diff --git a/snakemake_executor_plugin_kubernetes/__init__.py b/snakemake_executor_plugin_kubernetes/__init__.py
index b987541..72e674d 100644
--- a/snakemake_executor_plugin_kubernetes/__init__.py
+++ b/snakemake_executor_plugin_kubernetes/__init__.py
@@ -260,29 +260,6 @@ def run_job(self, job: JobExecutorInterface):
 "Must be 'nvidia' or 'amd'."
 )
 
- # capabilities
- if (
- job.is_containerized
- and DeploymentMethod.APPTAINER
- in self.workflow.deployment_settings.deployment_method
- ):
- # TODO this should work, but it doesn't currently because of
- # missing loop devices
- # singularity inside docker requires SYS_ADMIN capabilities
- # see
- # https://groups.google.com/a/lbl.gov/forum/#!topic/singularity/e9mlDuzKowc
- # container.capabilities = kubernetes.client.V1Capabilities()
- # container.capabilities.add = ["SYS_ADMIN",
- "DAC_OVERRIDE",
- "SETUID",
- "SETGID",
- "SYS_CHROOT"]
-
- # Running in priviledged mode always works
- container.security_context = kubernetes.client.V1SecurityContext(
- privileged=True
- )
-
 # Add service account name if provided
 if self.k8s_service_account_name:
 pod_spec.service_account_name = self.k8s_service_account_name
@@ -370,7 +347,10 @@ def run_job(self, job: JobExecutorInterface):
 if not scale_value:
 container.resources.limits["nvidia.com/gpu"] = gpu_count
 # Privileged mode
- if self.privileged:
+ if self.privileged or (
+ DeploymentMethod.APPTAINER
+ in self.workflow.deployment_settings.deployment_method
+ ):
 container.security_context = kubernetes.client.V1SecurityContext(
 privileged=True
 )
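Review bot: The new condition in the second hunk drops the `job.is_containerized` guard that the deleted block had, so once Apptainer is in the deployment method every pod this executor creates runs with `privileged=True`, including jobs that never invoke a container image; a privileged pod is effectively root on the node, so this widens the blast radius of every rule in the workflow rather than just the ones that need it. I would keep the old guard in the merged condition, `if self.privileged or (job.is_containerized and DeploymentMethod.APPTAINER in self.workflow.deployment_settings.deployment_method):`, so only jobs that actually run Apptainer pay for it. The reason for the escalation also disappeared with the deleted comment; restore a one-line why above the branch, e.g. `# Apptainer inside the pod needs SYS_ADMIN-level capabilities; only privileged mode is known to work`. Since a user who never passed the executor's privileged setting now gets privileged pods silently, consider logging a warning when the Apptainer clause rather than `self.privileged` is what triggers it. Both hunks sit inside `run_job`, whose body starts and ends outside the diff.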