In docker, as well as in Kubernetes, the default for running containers is running as 'root'. The implication of running as root is that processes running within the container have enough permissions to change anything on the machine itself.
This gives a lot of power to containers, but does not sit well with modern security standards. Specifically enterprise security.
There are two runai submit flags which limit this behavior at the Researcher level:
- The flag
--run-as-userstarts the container without root access.
- The flag
--prevent-privilege-escalationprevents the container from elevating its own privileges into root (e.g. running
sudoor changing system files.). For more information see Privilege Escalation.
However, these flags are voluntary. They are not enforced by the system.
It is possible to set these flags as a cluster-wide default for the Run:AI CLI, such that all CLI users will be limited to non-root containers.
Setting a Cluster-Wide Default¶
Save the following in a file (cluster-config.yaml)
apiVersion: v1 data: config: | enforceRunAsUser: true enforcePreventPrivilegeEscalation: true kind: ConfigMap metadata: name: cluster-config namespace: runai labels: runai/cluster-config: "true"
kubectl apply -f cluster-config.yaml
This configuration limits non-root for all Run:AI CLI users. However, it does not prevent users or malicious actors from starting containers directly via Kubernetes API (e.g. via YAML files). There are third-party enterprise tools that can provide this level of security.
Creating a Temporary Home Directory¶
For containers to run as a specific user, the user needs to have a pre-created home directory within the image. This can be a daunting IT task.
To overcome this, Run:AI provides an additional flag
--create-home-dir. Adding this flag creates a temporary home directory for the user within the container.
- Data saved in this directory will not be saved when the container exits.
- This flag is set by default to true when the
--run-as-userflag is used, and false if not.