bind mount security


Tims

Mar 28, 2019, 3:54:04 PM
to singularity
If I bind mount -B $PWD,  I would like container users only see/list this directory and children but not the parents.
Is this doable?



Gregory M. Kurtzer

Mar 29, 2019, 1:50:43 AM
to singularity
Absolutely possible! If it isn't doing it now, it may be because there are layered bind mounts occurring. For example, if you do a `-B $HOME/testdir`, you will see the parent directory because the home directory is automatically also bound in. I was going to suggest that you could try something like:

$ singularity shell --contain --bind $PWD container.sif

But it appears we have an issue with that in the version that I'm testing:

$ singularity shell -c -B $PWD alpine.sif 
FATAL:   container creation failed: mount ->/home/gmk/demo error: can't remount /home/gmk/demo: no such file or directory

... Hrmm, that might need a bug report submitted, or someone smarter than me can explain what I'm doing wrong. ;-)

Greg

On Thu, Mar 28, 2019 at 12:54 PM Tims <tims.c...@gmail.com> wrote:
If I bind mount -B $PWD,  I would like container users only see/list this directory and children but not the parents.
Is this doable?



--
You received this message because you are subscribed to the Google Groups "singularity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.


--
Gregory M. Kurtzer
CEO, Sylabs Inc.

v

Mar 29, 2019, 5:20:50 AM
to singu...@lbl.gov
If you use an older version of Singularity (this is 2.6.2-dist) the functionality works - the directory is bound, showing the direct parents but nothing else (no parent siblings). Here is an example:

Running Docker container, pulling busybox
$ docker run --privileged --entrypoint bash -it singularityware/singularity:2.6
root@3fd22ebd66f0:/tmp# singularity pull docker://busybox
WARNING: pull for Docker Hub is not guaranteed to produce the
...
Done. Container is at: ./busybox.simg

Make a crapton of folders in /home, 0-9 on the first  level, A-Z on second levels
root@3fd22ebd66f0:/home# mkdir -p /home/{0..9}/{A..Z}
root@3fd22ebd66f0:/home# ls
0  1  2  3  4  5  6  7 8  9
root@3fd22ebd66f0:/home# cd 8
root@3fd22ebd66f0:/home/8# ls
A  B  C  D  E  F  G  H I  J  K  L  M  N  O  P Q  R  S  T  U  V  W  X Y  Z
root@3fd22ebd66f0:/home/8# cd A

Shell in - binding PWD (/home/8/A) - note that all folders in /home and /home/8 other than 8/A are hidden

root@3fd22ebd66f0:/home/8/A# singularity shell -C -B $PWD /tmp/busybox.simg 
Singularity> cd /home
Singularity> ls
8
Singularity> cd 8
Singularity> ls
A
exit 

So it follows that if you bind the same folder to a place like /opt, you also can get rid of the parent folders (and truly conceal the location!) Here we are again starting in /home/8/A and we create a file to look for in the container.

root@3fd22ebd66f0:/home/8/A# touch hereiam
root@3fd22ebd66f0:/home/8/A# singularity shell -C -B $PWD:/opt /tmp/busybox.simg 
Singularity: Invoking an interactive shell within container...
Singularity> ls /opt/
hereiam
 
So - likely it's a bug that it doesn't work after 2.6, but it probably should.
Vanessa Villamia Sochat
Stanford University '16

Jason Stover

Mar 29, 2019, 4:24:02 PM
to singu...@lbl.gov
Hi Tims,

Assuming you are in $HOME ... you can do something like:

singularity shell --no-home ./myimage.sif

That will *not* bind your home directory in, but will bind in your
current working directory, so only that shows up in your $HOME
structure. What you have in your example should be the default
behavior. For example:

$ pwd && ls
/usr/local/singularity
2.5.2/ 2.6.1/ 3.0.1/ 3.1.0-rc4/ 3.1.0
$ ls ../bin/
hello.sh*
$ singularity shell -B $PWD ~/lolcow.sif
Singularity lolcow.sif:/usr/local/singularity> pwd && ls
/usr/local/singularity
2.5.2 2.6.1 3.0.1 3.1.0-rc4 3.1.0
Singularity lolcow.sif:/usr/local/singularity> ls ../bin/
Singularity lolcow.sif:/usr/local/singularity>

So in the above case, I changed to: /usr/local/singularity ... and I
used `-B $PWD` ... this bind mounted /usr/local/singularity into the
image at the same location. But, the host /usr/local/bin/ was not
included in this. Just the /usr/local/singularity directory and all
children.

Now, if you're wanting to cut off the entire directory structure,
you can use: `-B $PWD:/work_dir` (or similar). As Vanessa mentioned,
you can specify where you want a bind point to be mounted, otherwise
the default is just to mount it at the same path location. So, in this
example, $PWD would be mounted at `/work_dir` in the container,
instead of whatever path we actually have.

-J
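An added example, not code from anyone in this thread: a small POSIX sh helper that applies the two points above (Greg's layered-bind observation, and Vanessa's and Jason's `-B $PWD:/work_dir` suggestion). It checks whether the directory you want to bind sits under the automatically bound $HOME, since that home bind is what reveals the parents, and prints a `singularity shell` command that binds the directory at a neutral path. The function names and the `/work_dir` destination are this example's own choices; it does not need singularity installed to run.

```shell
#!/bin/sh
# Added example, not code from the thread. Pure POSIX sh; singularity is
# not required to run it. The names bind_exposes_parent / contained_shell_cmd
# and the /work_dir destination are this example's own choices.

# Return 0 when SRC sits at or below BROADER, i.e. a broader bind (such as
# the automatic $HOME bind) would already expose SRC's parent directories.
bind_exposes_parent() {
    src=${1%/}; broader=${2%/}
    case "$src" in
        "$broader"|"$broader"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a singularity command line that shows only CWD and its children.
# CWD is always bound at /work_dir so the host location is concealed;
# --contain limits the default binds, and --no-home is added only when CWD
# is under HOME, because the home bind is what reveals the parents.
contained_shell_cmd() {
    cwd=${1%/}; home=${2%/}; image=$3
    if bind_exposes_parent "$cwd" "$home"; then
        printf 'singularity shell --contain --no-home -B %s:/work_dir %s\n' \
            "$cwd" "$image"
    else
        printf 'singularity shell --contain -B %s:/work_dir %s\n' \
            "$cwd" "$image"
    fi
}

# Constructed sample inputs mirroring the paths used in the thread.
contained_shell_cmd /home/gmk/demo /home/gmk container.sif
contained_shell_cmd /usr/local/singularity /home/jason lolcow.sif
```

Run it and compare the two printed commands: the first drops the home bind because /home/gmk/demo lives under /home/gmk, the second keeps the defaults because /usr/local/singularity is outside the home tree.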