Local mode support in Amazon SageMaker Studio - Amazon SageMaker

Local mode support in Amazon SageMaker Studio

Important

Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see Provide permissions for tagging SageMaker resources.

AWS Managed Policies for Amazon SageMaker that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.

Amazon SageMaker Studio applications support the use of local mode to create estimators, processors, and pipelines, then deploy them to a local environment. With local mode, you can test machine learning scripts before running them in Amazon SageMaker managed training or hosting environments. Studio supports local mode in the following applications:

  • Amazon SageMaker Studio Classic

  • JupyterLab

  • Code Editor, based on Code-OSS, Visual Studio Code - Open Source

Local mode in Studio applications is invoked using the SageMaker Python SDK. In Studio applications, local mode functions similarly to how it functions in Amazon SageMaker notebook instances, with some differences. For more information about using local mode with the SageMaker Python SDK, see Local Mode.

Note

Studio applications do not support multi-container jobs in local mode. Local mode jobs are limited to a single instance for training, inference, and processing jobs. When creating a local mode job, the instance count configuration must be 1

Docker support

As part of local mode support, Studio applications support limited Docker access capabilities. With this support, users can interact with the Docker API from Jupyter notebooks or the image terminal of the application. Customers can interact with Docker using one of the following:

Studio also supports limited Docker access capabilities with the following restrictions:

  • Usage of Docker networks is not supported.

  • Docker volume usage is not supported during container run. Only volume bind mount inputs are allowed during container orchestration. The volume bind mount inputs must be located on the Amazon Elastic File System (Amazon EFS) volume for Studio Classic. For JupyterLab and Code Editor applications, it must be located on the Amazon Elastic Block Store (Amazon EBS) volume.

  • Container inspect operations are allowed.

  • Container port to host mapping is not allowed. However, you can specify a port for hosting. The endpoint is then accessible from Studio using the following URL:

    http://localhost:port

Docker operations supported

The following table lists all of the Docker API endpoints that are supported in Studio, including any support limitations. If an API endpoint is missing from the table, Studio doesn't support it.

API Documentation Limitations
SystemAuth
SystemEvents
SystemVersion
SystemPing
SystemPingHead
ContainerCreate
  • Containers cannot be run in Docker default bridge or custom Docker networks. Containers are run in the same network as the Studio application container.

  • Users can only use the following value for the network name: sagemaker. For example:

    docker run --net sagemaker parameter-values
  • Only bind mounts are allowed for volume usage. The host directory should exist on Amazon EFS for KernelGateway applications or Amazon EBS for other applications.

  • Containers cannot run in privileged mode or with elevated secure computing permissions.

ContainerStart
ContainerStop
ContainerKill
ContainerDelete
ContainerList
ContainerLogs
ContainerInspect
ContainerWait
ContainerAttach
ContainerPrune
ContainerResize
ImageCreate VPC-only mode support is limited to Amazon ECR images in allowlisted accounts.
ImagePrune
ImagePush VPC-only mode support is limited to Amazon ECR images in allowlisted accounts.
ImageList
ImageInspect
ImageGet
ImageDelete
ImageBuild
  • VPC-only mode support is limited to Amazon ECR images in allowlisted accounts.

  • Users can only use the following value for the network name: sagemaker. For example:

    docker build --network sagemaker parameter-values