Open abhinavg6 opened 1 week ago
In the config.go file, ensure that paths used by the application point to directories where the non-root user (UID: 2000) has write access.
```go
var DefaultConfig = LocalConfig{
	ContainerEnvironmentPath:   "/home/wandb/container_environment",
	EnvironmentDefaultsPath:    "/home/wandb/environment_defaults/env.txt",
	OriginalVariablesPath:      "/home/wandb/original_variables/env.txt",
	UserSettingsErrorCachePath: "/home/wandb/user_settings_error_cache.json",
}
```
Ensure the /home/wandb directory is owned by the non-root user (UID: 2000).
Link: https://github.com/wandb/core/blob/81affcd2206ce554cb12c35317c75632abc140e2/onprem/local/Dockerfile
```dockerfile
RUN chown -R 2000:2000 /home/wandb
RUN chmod -R 755 /home/wandb
```
IMPORTANT: This task is only to investigate what is possible and to identify what needs to be changed.
Today:
W&B requires root privileges to run. In (shared) enterprise environments that is not allowed.
Examples:
Starting wandb-app as nonRoot and unprivileged results in the following:
or
Expectation:
The following SecurityContext should be possible to configure and all W&B pods run without issues:
The result of this task should be a list of changes that are required to be implemented to make the above security context possible.
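An added example, not part of the issue or of the W&B code base: a Go check that, run as the target UID inside the container, tests whether each path from the DefaultConfig above can be written or created by the current user. The function names `CheckWritable` and `probeDir` are hypothetical, and the check assumes it may briefly create a temp file in the directories it probes.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// probeDir proves write access by creating and removing a temp file in dir.
func probeDir(dir string) error {
	f, err := os.CreateTemp(dir, ".writecheck-*")
	if err != nil {
		return err
	}
	defer os.Remove(f.Name())
	return f.Close()
}

// CheckWritable reports whether the current UID can write path or create it.
func CheckWritable(path string) error {
	for p := filepath.Clean(path); ; p = filepath.Dir(p) {
		info, err := os.Stat(p)
		switch {
		case os.IsNotExist(err) && p != filepath.Dir(p):
			continue // missing: climb to the nearest existing ancestor
		case err == nil && info.IsDir():
			err = probeDir(p)
		case err == nil && p == filepath.Clean(path):
			f, e := os.OpenFile(p, os.O_WRONLY, 0) // existing file
			f.Close()                              // harmless if f is nil
			err = e
		case err == nil:
			err = fmt.Errorf("ancestor %s is not a directory", p)
		}
		if err != nil {
			return fmt.Errorf("%s: uid %d: %w", path, os.Getuid(), err)
		}
		return nil
	}
}

func main() {
	// Paths from the issue's DefaultConfig; run as the target UID (2000).
	for _, p := range []string{"/home/wandb/container_environment",
		"/home/wandb/environment_defaults/env.txt",
		"/home/wandb/original_variables/env.txt",
		"/home/wandb/user_settings_error_cache.json"} {
		fmt.Println(p, "->", CheckWritable(p))
	}
}
```

An existing file left behind by an earlier root-run container fails the open-for-write case even when its parent directory is writable, which the directory probe alone would not reveal.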