feat: enable ai-services to run in non-root mode by Shubhamag12 · Pull Request #682 · IBM/project-ai-services

Shubhamag12 · 2026-04-27T15:05:14Z

Non-root user implementation based on proposal: #683

mkumatag · 2026-04-28T03:52:33Z

        type: Directory
  containers:
    - name: instruct
+      securityContext:


you don't need I believe, all the containers will have this label

and same comment applies for all the other places where you have these labels.

Okay, I will verify this and remove if not required

mkumatag · 2026-04-28T03:58:33Z

+}
+
+// buildAndInstallSELinuxPolicy builds and installs the SELinux policy module.
+func buildAndInstallSELinuxPolicy(tmpDir string) error {


may be we need to make this generic for other policy like podman socket, will do in a follow up PR

mkumatag · 2026-04-28T06:13:12Z

+}
+
+// updateSELinuxFileContext updates the SELinux file context database.
+func updateSELinuxFileContext() error {


This function explicitly labels the device file with but this needs to be run every time when new devices are created(hotplug etc.) to avoid this we can enhance the existing udev rule which will add the labels automatically when there is a new device onboard.

e.g:

# Example udev rule SUBSYSTEM=="vfio", ACTION=="add", SECLABEL{selinux}="system_u:object_r:vfio_device_t:s0"

explore adding the content to the already existing udev rule

mkumatag · 2026-04-28T06:13:58Z

+}
+
+// applySELinuxLabels applies SELinux labels to existing VFIO devices.
+func applySELinuxLabels() error {


even this is not required if we handle them via udev rule which I mentioned above.

mkumatag · 2026-04-28T06:22:00Z

@@ -25,10 +25,18 @@ func (r *RootRule) Description() string {
 func (r *RootRule) Verify() error {


this becomes info only check instead of a blocking one?! correct if I'm wrong!

I think you are right
That leaves us with one confusion, for bootstrap we require either sudo or root privileges. Also, this function is called while creating application as well (via validate), there this function will fail if user is non-root.

I'm little worried about the below modification you are making that is it! IMO we should just remove this root validator itself considering we don't need root anymore..

Signed-off-by: sagarwal-ibm <sagarwal@ibm.com>

Signed-off-by: Shubham Agarwal <49315586+Shubhamag12@users.noreply.github.com>

Signed-off-by: sagarwal-ibm <sagarwal@ibm.com>

mkumatag · 2026-04-29T11:05:21Z

+	if euid != 0 && os.Getenv("XDG_RUNTIME_DIR") == "" {
+		uid := os.Getuid()
+		logger.Infoln("running command as %s", uid, logger.VerbosityLevelDebug)
+		if err := os.Setenv("XDG_RUNTIME_DIR", fmt.Sprintf("/run/user/%d", uid)); err != nil {


If we set it here, it will only apply to that specific shell. I'm not sure why we're setting this environment variable here at all.

Should I move it to create cmd in that case?
because while creating application, I was facing this error

failed to pull image registry.redhat.io/rhaiis/vllm-spyre-rhel9:3.2.5: reading JSON file "/run/containers/1001/auth.json": open /run/containers/1001/auth.json: permission denied

Even though the above error says permission denied, it was because of the fact that podman was not able to access the runtime files.

So thought of exporting this var here since we call validate function everytime we create application

remove this validator and fix this permission somewhere else

and fix this somewhere else wher

mkumatag · 2026-04-29T11:10:52Z


-const (
-	// dirPermissions is the default permission for creating directories.
-	dirPermissions = 0755


These permissions are for tow different things, let us keep this variable here as well for the local consumption.

mkumatag requested changes Apr 28, 2026

View reviewed changes

Shubhamag12 added 3 commits April 28, 2026 16:21

feat: enable ai-services to run in non-root mode

68167b7

Signed-off-by: sagarwal-ibm <sagarwal@ibm.com>

fix: ulimit, udev reload, and resource limits configuration

9d403fd

Signed-off-by: sagarwal-ibm <sagarwal@ibm.com>

fix: vfio permissions, selinux, and security context

3663aa6

Signed-off-by: sagarwal-ibm <sagarwal@ibm.com>

Shubhamag12 force-pushed the non_root branch from a5d206b to 3663aa6 Compare April 28, 2026 11:00

Shubhamag12 and others added 2 commits April 29, 2026 15:12

Merge branch 'main' into non_root

883e92b

Signed-off-by: Shubham Agarwal <49315586+Shubhamag12@users.noreply.github.com>

Address comments - 1

3afb05b

Signed-off-by: sagarwal-ibm <sagarwal@ibm.com>

Shubhamag12 requested a review from mkumatag April 29, 2026 09:57

Shubhamag12 marked this pull request as ready for review April 29, 2026 09:57

Shubhamag12 requested review from manju956, mayuka-c and yussufsh April 29, 2026 09:57

mkumatag requested changes Apr 29, 2026

View reviewed changes

		@@ -25,10 +25,18 @@ func (r *RootRule) Description() string {
		func (r *RootRule) Verify() error {

Conversation

Shubhamag12 commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Shubhamag12 Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Shubhamag12 commented Apr 27, 2026 •

edited

Loading

Shubhamag12 Apr 29, 2026 •

edited

Loading