
Support for device_cgroup_rules in rootless mode #25365

Open
loxoron218 opened this issue Feb 19, 2025 · 4 comments
Labels
documentation Issue or fix is in project documentation

Comments

@loxoron218

Feature request description

When using Podman in rootless mode, configurations involving device_cgroup_rules and hardware acceleration (e.g., GPUs, Intel OpenVINO, ARM Mali) are not supported. This limits the ability to run machine learning workloads or other applications that require access to hardware devices in a rootless environment.

For example, when using the Immich Machine Learning service with an extends file that includes hardware acceleration configurations (e.g., device_cgroup_rules, devices, or volumes for /dev/dri, /dev/bus/usb, etc.), the following error occurs:

Error: device cgroup rules are not supported in rootless mode or in a user namespace

Error: no container with name or ID "immich_machine_learning" found: no such container

Suggest potential solution

Implement support for device_cgroup_rules and related device configurations in rootless mode. This could involve:

  • Allowing limited access to specific devices (e.g., /dev/dri, /dev/bus/usb) in a user namespace.
  • Providing a way to map devices securely in rootless mode.

Have you considered any alternatives?

Commenting out device_cgroup_rules, the container builds as expected.
Running it with sudo (or with Docker) works too, but I guess that defeats the purpose of using Podman.

Additional context

Add any other context or screenshots about the feature request here.

@loxoron218 loxoron218 added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 19, 2025
@Luap99
Member

Luap99 commented Feb 19, 2025

Well, we do not make the rules about the permissions, the kernel does. And AFAIK device_cgroup_rules are converted to an eBPF program, and such programs are only allowed by the kernel when created as real root.

As such podman can do nothing about this and we return this error to make it clear that this will not work. Though looking at our man page it is not mentioned there so it should be documented there as well.

cc @giuseppe In case I am wrong about the ebpf part.

@Luap99 Luap99 added documentation Issue or fix is in project documentation and removed kind/feature Categorizes issue or PR as related to a new feature. labels Feb 19, 2025
@loxoron218
Author

Thanks for your answer!

Would it be possible to just ignore it when running Podman rootless (and maybe show a short message on the terminal) instead of just aborting the composing? :)

@giuseppe
Member

@Luap99 you are right about ebpf. Only root in the initial user namespace can use that. Rootless users can't configure the devices cgroup.

@loxoron218 I don't think we can just ignore it, if the user specifies to block access to some devices and we just ignore it, that can be considered a security vulnerability.

Can you show me what the device_cgroup_rules look like? Maybe we can be smarter and ignore it when it is made only of "allow rules".

@loxoron218
Author

@giuseppe The one used by Immich's machine learning looks like something like this:

services:
  # ... (other services omitted)
  openvino:
    device_cgroup_rules:
      - 'c 189:* rmw'
    devices:
      - /dev/dri:/dev/dri
    volumes:
      - /dev/bus/usb:/dev/bus/usb
...
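To make the "allow rules only" idea concrete, here is an added example in Go (it is not Podman's code; `DeviceRule`, `ParseComposeDeviceRule` and `ApplyRootlessPolicy` are hypothetical names). It parses compose-style device_cgroup_rules entries such as the `c 189:* rmw` line above, validates the `type major:minor access` syntax, and then applies the policy discussed in this thread: rootful keeps every rule; rootless drops a rule set that consists only of allow rules (warning instead of aborting, since the kernel would not let the engine program the devices cgroup anyway); rootless refuses any rule set containing a deny rule, because silently dropping a deny would widen access the user asked to block.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DeviceRule is a simplified stand-in for an OCI runtime-spec
// linux.resources.devices entry (hypothetical type, not Podman's own).
type DeviceRule struct {
	Allow  bool   // true = allow rule, false = deny rule
	Type   string // "a" (all), "b" (block) or "c" (char)
	Major  int64  // -1 stands for the "*" wildcard
	Minor  int64  // -1 stands for the "*" wildcard
	Access string // subset of "rwm", each letter at most once
}

// parseNumOrWildcard accepts a non-negative device number or "*".
func parseNumOrWildcard(s string) (int64, error) {
	if s == "*" {
		return -1, nil
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid device number %q", s)
	}
	return n, nil
}

// ParseComposeDeviceRule parses one compose-style device_cgroup_rules entry
// such as "c 189:* rmw". The compose syntax can only express allow rules, so
// every parsed rule has Allow=true; deny rules would have to come from elsewhere.
func ParseComposeDeviceRule(s string) (DeviceRule, error) {
	fields := strings.Fields(s)
	if len(fields) != 3 {
		return DeviceRule{}, fmt.Errorf("rule %q: want 3 fields (type major:minor access)", s)
	}
	r := DeviceRule{Allow: true, Type: fields[0]}
	if r.Type != "a" && r.Type != "b" && r.Type != "c" {
		return DeviceRule{}, fmt.Errorf("rule %q: unknown device type %q", s, r.Type)
	}
	nums := strings.Split(fields[1], ":")
	if len(nums) != 2 {
		return DeviceRule{}, fmt.Errorf("rule %q: want major:minor", s)
	}
	var err error
	if r.Major, err = parseNumOrWildcard(nums[0]); err != nil {
		return DeviceRule{}, fmt.Errorf("rule %q: %w", s, err)
	}
	if r.Minor, err = parseNumOrWildcard(nums[1]); err != nil {
		return DeviceRule{}, fmt.Errorf("rule %q: %w", s, err)
	}
	seen := map[rune]bool{}
	for _, ch := range fields[2] {
		if !strings.ContainsRune("rwm", ch) || seen[ch] {
			return DeviceRule{}, fmt.Errorf("rule %q: bad access string %q", s, fields[2])
		}
		seen[ch] = true
	}
	r.Access = fields[2]
	return r, nil
}

// ErrRootlessDeviceCgroup is the hard failure for rule sets that cannot be dropped.
var ErrRootlessDeviceCgroup = errors.New("device cgroup rules are not supported in rootless mode or in a user namespace")

// ApplyRootlessPolicy decides what to do with a rule set when the engine runs
// rootless, where the kernel will not let it attach the devices-cgroup eBPF
// program (that needs root in the initial user namespace):
//   - rootful: keep every rule unchanged (skipped=false);
//   - rootless, allow rules only: drop them (skipped=true) so the caller can
//     warn and continue; the grant could not have been honored anyway;
//   - rootless, any deny rule: refuse with ErrRootlessDeviceCgroup, because
//     ignoring a deny would give the container access the user asked to block.
func ApplyRootlessPolicy(rules []DeviceRule, rootless bool) (kept []DeviceRule, skipped bool, err error) {
	if !rootless || len(rules) == 0 {
		return rules, false, nil
	}
	for _, r := range rules {
		if !r.Allow {
			return nil, false, fmt.Errorf("%w (deny rule %s %d:%d cannot be dropped)",
				ErrRootlessDeviceCgroup, r.Type, r.Major, r.Minor)
		}
	}
	return nil, true, nil
}

func main() {
	// Constructed input: the single rule from the compose snippet in this issue.
	rule, err := ParseComposeDeviceRule("c 189:* rmw")
	if err != nil {
		panic(err)
	}
	kept, skipped, err := ApplyRootlessPolicy([]DeviceRule{rule}, true)
	if skipped {
		fmt.Println("warning: device_cgroup_rules ignored in rootless mode (allow rules only)")
	}
	fmt.Printf("kept=%v skipped=%v err=%v\n", kept, skipped, err)
}
```

The deny-rule branch is the security-relevant part: an engine that drops the whole rule set whenever it is rootless would turn an explicit "block this device" into silent access, which is exactly the concern raised above. Restricting the skip to allow-only sets keeps the failure closed.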
