Include unprivileged singularity in pilot software
Beginning in EL7.4, system administrators may enable unprivileged mount namespaces, which allows singularity to run without setuid-root. Let's take advantage of that by including an unprivileged copy of singularity in the software distributed by GlideinWMS to pilots. When running singularity, try that version first, and only if it fails see if /usr/bin/singularity exists and, if so, try that.
Alternatively we could install unprivileged singularity in cvmfs somewhere (e.g. /cvmfs/grid.cern.ch), but including it in GlideinWMS pilot code will make it work even when cvmfs doesn't work.
To test, on an EL7.4 system add "namespace.unpriv_enable=1" to GRUB_CMDLINE_LINUX in /etc/sysconfig/grub, run "grub2-mkconfig -o /boot/grub2/grub.cfg", put "user.max_user_namespaces = 15000" in /etc/sysctl.d/90-max_user_namespaces.conf, and reboot.
Instructions for compiling singularity are at http://singularity.lbl.gov/install-linux. With singularity-2.3.1 (but not in the development branch) you need to change the default config options in etc/singularity/singularity.conf to 'allow setuid = no' and 'enable overlay = no'.
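A preflight check for the host and config settings listed in the description above, added here as an example (not GlideinWMS or Singularity code). The function names are hypothetical, and file paths are passed as arguments so the check can also run on saved copies of the files.

```shell
#!/bin/sh
# Added example: verify the EL7.4 prerequisites for unprivileged singularity.

# Succeeds if the kernel command line carries namespace.unpriv_enable=1.
# $1: kernel command line file (normally /proc/cmdline)
cmdline_enables_userns() {
    for arg in $(cat "$1"); do
        [ "$arg" = "namespace.unpriv_enable=1" ] && return 0
    done
    return 1
}

# Succeeds if the user namespace limit is a positive integer.
# $1: file holding the value (normally /proc/sys/user/max_user_namespaces)
userns_limit_positive() {
    val=$(tr -d ' \t\n' < "$1")
    case "$val" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$val" -gt 0 ]
}

# Succeeds if singularity.conf sets "<key> = no" on an uncommented line.
# Assumption: if the key appears more than once, the last setting is used.
# $1: path to singularity.conf, $2: key such as "allow setuid"
conf_is_no() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1)
    [ "$val" = "no" ]
}

# Prints one line per unmet requirement; returns 0 only if all are met.
# $1: cmdline file, $2: max_user_namespaces file, $3: singularity.conf
unpriv_singularity_ready() {
    rc=0
    cmdline_enables_userns "$1" || { echo "missing namespace.unpriv_enable=1"; rc=1; }
    userns_limit_positive "$2" || { echo "user.max_user_namespaces is 0 or unset"; rc=1; }
    conf_is_no "$3" "allow setuid" || { echo "allow setuid is not 'no'"; rc=1; }
    conf_is_no "$3" "enable overlay" || { echo "enable overlay is not 'no'"; rc=1; }
    return $rc
}
```

On a live host, call `unpriv_singularity_ready /proc/cmdline /proc/sys/user/max_user_namespaces <prefix>/etc/singularity/singularity.conf`, where `<prefix>` is wherever the unprivileged copy was installed.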
#4 Updated by Parag Mhashilkar almost 3 years ago
- Priority changed from Normal to Low
- Stakeholders updated
I talked to Tony and this request is not coming from his group. Also, I haven't heard anything about this officially from OSG or CMS. Will assign stakeholders when I hear about this officially. Also, I would like to reiterate that glideinwms is not primarily a software distribution mechanism, CVMFS is. I am not rejecting this feature request at this moment. Glideinwms would be happy to use a preexisting deployed version of singularity as it does in the case of GLEXEC.
#6 Updated by Marco Mambelli about 2 years ago
After talking with Dave Dykstra we agreed that:
- GlideinWMS will not include the Singularity binary
- the binary distributed via OASIS CVMFS will be included explicitly in the search path as the last element (if it is not in the path, ...)