fix(v2,sdk.v2): Remove need for base image root access to write artifacts #6530
Conversation
|
Hi @judahrand. Thanks for your PR. I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
judahrand
changed the title
judahrand
changed the title
| _GCS_LOCAL_MOUNT_PREFIX = '/gcs/' | ||
| _MINIO_LOCAL_MOUNT_PREFIX = '/minio/' | ||
| _S3_LOCAL_MOUNT_PREFIX = '/s3/' | ||
| _GCS_LOCAL_MOUNT_PREFIX = '/tmp/gcs/' |
There was a problem hiding this comment.
This needs to be /gcs/ for GCS Fuse support on Vertex Pipelines.
The content you write to the local path /gcs/my_project/bucket/blob would be automatically synced to gs://my_project/bucket/blob.
There was a problem hiding this comment.
Do you have an alternate solution for being able to execute in non-root images? Or is this something for which additional compatibility is needed elsewhere.
Looking at the gcsfuse docs it looks like the mount path is arbitrary.
There was a problem hiding this comment.
I think it is an implementation decision by Vertex Pipelines backend. Following that, we probably have multiple places in code where we rely on this conversation between local path and gs uri.
Another example:
pipelines/v2/component/launcher.go
Line 655 in 3a621fb
There was a problem hiding this comment.
This PR does also change those.
But you're probably right that it's actually probably a problem closer to how Vertex uses gcsfuse and the file permissions which are set there in my case.
However, do you not think that trying to create these directories on at the root of the filesystem is an unnecessary hurdle in the way of non-root containers?
|
I've opened a similar issue with Vertex Pipelines: |
Thank you for opening the issue. I'll pass it along to the Vertex Pipelines team. Meanwhile, I am curious is there any specific reason you want to avoid running container as root user? Or it is an image out of your control? |
It is an image which we also use in our GKE cluster and our policy there is to use non root containers wherever possible. It would be possible to create a different image for Vertex... But that seems unnecessary. |
Got it.
I wonder if these changes may address your concerns behind the policy of avoiding root containers. That said, I'll still pass your concern to the team, and see if we could make a change. |
|
Unfortunately, I don't set the rules 😉 I also suspect that we'll continue to see many K8s installations using the Docker shim for quite a while to come. I appreciate that there is progress being made on the security side of containerization which may make non-root less important but it still just strikes me as an odd failure mode (especially as it isn't documented). Thank you very much for passing the issue along - I can't imagine a small file permission tweak is that big a change to enable non-root 😛 |
|
FYI, there were a similar request raised for v2 compatible mode: #5673 |
Ah! I missed this - might as well close this in that case. Or alternatively I can use this PR to have a go at making your suggested changes if you think they are likely to be mergable? Though, I might need some pointers of where to look to implement the changes (eg. where is the container spec defined) |
|
Here is where some some these changes are needed I think? pipelines/v2/compiler/container.go Line 134 in a0b18eb |
judahrand
force-pushed
the
feat/non-root-artifact
branch
from
6cc4d03
to
65ad66b
Compare
judahrand
force-pushed
the
feat/non-root-artifact
branch
from
65ad66b
to
d380b28
Compare
judahrand
force-pushed
the
feat/non-root-artifact
branch
2 times, most recently
from
453d7bb
to
93a205b
Compare
judahrand
force-pushed
the
feat/non-root-artifact
branch
2 times, most recently
from
fa0f00b
to
217c3d8
Compare
|
/test kubeflow-pipelines-samples-v2 |
|
Is there anything else here that needs to be done to make this mergeable? |
|
/lgtm |
|
/assign @chensun |
|
Thank you @judahrand! |
|
/approve Thanks! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: capri-xiyue, chensun The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
chensun
added
the
cherrypick-approved
|
/retest |
|
Does there have any updates? |
|
/assign @chensun @zijianjoy |
|
This looks to be close to the finish line. What work is still needed to get it across, and do we have a timeline? |
|
Hello @judahrand , would you like to resolve the merge conflict and run test again? This PR has been approved so we don't expect much changes required beyond that. |
|
@judahrand: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/close |
|
@rimolive: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Description of your changes:
The changes in this PR are based on @Bobgy's design here.
Custom base images may be built specifically to avoid granting root privileges. Without these privileges the local mount points cannot be created if they live at the root of the filesystem.
/gcsmust remain where it is for now as it is currently a contract for KFP v2 python component wrappers. Therefore, this directory is also mounted as anemptyDirso that it already exists and is accessible to all users.Checklist: