RunPod•2mo ago

CAP_SYS_ADMIN privileges inside container

I am using a pytorch template and profiling some CUDA kernels. For the profiler to work inside the container, I need the container to be run with the --cap-add=CAP_SYS_ADMIN flag to docker run, as far as I can tell the runpod platform does not offer control over the flags passed to docker run. Is there any way around this issue? inside the container I see:

root@e1f71e724356:~# whoami
root
root@e1f71e724356:~# capsh --print | grep 'cap_sys_admin'
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore

root@e1f71e724356:~# whoami
root
root@e1f71e724356:~# capsh --print | grep 'cap_sys_admin'
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore

even though I am root, I do not have sys admin priviliges which is confusing

1 Reply

Madiator2011 (Work)•2mo ago

not possible as it requires provilaged docker container

Gaming

Programming

CAP_SYS_ADMIN privileges inside container