You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello all, I am evaluating whether the device plugin can be run without SYS_ADMIN capabilities for mixed mode MIG. Currently the capability is needed to query the MIG slice's memory info. But this also increases the security surface area of the Pod and I am considering if we can reduce it.
Based on @klueskacomment, it seems possible to pass the capabilities directly into the container without having to explicitly add SYS_ADMIN. I tried to bind mount the host's /proc/driver/nvidia/capabilities/mig/monitor into container but running into pod error. Using a build from release-0.13
Warning Failed 13s (x5 over 110s) kubelet Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/proc/driver/nvidia/capabilities/mig/monitor" to rootfs at "/proc/driver/nvidia/capabilities/mig/monitor": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/nvidia-device-plugin-ctr/rootfs/proc/driver/nvidia/capabilities/mig/monitor" cannot be mounted because it is inside /proc: unknown
Has anyone made this working? Any examples would definitely help.
Thanks
The text was updated successfully, but these errors were encountered:
This issue is stale because it has been open 90 days with no activity. This issue will be closed in 30 days unless new comments are made or the stale label is removed.
Hello all, I am evaluating whether the device plugin can be run without SYS_ADMIN capabilities for mixed mode MIG. Currently the capability is needed to query the MIG slice's memory info. But this also increases the security surface area of the Pod and I am considering if we can reduce it.
Based on @klueska comment, it seems possible to pass the capabilities directly into the container without having to explicitly add
SYS_ADMIN
. I tried to bind mount the host's/proc/driver/nvidia/capabilities/mig/monitor
into container but running into pod error. Using a build fromrelease-0.13
Has anyone made this working? Any examples would definitely help.
Thanks
The text was updated successfully, but these errors were encountered: