From 117d1fb05b4437acbabae6606a3595a60b0cca35 Mon Sep 17 00:00:00 2001
From: kapil27
Date: Mon, 9 Mar 2026 13:22:31 +0530
Subject: [PATCH] fix: remove unnecessary setcap CAP_NET_BIND_SERVICE from MPI runtime Dockerfiles
sshd in the MPI runtime listens on port 2222 (non-privileged), so CAP_NET_BIND_SERVICE is not needed. Also removes libcap2-bin which was only installed to provide the setcap binary.
Fixes #3254
Signed-off-by: kapil27
---
 cmd/runtimes/deepspeed/Dockerfile | 6 +-----
 cmd/runtimes/mlx/Dockerfile | 6 +-----
 2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/cmd/runtimes/deepspeed/Dockerfile b/cmd/runtimes/deepspeed/Dockerfile
index 7d7ccd65ab..0c0dcb44b5 100644
--- a/cmd/runtimes/deepspeed/Dockerfile
+++ b/cmd/runtimes/deepspeed/Dockerfile
@@ -3,14 +3,10 @@ FROM nvidia/cuda:13.1.1-devel-ubuntu22.04
 # Install libraries required for OpenMPI to work. Image installs OpenMPI 5.0.7
 RUN apt update && apt install -y --no-install-recommends \
- openssh-server openssh-client libcap2-bin \
+ openssh-server openssh-client \
 g++ libopenmpi-dev \
 python3-dev pip && rm -f /usr/bin/python && ln -s /usr/bin/python3 /usr/bin/python && rm -rf /var/lib/apt/lists/*
-# Add capability to run sshd as non-root.
-RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/sshd
-RUN apt remove libcap2-bin -y
 # Configure mpiuser and home directory.
 RUN useradd -m mpiuser
 WORKDIR /home/mpiuser
diff --git a/cmd/runtimes/mlx/Dockerfile b/cmd/runtimes/mlx/Dockerfile
index 49a251439e..ec400ae6b3 100644
--- a/cmd/runtimes/mlx/Dockerfile
+++ b/cmd/runtimes/mlx/Dockerfile
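Review bot: After this removal nothing in the deepspeed Dockerfile records that sshd has to stay on an unprivileged port: the deleted `# Add capability to run sshd as non-root.` line was the only explanation of how sshd starts without root, and the port 2222 setting the commit message relies on is not visible in this hunk (the file continues past `WORKDIR /home/mpiuser`). I would put a comment where the capability block used to be, for example `# sshd runs as non-root on port 2222 (unprivileged), so no CAP_NET_BIND_SERVICE file capability is set; keep the port above 1023.` It is also worth confirming that the sshd configuration used by the runtime really sets that port, because a fallback to the default port 22 would now fail to bind for a non-root user. The same comment and check apply to the identical hunk in cmd/runtimes/mlx/Dockerfile.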
@@ -3,14 +3,10 @@ FROM nvidia/cuda:13.1.1-devel-ubuntu22.04
 # Install libraries required for OpenMPI to work. Image installs OpenMPI 5.0.7
 RUN apt update && apt install -y --no-install-recommends \
- openssh-server openssh-client libcap2-bin \
+ openssh-server openssh-client \
 g++ libopenmpi-dev libblas-dev liblapack-dev liblapacke-dev \
 python3-dev pip && rm -f /usr/bin/python && ln -s /usr/bin/python3 /usr/bin/python && rm -rf /var/lib/apt/lists/*
-# Add capability to run sshd as non-root.
-RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/sshd
-RUN apt remove libcap2-bin -y
 # Configure mpiuser and home directory.
 RUN useradd -m mpiuser
 WORKDIR /home/mpiuser