Closed eero-t closed 2 months ago
On a quick test after disabling hostIPC: sed -i 's/hostIPC: true/hostIPC: false/' *.yaml
ChatQnA Xeon variant performance seemed to be unaffected.
@yinghu5 Could you add some security tag to this?
It's not a security bug itself, but has security implications (does not conform to k8s security baseline, see link above).
@yinghu5 Why did you assign this to me? I'm not a member of any of the OPEA projects.
Thank you for letting me know. I thought you were a developer with good insight on the topic :)
I don't think this bug is valid any more. We've already deleted the hostIPC settings in this v0.8 release.
@lianhao while hostIPC usage is gone from the manifests in "GenAIExamples", it's still used in manifest files in "GenAIInfra":
GenAIInfra$ git grep -i hostipc
manifests/ChatQnA/chaqna-xeon-backend-server.yaml: hostIPC: true
manifests/ChatQnA/embedding.yaml: hostIPC: true
manifests/ChatQnA/llm.yaml: hostIPC: true
manifests/ChatQnA/reranking.yaml: hostIPC: true
manifests/ChatQnA/retriever.yaml: hostIPC: true
manifests/ChatQnA/tgi_gaudi_service.yaml: hostIPC: true
manifests/ChatQnA/tgi_service.yaml: hostIPC: true
Please remove those too.
I'll file an issue in GenAIInfra to delete those
Related to #258: why are services using the hostIPC option [1], although they all use just a single replica and have no affinity rules that would make sure pods needing hostIPC interaction get scheduled to the same node?
[1] which has security implications: https://kubernetes.io/docs/concepts/security/pod-security-standards/
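The thread finds the offending manifests with git grep and flips them with a one-line sed. The Pod Security Standards baseline level actually disallows all three host namespace flags (spec.hostNetwork, spec.hostPID, spec.hostIPC), and treats an absent key and an explicit false the same way, so a check that only looks for "hostIPC: true" at one indentation level misses cases. The script below is an added example, not code from the OPEA repositories: it scans manifests for any of the three flags set to true (at any indentation, so it covers both bare Pods and Deployment pod templates), rewrites them to false, and verifies the result on a constructed sample manifest shaped like the ChatQnA ones listed above. The file name llm.yaml and its contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from GenAIExamples/GenAIInfra): find and remove host
# namespace sharing that the Kubernetes Pod Security Standards "baseline"
# level forbids: spec.hostNetwork, spec.hostPID and spec.hostIPC set to true.

# Print "line:match" (or "file:line:match" for several files) for every host
# namespace flag set to true. Indentation-agnostic, so it catches the flag in
# a Deployment's spec.template.spec as well as in a bare Pod spec.
find_host_namespaces() {
    grep -nE '^[[:space:]]*host(IPC|PID|Network):[[:space:]]*true[[:space:]]*$' "$@"
}

# Return 0 when none of the given manifests shares a host namespace.
check_manifests() {
    if find_host_namespaces "$@" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Same idea as the thread's sed, but covering all three flags and any
# indentation. "false" is equivalent to leaving the key out for the baseline
# level, so rewriting in place keeps the manifest layout intact.
# Uses a temp file instead of sed -i so it works with both GNU and BSD sed.
fix_manifests() {
    for f in "$@"; do
        sed -E 's/^([[:space:]]*host(IPC|PID|Network):[[:space:]]*)true[[:space:]]*$/\1false/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Constructed sample manifest (illustrative only, not a copy of a repo file).
make_sample() {
    cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: llm
spec:
  replicas: 1
  template:
    spec:
      hostIPC: true
      containers:
      - name: llm
        image: example/llm:latest
EOF
}

# Demonstration: create the sample, show the violation, fix it, re-check.
main_demo() {
    dir=$(mktemp -d)
    make_sample "$dir/llm.yaml"
    if check_manifests "$dir/llm.yaml"; then
        echo "unexpected: no host namespace violation found"
        rm -rf "$dir"
        return 1
    fi
    echo "violations in $dir/llm.yaml:"
    find_host_namespaces "$dir/llm.yaml"
    fix_manifests "$dir/llm.yaml"
    if check_manifests "$dir/llm.yaml"; then
        echo "fixed: $dir/llm.yaml now passes the baseline host namespace check"
    fi
    rm -rf "$dir"
}

main_demo
```

Run check_manifests over the manifests directory (for example manifests/ChatQnA/*.yaml) in CI to fail the build when a host namespace flag comes back; the scan only looks at the three spec fields the baseline names, so it says nothing about other baseline rules such as privileged containers or hostPath volumes.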