[openmpi] support non-root users run jobs (introducing `runAsUser`, `runAsGroup`, `supplementalGroups`) #820
@everpeace, please autoformat_jsonnet.sh.
Review status: 0 of 7 files reviewed at latest revision, all discussions resolved, some commit checks failed.
components/openmpi-controller/Dockerfile, line 7 at r1:
Can you move it to /kubeflow/openmpi/openmpi-controller? Just be consistent with other artifacts (like assets) deployed by this package.
kubeflow/openmpi/assets/init.sh, line 61 at r1:
nit: all constants declared at the top of the file.
@everpeace Sorry, I'm unable to move the package to kubeflow due to #197. I'll publish a new package once this is merged.
Review status: 0 of 7 files reviewed at latest revision, 2 unresolved discussions, some commit checks failed.
kubeflow/openmpi/assets/init.sh, line 64 at r1:
Consider moving this into a helper function.
kubeflow/openmpi/prototypes/openmpi.jsonnet, line 28 at r1:
nit: one space
1fa9a71 to cd2d3b6
Review status: 0 of 7 files reviewed at latest revision, 4 unresolved discussions.
components/openmpi-controller/Dockerfile, line 7 at r1: Previously, jiezhang (Jie Zhang) wrote…
Done.
kubeflow/openmpi/assets/init.sh, line 61 at r1: Previously, jiezhang (Jie Zhang) wrote…
Done.
kubeflow/openmpi/assets/init.sh, line 64 at r1: Previously, jiezhang (Jie Zhang) wrote…
Done.
kubeflow/openmpi/prototypes/openmpi.jsonnet, line 28 at r1: Previously, jiezhang (Jie Zhang) wrote…
Done.
@jiezhang I fixed my PR per your feedback and rebased it. Would you mind reviewing it again?
@jiezhang Ok. I understood the situation. I'll wait for it. Thank you in advance.
@pdmack apologies 🙇 I did it.
/lgtm Putting a hold on this because I think someone more familiar with this should approve.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jiezhang
/hold cancel
/test kubeflow-presubmit
/retest
Review status: 0 of 7 files reviewed at latest revision, 4 unresolved discussions.
kubeflow/openmpi/util.libsonnet, line 16 at r2:
I just realized that resource limits are not set properly when customResources is null. Thanks for fixing this.
/test kubeflow-presubmit
Review status: 0 of 7 files reviewed at latest revision, 5 unresolved discussions.
kubeflow/openmpi/util.libsonnet, line 16 at r2: Previously, jiezhang (Jie Zhang) wrote…
No worry. Sorry for fixing this without mentioning...
…runAsGroup`, `supplementalGroups`) (kubeflow#820)
* openmpi: support non-root user in `init.sh`
* openmpi: change openmpi-controller path outside of /root so non-root users can read
* openmpi: support `runAsUser`, `runAsGroup`, `supplementalGroups`.
* Add tfjob and pytorch examples to e2e
* Fix tests
* Fix tests
* Fix tests
* Fix tests
* Install crds before katib
* Fix tests
* Adding timeout to 30 min
Fixes #793
Changes
* `runAsUser`, `runAsGroup`, `supplementalGroups` parameters.
* `securityContext` to the master/worker pods.
* `init.sh` to support non-root users can spawn sshd servers.
* `/root` to `/openmpi-controller` so that non-root users can execute the controller
Note
new openmpi-controller's docker image needs to be published before merging this.
@jiezhang I need your assistance. Could you build and publish `jiezhang/openmpi-controller:0.0.3` before this pr is approved 🙇 ??