containers / ai-lab-recipes

Examples for building and running LLM services and applications locally with Podman
Apache License 2.0

ilab-wrapper: Run podman with sudo #713

Closed omertuc closed 1 month ago

omertuc commented 1 month ago

Solves RHELAI-740

Background

The ilab command is wrapped by an ilab script which launches ilab inside a podman container.

Issue

Since the ilab container image is pulled during the bootc image build process using the root user, the image is not accessible to non-root users.

Solution

We run the container as sudo in order to be able to access the root container storage. But for security reasons we map root UID 0 inside the container to the current user's UID (and all the other subuids to the user's /etc/subuid range) so that we're effectively running the container as the current user.

Additional changes

Changed "--env" "HOME" to "--env" "HOME=$HOME" to pass the HOME environment variable from the current shell and not from the sudo environment.

Future work

In the future, we will run podman as the current user, once we figure out a reasonable way for the current user to access the root user's container storage.
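
The UID mapping described under "Solution" above, as an added example that is not part of this pull request or of the ilab wrapper: it turns a user's `/etc/subuid` entries into podman `--uidmap` arguments so that container UID 0 is the calling user rather than host root. The function names are hypothetical, the sample subuid content is constructed, `<ilab-image>` is a placeholder, and applying the same mapping to GIDs through `/etc/subgid` is an assumption the description does not state.

```bash
#!/usr/bin/env bash
# Added example (not the ilab wrapper itself): build the ID-mapping flags for
# a rootful podman so that container UID 0 is the calling user, not host root.

# subid_ranges USER FILE: print "start count" for each range USER owns.
subid_ranges() {
    awk -F: -v u="$1" \
        '$1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $2, $3 }' "$2"
}

# id_map_args FLAG HOST_ID USER FILE: print podman arguments, one per line.
id_map_args() {
    local flag=$1 host_id=$2 user=$3 file=$4 next=1 ranges start count
    case $host_id in
        ''|*[!0-9]*) echo "host id must be numeric" >&2; return 1 ;;
    esac
    # Mapping container 0 to host 0 would defeat the purpose: refuse it.
    if [ "$host_id" -eq 0 ]; then
        echo "refusing to map container root to host id 0" >&2; return 1
    fi
    ranges=$(subid_ranges "$user" "$file")
    if [ -z "$ranges" ]; then
        echo "no subordinate IDs for $user in $file" >&2; return 1
    fi
    printf '%s\n%s\n' "$flag" "0:${host_id}:1"
    # Container IDs 1.. are filled from the user's subordinate ranges in order.
    while read -r start count; do
        printf '%s\n%s\n' "$flag" "${next}:${start}:${count}"
        next=$((next + count))
    done <<EOF
$ranges
EOF
}

# Constructed sample /etc/subuid content (alice owns two ranges).
write_sample_subuid() {
    printf '%s\n' 'alice:100000:65536' 'bob:165536:65536' 'alice:300000:1000' > "$1"
}

# Typical use from a wrapper (image name is a placeholder):
#   sudo podman run --rm --env "HOME=$HOME" \
#       $(id_map_args --uidmap "$(id -u)" "$(id -un)" /etc/subuid) \
#       $(id_map_args --gidmap "$(id -g)" "$(id -un)" /etc/subgid) \
#       <ilab-image> ilab "$@"
```

The command substitutions are expanded by the calling shell before `sudo` runs, so `id -u` and `$HOME` still refer to the invoking user.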

rhatdan commented 1 month ago

Needs rebase.

omertuc commented 1 month ago

Force pushed for rebase & resolving review comments

rhatdan commented 1 month ago

LGTM