aws-samples / sagemaker-studio-custom-image-samples

This repository contains examples of Docker images that can be used as custom images for KernelGateway Apps in SageMaker Studio
MIT No Attribution

Why should I run custom images as sagemaker-user? #20

Open peter-wimsey opened 2 years ago

peter-wimsey commented 2 years ago

The examples in this repo and the image configuration in SageMaker Studio assume that custom images are run as user sagemaker-user with UID 1000 and GUID 100.

However, at least some of SageMaker's own images (Data Science and PyTorch for example, have not tested all) run as root.

Running as something other than root makes installing into the kernel image at runtime difficult:

$ pip install some-package
Defaulting to user installation because normal site-packages is not writeable
...

and I end up with files in the user's home directory where they don't get cleaned up.

Why should I not just run as root like SageMaker's built-in images?

otmcevoy commented 6 months ago

A few years late but adding a comment in case it's helpful. While reading some documentation I stumbled across this:

GID/UID limits
Amazon SageMaker Studio Classic only supports the following DefaultUID and DefaultGID combinations:

DefaultUID: 1000 and DefaultGID: 100, which corresponds to a non-privileged user.

DefaultUID: 0 and DefaultGID: 0, which corresponds to root access.

So I think the SageMaker built-in images must be setting the IDs to 0, which grants the users root access. These examples set the IDs to 1000/100, which could be useful if you wanted more fine-grained permission controls and to limit the administrative capabilities of common users.
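
An added example, not part of the thread or the repository: a small audit that checks AppImageConfig documents against the two UID/GID combinations quoted above and flags images configured to run as root. The function names and the sample configs are hypothetical; the field names (`KernelGatewayImageConfig`, `FileSystemConfig`, `DefaultUid`, `DefaultGid`, `MountPath`) and the 1000/100 defaults are those of the SageMaker AppImageConfig API.

```python
import json

# The only DefaultUid/DefaultGid pairs the documentation quoted above lists
# as supported for Studio Classic custom images.
SUPPORTED_IDS = {(1000, 100): "non-privileged", (0, 0): "root"}

def audit_app_image_config(cfg, allow_root=False):
    """Return (severity, message) findings for one AppImageConfig dict."""
    name = cfg.get("AppImageConfigName", "<unnamed>")
    fs = cfg.get("KernelGatewayImageConfig", {}).get("FileSystemConfig", {})
    # API defaults when the fields are omitted: DefaultUid 1000, DefaultGid 100.
    uid, gid = fs.get("DefaultUid", 1000), fs.get("DefaultGid", 100)
    kind = SUPPORTED_IDS.get((uid, gid))
    if kind is None:
        return [("error", f"{name}: UID {uid}/GID {gid} is not a supported combination")]
    if kind == "root" and not allow_root:
        return [("warn", f"{name}: kernel runs as root (UID 0/GID 0)")]
    return []

# Constructed sample input (hypothetical configs, not taken from the repository).
SAMPLE = json.loads("""
[
  {"AppImageConfigName": "team-default",
   "KernelGatewayImageConfig": {"KernelSpecs": [{"Name": "python3"}],
     "FileSystemConfig": {"MountPath": "/home/sagemaker-user",
                          "DefaultUid": 1000, "DefaultGid": 100}}},
  {"AppImageConfigName": "runs-as-root",
   "KernelGatewayImageConfig": {"KernelSpecs": [{"Name": "python3"}],
     "FileSystemConfig": {"MountPath": "/root",
                          "DefaultUid": 0, "DefaultGid": 0}}},
  {"AppImageConfigName": "mixed-ids",
   "KernelGatewayImageConfig": {"KernelSpecs": [{"Name": "python3"}],
     "FileSystemConfig": {"DefaultUid": 1000, "DefaultGid": 0}}},
  {"AppImageConfigName": "no-fs-config",
   "KernelGatewayImageConfig": {"KernelSpecs": [{"Name": "python3"}]}}
]
""")

def audit_all(configs, allow_root=False):
    """Map each config name to its findings; an empty list means it passed."""
    return {c["AppImageConfigName"]: audit_app_image_config(c, allow_root)
            for c in configs}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```
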