Building image with unprivileged runner


Joseph Manel Andres Moscardo

Nov 12, 2021, 7:03:31 AM
to singularity
Hi,
I am trying to build Singularity images through a GitLab runner that runs unprivileged (for security reasons) and I get the following error:

ERROR : Failed to create user namespace: user namespace disabled

Is there a way that I can run a build inside the container that wouldn't require a privileged runner?
Thanks.

Joseph Manel Andres Moscardo

Nov 12, 2021, 7:40:46 AM
to singularity, Joseph Manel Andres Moscardo
It fails if I use the %post section, but not with %runscript or %startscript.

Dave Dykstra

Nov 12, 2021, 12:30:46 PM
to singu...@lbl.gov, Joseph Manel Andres Moscardo
You haven't provided much detail, but it sounds like perhaps unprivileged user namespaces are disabled on the machine that executes the Runner. Singularity requires either setuid or unprivileged user namespaces for most things. For the singularity build command to run unprivileged the --fakeroot option can be used, but that also requires some setup by the system administrator:
https://singularity.hpcng.org/user-docs/master/fakeroot.html
Although it looks like the documentation doesn't mention it, I'm pretty sure this can work with unprivileged singularity if newuidmap and newgidmap are installed with sufficient privileges (in addition to setting up /etc/subuid and /etc/subgid).

Bottom line: work with the administrator of your gitlab.

Dave

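A pre-flight check for the three preconditions Dave lists (user namespaces enabled, a /etc/subuid and /etc/subgid range for the build user, and privileged newuidmap/newgidmap). This is an added example, not code from the thread or from the Singularity project; the script name fakeroot_preflight.sh and the file-capability variant of the helper check are assumptions.

```shell
#!/bin/sh
# fakeroot_preflight.sh: check the preconditions for "singularity build --fakeroot"
# on an unprivileged runner host. Added example, not from the thread or the
# Singularity project; paths are parameters so the checks run on constructed files.

# Return 0 if the kernel allows user namespaces. $1: sysctl file; upstream kernels
# expose user.max_user_namespaces, and a value of 0 there disables them.
userns_enabled() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$f" ] || return 1
    n=$(cat "$f")
    [ "$n" -gt 0 ] 2>/dev/null
}

# Print the "start:count" range for user $2 in an /etc/subuid-style file $1; return 1
# when the user has no entry (the /etc/subuid and /etc/subgid setup step).
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2 ":" $3; found = 1 } END { exit !found }' "$1"
}

# Return 0 if helper $1 carries the privilege newuidmap/newgidmap need: the setuid bit,
# or (assumption: distributions using file capabilities) cap_setuid/cap_setgid.
helper_privileged() {
    [ -x "$1" ] || return 1
    [ -u "$1" ] && return 0
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q 'cap_set[ug]id'
}

# Report every precondition for user $1 and return 1 if any is missing.
fakeroot_preflight() {
    u="$1"; rc=0
    if userns_enabled; then echo "ok: unprivileged user namespaces enabled"
    else echo "fail: user namespaces disabled (user.max_user_namespaces is 0)"; rc=1; fi
    for f in /etc/subuid /etc/subgid; do
        if r=$(subid_range "$f" "$u"); then echo "ok: $u has range $r in $f"
        else echo "fail: no entry for $u in $f"; rc=1; fi
    done
    for h in newuidmap newgidmap; do
        p=$(command -v "$h" 2>/dev/null) && helper_privileged "$p" && echo "ok: $h is privileged" \
            || { echo "fail: $h missing or not privileged"; rc=1; }
    done
    return $rc
}

# Report on the current user when executed under the assumed file name, not when sourced.
if [ "${0##*/}" = fakeroot_preflight.sh ]; then fakeroot_preflight "$(id -un)"; exit $?; fi
```

Run it on the host that executes the runner (inside the runner pod for the Kubernetes case) rather than on a workstation, since every check is about that machine's kernel and files.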

Josep Manel Andrés Moscardó

Nov 12, 2021, 12:57:20 PM
to singu...@lbl.gov
Thanks a lot. I will try, but the runners are on a Kubernetes cluster without privileges, so that is going to be hard to change. But I will check the fakeroot option.
Cheers.
--
Josep Manel Andrés Moscardó
Systems Engineer, IT Operations
EMBL Heidelberg
T +49 6221 387-8394

Dave Dykstra

Nov 12, 2021, 2:04:23 PM
to Josep Manel Andrés Moscardó, singu...@lbl.gov
Oh, then newuidmap/newgidmap are also unlikely to work since they also
need additional privilege.

Dave