issues with --fakeroot

[Haopeng Han]

Hi,

I am using singularity on my company's server. So far I am pretty happy about its capabilities and performance.

I got two issues with the --fakeroot option:

1:couldn't delete all the sandbox files:

singularity build --fakeroot --sandbox demo docker://ubuntu:20.04

singularity shell --fakeroot --writable demo

        singularity->./to_install.sh

        singularity->./startxfce.sh

        singularity-> ctrl+c, ctrl+d

rm -rf demo/ > rmdemo.log

ll demo/var/cache

drwxr-xr-x. 25 100005 100011 4096 Dec  6 12:33 man

2:--fakeroot doesn't work with Nviida docker images

singularity build --fakeroot --sandbox nvdemo docker://nvcr.io/nvidia/cuda:11.3.1-devel-ubuntu16.04

singularity shell --fakeroot --writable nvdemo 

        singularity-> apt update

Ign:1 http://security.ubuntu.com/ubuntu xenial-security InRelease              

Ign:2 http://archive.ubuntu.com/ubuntu xenial InRelease                        

Ign:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease                

Err:4 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1604/x86_64  InRelease

  Could not open file /var/lib/apt/lists/partial/developer.download.nvidia.com_compute_cuda_repos_ubuntu1604_x86%5f64_InRelease - open (13: Permission denied)

Ign:5 http://archive.ubuntu.com/ubuntu xenial-backports InRelease              

Err:6 http://archive.ubuntu.com/ubuntu xenial Release                       

  Could not open file /var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_Release - open (13: Permission denied) [IP: 91.189.88.142 80]

Err:7 http://security.ubuntu.com/ubuntu xenial-security Release             

  Could not open file /var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_xenial-security_Release - open (13: Permission denied) [IP: 91.189.88.142 80]

..................

..................

however it can be done using:

sudo singularity shell --writable nvdemo 

The server is a Dell 4U PowerEdge R940XA with 4xIntel 6230, running CentOS Stream 8.

Attached the files. 

Any help would be appreciated!

Best regards,

Haopeng

[Haopeng Han]

Forgot to mention: 

singularity version 3.8.3

[Dave Dykstra]

On Sun, Dec 05, 2021 at 09:20:45PM -0800, Haopeng Han wrote:
> Hi,
> I am using singularity on my company's server. So far I am pretty happy
> about its capabilities and performance.
> I got two issues with the --fakeroot option:
>
> 1:couldn't delete all the sandbox files:
> singularity build --fakeroot --sandbox demo docker://ubuntu:20.04
> singularity shell --fakeroot --writable demo
> singularity->./to_install.sh
> singularity->./startxfce.sh
> singularity-> ctrl+c, ctrl+d
> rm -rf demo/ > rmdemo.log
> ll demo/var/cache
> drwxr-xr-x. 25 100005 100011 4096 Dec 6 12:33 man

I think that's just the way it has to be, a consequence of the way
"rootless containers" deal with multiple user ids by enabling each user
to have access to multiple other user ids while inside the container.
Those files will just have to be removed from inside a container.

> 2:--fakeroot doesn't work with Nvidia docker images

> singularity build --fakeroot --sandbox nvdemo
> docker://nvcr.io/nvidia/cuda:11.3.1-devel-ubuntu16.04
> singularity shell --fakeroot --writable nvdemo
> singularity-> apt update
> Ign:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
> Ign:2 http://archive.ubuntu.com/ubuntu xenial InRelease
> Ign:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
> Err:4 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1604/x86_64
> InRelease
> Could not open file
> /var/lib/apt/lists/partial/developer.download.nvidia.com_compute_cuda_repos_ubuntu1604_x86%5f64_InRelease
> - open (13: Permission denied)
> Ign:5 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
> Err:6 http://archive.ubuntu.com/ubuntu xenial Release
> Could not open file
> /var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_Release -
> open (13: Permission denied) [IP: 91.189.88.142 80]
> Err:7 http://security.ubuntu.com/ubuntu xenial-security Release
> Could not open file
> /var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_xenial-security_Release
> - open (13: Permission denied) [IP: 91.189.88.142 80]
> ..................
> ..................

I cannot reproduce your symptoms, those commands worked for me.
Maybe you have to say more about your environment.

Dave

> however it can be done using:
> sudo singularity shell --writable nvdemo
>
> The server is a Dell 4U PowerEdge R940XA with 4xIntel 6230, running CentOS
> Stream 8.
> Attached the files.
> Any help would be appreciated!
> Best regards,
> Haopeng
>

> --
> You received this message because you are subscribed to the Google Groups "singularity" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.
> To view this discussion on the web visit https://groups.google.com/a/lbl.gov/d/msgid/singularity/9e188b67-3e02-4bf2-bea3-25cc359df8e6n%40lbl.gov .



> rm: cannot remove 'demo/var/cache/man/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/hu/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/hu/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/hu/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/tr/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/tr/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/tr/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/ko/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ko/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/ko/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_TW/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_TW/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_TW/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/id/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/id/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/id/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat3': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat7': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/cat5': Permission denied
> rm: cannot remove 'demo/var/lib/gdm3/.local/share/applications': Permission denied
> rm: cannot remove 'demo/var/lib/gdm3/.config/pulse/default.pa': Permission denied
> rm: cannot remove 'demo/var/lib/gdm3/.config/dconf': Permission denied
> rm: cannot remove 'demo/var/lib/colord/icc': Permission denied
> rm: cannot remove 'demo/run/systemd/netif/lldp': Permission denied
> rm: cannot remove 'demo/run/systemd/netif/leases': Permission denied
> rm: cannot remove 'demo/run/systemd/netif/links': Permission denied
> [hhan@dv-srv01 dv-app-11]$ rm -rf demo/ > rmdemo.log
> rm: cannot remove 'demo/var/cache/man/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/ru/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/pt/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/es/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/hu/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/hu/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/hu/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/ja/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/tr/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/tr/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/tr/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/cs/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/nl/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/ko/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/ko/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/ko/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/de/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/sv/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/da/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_TW/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_TW/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_TW/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/zh_CN/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/pl/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/id/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/id/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/id/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/fr/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat3': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat7': Permission denied
> rm: cannot remove 'demo/var/cache/man/cat5': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/index.db': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/cat1': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/CACHEDIR.TAG': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/cat8': Permission denied
> rm: cannot remove 'demo/var/cache/man/it/cat5': Permission denied
> rm: cannot remove 'demo/var/lib/gdm3/.local/share/applications': Permission denied
> rm: cannot remove 'demo/var/lib/gdm3/.config/pulse/default.pa': Permission denied
> rm: cannot remove 'demo/var/lib/gdm3/.config/dconf': Permission denied
> rm: cannot remove 'demo/var/lib/colord/icc': Permission denied
> rm: cannot remove 'demo/run/systemd/netif/lldp': Permission denied
> rm: cannot remove 'demo/run/systemd/netif/leases': Permission denied
> rm: cannot remove 'demo/run/systemd/netif/links': Permission denied
>

[Haopeng Han]

Thanks Dave for your reply!

For the first one, my concern is: if a user (without sudo privilege on the host, with --fakeroot on) issue "rm -rf /*" inside the container, will all the mounted/bound directories on the host that the user has rw access (eg home) get deleted?

For the second one, I guess it was the server's problem. I tried the same command on another server, it was ok.

Thanks & Best,

Haopeng

[Thomas Hartmann]

Hi Haopeng,

iirc - bin mounts into a container's context behave just like the same
directories on other paths.

e.g., if you bind mount a directory onto another path

> mount --bind /original/path /new/path

and your user has r/w on `/original/path`, the same capabilities apply
to your user on the new view `/new/path` as well

Cheers,
Thomas

> <http://nvcr.io/nvidia/cuda:11.3.1-devel-ubuntu16.04>

> <http://default.pa>': Permission denied

> <http://default.pa>': Permission denied

> > rm: cannot remove 'demo/var/lib/gdm3/.config/dconf': Permission
> denied
> > rm: cannot remove 'demo/var/lib/colord/icc': Permission denied
> > rm: cannot remove 'demo/run/systemd/netif/lldp': Permission denied
> > rm: cannot remove 'demo/run/systemd/netif/leases': Permission denied
> > rm: cannot remove 'demo/run/systemd/netif/links': Permission denied
> >
>

> --
> You received this message because you are subscribed to the Google
> Groups "singularity" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to singularity...@lbl.gov

> <mailto:singularity...@lbl.gov>.

> To view this discussion on the web visit

> https://groups.google.com/a/lbl.gov/d/msgid/singularity/df3e1fee-4cff-4536-910d-762ce9470bc4n%40lbl.gov
> <https://groups.google.com/a/lbl.gov/d/msgid/singularity/df3e1fee-4cff-4536-910d-762ce9470bc4n%40lbl.gov?utm_medium=email&utm_source=footer>.

[Haopeng Han]

Hi Thomas,

I just did an experiment on running "rm -rf /*" insider container with --fakeroot on a virtual machine. Yes, it wiped out everything under the home directory. And I think it will be the same result without --fakeroot.

Thanks & Best,

Haopeng