fix(agent): container has to run as root so it can do the chroot

Author: ayuskauskas

agent/skyhook_agent/tests/test_controller.py

@@ -45,5 +45,8 @@ FROM nvcr.io/nvidia/distroless/python:3.12-v3.4.10
 COPY --from=builder /code/venv/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
 COPY --from=builder /code/venv/bin/controller /usr/local/bin/
 
+# Run as root so we can chroot
+USER 0:0
+
 # Use Python to run the controller script
 ENTRYPOINT [ "python", "-m", "skyhook_agent.controller" ]

containers/agent.Dockerfile

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: debug-pod
+  namespace: default
+spec:
+  containers:
+  - args:
+      - -c
+      - import time; time.sleep(100000)
+      #- import os; print("hello"); os.chroot("/root"); os.makedirs("/root/test")
+    command:
+      - python
+    image: ghcr.io/nvidia/skyhook/agent:25.04.12-000534-
+    imagePullPolicy: Always
+    name: debug
+    resources:
+      limits:
+        cpu: 500m
+        memory: 256Mi
+      requests:
+        cpu: 500m
+        memory: 256Mi
+    securityContext:
+      privileged: true
+    terminationMessagePath: /dev/termination-log
+    terminationMessagePolicy: File
+    volumeMounts:
+    - mountPath: /home/nvs/root
+      mountPropagation: HostToContainer
+      name: root-mount
+  dnsPolicy: ClusterFirst
+  enableServiceLinks: true
+  hostNetwork: true
+  hostPID: true
+  imagePullSecrets:
+  - name: node-init-secret
+  preemptionPolicy: PreemptLowerPriority
+  priority: 0
+  restartPolicy: Never
+  schedulerName: default-scheduler
+  securityContext: #{}
+    runAsUser: 0
+    runAsGroup: 0
+    #runAsNonRoot: true
+  serviceAccount: default
+  serviceAccountName: default
+  terminationGracePeriodSeconds: 30
+  tolerations:
+  - key: node.kubernetes.io/unschedulable
+    operator: Exists
+  - effect: NoExecute
+    key: node.kubernetes.io/not-ready
+    operator: Exists
+    tolerationSeconds: 300
+  - effect: NoExecute
+    key: node.kubernetes.io/unreachable
+    operator: Exists
+    tolerationSeconds: 300
+  volumes:
+  - hostPath:
+      path: /
+      type: ""
+    name: root-mount

demos/debug_pod.yaml

@@ -0,0 +1,41 @@
+# 
+# LICENSE START
+#
+#    Copyright (c) NVIDIA CORPORATION.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+# LICENSE END
+# 
+
+apiVersion: skyhook.nvidia.com/v1alpha1
+kind: Skyhook
+metadata:
+  labels:
+    app.kubernetes.io/part-of: skyhook-operator
+    app.kubernetes.io/created-by: skyhook-operator
+  name: demo
+spec:
+  packages:
+    baz:
+      version: 1.1.0
+      image: ghcr.io/nvidia/skyhook-packages/shellscript
+      configMap:
+        config.yaml: |-
+          #!/bin/bash
+          sleep 30
+          echo "Hello, config!"
+        config_check.yaml: |-
+          #!/bin/bash
+          sleep 30
+          echo "Hello, config check!"