Unprivileged `nvidia-container-cli --user configure`
SomeoneSerge opened this issue · 0 comments
Hi! I've encountered several issues trying (NixOS/nixpkgs#279235) to use apptainer's `--nvccli` and libnvidia-container, both deployed without setuid but with support for user namespaces, and run under an unprivileged user.

- Could you clarify whether `nvidia-container-cli configure` is intended to be used in the unprivileged scenarios, now or in the long term?
- Which requirements need to be satisfied for `nvidia-container-cli --user configure` to "fly" the way singularity-ce and apptainer use it?
- Which capabilities need to be available?
- Is it necessary for `/usr/bin` to be writable? https://github.com/apptainer/apptainer/blob/dbaf1afa0e153e056c32dad2640b4d367a53ff14/internal/pkg/util/gpu/nvidia.go#L95-L97 asserts that, but I couldn't find any documentation about this in libnvidia-container, and write access is not the error I encounter with nvidia-container-cli: apptainer/apptainer#1893 (comment)
- Which
Issues encountered

- `perm_drop_privileges` requires non-trivial privileges:
  - libnvidia-container/src/utils.c, line 926 in 5c75904: `EPERM`
  - libnvidia-container/src/utils.c, lines 931 and 933 in 5c75904: each fail with `EINVAL` trying to switch from `1000:100` to `nobody:nogroup`
- `perm_set_capabilities` (libnvidia-container/src/utils.c, lines 1018 to 1019 in 5c75904) fails in the `CAP_PERMITTED` branch
- `/etc/ld.so.cache` is expected to exist and be writable, tracking in #234
- `/usr/bin` seems to be expected to exist and be writable
Sorry for the short and terse description; please follow up with questions if this lacks context.
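The `EINVAL` the issue reports when `perm_drop_privileges` tries to go from `1000:100` to `nobody:nogroup` is what the kernel returns for a `setuid(2)`/`setgid(2)` to an id that has no entry in the caller's user namespace's `uid_map`/`gid_map`, and `setgroups(2)` returns `EPERM` once `/proc/self/setgroups` is `deny`, which is the state an unprivileged single-id mapping (`unshare -U` style) leaves the process in. The following is an added example, not code from the issue or from libnvidia-container: a hypothetical helper that parses the map files and predicts those errors, then forks a child to attempt the switch for real so the prediction can be compared with what the syscalls actually return. It assumes `nobody:nogroup` is `65534:65534` and does not claim which call in `src/utils.c` produced which error.

```c
/* userns_drop_check.c (hypothetical helper, not libnvidia-container code).
 * Build: cc -o userns_drop_check userns_drop_check.c
 * Run inside an unprivileged user namespace, e.g.: unshare -U ./userns_drop_check */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse uid_map/gid_map text ("inner outer count" per line) and return 1 if
 * `id`, as seen inside the namespace, falls into one of the mapped ranges. */
int id_is_mapped(const char *map, unsigned long id)
{
    const char *p = map;
    while (p && *p) {
        unsigned long inner, outer, count;
        if (sscanf(p, "%lu %lu %lu", &inner, &outer, &count) == 3 &&
            id >= inner && id - inner < count)
            return 1;
        p = strchr(p, '\n');       /* advance to the next map line, if any */
        if (p)
            p++;
    }
    return 0;
}

/* errno that setresuid(2)/setresgid(2) to `id` would return under this map:
 * 0 if the id is mapped, EINVAL otherwise (man setuid(2): "not valid in this
 * user namespace"). */
int predict_setid_errno(const char *map, unsigned long id)
{
    return id_is_mapped(map, id) ? 0 : EINVAL;
}

/* errno that setgroups(2) would return given /proc/self/setgroups: "deny"
 * (mandatory before an unprivileged process may write gid_map) makes every
 * later setgroups(2) fail with EPERM. */
int predict_setgroups_errno(const char *policy)
{
    return strncmp(policy, "deny", 4) == 0 ? EPERM : 0;
}

/* Attempt the switch for real in a forked child; returns the errno of the
 * first failing call (0 on success) so the caller's credentials stay intact. */
int try_switch(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (setgroups(0, NULL) < 0)          _exit(errno);
        if (setresgid(gid, gid, gid) < 0)    _exit(errno);
        if (setresuid(uid, uid, uid) < 0)    _exit(errno);
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

static int read_text(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed maps for a namespace that mapped only 1000:100, as in the
     * issue; nobody:nogroup assumed to be 65534:65534. */
    const char *uid_map = "      1000       1000          1\n";
    const char *gid_map = "       100        100          1\n";
    printf("constructed ns: setresuid(65534) -> %s\n", strerror(predict_setid_errno(uid_map, 65534)));
    printf("constructed ns: setresgid(65534) -> %s\n", strerror(predict_setid_errno(gid_map, 65534)));
    printf("constructed ns: setgroups()      -> %s\n", strerror(predict_setgroups_errno("deny\n")));

    /* Same checks against the namespace this process actually runs in. */
    char ubuf[4096], gbuf[4096], sbuf[64] = "allow";
    if (read_text("/proc/self/uid_map", ubuf, sizeof ubuf) == 0 &&
        read_text("/proc/self/gid_map", gbuf, sizeof gbuf) == 0) {
        read_text("/proc/self/setgroups", sbuf, sizeof sbuf);
        printf("this ns: predicted uid=%s gid=%s setgroups=%s; actual switch -> %s\n",
               strerror(predict_setid_errno(ubuf, 65534)),
               strerror(predict_setid_errno(gbuf, 65534)),
               strerror(predict_setgroups_errno(sbuf)),
               strerror(try_switch(65534, 65534)));
    }
    return 0;
}
```

Outside a user namespace the "actual" line simply reports `EPERM` for an unprivileged caller that lacks `CAP_SETUID`/`CAP_SETGID`; inside one created with `unshare -U` the predictions and the real attempt should agree, which is a quick way to tell an unmapped-id failure from a missing-capability one.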