly supercedes vdpau so I would like to get to the bottom of this if possible.

-A very strange thing I've noticed is that if I run mpv without firejail once, it will work with firejail (and even with the mpv.profile) until I reboot. Then it can't use the nvdec decoder until I run mpv without firejail again. So it seems that some file has to be created that enables access to the nvdec cuda decoder, and which is currently read-only for firejail and only survives until reboot. Maybe something in /tmp/ ?

Is there any way for me to disable or bisect the built-in firejail settings (the stuff beyond --noprofile)? I will post the requested logs soon. Thanks for the suggestions.

<!-- gh-comment-id:466613178 --> @Ryujinra commented on GitHub (Feb 23, 2019): Does NOT work: -Moving out ffmpeg.profile -Adding vo=gpu (this vo was already selected automatically anyway) DOES work: -vdpau acceleration works as expected; however, nvdec does work without firejail and supposedly supercedes vdpau so I would like to get to the bottom of this if possible. **-A very strange thing I've noticed is that if I run mpv without firejail once, it will work with firejail (and even with the mpv.profile) until I reboot. Then it can't use the nvdec decoder until I run mpv without firejail again. So it seems that some file has to be created that enables access to the nvdec cuda decoder, and which is currently read-only for firejail and only survives until reboot. Maybe something in /tmp/ ?** Is there any way for me to disable or bisect the built-in firejail settings (the stuff beyond --noprofile)? I will post the requested logs soon. Thanks for the suggestions.
gitea-mirror commented 2026-05-05 08:16:34 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 23, 2019):

Correct, nvdec supersedes VDPAU, allthough the latter is still supported by NVIDIA (and mesa). I do understand you wanting to use nvdec. Hopefully other people chime in to look at your logs, I will be offline for the weekend. Besides the debug options mentioned in man firejail there's nothing I'm aware OTOH. I'll look at your logs the first chance I get, this being a rather interesting issue. Sooner or later my oldie laptop will grind to a halt and mpv + nvdec would be a combination I'd want to get firejailed too.

Happy hunting

<!-- gh-comment-id:466614602 --> @ghost commented on GitHub (Feb 23, 2019): Correct, nvdec supersedes VDPAU, allthough the latter is still supported by NVIDIA (and mesa). I do understand you wanting to use nvdec. Hopefully other people chime in to look at your logs, I will be offline for the weekend. Besides the debug options mentioned in man firejail there's nothing I'm aware OTOH. I'll look at your logs the first chance I get, this being a rather interesting issue. Sooner or later my oldie laptop will grind to a halt and mpv + nvdec would be a combination I'd want to get firejailed too. Happy hunting
gitea-mirror commented 2026-05-05 08:16:35 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 24, 2019):

-A very strange thing I've noticed is that if I run mpv without firejail once, it will work with firejail (and even with the mpv.profile) until I reboot. Then it can't use the nvdec decoder until I run mpv without firejail again. So it seems that some file has to be created that enables access to the nvdec cuda decoder, and which is currently read-only for firejail and only survives until reboot. Maybe something in /tmp/ ?

I don't see anything in mpv.profile that limits access to /tmp (unless you have an mpv.local that does so). BUT there's a note mentioning nogroups sometimes causing issues with NVIDIA. Might be related to https://github.com/netblue30/firejail/issues/1945.

<!-- gh-comment-id:466751665 --> @ghost commented on GitHub (Feb 24, 2019): > -A very strange thing I've noticed is that if I run mpv without firejail once, it will work with firejail (and even with the mpv.profile) until I reboot. Then it can't use the nvdec decoder until I run mpv without firejail again. So it seems that some file has to be created that enables access to the nvdec cuda decoder, and which is currently read-only for firejail and only survives until reboot. Maybe something in /tmp/ ? I don't see anything in mpv.profile that limits access to /tmp (unless you have an mpv.local that does so). BUT there's a note mentioning `nogroups` sometimes causing issues with NVIDIA. Might be related to https://github.com/netblue30/firejail/issues/1945.
gitea-mirror commented 2026-05-05 08:16:36 -06:00
Author
Owner
Copy link

@Ryujinra commented on GitHub (Feb 24, 2019):

I don't see anything in mpv.profile that limits access to /tmp (unless you have an mpv.local that does so). BUT there's a note mentioning nogroups sometimes causing issues with NVIDIA. Might be related to #1945.

The issue occurs even with --noprofile so I think it must be one of the hardcoded restrictions built into firejail interfering here. Once I run mpv without firejail though, I can then run mpv with the stock mpv.profile with nvdec working perfectly, which led me to believe it is a write permissions issue that is resolved after some relevant file is created that is needed for nvdec access. Not persisting on boot made me think it is /tmp, but perhaps there is other short-lived files involved in activating cuda.

If I could only enable/disable the builtin firejail restrictions individually I could probably bisect the built-in configuration until I find the issue, but I don't know of any way to override those.

<!-- gh-comment-id:466799145 --> @Ryujinra commented on GitHub (Feb 24, 2019): > I don't see anything in mpv.profile that limits access to /tmp (unless you have an mpv.local that does so). BUT there's a note mentioning `nogroups` sometimes causing issues with NVIDIA. Might be related to #1945. The issue occurs even with --noprofile so I think it must be one of the hardcoded restrictions built into firejail interfering here. Once I run mpv without firejail though, I can then run mpv with the stock mpv.profile with nvdec working perfectly, which led me to believe it is a write permissions issue that is resolved after some relevant file is created that is needed for nvdec access. Not persisting on boot made me think it is /tmp, but perhaps there is other short-lived files involved in activating cuda. If I could only enable/disable the builtin firejail restrictions individually I could probably bisect the built-in configuration until I find the issue, but I don't know of any way to override those.
gitea-mirror commented 2026-05-05 08:16:36 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (May 21, 2019):

@Ryujinra, did you ever get this figured out? My mpv apparently doesn't support nvdec, so I'm not able to test this 😕

[edit] Never mind. If I run firejail mpv --hwdec=nvdec <youtube link>, for example, then it "just works"™️

What exactly happens when it fails to work for you?

<!-- gh-comment-id:494298345 --> @chiraag-nataraj commented on GitHub (May 21, 2019): @Ryujinra, did you ever get this figured out? My `mpv` apparently doesn't support nvdec, so I'm not able to test this :confused: [edit] Never mind. If I run `firejail mpv --hwdec=nvdec <youtube link>`, for example, then it "just works":tm: What exactly happens when it fails to work for you?
gitea-mirror commented 2026-05-05 08:16:37 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (May 29, 2019):

I'm going to close this for now due to inactivity. @Ryujinra, please feel free to re-open if you are still running into this and can provide more info.

<!-- gh-comment-id:496969534 --> @chiraag-nataraj commented on GitHub (May 29, 2019): I'm going to close this for now due to inactivity. @Ryujinra, please feel free to re-open if you are still running into this and can provide more info.
gitea-mirror commented 2026-05-05 08:16:37 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

UPDATE: The OP has added important information in #3335 affecting firejail users who use our mpv profile with nvdec HW decoder. Please follow the discussion there awaiting a more permanent fix to this issue.

<!-- gh-comment-id:612036461 --> @ghost commented on GitHub (Apr 10, 2020): UPDATE: The OP has added important information in #3335 affecting firejail users who use our mpv profile with nvdec HW decoder. Please follow the discussion there awaiting a more permanent fix to this issue.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1619
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?