remove privileged permission requirment

Signed-off-by: bingshen.wbs <[email protected]>

Author: BSWANG

deploy/helm/templates/daemonset.yaml

@@ -27,7 +27,12 @@ spec:
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            privileged: true
+            capabilities:
+              add:
+                - SYS_MODULE
+                - SYS_ADMIN
+                - NET_ADMIN
+                - SYS_PTRACE
           command:
             - /usr/local/bin/agent
             {{ if .Values.agent.preferDriver }}
@@ -59,7 +64,7 @@ spec:
           - mountPath: /var/lib/kubelet/pod-resources/
             name: pod-resource-dir
           - mountPath: /var/run/
-            name: docker
+            name: var-run
       volumes:
       - name: pod-resource-dir
         hostPath:
@@ -70,10 +75,12 @@ spec:
       - name: cri-dir
         hostPath:
           path: /run/containerd
+          type: "Directory"
       - name: device-plugin
         hostPath:
           path: /var/lib/kubelet/device-plugins
-      - name: docker
+          type: "Directory"
+      - name: var-run
         hostPath:
           path: /var/run/
       {{- with .Values.nodeSelector }}

internal/deviceplugin/deviceplugin.go

@@ -143,6 +143,12 @@ func (m *ERDMADevicePlugin) PreStartContainer(ctx context.Context, req *pluginap
 			}
 			return nil
 		}
+		ensureSysctlFSRW, err := exec.Command("bash", "-c",
+			"mount | grep ' /proc/sys ' | grep rw || mount -o remount,rw /proc/sys").CombinedOutput()
+		if err != nil {
+			return nil, fmt.Errorf("can not ensure sysctl fs rw permission %s, err: %v", ensureSysctlFSRW, err)
+		}
+
 		err = configSysctl("net.smc.tcp2smc=1")
 		if err != nil {
 			return &pluginapi.PreStartContainerResponse{}, err