Open mythi opened 3 years ago

@AkihiroSuda I have a question about the KEP. It says:

What is the problem with the device controller? I've been working on getting non-root containers + devices to work in the "non-rootless" mode and would like to understand what is needed for the rootless mode.
I understand the UID/GID for permissions but it's not clear why the eBPF device controller cannot be supported (is it more than capabilities, e.g. CAP_BPF?) I think it is a valid use-case to get access to devices, e.g., GPUs, as non-root user.

Yes, restricting devices requires CAP_BPF.
Anyway, GPUs could be supported as long as the GPU device is chowned/chmodded.

@AkihiroSuda thanks for the prompt reply

> Yes, restricting devices requires CAP_BPF.

Is it possible to get rootless runc working with this?

> Anyway, GPUs could be supported as long as the GPU device is chowned/chmodded.

Is it enough that the "rootless UID" belongs to that device group, or does the container process need to have it as part of the additionalGids too?
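The question the thread ends on (device group membership vs. additionalGids) comes down to the plain owner/group/other check on the device node, since without CAP_BPF there is no device cgroup program in the rootless path. The following is an added example, not code from this thread or from runc: `DeviceNode`, `dac_allows` and `remediation` are hypothetical helpers, and the sample node values in the test are constructed.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceNode:
    """Owner, group and st_mode of a device node (what os.stat() reports)."""
    path: str
    uid: int
    gid: int
    mode: int  # full st_mode, file-type bits included


def from_path(path: str) -> DeviceNode:
    """Build a DeviceNode from a real host device (only when one exists)."""
    st = os.stat(path)
    return DeviceNode(path, st.st_uid, st.st_gid, st.st_mode)


def dac_allows(dev: DeviceNode, uid: int, gids: set[int], write: bool = True) -> bool:
    """Owner/group/other check for a process with uid `uid` and the full set of
    groups it actually runs with (primary gid plus any additionalGids).
    Capability overrides are deliberately ignored: in the rootless case the
    node's DAC bits are what gate access."""
    if not (stat.S_ISCHR(dev.mode) or stat.S_ISBLK(dev.mode)):
        return False
    perm = stat.S_IMODE(dev.mode)
    if uid == dev.uid:              # owner class applies, even if group bits are wider
        cls = (perm >> 6) & 0o7
    elif dev.gid in gids:
        cls = (perm >> 3) & 0o7
    else:
        cls = perm & 0o7
    need = 0o4 | (0o2 if write else 0)
    return (cls & need) == need


def remediation(dev: DeviceNode, uid: int, gids: set[int]) -> str:
    """Which of the options discussed above would open read/write access."""
    if dac_allows(dev, uid, gids):
        return "ok"
    group_rw = ((stat.S_IMODE(dev.mode) >> 3) & 0o6) == 0o6
    if group_rw and dev.gid not in gids:
        return "additionalGids"     # group bits suffice; the process just lacks the gid
    if dev.gid in gids:
        return "chmod"              # in the group, but group bits are too narrow
    return "chown/chmod"
```

Note that being in the device group on the host is irrelevant if the container process does not end up with that gid in its supplementary groups; `dac_allows` only looks at the set it is given.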