On 2/20/24 1:45 PM, Chris Evich wrote:
 Note: I'm not an expert, but I know enough to be dangerous.
 Dan would know for sure, but my best guess is "no", you probably need 
 a SELinux policy module to allow this activity.  The other option is 
 to run the container unconfined, maybe the "protections" provided by 
 being rootless are "good enough" for your use-case?
 In case it helps, the (maybe) good news is, (at least as of a few 
 years ago) there were some handy tools available for generating these 
 policies based on SELinux denials.  The workflow (used to) look 
 something like:
 1. Go into permissive mode
 2. Do the container thing
 3. Run the script that scrapes audit.log and generates policy-module 
 code.
 4. Compile & install the new module.
 5. Repeat from step 2, until the thing is working as expected.
 ---
 Chris Evich (he/him), RHCA III
 Senior Quality Assurance Engineer
 If there's a "hard-way", I'm the first one to implement it.
 On 2/17/24 08:31, lejeczek via Podman wrote:
> Hi guys
>
> I have _rootless_ container with PyTorch from ROCm
>
> -> $ { export _NAME="pytorch_rocm"; export 
> _PATH=${HOME}/containers/FLATfiles/${_NAME}; echo; mkdir -p 
> ${_PATH}/{,root,dockerx}; }; podman run -dt --device=/dev/kfd 
> --device=/dev/dri --group-add video --shm-size 8G --security-opt 
> seccomp=unconfined --volume ${_PATH}/root:/root:z --volume 
> ${_PATH}/dockerx:/dockerx:z -w /dockerx --name ${_NAME/\//_} 
> rocm/pytorch:latest
>
> which fails to:
> root@4bc3c2ec2ab3:/dockerx# python3 -c 'import torch; 
> print(torch.cuda.is_available())'
> False
>
> Such a _rootful_ container seems okay but rootless "suffers" such 
> failures due to SELinux denials I think:
> ...
> SELinux is preventing /opt/conda/envs/py_3.9/bin/python3.9 from 
> 'read, write' accesses on the chr_file kfd. For complete SELinux 
> messages run: sealert -l 6b3db344-2ffc-4ecd-aa2c-2c1a2bfe23e4
> SELinux is preventing /opt/conda/envs/py_3.9/bin/python3.9 from 
> 'read, write' accesses on the chr_file kfd.
>
> Would you know if this can be fixed, possibly without building extra 
> SE module(s)?
> many thanks, L.
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
Do you have the AVC messages?
sudo ausearch -m avc -ts recent
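Added example (not code from the thread or from Podman): the five-step workflow Chris describes above is what `audit2allow -M <name>` automates on a real host, reading the AVC records that `ausearch -m avc -ts recent` prints. To show what that generation step actually does, this script parses a couple of constructed AVC records like the one in lejeczek's message, aggregates the denied permissions per (source type, target type, class), and renders the policy-module source (.te) plus the checkmodule/semodule_package/semodule commands that compile and install it. The target label `hsa_device_t` for /dev/kfd and the PIDs/inode numbers in the sample are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit records (NOT taken from the thread). The /dev/kfd
# target type hsa_device_t is an assumption about the host's SELinux policy;
# on a real host these lines come from: sudo ausearch -m avc -ts recent
SAMPLE_AVC = """\
type=AVC msg=audit(1708165012.123:456): avc:  denied  { read write } for  pid=4242 comm="python3.9" name="kfd" dev="devtmpfs" ino=123 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:hsa_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1708165013.001:457): avc:  denied  { ioctl } for  pid=4242 comm="python3.9" path="/dev/kfd" dev="devtmpfs" ino=123 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:hsa_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1708165013.001:457): arch=c000003e syscall=16 success=no exit=-13
"""

# Matches the parts of an AVC denial that a policy rule needs: the permission
# set, source/target security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} for all AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records etc. carry no denial to allow
        # A context is user:role:type[:mls]; the type is the third field.
        stype = m["scontext"].split(":")[2]
        ttype = m["tcontext"].split(":")[2]
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return dict(rules)


def render_te(rules, name="container_kfd", version="1.0"):
    """Render policy-module source in the same shape audit2allow produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def build_commands(name="container_kfd"):
    """Steps 4 of the workflow: compile the .te and install the .pp (run as root)."""
    return [
        f"checkmodule -M -m -o {name}.mod {name}.te",
        f"semodule_package -o {name}.pp -m {name}.mod",
        f"semodule -i {name}.pp",
    ]


if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AVC)
    print(render_te(rules))
    print("\n".join(build_commands()))
```

Review the rendered allow rule before installing it: the module grants exactly the permissions seen in the denials, so repeating the loop (step 5) until the container works keeps the grant minimal, whereas running the container with `--security-opt label=disable` drops SELinux confinement for it entirely.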