Comments (5)
Please could you give a bit more context:
- Are the failing commands run inside a Docker container, or are they run on the host at this point? If in a Docker container, do they work instead on the host?
- What is the overall goal here... i.e. why do you need to use Singularity with FUSE mounts insides an unprivileged Docker container? Can you explain why singularity must be run inside an unprivileged Docker container, and what FUSE mounts are needed... do you mean Singularity's FUSE mounts or external FUSE mounts?
from singularity.
Did some quick digging, and may be able to solve this without additional context.
For the unshare -r
case the following patch should solve the issue, and will be included in the next release:
diff --git a/internal/pkg/ociimage/unpack.go b/internal/pkg/ociimage/unpack.go
index fdbc132d7..55cbd0736 100644
--- a/internal/pkg/ociimage/unpack.go
+++ b/internal/pkg/ociimage/unpack.go
@@ -16,7 +16,9 @@ import (
umocilayer "github.com/opencontainers/umoci/oci/layer"
"github.com/opencontainers/umoci/pkg/idtools"
"github.com/sylabs/singularity/v4/internal/pkg/util/fs"
+ "github.com/sylabs/singularity/v4/pkg/util/namespaces"
"github.com/sylabs/singularity/v4/pkg/sylog"
+
)
// isExtractable checks if we have extractable layers in the image. Shouldn't be
@@ -69,7 +71,8 @@ func UnpackRootfs(_ context.Context, srcImage v1.Image, destDir string) (err err
}
// Allow unpacking as non-root
- if os.Geteuid() != 0 {
+ insideUserNs, _ := namespaces.IsInsideUserNamespace(os.Getpid())
+ if os.Geteuid() != 0 || insideUserNs {
mapOptions.Rootless = true
uidMap, err := idtools.ParseMapping(fmt.Sprintf("0:%d:1", os.Geteuid()))
from singularity.
The unshare -c
case is a separate issue.
With unshare -c
you will need to use the -u flag
for singularity - this is required to tell a setuid installation of singularity to run in usernamespace mode, instead of setuid mode.
unshare -c singularity run -u alpine_latest.sif
At present this is not working, as a wrapped extraction of an image is failing to honour the -u
flag. I'll track this as a separate issue.
You can workaround this issue, at present, via creating a sandbox dir and then running with -u
, e.g.:
$ singularity build -s test-sandbox docker://ubuntu:latest
$ unshare -c singularity run -u test-sandbox/
Singularity> echo "HELLO"
HELLO
Singularity>
from singularity.
Hi, thanks for the quick response!
* Are the failing commands run inside a Docker container, or are they run on the host at this point? If in a Docker container, do they work instead on the host?
I first encountered this issue when running the commands inside a Docker container, but was able to reproduce the exact same issue on a host machine. Neither the container or the host work, but the host seemed more easily reproducible so I included that as the bug report instead.
* What is the overall goal here... i.e. why do you need to use Singularity with FUSE mounts insides an unprivileged Docker container? Can you explain why singularity must be run inside an unprivileged Docker container, and what FUSE mounts are needed... do you mean Singularity's FUSE mounts or external FUSE mounts?
I'm trying to create a Docker container with an application preinstalled. The app is a workflow engine and uses Singularity as one of it's container backends to run tasks. I noticed that sandboxing images could take up a small amount of time for each task, so I wanted to see how much of a difference having Singularity mount with FUSE would be. In theory the container could be set up as privileged, which would allow it to work, but it would be better if that weren't the case.
I applied the patch and unshare -r
and unshare -c
work properly on my host machine and within the Docker container. Making Singularity use FUSE with unshare -c --keep-caps -m singularity -v -d run -u docker://hello-world
does return an error on cleanup:
DEBUG [U=1000,P=508312] UnmountWithFuseLazy() Executing FUSE unmount command: /usr/bin/fusermount3 -z -u /tmp/rootfs-3641030937/root
/usr/bin/fusermount3: failed to unmount /tmp/rootfs-3641030937/root: Invalid argument
ERROR [U=1000,P=508312] CleanupHost() While running host cleanup tasks: while unmounting fuse directory: /tmp/rootfs-3641030937/root: exit status 1
DEBUG [U=1000,P=508312] CleanupHost() Exiting CleanupHost - Cleanup failure
ERROR [U=1000,P=508199] Master() Unprivileged host cleanup failed: host cleanup failed
My guess is because Singularity tries to cleanup twice as the same unmount command appears above:
DEBUG [U=1000,P=508311] UnmountWithFuseLazy() Executing FUSE unmount command: /usr/bin/fusermount3 -z -u /tmp/rootfs-3641030937/root
This is probably a separate issue, but it doesn't break Singularity's functionality since the /tmp/rootfs-*
folder is properly cleaned up. But everything looks to be working properly now, thanks!
from singularity.
Thanks for the feedback. The fusermount error is indeed something that will need to be addressed differently / separately. I'll open a separate issue for that, and we can tackle it a bit later on.
from singularity.
Related Issues (20)
- add extfs overlay to OCI-SIF via `singularity overlay`
- default r/o mount of extfs overlay in --oci mode
- optional --writable mount of extfs overlay in --oci mode
- `singularity overlay seal` conversion of overlay to r/o layer in OCI-SIF
- overlay seal and conversion in `singularity push` of OCI-SIF as tar layers
- OCI-SIF data container creation command HOT 1
- Support OCI-SIF data-container in --bind & --mount
- Support squashfs->tar in push of an OCI-SIF data container
- Remove CentOS 7 from CI matrix:
- Remove EL7, SLES 11 examples
- Remove Yum CentOS7 bootstrap tests
- Remove CentOS 7 regression test for issue 5250 HOT 1
- Remove CentOS 7 install specifics:
- Remove kernel version as proxy requirement for OCSP test
- Remove EL7 test case / handling of old ld listing HOT 1
- oci: fixed descriptor capacity for OCI-SIF prevents pulling some images
- singularity build --fakeroot fails with free(): invalid pointer while spawning RPC server HOT 3
- Pip install uses too much disk space - error with /tmp as tmpfs HOT 2
- Unknown image format/type in nextflow pipeline HOT 5
- Drop remaining direct containers/common usage
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from singularity.