Container Images
Requirements for a runtime are not fully described:
$ docker run --rm -it -u 1000:1 --cap-drop=ALL kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted
Also SETUID and SETGID are not enough:
$ docker run --rm -it --cap-drop=ALL --cap-add=SETUID --cap-add=SETGID kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
s6-chown: fatal: unable to chown /run: Operation not permitted
s6-overlay-suexec: fatal: child failed with exit code 111
https://github.com/just-containers/s6-overlay?tab=readme-ov-file#user-directive No idea how it should be runnable under a non-root env.
USER is supported by s6-overlay. I'm interested in knowing how docker run -u $uid differs from a USER directive.
As I mentioned earlier, it is not a user problem, it is a Linux capabilities problem, because if you set docker run -u user it will work fine. But in case of a capabilities drop (Kubernetes typical environment https://kyverno.io/policies/best-practices/require-drop-all/require-drop-all/) it will not work.
Right. What happens if you also add --cap-add=CHOWN?
~$ docker run --rm -it -u 1000:1 --cap-drop=ALL --cap-add=CHOWN kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
Unable to find image 'kubeflownotebookswg/jupyter-pytorch-full:v1.8.0' locally
v1.8.0: Pulling from kubeflownotebookswg/jupyter-pytorch-full
aece8493d397: Already exists
5bc051129e13: Already exists
c0dc552994be: Already exists
ba8a2777b51a: Already exists
1c695b124666: Already exists
2aa684f59b95: Already exists
dc9989a913ea: Already exists
0c0fd82562a7: Already exists
bee6977a7fd6: Already exists
d66e22d661be: Already exists
5c31f6c87876: Already exists
35de76f46c69: Already exists
9425aeb39f23: Already exists
6ef7dca1e501: Already exists
9883fa42965c: Already exists
6546b01abb7e: Pull complete
7377292d6843: Pull complete
5c625670cce0: Pull complete
7d64ea0e6721: Pull complete
d100c2e80c90: Pull complete
b1a55ffa9a8c: Pull complete
Digest: sha256:d9ed16ec8934091c8bb155978fbfebcd4c276933c0d24eedd251ed3887f70b43
Status: Downloaded newer image for kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted
Well you'll need SETUID, SETGID and CHOWN...
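The thread ends at three capabilities (CHOWN for the chown of /run, then SETGID and SETUID for the privilege switch) and the runs above show how easy it is to test with only a subset of them. The following is an added example, not code from s6-overlay or from anyone in this thread: it decodes the CapEff/CapBnd bitmask that a container shows in /proc/self/status (the same format `capsh --decode` reads) and reports which of those three capabilities are missing, so a pod's effective set can be checked before s6-overlay fails at startup. Capability bit numbers are taken from linux/capability.h; the /proc status text at the bottom is a constructed sample, and the hex masks used in the demo are assumed values for the Docker invocations they are labelled with.

```python
"""Decode a Linux capability bitmask (the CapEff/CapBnd lines of
/proc/<pid>/status, or the input to `capsh --decode`) and report whether
the capabilities s6-overlay needs according to this thread are present.
Added example; not s6-overlay's own code."""

import re

# Bit number -> capability name, from linux/capability.h (CAP_CHOWN is bit 0).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# What the thread arrives at: chown of /run, then setgid/setuid to the target user.
S6_REQUIRED = frozenset({"CAP_CHOWN", "CAP_SETGID", "CAP_SETUID"})


def decode_caps(mask_hex: str) -> frozenset:
    """Turn a hex mask such as '00000000a80425fb' into a set of capability names."""
    mask = int(mask_hex, 16)
    names = set()
    for bit, name in enumerate(CAP_NAMES):
        if mask & (1 << bit):
            names.add(name)
    # Bits newer than this table are reported by number, as capsh does.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask & (1 << bit):
            names.add(str(bit))
    return frozenset(names)


def missing_for_s6(mask_hex: str) -> frozenset:
    """Capabilities from S6_REQUIRED that are absent from the given mask."""
    return S6_REQUIRED - decode_caps(mask_hex)


def caps_from_proc_status(status_text: str) -> dict:
    """Extract every Cap* line (CapInh/CapPrm/CapEff/CapBnd/CapAmb) from
    the text of /proc/<pid>/status, keyed by field name, value as hex string."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s+([0-9a-fA-F]+)\s*$", status_text, re.M):
        caps[m.group(1)] = m.group(2)
    return caps


# Constructed sample: the Cap* lines of /proc/self/status inside a container
# started with --cap-drop=ALL --cap-add=SETUID --cap-add=SETGID (bits 6 and 7).
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000000000c0
CapEff:\t00000000000000c0
CapBnd:\t00000000000000c0
CapAmb:\t0000000000000000
"""


if __name__ == "__main__":
    # Assumed masks for the runs discussed in the thread.
    for label, mask in [
        ("--cap-drop=ALL", "0000000000000000"),
        ("--cap-drop=ALL --cap-add=SETUID --cap-add=SETGID", "00000000000000c0"),
        ("--cap-drop=ALL --cap-add=CHOWN", "0000000000000001"),
        ("--cap-drop=ALL + CHOWN,SETGID,SETUID", "00000000000000c1"),
        ("docker default set", "00000000a80425fb"),
    ]:
        missing = sorted(missing_for_s6(mask))
        print(f"{label:50} missing: {missing or 'none'}")
    eff = caps_from_proc_status(SAMPLE_STATUS)["CapEff"]
    print("sample CapEff decodes to:", sorted(decode_caps(eff)))
```

Reading the three runs in the thread through this check: the first has an empty set and misses all three, the second has SETUID and SETGID but not CHOWN (hence the failed chown of /run), and the last has CHOWN alone, so the setgid fails again; only the union passes. Against a pod that drops ALL, the same function applied to the container's CapEff line tells you whether the add list is sufficient without starting the image.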