fix: remove unnecessary setcap CAP_NET_BIND_SERVICE from MPI runtime docker file #3286
kapil27 wants to merge 1 commit into kubeflow:master from
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
…Dockerfiles

sshd in the MPI runtime listens on port 2222 (non-privileged), so CAP_NET_BIND_SERVICE is not needed. Also removes libcap2-bin which was only installed to provide the setcap binary.

Fixes kubeflow#3254

Signed-off-by: kapil27 <knema@redhat.com>
d8be6aa to 117d1fb
Pull request overview
This PR hardens the MPI runtime container images by removing an unnecessary Linux capability grant for sshd, aligning the Dockerfiles with the runtime’s non-privileged SSH port usage (2222) and reducing installed packages.
Changes:
- Remove `setcap CAP_NET_BIND_SERVICE` from the MPI runtime Dockerfiles.
- Drop `libcap2-bin` from image dependencies since `setcap` is no longer used.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| cmd/runtimes/mlx/Dockerfile | Removes libcap2-bin and the setcap step, keeping the runtime aligned with non-privileged SSH usage. |
| cmd/runtimes/deepspeed/Dockerfile | Same removal of libcap2-bin and setcap to avoid unnecessary capabilities. |
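
A check in the spirit of this change, added here as an example and not taken from the PR or the project's code: it flags a Dockerfile that grants CAP_NET_BIND_SERVICE through setcap when every sshd `Port` is 1024 or higher. The function names, file contents and the setcap line are constructed for illustration, and only `Port` directives are read (not `ListenAddress host:port`).

```shell
#!/usr/bin/env bash
# Added example: detect a CAP_NET_BIND_SERVICE grant that the sshd port does not require.

# Print each Port value from an sshd_config; sshd defaults to 22 when none is set.
sshd_ports() {
    local ports
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Succeed when any configured port is privileged (< 1024), i.e. a non-root
# sshd would need the capability to bind it.
needs_bind_cap() {
    local p
    for p in $(sshd_ports "$1"); do
        [ "$p" -lt 1024 ] && return 0
    done
    return 1
}

# Print Dockerfile lines (prefixed with line numbers) that grant the capability via setcap.
bind_cap_grants() {
    grep -inE 'setcap[[:space:]].*cap_net_bind_service' "$1"
}

# Return 0 when the Dockerfile is clean or the grant is justified, 1 otherwise.
audit() {
    local dockerfile=$1 sshd_config=$2 grants
    grants=$(bind_cap_grants "$dockerfile") || return 0   # no grant at all
    if needs_bind_cap "$sshd_config"; then
        return 0                                          # privileged port in use
    fi
    echo "unnecessary CAP_NET_BIND_SERVICE in $dockerfile:" >&2
    echo "$grants" >&2
    return 1
}

# Write constructed sample inputs (not the project's real files) into directory $1.
make_samples() {
    printf 'Port 2222\nUsePAM no\n' > "$1/sshd_config"
    printf 'Port 22\n' > "$1/sshd_config.privileged"
    printf 'FROM debian:stable-slim\nRUN apt-get install -y openssh-server libcap2-bin\nRUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/sshd\n' > "$1/Dockerfile.before"
    printf 'FROM debian:stable-slim\nRUN apt-get install -y openssh-server\n' > "$1/Dockerfile.after"
}
```

To try it: `d=$(mktemp -d); make_samples "$d"; audit "$d/Dockerfile.before" "$d/sshd_config"` reports the setcap line, while the same call on `Dockerfile.after` returns 0.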