Unprivileged Encrypted container
14 views
Skip to first unread message
Alfio Lazzaro
Sep 19, 2024, 8:40:44 AM9/19/24
to Singularity Community Edition
Dear Singularity community,
We have a case where Singularity is installed with suid but there is no userns enabled. We can build on the system with PROOT. Now, the question is: can we do an encrypted build in such a case?
From what I see this is not possible, indeed I get:
> singularity build --pem-path=rsa_pub.pem test_encrypted.sif test.def
INFO: Using proot to build unprivileged. Not all builds are supported. If build fails, use --remote or --fakeroot.
FATAL: You must be root to build an encrypted container
INFO: Using proot to build unprivileged. Not all builds are supported. If build fails, use --remote or --fakeroot.
FATAL: You must be root to build an encrypted container
The naive question is: is there any way we can get encrypted builds, even with new Singularity versions as a new feature?
For instance, I've tried to use Apptainer with Gocryptfs for building, but then I can't run it with Singularity ("unknown filesystem type Unknown").
Best regards,
Alfio
David Trudgian
Oct 4, 2024, 4:12:29 AM10/4/24
to Singularity Community Edition
Hi Alfio,
SingularityCE doesn't support Apptainer's gocryptfs encrypted format, and at this time it's not on the roadmap to bring that feature across.
We havge hesitated for a few reasons:
SingularityCE doesn't support Apptainer's gocryptfs encrypted format, and at this time it's not on the roadmap to bring that feature across.
We havge hesitated for a few reasons:
- Requests for unprivileged encryption have generally involved use-cases which it does not completely satisfy. Almost all of the requests we've had come in have been wishes to use encryption to stop the end-user of the container from being able to look at its content, but still be able to run it - which is not something we can implement.
- Our main focus in SingularityCE has been the OCI-mode, and feature parity between it and the default native mode.
- The way in which the Apptainer encryption wrapping is laid out in the SIF probably wouldn't be our first choice for an implementation. There are complexities related to any future extension into OCI-Mode, and compatibility with Apptainer etc. We have limited resources and have to prioritise features to work on for SingularityCE.
If you are interested in making a case for the inclusion of unprivileged encryption, the best thing to do would be to present a detailed use-case here, or on the GitHub discussions roadmap thread. What is the aim of the encryption in this case? What does the user need to protect?
Regards,
Regards,
DT
Reply all
Reply to author
Forward
0 new messages