An issue about NO_NEW_PRIVS


Edward Allen

Aug 26, 2018, 11:19:20 PM
to singu...@lbl.gov
Hello:
  I have run into an issue that is making me very confused. The environment is Red Hat, and
uname -a lists:

Linux psn004 2.6.32-431.29.2.lustre.el6.x86_64 #1 SMP Fri Jul 31 09:39:58 CST 2015 x86_64 x86_64 x86_64 GNU/Linux

When I run ./configure, it prints

ERROR!!!!!!
This host does not support the NO_NEW_PRIVS prctl functions!
The kernel must be updated to support Singularity securely.

And when I run NO_NEW_PRIVS.sh, it outputs:
NO_NEW_PRIVS_test.c: In function 'main':
NO_NEW_PRIVS_test.c:6: error: 'PR_SET_NO_NEW_PRIVS' undeclared (first use in this function)
NO_NEW_PRIVS_test.c:6: error: (Each undeclared identifier is reported only once
NO_NEW_PRIVS_test.c:6: error: for each function it appears in.)
NO_NEW_PRIVS_test.c:12: error: 'PR_GET_NO_NEW_PRIVS' undeclared (first use in this function)
./no_new_privs.sh: line 29: ./NO_NEW_PRIVS_test: No such file or directory

I also changed setuid = no in singularity.conf, but when I run ./configure the same error happens. I want to know how to make it work; can you teach me? Thanks!
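The compiler errors in the script output above come from the header files on that host, which do not declare PR_SET_NO_NEW_PRIVS or PR_GET_NO_NEW_PRIVS, so the test binary was never built and the kernel was never actually asked. The following is an added example, not Singularity's own NO_NEW_PRIVS_test.c or no_new_privs.sh: it falls back to the values those constants have in <linux/prctl.h> (38 and 39) so the probe compiles against old headers, and then reports what the running kernel says. The enum, the function names and the status strings are this example's own choices.

```c
/* Probe whether the running kernel supports the NO_NEW_PRIVS prctl.
 * Added example; not Singularity's NO_NEW_PRIVS_test.c.
 * The fallback #defines carry the values from <linux/prctl.h> (38 and 39)
 * so the probe still compiles on headers that predate the feature; the
 * answer then comes from the kernel at run time instead of a compile error. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

enum nnp_status {
    NNP_SUPPORTED,    /* flag set and read back as 1 */
    NNP_UNSUPPORTED,  /* kernel rejects the option with EINVAL (too old) */
    NNP_ERROR         /* any other failure; errno is reported via *err */
};

/* Set no_new_privs on the calling process and read it back.
 * The flag is one-way for this process and everything it execs, so run the
 * probe in a throwaway child or helper binary if you still need privilege
 * transitions afterwards (the configure script runs it as a separate binary). */
enum nnp_status probe_no_new_privs(int *err)
{
    int got;

    if (err)
        *err = 0;

    /* An old kernel returns -1/EINVAL for an option number it does not know. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        if (err)
            *err = errno;
        return errno == EINVAL ? NNP_UNSUPPORTED : NNP_ERROR;
    }

    got = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (got == 1)
        return NNP_SUPPORTED;

    /* SET succeeded but GET did not confirm it: report rather than guess. */
    if (err)
        *err = (got < 0) ? errno : 0;
    return NNP_ERROR;
}

/* Human-readable summary, mirroring the configure-time wording. */
const char *nnp_describe(enum nnp_status s)
{
    switch (s) {
    case NNP_SUPPORTED:
        return "This host supports the NO_NEW_PRIVS prctl functions";
    case NNP_UNSUPPORTED:
        return "This host does not support the NO_NEW_PRIVS prctl functions";
    default:
        return "unexpected prctl failure";
    }
}

int main(void)
{
    int err = 0;
    enum nnp_status s = probe_no_new_privs(&err);

    printf("%s", nnp_describe(s));
    if (err)
        printf(" (errno %d: %s)", err, strerror(err));
    putchar('\n');

    /* Non-zero exit lets a build script treat "unsupported" as a hard stop. */
    return s == NNP_SUPPORTED ? 0 : 1;
}
```

Compiled with `cc -Wall -o nnp_probe nnp_probe.c`, the program exits 0 only when the kernel both accepts PR_SET_NO_NEW_PRIVS and reads the flag back as 1. On a kernel like the 2.6.32-431 one in the question it compiles cleanly and reports "does not support", which is the same conclusion the configure check reaches, only now backed by the kernel's own EINVAL rather than a header omission.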

Lars Viklund

Aug 27, 2018, 2:14:28 AM
to singu...@lbl.gov

Hi!

Judging by that thread, your kernel is incapable of supporting Singularity in any mode, as it doesn't support an essential prctl function and pre-dates usable user namespaces. This parameter seems to be a hard requirement.

The wording is a bit unfortunate, but what they say is that by setting the configuration option, an existing vulnerable Singularity installation will be made inoperable. It cannot be used to work around this requirement.

As far as I understand it, your kernel cannot run current Singularity, and the only way forward is a newer vendor kernel with support for this, possibly with a minor OS update.

// Lars

--
You received this message because you are subscribed to the Google Groups "singularity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.

Dave Dykstra

Aug 27, 2018, 5:12:30 PM
to singu...@lbl.gov
Yes that looks like a RHEL 6.5 kernel that's too old. Upgrade to a more
recent RHEL kernel. It doesn't necessarily need the rest of the
operating system upgraded, but the kernel should be continually updated
for security patches anyway.

Looks like this functionality was introduced in a 2015 security patch
https://access.redhat.com/errata/RHSA-2015:0864
in kernel 2.6.32-504.

Dave

Edward Allen

Aug 27, 2018, 10:00:46 PM
to singu...@lbl.gov
Thank you for your reply. In fact, for some reason, we cannot change the kernel unless the company's leadership requires it, but maybe I found another way to solve it: I found that the requirement for this function was added after version 2.5.0, so I tried installing 2.4.6 and it worked. As for the upgrade, I will tell the leaders. Anyway, thank you for your reply and have a nice day!


Edward Allen

Aug 27, 2018, 10:02:29 PM
to singu...@lbl.gov
Thank you for your reply. In fact, for some reason, we cannot change the kernel unless the company's leadership requires it, but maybe I found another way to solve it: I found that the requirement for this function was added after version 2.5.0, so I tried installing 2.4.6 and it worked. As for the upgrade, I will tell the leaders. Anyway, thank you for your reply and have a nice day! I hope that we can communicate frequently in the future.


David Trudgian

Aug 27, 2018, 10:05:50 PM
to 'Oliver Freyermuth' via singularity
Hi Edward,

We *very strongly* recommend using an up-to-date version of Singularity. Before committing to running 2.4.6 for the foreseeable future please ensure you review the release notes for 2.5.0 and newer at:


These highlight reasons why we recommend running a newer version. The reason to require PR_SET_NO_NEW_PRIVS has also been discussed at length here:


Cheers,

DT