ROCM Container, questions on securing containers

echoa · June 7, 2023, 9:56pm

Ive put together a a containerfile for use with podman/podman-desktop to create a container image for running ROCM opencl/ML/AI stuff on Silverblue/Kinoite

My main concern is eliminating unnecessary permissions for the container so as to minimize the attack surface within it. right now the podman run options for the actual container are

podman run --name “name of container” -it --user 1000 --userns keep-id --network=host --device=/dev/kfd --device=/dev/dri --group-add=video --ipc=host “name of image”

I eliminated --security-opt seccomp=unconfined and --cap-add=SYS_PTRACE the AMD documentation suggested as they appear unnecessary for ROCM to function. I also created a separate user from root within the container with the option of removing sudo privileges but they can be needed at times. Im fairly new to podman and containers so this was worked out through my best understanding of the Docs

The issue im running into is with --network=host and --ipc=host. These appear to be security issues and i havent figured out a way to get the GPU recognized without the --ipc=host and am not sure how i would access the containers localhost from the host if i was for instance running SD webui. So far as i can tell eliminating --network=host may not be possible for this use case.

If anyone with more experience using containers has any ideas how i can get around these two options and any other suggestions for better securing the containers I would very much appreciate it. I want to tinker with some of this stuff but the space is new and moving very quickly and there are a lot of new players in the game which means a lack of long track records for trust.

echoa · June 13, 2023, 1:26am

Little update on this for anyone that finds this

The primary issue for passing the GPU to the container without --ipc=host was with SELinux, you NEED to run

sudo setsebool -P container_use_devices=true

This allows the container to use the device without doing --ipc=host. I also believe you can publish the ports you need to access within the container to the host but i have yet to test this.

after running the previous command the current container options are

podman run --name "name" -it --network=host --group-add=video --device=/dev/kfd --device=/dev/dri --shm-size=#g "image"

echoa · June 13, 2023, 8:15pm

Final little bit here just for visability in case anyone searches for this. You can get pretty strict with a ROCM container as long as you have GPU access youre good. Depending on exactly what you need network wise it can get funky but here is my current best attempt

podman run --name "name" -it --publish="host ip":host port":"container port" --group-add=video --device=/dev/kfd --device=/dev/dri --shm-size=#g --cgroupns=private --ipc=private --pid=private --security-opt=no-new-privileges --userns=nomap --cap-drop=all --memory=#g "image"

you can use socat to deal with access to what you need in the container and map it to the port you exposed to the host. Ill continue researching further but after 2 weeks of trying to understand this i feel this is a decent attempt at wrangling in the container as much as i currently can.

boredsquirrel · May 17, 2024, 2:08pm

Added amdgpu, atomic-desktops, rocm, security and removed amd

Topic		Replies	Views
Machine learning containers Project Discussion ai-ml-sig	3	748	April 11, 2020
Podman run wrapper for common integration use cases Project Discussion silverblue-team	0	1164	June 11, 2019
How to use Nvidia container-toolkit without disabling selinux? Ask Fedora podman , selinux , nvidia , container , f40 , ollama	4	593	January 29, 2025
Strategies for using unprivileged podman as a build tool Project Discussion silverblue-team	5	1712	March 16, 2019
Create toolbox with GPU via nvidia container toolkit Ask Fedora silverblue-team , podman , toolbx , nvidia , f39 , silverblue	9	3271	January 31, 2024

ROCM Container, questions on securing containers

Related topics