Fix containers losing access to NVIDIA GPUs #134
Conversation
… daemon-reload running on the node
There was a problem hiding this comment.
Pull request overview
This pull request attempts to fix an issue where containers lose access to NVIDIA GPUs by unconditionally setting the privileged flag to true for all user job containers. Previously, privileged mode was only enabled when the Docker-in-Docker (dind) runtime plugin was active. The change removes the conditional logic and makes all job containers run in privileged mode.
Key Changes:
- Removed conditional privileged mode based on
dindModeflag - Set
privileged: trueunconditionally for all user job containers in Kubernetes pod specifications
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ], | ||
| securityContext: { | ||
| ...((dindMode) && { privileged: true }), | ||
| privileged: true, |
There was a problem hiding this comment.
Setting privileged to true unconditionally for all user jobs poses a significant security risk. Privileged containers have access to all host devices and can bypass most container security features, essentially granting root-level access to the host system. The previous implementation only enabled privileged mode when dindMode (Docker-in-Docker) was active, which was a more secure approach.
While privileged mode may enable GPU access, it's important to verify that this is truly necessary. NVIDIA GPUs can typically be accessed in containers without privileged mode when the NVIDIA Container Runtime is properly configured. Consider investigating whether the issue is actually with the container runtime configuration, device plugin setup, or other aspects of the GPU passthrough mechanism rather than requiring privileged containers.
| privileged: true, | |
| ...(launcherConfig.dindMode && { privileged: true }), |
Set priviledge as true for user jobs to avoid NVidia GPUs losing in containers.