New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explore the feasibility of using fuse inside running jupyter sessions #1589
Comments
Timeboxed to 3 days |
The smarter device manager works. But to make this possible I had to increase permissions on the pod:
This repo https://github.com/samos123/gke-gcs-fuse-unprivileged shows how you can create and load a custom AppArmor profile so that it is not as bad as fully turning off AppArmor. But I am not certain what the implications of this are or how good the suggested custom AppArmor profile is. I think there is a risk here that if we mess something up we could allow a user to "spy" or impersonate other users on the same node. It could be interesting though to see if a sidecar could be using the above setup. The sidecar could mount inside a volume mounted on both the sidecar and the user session. Then the sidecar can expose a rpc server to perform the mounts and nothing else and the user will not be able to have the same permissions as the sidecar but they can get anything mounted. I am not sure what permissions/features are required to make the sidecar successfully mount fuse stuff in a PV shared with the main container. |
Trying to do the fuse mount in a sidecar container and then use them in another (i.e. main) container with a lot less privileges. Attempt 1:
Attempt 2:
Attempt 3:
|
Overall conclusion: lets just stick to using a csi driver for this and restart the pod when we need to mount something. Mounting can also provide only so many benefits because the IO performance when things are mounted will never be that good anyhow. |
closing this based on the conclusion |
Something that may be beneficial/useful is this project:
In theory this could allow users to access and use fuse mounts without elevated permissions. We should check whether using this in our cluster would enable us to do fuse mounts without modifying our pod security policies and escalating permissions.
The text was updated successfully, but these errors were encountered: