Re: [Singularity] Include custom python PATH


David Godlove

Jan 30, 2018, 12:52:38 AM
to singu...@lbl.gov
Hi JS,

I think what you are asking for is a security issue.  In other words, a user may be able to add an executable called python to their path and then there is a possibility that it would be executed with elevated privs by Singularity.  This is the reason we sanitize the path.  

I know that several users experienced a similar issue with mksquashfs being installed in a non-standard location when we released v2.4.  I have a PR that addresses this issue by allowing an admin to specify the location of the mksquashfs binary in the singularity.conf file.  I'm not sure if a similar strategy would work in your situation or not.  Presumably you have a single singularity installed per conda environment, so you could use this kind of feature if it existed?

Dave

On Tue, Jan 23, 2018 at 8:41 PM, JS Legare <jsle...@gmail.com> wrote:

I'm installing and using singularity inside a conda environment. When this conda environment is activated, a specific version of python executables is added to PATH.

The main singularity binary shell script overwrites the PATH environment variable with:

PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin}"

( https://github.com/vsoch/singularity/blob/5acfa9c7084814358e98b23f17b38413240a9780/bin/singularity.in#L40 )

Which, on a system without python installed to one of these, results in ENOENT when trying to execve() any of the other singularity python helper scripts, e.g. via "singularity import FOO" (in which case "#!/usr/bin/env python" fails to find a suitable executable in import.py).

Could we at least include in the PATH, $(dirname "$(which python)"), if it's not in the other paths?

Regards,
JS

--
You received this message because you are subscribed to the Google Groups "singularity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to singularity+unsubscribe@lbl.gov.
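The sanitization Dave describes, together with the admin-configured location he proposes, can be written as a PATH rebuild that appends a directory only after checking that no unprivileged user could have planted a binary in it. This is an added example, not Singularity's own wrapper code; it assumes GNU coreutils `stat -c` and the allowlist quoted above.

```sh
# Added example, not Singularity's code: rebuild PATH from the wrapper's fixed
# allowlist and append one admin-configured directory (e.g. where python lives)
# only if an unprivileged user cannot have written to it.  Assumes GNU `stat -c`.
SAFE_PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"

# trusted_dir DIR [ALLOWED_UID]
# Succeeds only if DIR is an absolute, existing directory (not a symlink),
# owned by ALLOWED_UID (default 0, i.e. root) and not writable by group/others.
trusted_dir() {
    dir=$1
    allowed_uid=${2:-0}
    case "$dir" in
        /*) ;;                       # must be absolute
        *)  return 1 ;;
    esac
    [ -d "$dir" ] || return 1
    [ -L "$dir" ] && return 1        # refuse symlinked directories
    owner=$(stat -c '%u' "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$allowed_uid" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    # Octal mode string: last digit is "other", the one before it "group".
    # A write bit (2, 3, 6, 7) in either position means non-owner can write.
    case "$mode" in
        *[2367]|*[2367]?) return 1 ;;
    esac
    return 0
}

# build_path [EXTRA_DIR] [ALLOWED_UID]
# Prints the sanitized PATH; EXTRA_DIR is appended only if trusted_dir accepts it.
build_path() {
    if [ -n "$1" ] && trusted_dir "$1" "${2:-0}"; then
        printf '%s\n' "$SAFE_PATH:$1"
    else
        printf '%s\n' "$SAFE_PATH"
    fi
}

# Constructed demonstration with two temporary directories owned by the caller:
# the world-writable one is refused, the 0755 one is accepted.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 0777 "$tmp/open" && mkdir -m 0755 "$tmp/closed" || return 1
    printf 'open:   %s\n' "$(build_path "$tmp/open"   "$(id -u)")"
    printf 'closed: %s\n' "$(build_path "$tmp/closed" "$(id -u)")"
    rm -rf "$tmp"
}
demo
```

In a setuid wrapper the ALLOWED_UID would stay at root and the directory would come from a config file only root can edit; for the non-setuid, per-user install JS describes, the installing user's uid is the sensible owner to require.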

Jean-Sébastien Légaré

Jan 30, 2018, 12:11:10 PM
to singu...@lbl.gov

In my case, the singularity is also installed as my regular user. So both the singularity binary and python would be owned by the same user. Conda is similar to virtualenv, if you're familiar with that, in that most packages get installed in a non-standard (i.e. non-/usr/local) "per-project environment" directory. It sounds like the feature you describe would be useful for the python binary as well.

Being able to run singularity as a non-root user (and without setuid) has limitations, but it has uses. I'm not 100% familiar with the security model, but it looks like, at least, I could run containers in user namespaces without root access. Being able to pick up a custom python would help.

JS


v

Jan 30, 2018, 12:37:24 PM
to singu...@lbl.gov
It would be nice to let a user choose on the fly, but we have to favor security. There should be no special needs, library-wise, for the Python, so I don't see a compelling use case to want to use your own. The only reasonable option I see here is having it be a custom setting when Singularity is installed (with sudo) in the first place.

--
Vanessa Villamia Sochat
Stanford University '16

Priedhorsky, Reid

Jan 30, 2018, 12:43:55 PM
to singu...@lbl.gov
FWIW, Charliecloud runs containers in user namespaces and doesn’t manipulate your path. Perhaps it is a better fit for your use case.


Full disclosure: I lead the Charliecloud project.

Thanks,
Reid

david hon

Jan 30, 2018, 1:56:43 PM
to singu...@lbl.gov
Hi Reid,

I'm curious about your choice of the name Charliecloud ...
Last time I visited Los Alamos, I was dealing with EPICS,
and I wonder if it has been container-ized?

Cheers,
--david

--
apologies if my text lacks upper-case -- the shift
key aggravates my carpal tunnel & tendinitis.
david...@gmail.com cell: 352-275-7438


v

Jan 30, 2018, 2:22:28 PM
to singu...@lbl.gov
One of my favorite songs... <3

Priedhorsky, Reid

Feb 2, 2018, 1:39:49 PM
to singu...@lbl.gov
Hello David,

> I'm curious about your choice of the name Charliecloud ...

It’s named after Charlie McMillan, LANL director until about a month ago.

> Last time I visited Los Alamos, I was dealing with EPICS,
> and I wonder if it has been container-ized?

I’m not familiar with EPICS, unfortunately.

HTH,
Reid

p.s. I set the reply-to to charli...@groups.io in case anyone wants to continue this conversation, since it’s gone OT for this list.