Can user run sudo commands in his own container?


Matúš Pikuliak

Mar 23, 2019, 12:09:04 PM
to singularity
Hey, I have a question about the user privileges in singularity containers. My use-case is to use singularity basically as VMs and I would like for each user to have complete control over his VM instances. When someone builds an Ubuntu container I would like for him to have sudo privileges within this container. E.g. when the user runs his container, he can use apt install or apt remove. The only way I can use these is to run the respective singularity command with sudo, but I do not want to give them sudo permissions. I was thinking about giving them sudo permissions only on singularity commands, but I am not sure how safe it is and they would also gain access to the containers of other people.

Is there any other way to have sudo capabilities for users within their containers?

v

Mar 23, 2019, 12:49:08 PM
to singu...@lbl.gov
To have sudo inside the container, the user needs to be sudo outside the container, and yes to run with sudo privileges

> The only way I can use these is to run the respective singularity command with sudo, but I do not want to give them sudo permissions

So this is sort of a contradiction - something along the lines of having cake and eating it too :_) Do you trust your users to do this? And what is your setup? If you want them to easily develop containers with write, you might consider having them build/develop with Docker locally, and then pull the read only versions onto the cluster. 

--
Vanessa Villamia Sochat
Stanford University '16

Dave Godlove

Mar 23, 2019, 9:51:02 PM
to singularity
If you want users to be able to build containers without having sudo on the system, check out the --remote option that you can pass to the build command in Singularity >=3.0.0.  
Dave Godlove
Engineering Coordinator, Sylabs Inc.

David Dykstra

Mar 27, 2019, 3:19:22 PM
to singu...@lbl.gov
Check out the proposed --fakeroot feature
https://github.com/sylabs/singularity/pull/2718

I think it has potential for allowing unprivileged users to have sudo
inside a container, but it's not fully implemented yet and will at a
minimum have some caveats.

Dave
