Running Rootless Containers
Containers that need access to device files are usually run as root (UID/GID 0/0): when a device plugin makes a device file available to a workload container, the device node inside the container is owned by root, so a process running as any other user cannot open it. Running workloads as root is not good security practice, so it is always better to run them rootless. This short tutorial shows how to configure the cluster so that workloads using the Intel device plugins can run as a non-root user. This is not turned on by default.
This is controlled by a single CRI-O setting, `device_ownership_from_security_context`, which needs to be set to `true`. With it enabled, CRI-O changes the ownership of the device nodes it passes into a container to the `runAsUser`/`runAsGroup` given in the container's security context, instead of leaving them owned by root. The CRI-O config lives in /etc/crio/crio.conf, but on OpenShift there is no need to edit it by hand: the `ContainerRuntimeConfig` CR in the `machineconfiguration.openshift.io` API group carries CRI-O settings, and the Machine Config Operator rolls them out to every node in the selected machine config pool. Creating the CR and applying it with `oc apply` is all that is needed to enable the feature. A sample CR is shown below:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
metadata:
  name: device-ownership
spec:
  # Select the worker pool; the label value is an empty string, not curly quotes.
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/worker: ""
  containerRuntimeConfig:
    device_ownership_from_security_context: true
```
To apply it (`-f` is required so `oc apply` reads the manifest from the file):
```bash
$ oc apply -f <CR Filename>
```
The change is rolled out node by node; wait until `oc get mcp worker` reports the pool as updated before deploying workloads that depend on it.
Once the step above is complete, the containers can simply run with a UID and GID other than 0. In OpenShift, this is set in the `securityContext` section of the container spec. Note that the UID/GID must be permitted by the SCC the pod is admitted under; with the default restricted SCC they must fall in the namespace's assigned UID range, so the values below are only an example. An example is shown below:
```yaml
containers:
- name: workload1
  image: <image location>
  securityContext:
    runAsUser: 1000650005
    runAsGroup: 1000650005
```
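The two steps above together, as an added example that is not part of this page or the Intel Technology Enabling project: a script that renders a complete non-root Pod manifest requesting an Intel GPU, and a check that parses the output of `ls -ln /dev/dri` taken inside the running container (for example via `oc exec <pod> -- ls -ln /dev/dri`) to confirm that CRI-O handed the device nodes to the Pod's `runAsUser`/`runAsGroup`. The pod name, the image, the `gpu.intel.com/i915` resource name and both `ls` samples are assumptions constructed for the example; the UID/GID reuse the page's example values.

```shell
#!/bin/sh
# Added example (not from the Intel Technology Enabling project): render a
# non-root Pod manifest that requests an Intel GPU, and verify from
# `ls -ln /dev/dri` output captured inside the container that CRI-O chowned
# the device nodes to the Pod's runAsUser/runAsGroup.

# Assumed values: UID/GID reuse the page's example; image, pod name and the
# gpu.intel.com/i915 resource name are illustrative, not from the page.
POD_UID=1000650005
POD_GID=1000650005

# Print a Pod manifest with a non-root securityContext and a device request.
# The resources.limits entry is what makes the device plugin pass a /dev/dri
# node into the container; the securityContext is what CRI-O chowns it to.
render_pod_manifest() {
  name=$1; image=$2; uid=$3; gid=$4
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
spec:
  containers:
  - name: workload1
    image: ${image}
    command: ["sleep", "infinity"]
    securityContext:
      runAsUser: ${uid}
      runAsGroup: ${gid}
      runAsNonRoot: true
      allowPrivilegeEscalation: false
    resources:
      limits:
        gpu.intel.com/i915: 1
EOF
}

# Read `ls -ln` output on stdin and succeed only if every character or block
# device line is owned by uid:gid. Directories, symlinks and the "total"
# line are ignored. Each mismatching node is reported on stderr.
check_device_ownership() {
  uid=$1; gid=$2; rc=0
  while read -r mode links owner group rest; do
    case $mode in
      c*|b*) ;;        # only device nodes matter
      *) continue ;;
    esac
    if [ "$owner" != "$uid" ] || [ "$group" != "$gid" ]; then
      echo "device owned by $owner:$group, expected $uid:$gid: $rest" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of `ls -ln /dev/dri` inside the Pod with
# device_ownership_from_security_context enabled: nodes carry the Pod's UID/GID.
SAMPLE_ENABLED='total 0
drwxr-xr-x 2 0 0 80 Jan 1 00:00 by-path
crw-rw---- 1 1000650005 1000650005 226, 0 Jan 1 00:00 card0
crw-rw---- 1 1000650005 1000650005 226, 128 Jan 1 00:00 renderD128'

# Constructed sample without the CRI-O setting: nodes stay root:root with
# mode 660, so a non-root process in the container cannot open them.
SAMPLE_DISABLED='total 0
crw-rw---- 1 0 0 226, 0 Jan 1 00:00 card0
crw-rw---- 1 0 0 226, 128 Jan 1 00:00 renderD128'

# Stand-alone demo: `sh rootless_check.sh demo` renders the manifest and
# checks both samples.
if [ "${1:-}" = "demo" ]; then
  render_pod_manifest gpu-pod registry.example.com/app:latest "$POD_UID" "$POD_GID"
  printf '%s\n' "$SAMPLE_ENABLED" | check_device_ownership "$POD_UID" "$POD_GID" \
    && echo "enabled sample: devices owned by $POD_UID:$POD_GID"
  printf '%s\n' "$SAMPLE_DISABLED" | check_device_ownership "$POD_UID" "$POD_GID" \
    || echo "disabled sample: devices still root-owned, enable the CRI-O setting"
fi
```

On a real cluster the check is run as `oc exec gpu-pod -- ls -ln /dev/dri | sh -c '. ./rootless_check.sh; check_device_ownership 1000650005 1000650005'`; a failure there, with the Pod admitted and the device request satisfied, means the `ContainerRuntimeConfig` has not reached that node yet or the Pod was scheduled outside the selected pool.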
The Intel Technology Enabling for OpenShift project provides Intel Data Center hardware feature-provisioning technologies with the Red Hat OpenShift Container Platform (RHOCP). The technology to deploy and manage Intel Enterprise AI End-to-End (E2E) solutions and the related reference workloads for these features are also included in the project.
Fast GPU Provisioning technology enables GPU provisioning in less than one second with no reboots, using pre-built driver containers. The feature eliminates any dependency on machine configuration changes, which trigger a reboot, an expensive operation; instead, the required operations are performed at runtime. This leads to a simplified and accelerated deployment process.