nfs mount inside singularity container not working as regular user

BHANU PRASAD GANGURU

Aug 2, 2018, 3:11:51 PM
to singularity
Hi,

I'm trying to mount an nfs export inside a container as regular user and it's showing the following error

mount.nfs: not installed setuid - "user" NFS mounts not supported.

When I try to run the container as root, it works fine.

Here's what I'm doing


$ singularity --version
2.5.2-release-2.5.b258b65

$ singularity exec CentOS7.img cat /etc/fstab
nfsserver:/dev1 /n/scratch nfs vers=3,users 0 0

$ singularity exec CentOS7.img mount /n/scratch
mount.nfs: not installed setuid - "user" NFS mounts not supported.

$ sudo singularity exec CentOS7.img mount /n/scratch
[sudo] password for user:


$ sudo singularity exec CentOS7.img ls -l /n/scratch
total 0



Does anyone know why it's not working for regular users and what needs to be done in order to make it possible?

Thanks in advance,
Bhanu

Thomas Hartmann

Aug 3, 2018, 4:16:22 AM
to singu...@lbl.gov
Hi Bhanu,

I would guess that it is due to the NFS client being quite close to the
kernel, and your user needs setuid to run the mount with elevated
privileges. For starters, I would check whether setuid is allowed in the
Singularity config [1] and whether you see mount.nfs in the container and
where it comes from (whether /usr/sbin or so is in the host namespace or
in the container's namespace).

Cheers,
Thomas


[1]
https://www.sylabs.io/guides/2.5.1/admin-guide/the_singularity_config_file.html#allow-setuid-boolean-default-yes


Jason Stover

Aug 3, 2018, 11:19:14 AM
to singu...@lbl.gov
You cannot elevate privileges in the container. mount.nfs (for me) is SUID 0.

$ ls -l /sbin/mount.nfs
-r-s--x--x 1 root root 119168 Apr 14 2016 /sbin/mount.nfs*

Even if you're using capabilities instead of SUID on the binaries,
NO_NEW_PRIVS blocks privilege escalation in the container.

-J

BHANU PRASAD GANGURU

Aug 8, 2018, 3:26:41 PM
to singularity, thomas....@desy.de

Hi Thomas, 

Indeed, setuid is enabled in the Singularity config.
I've installed nfs-utils when building the Singularity container, so it's not getting mount.nfs from the host.

Is there a way to do what I'm trying to achieve?

$ grep setuid /etc/singularity/singularity.conf 
# Should we allow users to utilize the setuid program flow within Singularity?
allow setuid = yes

$ singularity shell CentOS7.img

Singularity CentOS7.img:~> which mount.nfs
/sbin/mount.nfs
Singularity CentOS7.img:~> ls -l /sbin/mount.nfs
-rwsr-xr-x 1 root root 113408 Apr 12 15:52 /sbin/mount.nfs
Singularity CentOS7.img:~> 


Thanks,
Bhanu
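
Added example, not part of any poster's message: the ls output above shows the setuid bit on /sbin/mount.nfs, yet the Linux kernel ignores that bit (and file capabilities) at exec time for a process with no_new_privs set or for a binary on a nosuid mount. This sh script, with hypothetical function names, reports which of those conditions hold when it is run inside the container.

```shell
#!/bin/sh
# Added example (not from the thread): report why the kernel will not honour
# the setuid bit on a helper such as mount.nfs in the current context.
# Function names are hypothetical; file arguments default to the live /proc.

# Print NoNewPrivs (0 or 1) from a /proc/<pid>/status-format file.
nnp_flag() {
    awk '$1 == "NoNewPrivs:" { print $2; found = 1 }
         END { if (!found) print "unknown" }' "${1:-/proc/self/status}"
}

# Succeed if file $1 has the setuid bit set.
has_setuid() { [ -u "$1" ]; }

# Succeed if the mount holding path $1 has the nosuid option.
# $2 is a /proc/<pid>/mountinfo-format file: field 5 is the mount point,
# field 6 the per-mount options. The longest (and latest) match wins.
mount_is_nosuid() {
    awk -v p="$1" '
        { mp = $5
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) &&
              length(mp) >= best) { best = length(mp); opts = $6 } }
        END { exit ((("," opts ",") ~ /,nosuid,/) ? 0 : 1) }
    ' "${2:-/proc/self/mountinfo}"
}

# Print one line per condition that applies to binary $1.
# $2 and $3 optionally override the status and mountinfo files.
diagnose() {
    has_setuid "$1" || echo "no-setuid-bit"
    [ "$(nnp_flag "$2")" = 1 ] && echo "no_new_privs"
    mount_is_nosuid "$1" "$3" && echo "nosuid-mount"
    return 0
}

# Usage: sh check_suid.sh /sbin/mount.nfs   (run inside the container)
if [ $# -gt 0 ]; then diagnose "$1"; fi
```

Empty output means none of the three conditions was detected for that binary.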