Feature: add privileged supported in function #1238

Closed
3 tasks done
feiniao0308 opened this issue Jun 27, 2019 · 8 comments
@feiniao0308

feiniao0308 commented Jun 27, 2019

My actions before raising this issue

Expose a privileged option to the function, so that the function owner can decide whether to enable privileged mode or not.

Expected Behaviour

Able to configure privileged in function container

Current Behaviour

Not supported

Possible Solution

N/A

Steps to Reproduce (for bugs)

  1. Some functions need to run in privileged mode, just for internal usage. We can ignore the security.
  2. Currently, there's no way to pass privileged from the function.

Context

I'd like to run the container in privileged mode, so that I can do some NFS mounts in the container.

Your Environment

  • FaaS-CLI version ( Full output from: faas-cli version ):
    CLI:
    commit: 25cada08609e00bed526790a6bdd19e49ca9aa63
    version: 0.8.14

  • Docker version docker version (e.g. Docker 17.0.05 ):
    Client: Docker Engine - Community
    Version: 18.09.0
    API version: 1.39
    Go version: go1.10.4
    Git commit: 4d60db4
    Built: Wed Nov 7 00:47:43 2018
    OS/Arch: darwin/amd64
    Experimental: false

    Server: Docker Engine - Community
    Engine:
    Version: 18.09.0
    API version: 1.39 (minimum version 1.12)
    Go version: go1.10.4
    Git commit: 4d60db4
    Built: Wed Nov 7 00:55:00 2018
    OS/Arch: linux/amd64
    Experimental: false

  • Are you using Docker Swarm or Kubernetes (FaaS-netes)?
    FaaS-netes

  • Operating System and version (e.g. Linux, Windows, MacOS):
    MacOS

  • Code example or link to GitHub repo or gist to reproduce problem: N/A

  • Other diagnostic information / logs from troubleshooting guide N/A

Next steps

You may join Slack for community support.

@alexellis
Member

alexellis commented Jun 27, 2019

Hi, thank you for your interest in the project.

Please could you elaborate and give some concrete examples about why you need privileged containers for your functions?

Alex

@feiniao0308
Author

Since functions cannot mount a volume into the container, I just want to understand if OpenFaaS can expose the privileged option to the container, so that the function owner can take the risk of mounting external NFS as needed. Thanks!

@alexellis
Member

Could you answer my original question please?

@feiniao0308
Author

Some commands/libraries are on another shared NFS server; the host name is shared-tools.

To implement a function, we need to call the commands/libraries. Suppose the commands/libraries cannot be moved to S3 or MinIO. In the function container, I need to do:

  • mount -t nfs shared-tools:/common /tool/common -o nolock
  • /tool/common/bin/xyz argument ...

The above mount command requires the container to be privileged. That's the case. Please let me know if anything is unclear. Thanks!

@alexellis
Member

I would not recommend using OpenFaaS to schedule containers that are privileged and I think we are unlikely to add that option at present due to the security risks it presents. We have already discussed volume support in #1232 which appears to be what this request is about.

I think you may be served better by using a Kubernetes Job - you can use a volume/mount with this approach.

You are free to fork faas-netes and add privileged support for your own use in the deployment handler (I would not recommend this).

If you need any help with creating a Kubernetes job to mount an NFS volume, you could try the CNCF or Kubernetes Slack? https://slack.k8s.io https://slack.cncf.io

Alex
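
The Kubernetes Job approach suggested in the comment above, as an added example that is not part of the original thread or of the OpenFaaS project: the kubelet mounts the NFS export from the issue (`shared-tools:/common` at `/tool/common`, option `nolock`) and the container runs unprivileged. The image name, object names, the 1Gi size and the read-only mount are assumptions.

```yaml
# Added example. Server, export path, mount point, option and command come from
# the issue; image, object names, sizes and read-only access are assumptions.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: shared-tools-common
spec:
  capacity: {storage: 1Gi}        # required field; NFS does not enforce it
  accessModes: ["ReadOnlyMany"]
  storageClassName: ""            # static binding, no dynamic provisioner
  mountOptions: ["nolock"]        # equivalent of `-o nolock`
  nfs:
    server: shared-tools          # resolved by the node doing the mount
    path: /common
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: shared-tools-common
spec:
  accessModes: ["ReadOnlyMany"]
  storageClassName: ""
  volumeName: shared-tools-common
  resources: {requests: {storage: 1Gi}}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: run-xyz
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: xyz
          image: registry.example.com/xyz-runner:1.0   # hypothetical image
          command: ["/tool/common/bin/xyz", "argument"]
          securityContext:
            privileged: false                # the mount needs no privilege here
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
          volumeMounts:
            - {name: tools, mountPath: /tool/common, readOnly: true}
      volumes:
        - name: tools
          persistentVolumeClaim: {claimName: shared-tools-common, readOnly: true}
```

Because the node performs the mount, the `shared-tools` host name must resolve from the node itself, and the node needs an NFS client installed.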

@aslanpour

aslanpour commented Aug 11, 2022

Is there any way I can give --privileged=true to a function?
I need the function to use a TPU Coral USB attached to the host, so I think a solution is to give the container privileged permission. I think I can consider a function as a deployment object and patch the securityContext like this:
kubectl patch deployment my_deployment_name --patch '{"spec": {"template": {"spec": {"containers": [{"name": "my_deployment_name","image": "my_image_name", "securityContext": {"privileged": true}}]}}}}'

But, is there a smarter way of updating functions without restarting the Pod or in a proactive way so that once a function is deployed an agent patches it?

@alexellis
Member

Giving any container "privileged" mode is probably the worst and most insecure thing you could do in a Kubernetes cluster.

To mount a USB device, you should be able to do this without needing "privileged", I'd suggest looking into devices in Kubernetes and see what you can find out.

I used sysfs when doing similar with Docker Swarm to access GPIO

What about this that I found by googling? https://github.com/adaptant-labs/edgetpu-exporter/blob/master/edgetpu-daemonset.yaml

Or this https://artifacthub.io/packages/helm/k8s-at-home/frigate/4.0.0?

@Evaristo00

Evaristo00 commented Oct 18, 2022

I'm using faasd on a Raspberry, and I wanna deploy a function that accesses the GPIO pins to read the data of a DHT11 sensor. Is there any way to do it without being in privileged mode?

I don't know if it's important, but I'm not using Docker; to build the images I'm using buildkitd.
