@AkihiroSuda I have a question about the KEP. It says:
> Device controller cannot be supported as well, but it is not a huge deal, because non-root users
> don't have permission to access insecure devices anyway.
What is the problem with the device controller? I've been working on getting non-root containers + devices to work in the "non-rootless" mode and would like to understand what is needed for the rootless mode.
I understand the UID/GID for permissions but it's not clear why the eBPF device controller cannot be supported (is it more than capabilities, e.g. CAP_BPF?)
I think it is a valid use-case to get access to devices, e.g., GPUs, as non-root user.
> I understand the UID/GID for permissions but it's not clear why the eBPF device controller cannot be supported (is it more than capabilities, e.g. CAP_BPF?)
Yes, restricting devices requires CAP_BPF.
Anyway, GPUs could be supported as long as the GPU device is chowned/chmodded.
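
An added example, not code from this thread or from the KEP, of the two checks the reply points at: whether a runtime process holds CAP_BPF where the kernel honors it, and whether a non-root user can open a device node after chown/chmod. The `uid_map` test for the initial user namespace is a heuristic, and all sample values (capability masks, UID ranges, gid 44) are constructed; UIDs and GIDs are host-side IDs.

```python
import stat

CAP_SYS_ADMIN = 21  # linux/capability.h
CAP_BPF = 39        # linux/capability.h, Linux 5.8+

def effective_caps(status_text):
    """Return the CapEff bitmask from the content of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line")

def in_initial_userns(uid_map_text):
    """Heuristic: the initial user namespace maps the full UID range 1:1."""
    rows = [tuple(map(int, l.split())) for l in uid_map_text.splitlines() if l.strip()]
    return rows == [(0, 0, 4294967295)]

def can_restrict_devices(status_text, uid_map_text):
    """bpf() checks CAP_BPF (or CAP_SYS_ADMIN) against the initial user
    namespace, so a full CapEff inside a rootless user namespace does not count."""
    caps = effective_caps(status_text)
    has_cap = bool(caps & ((1 << CAP_BPF) | (1 << CAP_SYS_ADMIN)))
    return has_cap and in_initial_userns(uid_map_text)

def can_open_rw(mode, owner, group, uid, gids):
    """Owner/group/other check for read+write by a non-root uid (ACLs ignored)."""
    if uid == owner:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif group in gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return (mode & need) == need

# Constructed samples: (/proc/self/status excerpt, /proc/self/uid_map content).
ROOTFUL = ("CapEff:\t000001ffffffffff\n", "         0          0 4294967295\n")
ROOTLESS = ("CapEff:\t000001ffffffffff\n",
            "         0       1000          1\n         1     100000      65536\n")

if __name__ == "__main__":
    print(can_restrict_devices(*ROOTFUL), can_restrict_devices(*ROOTLESS))
    # Device node crw-rw---- owned by uid 0, gid 44; caller is uid 1000.
    print(can_open_rw(0o020660, 0, 44, 1000, {1000}),
          can_open_rw(0o020660, 0, 44, 1000, {1000, 44}))
```
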