Unprivileged nvidia-container-cli --user configure

[SomeoneSerge]

Hi! I've encountered several issues trying (NixOS/nixpkgs#279235) to use apptainer's --nvccli and libnvidia-container, both deployed without setuid but with the support for user namespaces, and run under an unprivileged user.

• Could you clarify whether nvidia-container-cli configure is intended to be used in the unprivileged scenarious, now or in the long term?
• Which requirements need to be satisified for nvidia-container-cli --user configure to "fly" the way singularity-ce and apptainer use it?
  • Which capabilities need to be available?
  • Is it necessary for usr/bin to be writable? https://github.com/apptainer/apptainer/blob/dbaf1afa0e153e056c32dad2640b4d367a53ff14/internal/pkg/util/gpu/nvidia.go#L95-L97 asserts that, but I couldn't find any documentation about this in libnvidia-container and write access is not the error I encounter with nvidia-container-cli: --nvccli: unprivileged usage apptainer/apptainer#1893 (comment)

Issues encountered

• perm_drop_privileges requires non-trivial privileges:

  • libnvidia-container/src/utils.c

    Line 926 in 5c75904

    if (setgroups(1, &gid) < 0)

    fails with EPERM

  • libnvidia-container/src/utils.c

    Line 931 in 5c75904

    if (egid != gid && setregid(gid, gid) < 0)

    
    

    libnvidia-container/src/utils.c

    Line 933 in 5c75904

    if (euid != uid && setreuid(uid, uid) < 0)

    each fail with EINVAL trying to switch from 1000:100 to nobody:nogroup

• perm_set_capabilities
  

  libnvidia-container/src/utils.c

  Lines 1018 to 1019 in 5c75904

  	if (rv < 0)
  	error_set(err, "capability change failed");

  fails in the CAP_PERIMTTED branch

• /etc/ld.so.cache is expected to exist and be writable, tracking in ldconfig-free deployment #234

• /usr/bin seems to be expected to exist and be writable

Sorry for the short and terse description, please follow up with questions if this lacks context