
Feature #17560

Include unprivileged singularity in pilot software

Added by Dave Dykstra almost 3 years ago. Updated over 1 year ago.

Status: Rejected
Priority: Low
Category: -
Target version:
Start date: 08/22/2017
Due date:
% Done: 0%
Estimated time:
Stakeholders:
Duration:

Description

Beginning in EL7.4 system administrators may enable unprivileged mount namespaces which allows singularity to run without setuid-root. Let's take advantage of that by including an unprivileged copy of singularity in the software distributed by GlideinWMS to pilots. When running singularity, try that version first and only if it fails see if /usr/bin/singularity exists and if so try that.

Alternatively we could install unprivileged singularity in cvmfs somewhere (e.g. /cvmfs/grid.cern.ch), but including it in GlideinWMS pilot code will make it work even when cvmfs doesn't work.

To test, on an EL7.4 system add "namespace.unpriv_enable=1" to GRUB_CMDLINE_LINUX in /etc/sysconfig/grub, run "grub2-mkconfig -o /boot/grub2/grub.cfg", put "user.max_user_namespaces = 15000" in /etc/sysctl.d/90-max_user_namespaces.conf, and reboot.

Instructions for compiling singularity are at http://singularity.lbl.gov/install-linux. With singularity-2.3.1 (but not in the development branch) you need to change the default config options in etc/singularity/singularity.conf to 'allow setuid = no' and 'enable overlay = no'.


Related issues

Related to GlideinWMS - Support #17639: Support unprivileged singularity and update the singularity scripts (Closed, 09/05/2017)

History

#1 Updated by Dave Dykstra almost 3 years ago

A snag I just found is that singularity does not appear to be as easily relocatable as I thought it was. There is an easily-edited "prefix" setting at the beginning of bin/singularity, but it does not appear to apply to the binaries.

#2 Updated by Dave Dykstra almost 3 years ago

Relocatability is being discussed in this singularity issue

#3 Updated by Dave Dykstra almost 3 years ago

Meanwhile there's now another issue #17639 to use unprivileged singularity out of cvmfs.

#4 Updated by Parag Mhashilkar almost 3 years ago

  • Priority changed from Normal to Low
  • Stakeholders updated (diff)

I talked to Tony and this request is not coming from his group. Also, I haven't heard anything about this officially from OSG or CMS. Will assign stakeholders when I hear about this officially. Also, I would like to reiterate that glideinwms is not primarily a software distribution mechanism, CVMFS is. I am not rejecting this feature request at this moment. Glideinwms would be happy to use a preexisting deployed version of singularity as it does in the case of GLEXEC.

#5 Updated by Parag Mhashilkar almost 3 years ago

  • Related to Support #17639: Support unprivileged singularity and update the singularity scripts added

#6 Updated by Marco Mambelli about 2 years ago

After talking with Dave Dykstra we agreed that:
- GlideinWMS will not include the Singularity binary
- the binary distributed via OASIS CVMFS will be included explicitly in the search path as last element (if it is not in the path, ...)

/cvmfs/oasis.opensciencegrid.org/mis/singularity/el67-x86_64/bin/singularity
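The two mechanics this ticket turns on are the EL7.4 enablement check from the description (kernel option `namespace.unpriv_enable=1` plus a non-zero `user.max_user_namespaces`) and the binary search order agreed above (explicit candidates, then the system copy, then the OASIS CVMFS copy last). The POSIX shell below is an added example written for this page; it is not GlideinWMS or Singularity code. It assumes the sysctl is readable at /proc/sys/user/max_user_namespaces and the kernel command line at /proc/cmdline; the candidate paths handed to `find_singularity` are placeholders for whatever a pilot wrapper would search, and `RUN_DEMO` is a hypothetical switch for the stand-alone demo at the end.

```shell
#!/bin/sh
# Added example (not project code): decide whether an unprivileged
# singularity can work on this host, and pick a binary in the agreed order.

# Pure check on the two host settings named in the description.
#   $1 = kernel command line text, $2 = value of user.max_user_namespaces
# Returns 0 only if the boot option is present and the sysctl is > 0.
unpriv_ns_enabled() {
    cmdline=$1
    max_ns=$2
    # Pad with spaces so the option matches only as a whole token.
    case " $cmdline " in
        *" namespace.unpriv_enable=1 "*) ;;
        *) return 1 ;;
    esac
    # The sysctl must be a non-negative integer; 0 forbids creating namespaces.
    case $max_ns in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$max_ns" -gt 0 ]
}

# Live wrapper: read the two values from procfs (assumed locations).
host_unpriv_ns_enabled() {
    unpriv_ns_enabled "$(cat /proc/cmdline 2>/dev/null)" \
        "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)"
}

# Print the first argument that is an executable file; status 1 if none.
first_executable() {
    for candidate in "$@"; do
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Search order from the ticket: caller-supplied candidates, whatever is on
# PATH, /usr/bin/singularity, and the OASIS CVMFS copy as the last element.
find_singularity() {
    path_hit=$(command -v singularity 2>/dev/null || true)
    first_executable "$@" ${path_hit:+"$path_hit"} /usr/bin/singularity \
        /cvmfs/oasis.opensciencegrid.org/mis/singularity/el67-x86_64/bin/singularity
}

# Stand-alone demo, enabled with RUN_DEMO=1 so sourcing the file has no side effects.
if [ -n "${RUN_DEMO:-}" ]; then
    if host_unpriv_ns_enabled; then
        echo "unprivileged user namespaces: enabled (non-setuid singularity usable)"
    else
        echo "unprivileged user namespaces: disabled (only a setuid-root copy can work)"
    fi
    if bin=$(find_singularity "$@"); then
        echo "singularity binary: $bin"
    else
        echo "singularity binary: none found" >&2
        exit 1
    fi
fi
```

Run it as `RUN_DEMO=1 sh find_singularity.sh /opt/pilot/bin/singularity` to see which copy a pilot would pick; when the namespace check fails, the wrapper should fall through to the site's setuid copy rather than fail outright, which is exactly the fallback the description asks for.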

#7 Updated by Dave Dykstra about 2 years ago

This should still be done at some point but it can probably wait until Red Hat supports unprivileged namespaces in production, without it being a technology preview.

#8 Updated by Marco Mambelli over 1 year ago

  • Status changed from New to Rejected
  • Assignee set to Marco Mambelli
  • Target version set to v3_5

Superseded by [#21639]. Unprivileged Singularity will be distributed via CVMFS.

#9 Updated by Marco Mambelli over 1 year ago

  • Target version changed from v3_5 to v3_4_4