Hello
We want to use Rootless Docker from a security perspective. However, when trying to access the GPU from Rootless Docker, it fails due to an error.
[Steps We tried]
First, stop the original Docker service
sudo systemctl stop docker.socket
sudo systemctl stop docker
sudo systemctl disable docker
Create a directory for Docker
sudo mkdir -p /mnt/docker
sudo chown -R name:name /mnt/docker
Install Rootless Docker
sudo apt install uidmap
curl -fsSL https://get.docker.com/rootless | sh
mkdir -p ~/.config/docker
vi ~/.config/docker/daemon.json
sudo vi /etc/nvidia-container-runtime/config.toml
systemctl --user enable docker
sudo loginctl enable-linger $(whoami)
~/.config/docker/daemon.json:
{
"data-root": "/mnt/docker",
"default-runtime": "nvidia",
"runtimes": {
"nvidia": {
"args": [],
"path": "nvidia-container-runtime"
}
}
}
/etc/nvidia-container-runtime/config.toml (change no-cgroups = false to true):
#accept-nvidia-visible-devices-as-volume-mounts = false
#accept-nvidia-visible-devices-envvar-when-unprivileged = true
disable-require = false
#swarm-resource = "DOCKER_RESOURCE_GPU"
[nvidia-container-cli]
#debug = "/var/log/nvidia-container-toolkit.log"
environment = []
#ldcache = "/etc/ld.so.cache"
ldconfig = "@/sbin/ldconfig.real"
load-kmods = true
no-cgroups = true
#path = "/usr/bin/nvidia-container-cli"
#root = "/run/nvidia/driver"
#user = "root:video"
[nvidia-container-runtime]
#debug = "/var/log/nvidia-container-runtime.log"
log-level = "info"
mode = "auto"
runtimes = ["docker-runc", "runc"]
[nvidia-container-runtime.modes]
[nvidia-container-runtime.modes.csv]
mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"
Creating a Docker container
docker run -itd --runtime nvidia --name gputest nvcr.io/nvidia/l4t-jetpack:r35.4.1
The container is now created, but…
Executing commands inside the container
docker exec -it gputest bash
From here, inside the container
cd /usr/local/cuda-11.4/samples/1_Utilities/deviceQuery
make
./deviceQuery
Execution result:
./deviceQuery Starting…
CUDA Device Query (Runtime API) version (CUDART static linking)
NvRmMemInitNvmap failed with Permission denied
549: Memory Manager Not supported
NvRmMemInit failed error type: 196626
*** NvRmMemInit failed NvRmMemConstructor
cudaGetDeviceCount returned 801
→ operation not supported
Result = FAIL
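A rootless Docker daemon runs as the unprivileged login user, so a container it starts can only open the GPU device nodes that this user may open; the "Permission denied" from NvRmMemInitNvmap is the kind of failure a device-permission or config mismatch produces. The preflight script below is an added diagnostic example, not part of the original post and not NVIDIA's or Docker's own tooling. It assumes a typical Jetson/L4T layout: the device-node list in JETSON_GPU_DEVICES and the "video" group as the owner group of those nodes are assumptions and may differ on other boards. Run it on the host as the same user that started the rootless daemon.

```shell
#!/bin/sh
# Preflight checks for GPU access from Rootless Docker on Jetson.
# Added diagnostic example (not from the original post). The device-node
# list and the "video" group are assumptions about a typical L4T setup.

# Device nodes the L4T user-space driver opens; the "Permission denied"
# from NvRmMemInitNvmap points at /dev/nvmap. (assumed list)
JETSON_GPU_DEVICES="/dev/nvmap /dev/nvhost-ctrl /dev/nvhost-ctrl-gpu /dev/nvhost-gpu"

# check_no_cgroups CONFIG_FILE
# Returns 0 when the [nvidia-container-cli] section of config.toml sets
# no-cgroups = true (the change the post makes for rootless mode, where the
# unprivileged daemon cannot manage the host cgroup hierarchy).
check_no_cgroups() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    # Track which TOML section we are in; only the cli section counts.
    awk '
        /^\[/ { in_cli = ($0 == "[nvidia-container-cli]") }
        in_cli && $0 ~ /^[[:space:]]*no-cgroups[[:space:]]*=[[:space:]]*true/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$cfg"
}

# check_device_rw PATH
# Returns 0 when the calling (unprivileged) user can open PATH read/write.
# The rootless daemon runs as that user, so this permission, not root's,
# is what the container inherits.
check_device_rw() {
    [ -e "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# user_in_group GROUP [USER]
# Returns 0 when USER (default: the current user) is a member of GROUP.
user_in_group() {
    grp="$1"; usr="${2:-$(id -un)}"
    for g in $(id -nG "$usr" 2>/dev/null); do
        [ "$g" = "$grp" ] && return 0
    done
    return 1
}

# report_gpu_preflight CONFIG_FILE [DEVICE...]
# Prints one line per check and returns the number of failed checks.
report_gpu_preflight() {
    cfg="$1"; shift
    fails=0
    if check_no_cgroups "$cfg"; then
        echo "ok    no-cgroups = true in $cfg"
    else
        echo "FAIL  no-cgroups is not true in [nvidia-container-cli] of $cfg"
        fails=$((fails + 1))
    fi
    if user_in_group video; then
        echo "ok    $(id -un) is in group video"
    else
        echo "FAIL  $(id -un) is not in group video (assumed owner group of the device nodes)"
        fails=$((fails + 1))
    fi
    for dev in "$@"; do
        if check_device_rw "$dev"; then
            echo "ok    $dev is readable and writable by $(id -un)"
        else
            echo "FAIL  $dev missing or not readable/writable by $(id -un): $(ls -l "$dev" 2>&1)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage on the host, as the rootless-daemon user (uncomment to run):
# report_gpu_preflight /etc/nvidia-container-runtime/config.toml $JETSON_GPU_DEVICES
```

A non-zero return from report_gpu_preflight tells you how many preconditions the rootless daemon's user is missing before any container is started; a FAIL on a device node means the same open() will fail inside the container, regardless of the runtime configuration.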