Failed invoking the NEWUSER namespace runtime: Invalid argument


Sandeep Sarangi

Aug 9, 2017, 4:35:43 PM
to singularity
I created a singularity image on a Linux box where I have root and upon transferring it to my University's Linux cluster to run in a Singularity container I get this error message:

$ singularity exec ubuntu.img ls
ERROR  : Failed invoking the NEWUSER namespace runtime: Invalid argument
ABORT  : Retval = 255

On the cluster I'm using Singularity 2.3.1 and the Admin installed it as root. The cluster OS info is

$ uname --all
Linux [hostname] 3.10.0-514.26.2.el7.x86_64 #1 SMP Fri Jun 30 05:26:04 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

I saw this earlier post--

https://groups.google.com/a/lbl.gov/forum/#!searchin/singularity/NFS$20filesystem$20was$20mounted$20nosuid/singularity/EC4XKL7S-6k/Udyk5wvoAAAJ

However my Admin said that "the programs require the root SUID bit set, which means they run with root privilege (not good). This is not allowed on the NFS mounts because it's a security exposure."

I thought the whole point of Singularity is that it allows users to run containers without root and thus not create a security risk. Is there any workaround?

Thanks!

Dave Dykstra

Aug 22, 2017, 3:01:56 PM
to singularity
Sandeep,

Singularity can be run without setuid-root on RHEL systems only on the recently released EL7.4, and only if a couple of options are enabled, a boot option and a sysctl option. I can give you details if you're interested. There are also a couple of other restrictions in that you can't enable overlay (so bind mounts have to already exist in the image) and you have to have an image directory tree and not an image file (because image files require a loopback mount).

Dave

Sandeep Sarangi

Aug 22, 2017, 6:59:08 PM
to singularity
Dave,

Thanks so much for your response. I ended up asking our Admin to install Singularity locally on all the cluster compute nodes (and as root) to avoid the NFS issue I referenced previously and that resolved this problem. It's good to know this might not be necessary for EL7.4 (I'll let our Admin know).

Thanks!
Sandeep

Oliver Schulz

Dec 18, 2017, 9:13:11 AM
to singularity
Hi Dave,

I'd be very interested in the details (getting Singularity to run on EL7 without the suid flag).


Cheers,

Oliver

Bennet Fauber

Dec 18, 2017, 9:19:18 AM
to singu...@lbl.gov
I second that interest.

Ole Holm Nielsen

Dec 19, 2017, 2:23:26 AM
to singularity
This topic was also discussed in the thread https://groups.google.com/a/lbl.gov/forum/#!topic/singularity/HG-198TAzOQ
You have 2 options on EL7.4: 1) install RPMs locally on each node (including setuid executables), or 2) as described in that thread by Oliver Freyermuth, read http://opensciencegrid.github.io/docs/worker-node/install-singularity/#enabling-unprivileged-mode-for-singularity and reconfigure singularity.
I opted to install the RPMs locally for simplicity, despite the setuid executables. I wrote some notes about this in https://wiki.fysik.dtu.dk/niflheim/Singularity_installation
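A host check for the two options above, added here as an example (not code from the thread or from the Singularity project): it reports whether the singularity binary sits on a nosuid mount, which is what produced the NEWUSER error at the top of the thread, and if so whether the host permits unprivileged user namespaces. The EL7.4 boot option namespace.unpriv_enable=1 and the sysctl user.max_user_namespaces are not spelled out in the thread and are assumed here, as are GNU stat and /proc/mounts.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or the Singularity project) for the two
# conditions the thread describes: is the singularity binary on a nosuid mount
# (setuid mode then needs a local install, option 1), and if so does the host
# allow unprivileged user namespaces (option 2)? The boot option
# namespace.unpriv_enable=1 and sysctl user.max_user_namespaces are assumed here.

# 0 if a comma-separated mount option string (as in /proc/mounts) has nosuid.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if a kernel command line carries the EL7.4 unprivileged-userns switch.
cmdline_enables_unpriv_ns() {
    case " $1 " in
        *" namespace.unpriv_enable=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the user.max_user_namespaces value allows at least one namespace.
userns_limit_ok() {
    [ "${1:-0}" -gt 0 ] 2>/dev/null
}

# Mount options of the filesystem holding $1, read from /proc/mounts.
mount_opts_for() {
    mp=$(stat -c %m -- "$1" 2>/dev/null) || return 1
    awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }' /proc/mounts
}

# Live check of this host: 0 when Singularity can run in some mode, 1 otherwise.
check_singularity_host() {
    bin=$(command -v singularity 2>/dev/null) || { echo "FAIL: singularity not in PATH"; return 1; }
    opts=$(mount_opts_for "$bin") || { echo "FAIL: cannot stat $bin"; return 1; }
    if ! has_nosuid "$opts"; then
        echo "OK: $bin is on a mount honouring setuid ($opts)"; return 0
    fi
    echo "WARN: $bin is on a nosuid mount ($opts); setuid mode cannot work here"
    if cmdline_enables_unpriv_ns "$(cat /proc/cmdline 2>/dev/null)" &&
       userns_limit_ok "$(sysctl -n user.max_user_namespaces 2>/dev/null)"; then
        echo "INFO: unprivileged user namespaces enabled; non-setuid mode is possible"; return 0
    fi
    echo "FAIL: unprivileged user namespaces disabled; install setuid binaries on local disk"; return 1
}

if [ "${1:-}" = "--run" ]; then check_singularity_host; fi
```

Run it with `--run` on a compute node; the pure helper functions can also be sourced and fed mount option strings copied from /proc/mounts.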

Oliver Schulz

Dec 20, 2017, 4:40:08 PM
to singularity
Thanks for the info and the links, Ole!

Richard Powell

Dec 22, 2017, 11:06:13 AM
to singu...@lbl.gov
A tip on how I installed Singularity... I installed all files to local default locations on each compute node. After installation, I moved the /etc/singularity/singularity.conf file to a central NFS mount point and replaced the local singularity.conf file on each node with a symlink to the NFS file. This strategy kept my suid bin files localized but gave me centralized control over settings. This worked in my test environment at 2.2, 2.3, and now at 2.4.
