SageMaker inference should be able to run as non-root user. #72
Comments
If I may, could I suggest alternative paths to join( base_dir, "etc")

Rationale

sagemaker-inference already uses I am not super sure about the name to choose for the leaf directory to store the config files. All

Context

sagemaker-inference library may be designed to be run in multi-model-endpoints and writing to the /etc path may be OK for the runtime in sagemaker endpoints. However, manipulating the /etc directory has several other problems in enterprise software packaging and delivery. In the bring your own container approach, we would like to build a container ourselves using the best practices and toolchains from our enterprise CICD stack. Due to a myriad of security and compliance reasons, container build systems drop the root user and restrict many capabilities on the only allowed non-privileged user in a container. After building our container in our CICD stack, we may also like to run some integration tests on that container, which may require spawning the multi-model-server via the sagemaker-inference. The non-privileged user in those integration tests also does not have permission to modify the /etc directory.

Any updates here? Thanks
Coming up against this as well. However, the more fundamental issue is that sagemaker itself isn't compatible with running inference code as a non-root user, so as soon as you try to use this container on an inference endpoint, you'll hit permissions issues again, when it attempts to copy across your model etc. Worse, if you try to work around this, the solution will always be brittle. Knowing the currently required permissions isn't enough - AWS might change their implementation and deployments/autoscaling will just start failing :/ The only options I can come up with are all not great:
Describe the bug
When running as a non-root user within a container, sagemaker-inference fails to start the multi-model-server. This works when all packages are installed as root, and the entrypoint script is run as root. The entrypoint script starts the model server using:
sagemaker_inference.model_server.start_model_server(......)
To reproduce
NOTE: Running a CLI
Expected behavior
SageMaker MMS should start without any issues.
Screenshots or logs
Checking on my development machine as well, it doesn't seem like a non-root user has access to /etc.
Can this library be updated so as to run as a non-root user?
System information
sagemaker-inference==1.5.2
Custom Docker image, ubuntu based.
framework name: tensorflow
framework version: 2.3.0
Python version: 3.6
processing unit type: CPU
Additional context
I worked around this initial problem by granting write access to the /etc folder, but it would be ideal if the configuration were stored in a user-writeable directory.
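One way to choose a user-writable configuration directory instead of /etc, as an added example that is not part of the original issue or of sagemaker-inference: it tries `<base_dir>/etc` first, as suggested in the comments, then falls back to per-user locations. The function names, the `model-server` leaf directory and the `config.properties` file name are hypothetical.

```python
import os
import tempfile
from pathlib import Path

LEAF = "model-server"              # hypothetical leaf directory name
CONFIG_NAME = "config.properties"  # hypothetical config file name


def candidate_dirs(base_dir, env):
    """Preferred locations, most specific first; none of them is /etc."""
    dirs = [Path(base_dir) / "etc"]
    if env.get("XDG_CONFIG_HOME"):
        dirs.append(Path(env["XDG_CONFIG_HOME"]) / LEAF)
    if env.get("HOME"):
        dirs.append(Path(env["HOME"]) / ".config" / LEAF)
    return dirs


def resolve_config_dir(base_dir, env=None):
    """Return the first candidate the current (non-root) user can write to."""
    env = os.environ if env is None else env
    for path in candidate_dirs(base_dir, env):
        try:
            path.mkdir(mode=0o700, parents=True, exist_ok=True)
        except OSError:
            continue  # read-only or root-owned parent: try the next one
        if os.access(path, os.W_OK | os.X_OK):
            return path
    raise PermissionError("no writable configuration directory found")


def write_config(base_dir, text, env=None):
    """Write the config atomically; mkstemp creates the file with mode 0600."""
    target = resolve_config_dir(base_dir, env) / CONFIG_NAME
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=".cfg-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target
```

With this approach the container image needs no write access to /etc, so the workaround of loosening permissions on that directory is unnecessary.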