@ObadaS
Collaborator

@ObadaS ObadaS commented Jun 10, 2025

A brief description of the purpose of the changes contained in this PR.

This PR updates the Containerfile.compute_worker_podman and Containerfile.compute_worker_podman_gpu.
Updated base image version to get the latest security fixes, removed all the unnecessary lines to create lighter images (especially the GPU image).

I also updated the compute_worker.py file to add more security and make it more compatible with Podman.

Checklist for hand testing

For Docker compute workers (compute_worker.py updates)

  • Test a submission on any competition

For Podman

  • Enable the podman service, which will create the socket: systemctl --user enable --now podman
  • Build images: podman build -t codalab/codabench_worker_podman:latest -f Containerfile.compute_worker_podman
  • Create the /codabench folder
  • Create the data folder inside the /codabench
  • Chown it to the user that will run the podman container (sudo chown -R user:user /codabench)
  • Create the .env file
  • Launch a container using the podman image we generated with the following command (either execute the command where the .env file is, or change the launch command below to have the full path of the .env):
podman run -d \
 --volume /run/user/$(id -u)/podman/podman.sock:/run/user/1000/podman/podman.sock:U \
 --env-file .env \
 --name compute_worker \
 --security-opt="label=disable" \
 --userns host \
 --restart unless-stopped \
 --log-opt max-size=50m \
 --log-opt max-file=3 \
 --cap-drop all \
 --volume /codabench:/codabench:U,z \
 codalab/codabench_worker_podman:latest

GPU command:

podman run -d \
    --env-file .env \
    --device nvidia.com/gpu=all \
    --name gpu_compute_worker \
    --device /dev/fuse \
    --security-opt="label=disable" \
    --restart unless-stopped \
    --log-opt max-size=50m \
    --log-opt max-file=3 \
    --hostname ${HOSTNAME} \
    --userns host \
    --volume /home/codalab/worker/codabench:/codabench:z,U \
    --cap-drop=all \
    --volume /run/user/$(id -u)/podman/podman.sock:/run/user/1000/podman/podman.sock:U \
    codalab/codabench_worker_podman_gpu:latest
  • Test the compute worker by submitting something on a competition

Checklist

  • Code review by me
  • Hand tested by me
  • I'm proud of my work
  • Code review by reviewer
  • Hand tested by reviewer
  • Include Podman in CircleCi tests
  • CircleCi tests are passing
  • Ready to merge
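
A preflight check for the Podman hand-testing steps above, added here as an example; it is not part of this PR or of the Codabench code base. The function name preflight and its parameters are hypothetical, the default paths mirror the ones in the PR description, and the .env permission check is an extra that the PR does not mention.

```shell
#!/bin/sh
# Added example (not from the PR): verify the host-side prerequisites
# before running the "podman run" commands from the description.
# Usage after sourcing this file:  preflight [SOCKET] [BASE_DIR] [ENV_FILE]
# Prints one line per failed check and returns the number of failures.
preflight() {
    local sock="${1:-/run/user/$(id -u)/podman/podman.sock}"
    local base="${2:-/codabench}"
    local env_file="${3:-.env}"
    local failures=0 dir perms

    # "systemctl --user enable --now podman" should have created the socket
    # that is bind-mounted into the worker container.
    if [ ! -S "$sock" ]; then
        echo "FAIL: no podman socket at $sock"
        failures=$((failures + 1))
    fi

    # /codabench and /codabench/data must exist and belong to the user
    # that runs the container (the chown step).
    for dir in "$base" "$base/data"; do
        if [ ! -d "$dir" ]; then
            echo "FAIL: missing directory $dir"
            failures=$((failures + 1))
        elif [ ! -O "$dir" ]; then
            echo "FAIL: $dir is not owned by $(id -un)"
            failures=$((failures + 1))
        fi
    done

    # The .env file is passed with --env-file, so it must exist.
    if [ ! -f "$env_file" ]; then
        echo "FAIL: env file $env_file not found"
        failures=$((failures + 1))
    else
        # Extra check (assumption, not in the PR): keep the worker's
        # settings unreadable to group and others.
        perms=$(ls -ld "$env_file" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL: $env_file is accessible to group/others"
            failures=$((failures + 1))
        fi
    fi

    return "$failures"
}
```

Called with no arguments, it checks the socket of the current user, /codabench and the .env file in the current directory.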

@ObadaS
Collaborator Author

ObadaS commented Jun 12, 2025

I also wanted to note that I don't think the Circle-CI tests do anything with podman images; I am pretty sure that they only use docker images built from Dockerfiles.

@ObadaS ObadaS changed the title from "Podman updates" to "Podman updates & More Competition container security" Jun 18, 2025
@ihsaan-ullah
Collaborator

✅ Test 1: Test if submission works using docker container (testing changes in compute_worker.py)

@wlln
Collaborator

wlln commented Sep 25, 2025

It works on a fresh AlmaLinux 9.6 install with podman 5.4.0.
It also works on Arch Linux with podman 5.4.0.

I haven't tested it with GPUs at the moment, though.

@Didayolo Didayolo mentioned this pull request Oct 7, 2025
3 tasks
@Didayolo Didayolo merged commit 30791eb into develop Oct 7, 2025
1 check passed
@Didayolo Didayolo deleted the podmanUpdates branch October 7, 2025 13:00