kubeflow / website

Kubeflow's public website
Creative Commons Attribution 4.0 International

Container Images #3666

Open rvadim opened 5 months ago

rvadim commented 5 months ago

Requirements for a runtime are not fully described:

$ docker run --rm  -it -u 1000:1 --cap-drop=ALL kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted

rvadim commented 5 months ago

Also SETUID and SETGID are not enough:

$ docker run --rm  -it --cap-drop=ALL --cap-add=SETUID --cap-add=SETGID  kubeflownotebookswg/jupyter-pytorch-full:v1.8.0 
s6-chown: fatal: unable to chown /run: Operation not permitted
s6-overlay-suexec: fatal: child failed with exit code 111

rvadim commented 5 months ago

https://github.com/just-containers/s6-overlay?tab=readme-ov-file#user-directive No idea how it should be runnable in a non-root env.

skarnet commented 3 months ago

USER is supported by s6-overlay. I'm interested in knowing how docker run -u $uid differs from a USER directive.

rvadim commented 3 months ago

As I mentioned earlier, it is not a user problem, it is a Linux capabilities problem, because if you set docker run -u user it works fine. But in the case of a capabilities drop (a typical Kubernetes environment, https://kyverno.io/policies/best-practices/require-drop-all/require-drop-all/) it will not work.

skarnet commented 3 months ago

Right. What happens if you also add --cap-add=CHOWN?

rvadim commented 3 months ago

~$ docker run --rm  -it -u 1000:1 --cap-drop=ALL --cap-add=CHOWN kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
Unable to find image 'kubeflownotebookswg/jupyter-pytorch-full:v1.8.0' locally
v1.8.0: Pulling from kubeflownotebookswg/jupyter-pytorch-full
aece8493d397: Already exists 
5bc051129e13: Already exists 
c0dc552994be: Already exists 
ba8a2777b51a: Already exists 
1c695b124666: Already exists 
2aa684f59b95: Already exists 
dc9989a913ea: Already exists 
0c0fd82562a7: Already exists 
bee6977a7fd6: Already exists 
d66e22d661be: Already exists 
5c31f6c87876: Already exists 
35de76f46c69: Already exists 
9425aeb39f23: Already exists 
6ef7dca1e501: Already exists 
9883fa42965c: Already exists 
6546b01abb7e: Pull complete 
7377292d6843: Pull complete 
5c625670cce0: Pull complete 
7d64ea0e6721: Pull complete 
d100c2e80c90: Pull complete 
b1a55ffa9a8c: Pull complete 
Digest: sha256:d9ed16ec8934091c8bb155978fbfebcd4c276933c0d24eedd251ed3887f70b43
Status: Downloaded newer image for kubeflownotebookswg/jupyter-pytorch-full:v1.8.0
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted

skarnet commented 3 months ago

Well you'll need SETUID, SETGID and CHOWN...
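The thread iterates on `--cap-add` flags by reading s6-overlay's fatal messages one at a time. An added diagnostic script (written for this page; it is not code from the issue, from Kubeflow or from s6-overlay) lets you see directly which capabilities a process actually holds under a given `-u` / `--cap-drop` / `--cap-add` combination, by decoding the `CapBnd`/`CapPrm`/`CapEff`/`CapAmb` masks in `/proc/self/status` and reporting which of the three capabilities s6-overlay's init asks for (CHOWN, SETGID, SETUID) are absent from the effective set. The file name `capcheck.sh` and the sample masks used in the usage comment are assumptions; the bit numbers come from the kernel's `linux/capability.h`.

```shell
#!/bin/sh
# capcheck.sh (added example, hypothetical name): decode Linux capability masks
# and flag whether the caps s6-overlay's init needs are actually effective.
# Run it inside the container, e.g. as an entrypoint override:
#   docker run --rm -u 1000:1 --cap-drop=ALL --cap-add=CHOWN --cap-add=SETUID \
#     --cap-add=SETGID -v "$PWD/capcheck.sh:/capcheck.sh:ro" --entrypoint sh IMAGE /capcheck.sh

# Capability names indexed by bit number (0 = CAP_CHOWN ... 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_name BIT -> CAP_NAME for that bit (falls back to CAP_<bit> for bits newer than the table).
cap_name() {
  i=$1
  # shellcheck disable=SC2086
  set -- $CAP_NAMES
  if [ "$i" -lt $# ]; then
    shift "$i"
    printf 'CAP_%s\n' "$1" | tr 'a-z' 'A-Z'
  else
    printf 'CAP_%s\n' "$i"
  fi
}

# decode_caps HEXMASK -> space-separated names of the set bits, lowest bit first.
decode_caps() {
  mask=$((0x${1:-0}))
  names=""
  bit=0
  while [ "$bit" -lt 64 ]; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      names="${names}${names:+ }$(cap_name "$bit")"
    fi
    bit=$((bit + 1))
  done
  printf '%s\n' "$names"
}

# missing_for_s6 HEXMASK -> names among CAP_CHOWN/CAP_SETGID/CAP_SETUID not in the mask
# (empty output means all three are present). Bits 0, 6, 7 per linux/capability.h.
missing_for_s6() {
  mask=$((0x${1:-0}))
  missing=""
  for bit in 0 6 7; do
    if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
      missing="${missing}${missing:+ }$(cap_name "$bit")"
    fi
  done
  printf '%s\n' "$missing"
}

# proc_caps SETNAME -> hex mask for CapBnd/CapPrm/CapEff/CapAmb of this process
# (prints 0 where /proc is unavailable, so the decoders still get valid input).
proc_caps() {
  [ -r /proc/self/status ] || { echo 0; return; }
  awk -v key="$1:" '$1 == key { print $2 }' /proc/self/status
}

# report_caps: print every capability set of the current process and the s6-overlay gap.
report_caps() {
  printf 'uid=%s\n' "$(id -u)"
  for set in CapBnd CapPrm CapEff CapAmb; do
    printf '%s: %s\n' "$set" "$(decode_caps "$(proc_caps "$set")")"
  done
  printf 'missing from CapEff for s6-overlay init: %s\n' "$(missing_for_s6 "$(proc_caps CapEff)")"
}

report_caps
```

What the report shows is the part the `--cap-add` iteration in the thread cannot: Docker places `--cap-add` capabilities in the bounding set but does not set ambient capabilities, so a container started with a non-root `-u` shows them in `CapBnd` while `CapPrm` and `CapEff` stay empty, and s6-overlay's `setgid`/`chown` calls fail regardless of which flags were added. Started as root (no `-u`, or `runAsUser: 0` in a Kubernetes `securityContext`) with `drop: [ALL]` plus `add: [CHOWN, SETGID, SETUID]`, all three land in `CapEff` and the missing list is empty; s6-overlay then drops to the image's USER itself. Comparing the two reports is the quickest way to confirm which of the two cases a given Kyverno-constrained Pod spec produces.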