Dockerfiles
VCAC-A script uses privileged mode
Alternative: CAP_SYS_RAWIO https://man7.org/linux/man-pages/man7/capabilities.7.html
What in VCAC-A needs CAP_SYS_RAWIO?
This was created long ago, when we didn't want to use privileged mode to access 'devices' from a container that are sitting on the host. Hence the option. It's an option we never really explored. :)
Are you saying that privileged mode is NOT actually used, i.e. this bug should be closed, or that you consider it acceptable to use privileged mode?
I do not think that any multi-user cloud system would allow pods with privileged mode, as it allows processes to escape the containment, and basically grants them full root access to the host (one would not want to expose such service to internet either).
Especially when e.g. using a GPU device does not need privileged mode, any capabilities, nor any specific user [1]. The pod just needs to ask k8s for the GPU device resource (provided by the k8s GPU plugin [2]). Only some GPU metrics require extra capabilities (PERFMON), but those should not be needed by normal GPU pods.
[1] For containers wanting to access devices with random user IDs, there are some gotchas, so for now it's easiest just to set container user to 0: https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/
[2] One-liner install from DockerHub: https://github.com/intel/intel-device-plugins-for-kubernetes/blob/main/cmd/gpu_plugin/README.md#deploy-with-pre-built-container-image
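The contrast the comment above draws, shown as two pod specs side by side (an added illustration, not from this thread or from the VCAC-A project): the privileged form, and the device-plugin form where the container only asks the scheduler for a GPU resource. The image name is a placeholder, and the extended resource name `gpu.intel.com/i915` is assumed to be what the Intel GPU device plugin advertises; check the plugin README linked in [2] for the name your deployment uses.

```yaml
# Weak setting: a privileged container. This disables most of the container
# boundary (all capabilities, host device nodes, no seccomp/AppArmor), which is
# why multi-tenant clusters reject it with admission policies.
apiVersion: v1
kind: Pod
metadata:
  name: accelerator-privileged-example
spec:
  containers:
  - name: worker
    image: example.invalid/worker:placeholder   # placeholder image, constructed for this example
    securityContext:
      privileged: true
---
# Corrected setting: no privilege, no added capabilities. The GPU is requested as
# an extended resource; the device plugin mounts the device node into the
# container when the pod is scheduled onto a node that has one.
apiVersion: v1
kind: Pod
metadata:
  name: accelerator-unprivileged-example
spec:
  containers:
  - name: worker
    image: example.invalid/worker:placeholder   # placeholder image, constructed for this example
    resources:
      limits:
        gpu.intel.com/i915: 1                    # assumed resource name from the Intel GPU plugin
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      runAsUser: 0                               # per [1]: easiest way to get device node access for now
      capabilities:
        drop: ["ALL"]                            # nothing extra needed for normal GPU workloads
```

A quick audit for the weak form across a namespace is `kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].securityContext.privileged}{"\n"}{end}'`; any row showing `true` is a pod that effectively runs as root on the node.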
VCAC-A is end of support.