Command line for mm-renderer

Updated: May 06, 2022

Start mm-renderer and configure context handle policies, PPS directories, logging, and permissions


mm-renderer [-cefk] [-N nobody] [-oq] -r statepath -s serverpath
    [-U mmruser] [-v[v...]]


Destroy a context when the primary handle is closed.
Log to stderr instead of slog2info.
Stay in the foreground.
Clean up any stale PPS objects from the previous instantiation of mm-renderer.
-N nobody
Switch to the user ID (uid) and group IDs (gids) of the current client when processing a media request, and run as user nobody at all other times. This way, mm-renderer can play (or record to) only files that the client has permission to read (or write) directly.

You should choose a user who can't open any files, to prevent unwanted access when a client tries to open a file unexpectedly. Because mm-renderer spends as long as possible executing as nobody, this option reduces the time window during which an attacker with knowledge of security vulnerabilities (e.g., bugs in open source codecs) can damage the files of other users.

Disallow the opening of existing contexts (also implies -c).
Decrease output verbosity. This option works opposite to -v.
-r statepath
The location of the PPS state directory, which stores the objects used by the mm-renderer process. The default location is /pps/services/multimedia/renderer.
If you want to run multiple mm-renderer instances, you must provide different paths in their -r options. Running multiple instances can improve security. For example, you could run one instance accessible to only privileged system processes and another accessible to client applications. This way, no client could overwrite system memory with buggy or harmful code.
Note: This option could change in a future mm-renderer release if the service is redesigned to not use PPS.
-s serverpath
The path of the control PPS object. The default path is /pps/services/multimedia/renderer/control.
We strongly recommend that the specified path does not contain a slash (/). If the path starts with this character, it's interpreted as an absolute path and is either unsafe, because mm-renderer won't find the object when event API functions are called, or redundant, because you must specify the default PPS state directory or the same one as in the -r option. If the path doesn't start with a slash (but still contains one), it's interpreted as a relative path within the state directory, but this too breaks the event API functions.
You can safely specify a path without a slash because this names only the file and so, the control PPS object will be kept in the default state directory or the one given in -r. The only constraint is that serverpath can't be the same name as another object that mm-renderer creates in that directory, such as context or component.
Note: If you specify a non-default path, your client code must provide that same path when calling mmr_connect().

This option could change in a future mm-renderer release if the service is redesigned to not use PPS.

-U mmruser
Switch to the user ID (uid) and group IDs (gids) of mmruser during initialization. If you didn't manually create the PPS state directory and control object beforehand (which can be done as explained in the Prerequisites subsection), mm-renderer will create this directory and this object as mmruser.
Because clients need read-write access to only the control PPS object and read-only access to all other PPS objects used by mm-renderer, mmruser should be a dedicated user that no other process runs as. If you run applications as this user, they could accidentally or intentionally modify or delete PPS objects (which disrupts mm-renderer's operation).
If you don't use -N as well, mm-renderer will access all of its inputs and outputs as mmruser, regardless of the client's credentials. It may be reasonable to let untrusted clients talk to mm-renderer, but you should choose an mmruser that can access only a specific set of media files that you want to let untrusted clients play.
Note: This option could change in a future mm-renderer release if the service is redesigned to not use PPS.
Increase output verbosity. Messages are written to the slog2info log.
The -v option is handy when you're trying to understand the operation of mm-renderer, but when lots of -v arguments are used, the logging becomes quite significant and can change timing noticeably. The verbosity setting is good for systems under development but should probably not be used in production systems or when performance testing.


The mm-renderer command line starts the multimedia renderer. This service responds to media playback requests and delivers events so clients can monitor media operations. Through command options, you can adjust the policies for playback context handles and logging, choose non-default PPS control object and state directories, set quiet or verbose mode, and set the process's default uid and gid.