Use case GPU devs

I am a little bit stuck on this use case; more specifically, a bunch of AI developers want to access GPU(s). Before, they all worked on several machines, but with no real control of what they were doing. Of course, LXD to the rescue :smile: I already used LXD containers for websites and stuff, and I already tested it on a GPU server; it works OK. My question is more about how to let the devs work with the containers. Do I add them all to the lxd group, so they have full control? Or do I create the containers myself, and let them log in and do their stuff? They also have to bind mount their homedirs, to put all their data on. All the users are in an OpenLDAP db. Ideally I should create their containers, but they should be able to play with them (copy, delete).




You could add each developer to the lxd Unix group, and they have full control of the LXD installation.
Obviously, they can start/stop/delete containers, and you can prepare specific LXD profiles that they can use when they need to create a fresh GPU container.
The downside here is that

  1. they can remove a container by accident when they should not have, etc.
  2. being a member of the lxd Unix group on a working LXD host means that it is possible to become root. Same with Docker, and it is a known issue. That is, a full admin of a system with containers can do too many things for it to make sense to add restrictions.

LXD should be able to provide access control so that some users can launch and remove their own containers, while others are full admins. There is support for such external authentication in LXD, using the Candid identity management service.

Landscape can give you a ready-made setup with Candid, and you can create user roles as needed. You pay for this service.

You can also do Candid on your own; here is a tutorial: Candid authentication for LXD, and a discussion on Candid authentication for LXD on how to set it up.

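An added example, not part of the original thread and not LXD project code: the admin-creates-the-containers option from the question, scripted so that developers never need to join the root-equivalent lxd group (the trade-off being that they cannot copy or delete containers themselves). The profile name `gpu-dev`, the image `ubuntu:22.04`, the `<user>-gpu` naming and the file name `provision.sh` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: profile "gpu-dev",
# image "ubuntu:22.04", container "<user>-gpu". Run by the admin only.
# DRY_RUN=1 (the default) prints the lxc commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# One-time setup: a profile that passes the host GPUs into a container and
# exposes the host NVIDIA driver libraries (nvidia.runtime) inside it.
make_gpu_profile() {
    run lxc profile create gpu-dev &&
    run lxc profile device add gpu-dev gpu gpu &&
    run lxc profile set gpu-dev nvidia.runtime true
}

# Per developer: bind-mount the home directory and map the developer's
# uid/gid 1:1 so files on the mount keep their owner.
# Args: user uid gid home (the values from `getent passwd <user>`).
provision_dev() {
    user="$1" uid="$2" gid="$3" home="$4"
    # The user name is reused in the instance name, so keep it hostname-safe.
    case "$user" in
        ''|[!a-z]*|*[!a-z0-9-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    for id in "$uid" "$gid"; do
        case "$id" in
            ''|*[!0-9]*) echo "uid/gid must be numeric" >&2; return 1 ;;
        esac
    done
    case "$home" in
        /*) ;;
        *) echo "home must be an absolute path" >&2; return 1 ;;
    esac
    name="$user-gpu"
    idmap="$(printf 'uid %s %s\ngid %s %s' "$uid" "$uid" "$gid" "$gid")"
    # init, not launch, so that raw.idmap applies from the first start.
    # The host may also need root:<id>:1 lines in /etc/subuid and /etc/subgid.
    run lxc init ubuntu:22.04 "$name" -p default -p gpu-dev &&
    run lxc config set "$name" raw.idmap "$idmap" &&
    run lxc config device add "$name" home disk source="$home" path="$home" &&
    run lxc start "$name"
}

# Usage: DRY_RUN=0 sh provision.sh <user>
if [ "$#" -eq 1 ]; then
    entry="$(getent passwd "$1")" || { echo "no such user: $1" >&2; exit 1; }
    provision_dev "$1" "$(echo "$entry" | cut -d: -f3)" \
        "$(echo "$entry" | cut -d: -f4)" "$(echo "$entry" | cut -d: -f6)"
fi
```

`getent passwd` resolves LDAP accounts as well when the host's NSS is configured for the directory, so the lookup works for the OpenLDAP users mentioned in the question.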