Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Address layer / image extraction issues in user namespaces #2699

Merged
merged 2 commits into from
Mar 4, 2024
Merged

fix: Address layer / image extraction issues in user namespaces #2699

merged 2 commits into from
Mar 4, 2024

Conversation

dtrudg
Copy link
Member

@dtrudg dtrudg commented Mar 1, 2024
edited
Loading

Description of the Pull Request (PR):

Note - there are no e2e tests for the nested containers / nested namespaces situations that are fixed by the commits in this PR. However, our e2e tests do confirm the changes don't cause regressions in non-nested cases.

The e2e framework doesn't offer a great way of executing singularity nested, and I've opened an issue (#2700) to address this to verify functionality more generally than a messy one-off for this PR would handle.

fix: use rootless umoci inside user namespace

If we are running from within a user namespace, then use rootless OCI layer extrraction with umoci.

This permits the extraction to complete when singularity is run under unshare -r.

fix: honor --userns in unsquashfs wrapping

If singularity is executed with --userns/-u then it should also use a user namespace where it executes unsquashfs in a wrapped manner.

Previously the unsquashfs wrapping was without --userns/-u in a setuid installation. This caused extraction to fail from within a non-root-mapped user namespace (e.g. unshare -c).

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:

@dtrudg dtrudg added bug Something isn't working backport Backport this to stable version labels Mar 1, 2024
@dtrudg dtrudg added this to the SingularityCE 4.1.2 milestone Mar 1, 2024
@dtrudg dtrudg self-assigned this Mar 1, 2024
@dtrudg
fix: use rootless umoci inside user namespace
877b762 
If we are running from within a user namespace, then use rootless OCI
layer with umoci.

This permits the extraction to complete when singularity is run under
`unshare -r`.

Part of sylabs#2698
@dtrudg dtrudg force-pushed the unshare-fixes branch 4 times, most recently from f6b2f83 to f07b511 Compare March 1, 2024 12:21
@dtrudg
fix: honor --userns in unsquashfs wrapping
829c9fe 
If singularity is executed with `--userns/-u` then where possible it
should also use a user namespace where it executes `unsquashfs` in a
wrapped manner.

Previously the `unsquashfs` wrapping was without `--userns/-u` in a
setuid installation. This caused extraction to fail from within a
non-root-mapped user namespace (e.g. `unshare -c`).

Part of sylabs#2698
@dtrudg dtrudg marked this pull request as ready for review March 1, 2024 13:03
@dtrudg dtrudg mentioned this pull request Mar 4, 2024
Merged
@dtrudg dtrudg merged commit 5db897a into sylabs:main Mar 4, 2024
1 check passed
@dtrudg dtrudg deleted the unshare-fixes branch March 4, 2024 15:55
@DrDaveD DrDaveD mentioned this pull request Apr 2, 2024
Closed
21 tasks
@JasonYangShadow JasonYangShadow mentioned this pull request Oct 3, 2024
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wobito wobito wobito approved these changes

Assignees

@dtrudg dtrudg

Labels
backport Backport this to stable version bug Something isn't working
Projects
None yet
Milestone
SingularityCE 4.1.2
Development

Successfully merging this pull request may close these issues.

Running Singularity in a user namespace created by an unprivileged user doesn't work
2 participants
@dtrudg @wobito