nano /etc/pve/nodes/pveblack/lxc/100.conf
Add
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
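On proxmox host. The chmod takes effect immediately; the udev rule makes the mode persist across reboots. Mode 0666 lets every local user on the host, and every container the nodes are bind-mounted into, use the GPU render nodes. Keeping 0660 and mapping the host's render group into the container is the narrower alternative.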
chmod 666 /dev/dri/renderD128 /dev/dri/renderD129
echo 'SUBSYSTEM=="drm", KERNEL=="renderD*", MODE="0666"' | sudo tee /etc/udev/rules.d/99-drm-render.rules
sudo udevadm control --reload-rules
Example config
root@pveblack:/etc/pve/nodes/pveblack/lxc# cat 103.conf
arch: amd64
cores: 12
features: nesting=1
hostname: video2
memory: 16384
net0: name=eth0,bridge=pocketbear,firewall=1,hwaddr=BC:24:11:7C:B9:BC,ip=dhcp,ip6=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-103-disk-0,size=256G
swap: 16384
unprivileged: 1
lxc.mount.entry: /tank/video2 tank none bind,create=dir
lxc.cgroup2.devices.allow: c 226:* rwm
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file
lxc.mount.entry: /dev/dri/card1 dev/dri/card1 none bind,optional,create=file
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.mount.entry: /dev/dri/renderD129 dev/dri/renderD129 none bind,optional,create=file
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
In guest:
sudo apt install -y intel-media-va-driver libva2 libva-drm2 vainfo
vainfo --display drm --device /dev/dri/renderD128
# Download and install the CUDA keyring (this adds NVIDIA's apt repository and its signing key as a trusted package source)
wget https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64/cuda-keyring_1.1-1_all.deb
sudo dpkg -i cuda-keyring_1.1-1_all.deb
# Update package list and install CUDA drivers
sudo apt-get update
sudo apt install cuda-drivers
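Check that Secure Boot is disabled: mokutil --sb-state (with Secure Boot enabled, the DKMS-built nvidia module will not load unless it is signed with an enrolled key). Then build: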
apt install pve-headers-$(uname -r)
dkms autoinstall
modprobe nvidia
nvidia-smi
Enable nvidia-persistenced (performance in VM):
systemctl enable nvidia-persistenced
systemctl start nvidia-persistenced
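Guest config. The 195/510 are the device major numbers, found with ls -la /dev/nvidia* on the host. The nvidia-uvm major (510 here) is assigned dynamically and can differ between hosts or change after a driver update, so re-check it if the container loses access to the GPU.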
lxc.cgroup2.devices.allow: c 195:* rwm
lxc.cgroup2.devices.allow: c 510:* rwm
lxc.mount.entry: /dev/nvidia0 dev/nvidia0 none bind,optional,create=file
lxc.mount.entry: /dev/nvidiactl dev/nvidiactl none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm dev/nvidia-uvm none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm-tools dev/nvidia-uvm-tools none bind,optional,create=file
The 1660 is at 05:00 with four functions. You'll want to isolate all of them for clean passthrough.
Create /etc/modprobe.d/vfio.conf:
options vfio-pci ids=10de:2184,10de:1aeb,10de:1aec,10de:1aed
And /etc/modprobe.d/nvidia.conf:
softdep nvidia pre: vfio-pci
Then:
update-initramfs -u
reboot
After reboot, verify the 1660 is bound to vfio-pci:
lspci -nnk | grep -A 3 "05:00"
apt install ifupdown
nano /etc/network/interfaces.d/main
Add:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
Reboot.
systemctl disable --now ubuntu-advantage
Then restart the container: pct restart 100
Add to 100.conf on host:
lxc.apparmor.profile: unconfined
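(Can remove nesting.) Note that the unconfined profile removes AppArmor confinement from the whole container. Its isolation from the host then rests on the remaining layers only (the user namespace, if the container is unprivileged, and the cgroup device rules), so use it only for containers running workloads you trust.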
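# Create docker daemon config (sets the overlay2 storage driver and leaves no-new-privileges off; these two keys do not themselves change AppArmor behaviour)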
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << 'EOF'
{
"storage-driver": "overlay2",
"no-new-privileges": false
}
EOF
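# Disable AppArmor for Docker service. DOCKER_OPTS only has an effect if the unit's ExecStart line references $DOCKER_OPTS; check with: systemctl cat docker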
mkdir -p /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/override.conf << 'EOF'
[Service]
Environment="DOCKER_OPTS=--security-opt apparmor=unconfined"
EOF
# Reload and restart
systemctl daemon-reload
systemctl restart docker