Singularity writable container without sudo 2.6.1 to 3.x


TrialUser

Apr 25, 2019, 12:21:31 PM4/25/19
to singularity
Hi All,

We have been supporting docker and singularity containerization to deliver our software. We were using persistent overlay on an ext3 img format to create some scratch space needed by our software that we did not want to expose to the user. A wrapper script would take care of mounting user volumes and overlaying the ext3 img over the simg in version 2.6.1. No sudo was required for creating the writable scratch space.

With singularity 3.x I could not figure out a way to create a scratch space (such as ext3 or even a directory) and overlay it without root permissions. Is there any possibility to use --overlay without sudo, or how can I create some scratch space that is not easily visible as directories and files to the user of our software?

Thank you for all your help and please let me know if something is not clear. I understand that this is not aligned with singularity principles of immutable container images, but as a software vendor, I need to make sure that some parts of the software which are generated at runtime are as hard to access as possible.

Cedric Clerget

Apr 26, 2019, 7:00:42 AM4/26/19
to singu...@lbl.gov
Hi Ankit,

I don't clearly understand what you mean by "not expose", because everything put in an overlay image is exposed to the user.
Yes, v3 doesn't provide a way to generate/manipulate ext3 images.

But you can easily produce an ext3 overlay image with something like:

----------------------------------------
#!/bin/sh
# usage: mkoverlay.sh <image> <size in MiB>
# mkfs.ext3 -d (populate from a directory) needs e2fsprogs >= 1.43
set -e
umask 0022
image=$1
size=$2
tmproot=$(mktemp -d)
dd if=/dev/zero of="$image" bs=1M count="$size"
# create ext3 root directory layer (upper/ and work/ are what the overlay mount expects)
mkdir "$tmproot/upper"
mkdir "$tmproot/work"
# anything to ship inside the image must be placed under $tmproot/upper before this point
mkfs.ext3 -d "$tmproot" "$image"
rm -rf "$tmproot"

----------------------------------------

Now everything you want to be in the final container needs to be stored in $tmproot/upper/; for example, to add /etc/foo in the container:

mkdir -p $tmproot/upper/etc
echo "foo" > $tmproot/upper/etc/foo


Created files/directories will be owned by the user executing the script; to set a different owner you still need root privileges.

Hope that helps.

Cédric
--
You received this message because you are subscribed to the Google Groups "singularity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.


--
Cédric Clerget
Software Engineer, Sylabs, Inc
https://www.sylabs.io
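The following is an added example, not code from the thread or from Sylabs. It packages the unprivileged image build above into a function and then demonstrates Cédric's point that an overlay image hides nothing from the user: the files placed under upper/ can be read straight out of the ext3 image with debugfs, again without root and without ever mounting it. The sample file upper/etc/foo and its content are constructed for the demo; the function names are mine. It assumes e2fsprogs >= 1.43 (for mke2fs -d) and a Linux host.

```shell
#!/bin/sh
# Added example (not from the original thread): build an ext3 --overlay
# image as an unprivileged user, then read its contents back from the
# host with debugfs, also unprivileged.
set -e

# e2fsprogs usually installs into /sbin or /usr/sbin, which is often not
# on an unprivileged user's PATH; make mkfs.ext3 and debugfs findable.
PATH="$PATH:/usr/sbin:/sbin"

# build_overlay IMAGE SIZE_MIB
# Creates IMAGE with the upper/ and work/ directories an overlay mount
# expects, plus a constructed sample file upper/etc/foo (demo content).
build_overlay() {
    image=$1
    size=$2
    umask 0022
    tmproot=$(mktemp -d)
    mkdir -p "$tmproot/upper/etc" "$tmproot/work"
    # Everything staged under upper/ lands in the image, owned by the
    # invoking user: no root is involved at any point.
    echo "foo" > "$tmproot/upper/etc/foo"
    dd if=/dev/zero of="$image" bs=1M count="$size" 2>/dev/null
    # -F: IMAGE is a regular file, not a block device; -q: quiet;
    # -d: populate the new filesystem from the staging directory.
    mkfs.ext3 -F -q -d "$tmproot" "$image"
    rm -rf "$tmproot"
}

# read_overlay_file IMAGE PATH
# Prints PATH's contents directly from the image via debugfs, i.e. with
# no mount and no privileges. This is why an overlay cannot keep
# runtime-generated data away from the user who runs the container.
read_overlay_file() {
    debugfs -R "cat $2" "$1" 2>/dev/null
}

# list_overlay_dir IMAGE PATH
# 'ls -l' of a directory inside the image, showing owner uid/gid.
list_overlay_dir() {
    debugfs -R "ls -l $2" "$1" 2>/dev/null
}

# Usage, for example:
#   build_overlay scratch.img 64
#   singularity exec --overlay scratch.img image.sif sh
#   read_overlay_file scratch.img /upper/etc/foo
```

The same debugfs calls work on the image after the container has written into it, so anything the software generates at runtime inside the overlay is as readable as the files staged at build time. If data must stay out of the user's reach, it has to live somewhere the user's uid cannot read at all (a root-owned path, a service behind an API), not in a user-owned image file.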

TrialUser

May 13, 2019, 11:33:17 AM5/13/19
to singularity
Thanks a lot for the reply Cedric. This was very helpful.
After digging some more, I think --writable-tmpfs can help me out too. However, it looks like there is a limit of 1MB on it right now.
Am I correct?
How can I increase that limit?