Hi! I've encountered several issues trying (https://github.com/NixOS/nixpkgs/pull/279235) to use apptainer's --nvccli and libnvidia-container, both deployed without setuid but with the support for user namespaces, and run under an unprivileged user.
[ ] Could you clarify whether nvidia-container-cli configure is intended to be used in the unprivileged scenarious, now or in the long term?
[ ] Which requirements need to be satisified for nvidia-container-cli --user configure to "fly" the way singularity-ce and apptainer use it?
Hi! I've encountered several issues trying (https://github.com/NixOS/nixpkgs/pull/279235) to use apptainer's
--nvccliand libnvidia-container, both deployed without setuid but with the support for user namespaces, and run under an unprivileged user.nvidia-container-cli configureis intended to be used in the unprivileged scenarious, now or in the long term?nvidia-container-cli --user configureto "fly" the way singularity-ce and apptainer use it?capabilitiesneed to be available?usr/binto be writable? https://github.com/apptainer/apptainer/blob/dbaf1afa0e153e056c32dad2640b4d367a53ff14/internal/pkg/util/gpu/nvidia.go#L95-L97 asserts that, but I couldn't find any documentation about this inlibnvidia-containerand write access is not the error I encounter with nvidia-container-cli: https://github.com/apptainer/apptainer/issues/1893#issuecomment-1881573018Issues encountered
perm_drop_privilegesrequires non-trivial privileges:EPERMeach fail with EINVAL trying to switch from
1000:100tonobody:nogroupperm_set_capabilitieshttps://github.com/NVIDIA/libnvidia-container/blob/5c75904f9cf41bd106a0424e6d24c2854ef94c11/src/utils.c#L1018-L1019fails in the
CAP_PERIMTTEDbranch/etc/ld.so.cacheis expected to exist and be writable, tracking in https://github.com/NVIDIA/libnvidia-container/issues/234/usr/binseems to be expected to exist and be writableSorry for the short and terse description, please follow up with questions if this lacks context