--fakeroot --bind and nobody


D.A. P.

Sep 14, 2021, 3:18:46 PM
to Singularity Community Edition
It seems that when I use "singularity shell --fakeroot" some "--bind" directories that I could read as the user on the host become unreadable from inside the container. On the host, the user has group read and execute permissions on a directory hierarchy. When those are bound into the container and "--fakeroot" is not specified, they are accessible from within the container. However, when "--fakeroot" is specified, the bound directories appear as owned by the nobody user and nobody group. The fake root account inside the container is unable to read them. An "ls" reports "Permission denied." I found this behavior surprising.

Is there any way to keep the bound-in directories readable when the "--fakeroot" parameter is specified?

For additional background, I am only using "--fakeroot" so that I can use "--net." The use of "--net" with "--bind" of group controlled directories is my real goal.

Singularity version 3.7.4-1.el7 (Red Hat Enterprise Linux Server release 7.9)

David Trudgian

Sep 15, 2021, 6:02:13 PM
to Singularity Community Edition
I realised I inadvertently replied without CC'ing the list to this email. Including reply here for the benefit of any others.

On Tue, Sep 14, 2021 at 2:30 PM David Trudgian <dtr...@sylabs.io> wrote:
When you use `--fakeroot` you are inside a user namespace, with subuid mappings in place. This means that user IDs in the container map to a different range of sub-uids outside of the container. This range is configured on the host where the container is running. Depending on what filesystem your binds reside on, and who the files are owned by, they may become inaccessible. I suspect you are binding files from a network (non-local) filesystem?

For example, an NFS or Lustre server doesn't know about the subuid mappings associated with the container. They are known only by the host on which the container is running, not the file server. Files owned by your host user account on the network file system should be usable in the container, as the fake root user (which maps to your host uid). However, files owned by other users on the network file system won't map to the uid/gid ranges in the container.


With regard to using `--net` without `--fakeroot`, take a look at SingularityCE 3.8. New configuration options were added that allow the administrator to 'bless' specific CNI network configurations for use by non-root users:

https://sylabs.io/guides/3.8/admin-guide/configfiles.html#networking-options

--
David Trudgian
Sylabs Inc.
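The mapping David describes can be made concrete with the uid_map/gid_map tables that a user namespace carries. The script below is an added example, not code from this thread or from SingularityCE: it takes a constructed map of the kind `--fakeroot` installs (host uid/gid 1000, with assumed /etc/subuid and /etc/subgid entries of 100000:65536, both hypothetical values) and resolves host ids to the ids a process in the namespace sees. A host id that falls outside every mapped range has no representation in the namespace, so the kernel reports it as the overflow id (65534 by default, normally named nobody/nogroup), which is the "owned by nobody" view of the bound-in group directories in the original post.

```shell
# Constructed example (not from the thread or from SingularityCE): the uid_map
# and gid_map that --fakeroot would install for host user 1000 whose assumed
# /etc/subuid and /etc/subgid entries are "user:100000:65536".
# Each line reads: <id inside the namespace> <id on the host> <count>.
FAKEROOT_UID_MAP='0 1000 1
1 100000 65536'
FAKEROOT_GID_MAP='0 1000 1
1 100000 65536'

# host_to_ns HOST_ID "MAP": the id the container sees for a host uid/gid, or
# the kernel overflow id 65534 ("nobody") when HOST_ID lies outside every
# mapped range. Bound-in files owned by other host users/groups land here.
host_to_ns() {
  printf '%s\n' "$2" | awk -v id="$1" '
    NF == 3 && id >= $2 && id < $2 + $3 { print $1 + (id - $2); found = 1; exit }
    END { if (!found) print 65534 }'
}

# ns_to_host NS_ID "MAP": the reverse lookup, i.e. the id the host kernel
# records when a process inside the namespace creates a file as NS_ID.
# Prints "unmapped" when no range covers the namespace id.
ns_to_host() {
  printf '%s\n' "$2" | awk -v id="$1" '
    NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# describe_bind HOST_UID HOST_GID: how a file with these host owners appears
# from inside the --fakeroot namespace (numeric, as "ls -n" would show it).
describe_bind() {
  printf 'host %s:%s -> container %s:%s\n' "$1" "$2" \
    "$(host_to_ns "$1" "$FAKEROOT_UID_MAP")" \
    "$(host_to_ns "$2" "$FAKEROOT_GID_MAP")"
}

describe_bind 1000 1000   # the user's own files: container 0:0 (the fake root)
describe_bind 1000 1002   # the user's file in a shared project group: 0:65534
describe_bind 1001 1002   # a colleague's group-readable file: 65534:65534
```

To check the real thing rather than the constructed table, run `cat /proc/self/uid_map /proc/self/gid_map` inside the `--fakeroot` container to see the ranges your host administrator configured, and use `ls -n` on the bind mount: an owner shown as 65534 there is an unmapped host id, not a file that actually belongs to the nobody account.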