Hi! I've encountered several issues trying (https://github.com/NixOS/nixpkgs/pull/279235) to use apptainer's `--nvccli` and libnvidia-container, both deployed without setuid but with the support for user namespaces, and run under an unprivileged user.

- [ ] Could you clarify whether `nvidia-container-cli configure` is intended to be used in the unprivileged scenarios, now or in the long term?
- [ ] Which requirements need to be satisfied for `nvidia-container-cli --user configure` to "fly" the way singularity-ce and apptainer use it?
  - [ ] Which `capabilities` need to be available?
  - [ ] `/usr/bin` to be writable? https://github.com/apptainer/apptainer/blob/dbaf1afa0e153e056c32dad2640b4d367a53ff14/internal/pkg/util/gpu/nvidia.go#L95-L97 asserts that, but I couldn't find any documentation about this in `libnvidia-container`, and write access is not the error I encounter with nvidia-container-cli: https://github.com/apptainer/apptainer/issues/1893#issuecomment-1881573018

## Issues encountered

- `perm_drop_privileges` requires non-trivial privileges:
  - `EPERM`
  - each fail with `EINVAL` trying to switch from `1000:100` to `nobody:nogroup`
- `perm_set_capabilities` https://github.com/NVIDIA/libnvidia-container/blob/5c75904f9cf41bd106a0424e6d24c2854ef94c11/src/utils.c#L1018-L1019 fails in the `CAP_PERMITTED` branch
- `/etc/ld.so.cache` is expected to exist and be writable, tracking in https://github.com/NVIDIA/libnvidia-container/issues/234
- `/usr/bin` seems to be expected to exist and be writable

Sorry for the short and terse description, please follow up with questions if this lacks context.
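The two failures listed under "Issues encountered" (a privilege drop to `nobody:nogroup` refused with `EINVAL`, and a capability change refused in the `CAP_PERMITTED` branch) are both things a process can check for itself before calling into the CLI. The script below is an added diagnostic example; it is not code from this issue, from libnvidia-container or from apptainer. It decodes the `CapPrm` bitmask from `/proc/<pid>/status` and the `uid_map`/`gid_map` of the current user namespace, and reports whether the target ids are mapped and whether the permitted set contains the capabilities that `perm_drop_privileges` and `perm_set_capabilities` are assumed to need (`CAP_SETUID`, `CAP_SETGID`, `CAP_SETPCAP`); that list is an assumption of the example, since the report does not document the real requirements. The sample `status` and map contents are constructed, not captured from a real system; the `nobody`/`nogroup` id 65534 is the conventional value and is likewise an assumed constant.

```python
"""Diagnostic for the unprivileged-user / user-namespace scenario in the report.

Added example, not libnvidia-container or apptainer code.  Two preconditions are
checked: the target uid/gid must be mapped in the current user namespace
(setresuid()/setresgid() return EINVAL for unmapped ids inside a user namespace),
and the assumed capabilities must be in the permitted set (otherwise EPERM).
"""
import re

# Capability names indexed by bit number, from linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Assumption of this example: the capabilities the two failing code paths exercise.
ASSUMED_NEEDED = ("CAP_SETUID", "CAP_SETGID", "CAP_SETPCAP")

NOBODY_UID = 65534   # conventional nobody/nogroup id; assumed, not taken from the report
NOGROUP_GID = 65534


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map or gid_map lines into (inside, outside, count) triples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            entries.append(tuple(int(p) for p in parts))
    return entries


def is_id_mapped(entries, id_):
    """True if id_ (as seen inside the namespace) falls in some mapped range."""
    return any(inside <= id_ < inside + count for inside, _outside, count in entries)


def decode_cap_mask(hex_mask):
    """Turn a CapXxx hex bitmask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]


def cap_sets_from_status(status_text):
    """Extract the capability sets from the text of /proc/<pid>/status."""
    pattern = r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): decode_cap_mask(m.group(2))
            for m in re.finditer(pattern, status_text, re.MULTILINE)}


def diagnose(status_text, uid_map_text, gid_map_text,
             target_uid=NOBODY_UID, target_gid=NOGROUP_GID):
    """Report why a privilege drop to target_uid:target_gid would be refused."""
    permitted = set(cap_sets_from_status(status_text).get("CapPrm", []))
    findings = {
        "target_uid_mapped": is_id_mapped(parse_id_map(uid_map_text), target_uid),
        "target_gid_mapped": is_id_mapped(parse_id_map(gid_map_text), target_gid),
        # Missing permitted capabilities: the drop would be refused with EPERM.
        "missing_permitted": [c for c in ASSUMED_NEEDED if c not in permitted],
    }
    # Unmapped ids: setresuid()/setresgid() fail with EINVAL in a user namespace.
    findings["can_drop_to_target"] = (findings["target_uid_mapped"]
                                      and findings["target_gid_mapped"]
                                      and not findings["missing_permitted"])
    return findings


# Constructed samples (not captured from a real system).
# 1. Plain unprivileged process in the initial namespace: nobody is mapped,
#    but no capability is permitted.
SAMPLE_STATUS_UNPRIV = ("Name:\tnvidia-container-cli\nUid:\t1000\t1000\t1000\t1000\n"
                        "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")
SAMPLE_MAP_INITIAL = "         0          0 4294967295\n"
# 2. Owner of an unprivileged user namespace that maps only 1000:100: every
#    capability is permitted inside it, but nobody:nogroup is not mapped at all.
SAMPLE_STATUS_USERNS = ("Name:\tnvidia-container-cli\nUid:\t1000\t1000\t1000\t1000\n"
                        "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n")
SAMPLE_UID_MAP_USERNS = "      1000       1000          1\n"
SAMPLE_GID_MAP_USERNS = "       100        100          1\n"


def diagnose_self():
    """Run the same checks against the calling process (Linux only)."""
    with open("/proc/self/status") as s, open("/proc/self/uid_map") as u, \
            open("/proc/self/gid_map") as g:
        return diagnose(s.read(), u.read(), g.read())


if __name__ == "__main__":
    print("initial ns, no caps:", diagnose(SAMPLE_STATUS_UNPRIV, SAMPLE_MAP_INITIAL, SAMPLE_MAP_INITIAL))
    print("userns, single map :", diagnose(SAMPLE_STATUS_USERNS, SAMPLE_UID_MAP_USERNS, SAMPLE_GID_MAP_USERNS))
```

Run it inside the same user namespace apptainer sets up (or call `diagnose_self()` from there) and the output distinguishes the two situations the report conflates: in a namespace that maps only the caller's own uid and gid, every capability is permitted yet `nobody:nogroup` is unmapped, which is the `EINVAL` case; a plain unprivileged process in the initial namespace has the ids mapped but none of the capabilities, which is the `EPERM` case.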