Running command using sudo during %post [for Arch Linux's makepkg]


Remy Prechelt

May 20, 2018, 4:33:02 AM
to singularity
What's the simplest method of running a command using sudo during %post?

I'm trying to build an Arch Linux based recipe (using `Bootstrap: arch`) and want to install some packages provided by the AUR using the standard `makepkg` suite. However, `makepkg` must be run as a regular user (with sudo) as opposed to root (it will exit immediately if run as root). For our current Docker builds we create a user, give them sudo permissions, do the necessary installations using `makepkg`, and then delete the user. However, my first pass using this method during %post fails because all the available filesystems are mounted with `nosuid` (at least according to `mount` run during %post). Short of binding an external filesystem and using that as a suid environment, is there a way that I can make this work? I have tried remounting the root filesystem during %post but still get a `nosuid` error. Since there is already an Arch recipe on GitHub I am imagining that someone has encountered this before and has a method of getting `makepkg` working in a recipe.

Thanks in advance!

v

May 20, 2018, 11:11:18 PM
to singu...@lbl.gov
Hey Remy,

Could you share what you have so far so others can reproduce and build off that? My intuition would be to run the command as a different user (e.g., su - vanessthemess -c "command") but I haven't tried much with the arch bootstrap.  Anyway, if you share what you have so far others can maybe build / help off that!

Best,

Vanessa

--
You received this message because you are subscribed to the Google Groups "singularity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to singularity+unsubscribe@lbl.gov.



--
Vanessa Villamia Sochat
Stanford University '16

Remy Prechelt

May 20, 2018, 11:54:30 PM
to singularity
Hi Vanessa,

Thanks for the quick response. I was actually able to make this work last night but the solution is less than ideal. I create a new user during the build, remount the root filesystem with `suid` (missing step when I posted my above answer), use that user to install whatever packages I need, remount the root filesystem with `nosuid`, and then delete the user. This is working for our current builds but is a little cumbersome.

I have included the code below in case anyone stumbles across this post in the future.


    # create a singularity group
    groupadd -f singularity

    # remount the root filesystem so we can use sudo
    # this is the CRUCIAL step otherwise everything will fail
    mount -o remount,rw,exec,suid /

    # create a singularity user (only if it does not exist yet)
    if ! id -u singularity > /dev/null 2>&1
    then
        useradd singularity -m -g singularity
        echo "singularity ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/singularity && \
        chmod 0440 /etc/sudoers.d/singularity
    fi

    # build and install cower from the AUR (for example - change this to whatever package you want)
    if [ -z "$(pacman -Qs cower)" ]; then
        su - singularity -c "curl -o PKGBUILD 'https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=cower'"
        su - singularity -c "makepkg PKGBUILD --skippgpcheck --install --needed"
        su - singularity -c "rm -f PKGBUILD"
    fi

    # and finally remount the filesystem with nosuid
    mount -o remount,rw,nosuid /

    # delete the singularity user
    userdel -r singularity
    groupdel singularity

    # and get rid of sudo permissions in case someone recreates a singularity user
    rm -f /etc/sudoers.d/singularity


Thanks again!

Remy Prechelt
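
An added example, not part of the original post: a POSIX shell check that can be run as the last step of %post, or against an unpacked image, to confirm that the temporary `singularity` account, its group, its home directory and its NOPASSWD sudoers rule from the recipe above are all gone, for instance after a build that stopped before the cleanup lines. The function name `audit_rootfs` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a root filesystem for leftovers
# of the temporary build user created by the %post workaround.
# Usage: audit_rootfs <rootfs-dir> [username]  (defaults: / and "singularity")
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# The number of findings is left in the global variable $findings.
audit_rootfs() {
    root=${1:-/}
    user=${2:-singularity}
    findings=0

    report() {
        echo "LEFTOVER: $1"
        findings=$((findings + 1))
    }

    # 1. passwd / group entries for the temporary account
    if [ -f "$root/etc/passwd" ] && grep -q "^${user}:" "$root/etc/passwd"; then
        report "user '$user' still in etc/passwd"
    fi
    if [ -f "$root/etc/group" ] && grep -q "^${user}:" "$root/etc/group"; then
        report "group '$user' still in etc/group"
    fi

    # 2. the sudoers drop-in the recipe writes for the account
    if [ -e "$root/etc/sudoers.d/$user" ]; then
        report "etc/sudoers.d/$user still present"
    fi

    # 3. any other sudoers file that grants NOPASSWD to that account
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$root/etc/sudoers.d/$user" ] && continue
        if grep -Eq "^[[:space:]]*${user}[[:space:]].*NOPASSWD" "$f"; then
            report "NOPASSWD rule for '$user' in ${f#"$root"/}"
        fi
    done

    # 4. home directory created by "useradd -m"
    if [ -d "$root/home/$user" ]; then
        report "home directory home/$user still present"
    fi

    [ "$findings" -eq 0 ]
}
```

Calling `audit_rootfs / || exit 1` at the end of %post makes the build fail instead of shipping an image that still carries the passwordless sudo rule.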

v

May 21, 2018, 11:45:48 AM
to singu...@lbl.gov
Hey Remy!

Thanks for the follow up - and I'm glad that you shared the complete recipe because I can almost assure you others will run into the issue, do a Google search, find your solution, and then save the hassle of figuring it out (again!) When I did this previously (to install packages with homebrew) I did something similar, but nowhere near as cleanly / documented as your example. Until we know some more optimal solution, it's good to have this one in the ARCHive, hehe.

Best,

Vanessa
