
Running Rootless Containers

Manish Regmi edited this page Jun 21, 2024 · 4 revisions

Introduction

When containers need access to device files, they usually have to run as root (UID/GID 0/0): the device files that the device plugins expose to workload containers are owned by root, so the containers need root privileges to open them. Running workloads as root is not good security practice, so it is always better to run containers rootless. This is a short tutorial on how to run the Intel Device Plugins so that the workload containers can run rootless. By default this is not turned on.

Enabling rootless mode

This is turned on by setting a single variable in the CRI-O config: 'device_ownership_from_security_context', which just needs to be set to true. The CRI-O config is in '/etc/crio/crio.conf'. The good news is that we don't have to change this setting manually.

In OpenShift there is a CR type called 'ContainerRuntimeConfig'. We just create this CR and apply it with 'oc apply' to enable the feature. A sample CR is shown below:

apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
metadata:
  name: device-ownership
spec:
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/worker: ""
  containerRuntimeConfig:
    device_ownership_from_security_context: true

To apply it, just run:

$ oc apply -f <CR Filename>

Running Containers in Rootless Mode

Once the step above is complete, containers can simply use a UID and GID other than 0. In OpenShift, this is set in the securityContext section of the container YAML. An example is shown below:

containers:
  - name: workload1
    image: <image location>
    securityContext:
      runAsUser: 1000650005
      runAsGroup: 1000650005
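Two checks that verify the setup described above, as an added example that is not part of this wiki or the Intel Device Plugins project: one confirms that a CRI-O config (assumed at /etc/crio/crio.conf, as above) really enables 'device_ownership_from_security_context', the other confirms, from inside a workload, that a device node is owned by the container's runAsUser/runAsGroup rather than by root. The device path and the sample config written to a temp file are constructed for the demonstration.

```shell
#!/bin/sh
# Added verification helpers; not code from the wiki or the device plugins.

# crio_device_ownership_enabled FILE
# Returns 0 if FILE has an uncommented
#   device_ownership_from_security_context = true
# line, 1 otherwise (commented-out lines are ignored).
crio_device_ownership_enabled() {
    grep -Eq '^[[:space:]]*device_ownership_from_security_context[[:space:]]*=[[:space:]]*true' "$1"
}

# device_owned_by DEVICE UID GID
# Returns 0 if DEVICE is owned by UID:GID, which is what a workload running
# with that runAsUser/runAsGroup needs in order to open it without root.
# Uses `ls -ldn` so it works with both GNU and BSD userland.
device_owned_by() {
    [ "$(ls -ldn "$1" | awk '{print $3 ":" $4}')" = "$2:$3" ]
}

# Stand-alone demonstration on a constructed crio.conf.
demo() {
    tmp=$(mktemp)
    # Constructed sample: the first occurrence is a comment and must not count.
    printf '[crio.runtime]\n# device_ownership_from_security_context = false\ndevice_ownership_from_security_context = true\n' > "$tmp"
    if crio_device_ownership_enabled "$tmp"; then
        echo "crio config: device ownership from security context is enabled"
    else
        echo "crio config: setting missing or false; containers will need root for devices"
    fi
    # Inside a pod you would point this at the real node, e.g. /dev/dri/renderD128
    # (hypothetical path), and pass the pod's runAsUser/runAsGroup.
    if device_owned_by "$tmp" "$(id -u)" "$(id -g)"; then
        echo "device: owned by the current UID/GID, rootless access possible"
    else
        echo "device: not owned by the current UID/GID"
    fi
    rm -f "$tmp"
}

demo
```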