From 2bf2146d9779486dbf36d0b02b63af1a944efc5aabe31cf1b20dd945ea2d95f1 Mon Sep 17 00:00:00 2001 
From: Christian Goll Date: Thu, 4 Aug 2022 15:03:35 +0000 Subject: [PATCH 1/2] Accepting request 993098 from home:mslacken:pr - Updated to version 1.1.0-rc1 which enables apptainer to run without suid and additional groups. Although this is a prerelease this is a major advantage justifying its use. * Added a squashfuse image driver that enables mounting SIF files without using setuid-root. Requires the squashfuse command and unprivileged user namespaces. * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF overlay partitions without using setuid-root. Requires the fuse2fs command and unprivileged user namespaces. * Added the ability to use persistent overlay (--overlay) and --writable-tmpfs without using setuid-root. This requires unprivileged user namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs command. Persistent overlay works when the overlay path points to a regular filesystem (known as "sandbox" mode, which is not allowed when in setuid mode), or when it points to an EXT3 image. Does not work with a SIF partition because that requires privileges to mount as an ext3 image. * Extended the --fakeroot option to be useful when /etc/subuid and /etc/subgid mappings have not been set up. If they have not been set up, a root-mapped unprivileged user namespace (the equivalent of unshare -r) and/or the fakeroot command from the host will be tried. Together they emulate the mappings pretty well but they are simpler to administer. This feature is especially useful with the --overlay and --writable-tmpfs options and for building containers unprivileged, because they allow installing packages that assume they're running as root. A limitation on using it with --overlay and --writable-tmpfs however is that when only the fakeroot command can be used (because there are no user namespaces available, in suid mode) then the base image has to be a sandbox. 
This feature works nested inside of an apptainer container, where another apptainer command will also be in the fakeroot environment without requesting the --fakeroot option again, or it can be used inside an OBS-URL: https://build.opensuse.org/request/show/993098 OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=14 --- README.SUSE | 15 ---- apptainer-1.0.3.tar.gz | 3 - apptainer-1.1.0-rc.1.tar.gz | 3 + apptainer.changes | 135 ++++++++++++++++++++++++++++++++++++ apptainer.spec | 35 +++------- useful_error_message.patch | 26 ------- vendor.tar.gz | 4 +- 7 files changed, 151 insertions(+), 70 deletions(-) delete mode 100644 apptainer-1.0.3.tar.gz create mode 100644 apptainer-1.1.0-rc.1.tar.gz delete mode 100644 useful_error_message.patch diff --git a/README.SUSE b/README.SUSE index c13db4e..fa7ea34 100644 --- a/README.SUSE +++ b/README.SUSE @@ -1,18 +1,3 @@ -openSUSE/SUSE specific Settings -=============================== - -openSUSE and SUSE have a small difference with upstream default. -This means the SUID root binaries distributed by singularty are -executable only by users belonging to the group 'apptainer'. - -Otherwise, users will get an error message like this one: - -FATAL: while executing /usr/lib/apptainer/bin/starter-suid: permission denied - -To add a user to the group apptainer, execute (as root): - - # usermod -a -G apptainer - Create Apptainer Images from openSUSE/SLE =========================================== diff --git a/apptainer-1.0.3.tar.gz b/apptainer-1.0.3.tar.gz deleted file mode 100644 index cba5d4b..0000000 --- a/apptainer-1.0.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:29eb94d16cd5d3b0a10ab8c2f7bc49c003a06fddb66ef46fa53b86b9a846a459 -size 5113453 diff --git a/apptainer-1.1.0-rc.1.tar.gz b/apptainer-1.1.0-rc.1.tar.gz new file mode 100644 index 0000000..9551119 --- /dev/null +++ b/apptainer-1.1.0-rc.1.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18d2828c4c4e7adaccfbf82aac9ea8d698e11d5d4a690c372733f5eafd116d11
+size 5165719
diff --git a/apptainer.changes b/apptainer.changes
index ee7ed98..730d629 100644
--- a/apptainer.changes
+++ b/apptainer.changes
@@ -1,3 +1,138 @@ +------------------------------------------------------------------- +Thu Aug 4 12:31:33 UTC 2022 - Christian Goll + +- Updated to version 1.1.0-rc1 which enables apptainer to run without + suid and additional groups. Although this is a prerelease this is + a major advantage justifying its use. + * Added a squashfuse image driver that enables mounting SIF files without + using setuid-root. Requires the squashfuse command and unprivileged user + namespaces. + * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF + overlay partitions without using setuid-root. Requires the fuse2fs command + and unprivileged user namespaces. + * Added the ability to use persistent overlay (--overlay) and + --writable-tmpfs without using setuid-root. This requires unprivileged user + namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs + command. Persistent overlay works when the overlay path points to a regular + filesystem (known as "sandbox" mode, which is not allowed when in setuid + mode), or when it points to an EXT3 image. Does not work with a SIF + partition because that requires privileges to mount as an ext3 image. + * Extended the --fakeroot option to be useful when /etc/subuid and + /etc/subgid mappings have not been set up. If they have not been set up, a + root-mapped unprivileged user namespace (the equivalent of unshare -r) + and/or the fakeroot command from the host will be tried. Together they + emulate the mappings pretty well but they are simpler to administer. This + feature is especially useful with the --overlay and --writable-tmpfs + options and for building containers unprivileged, because they allow + installing packages that assume they're running as root. A limitation on + using it with --overlay and --writable-tmpfs however is that when only the + fakeroot command can be used (because there are no user namespaces + available, in suid mode) then the base image has to be a sandbox. 
This + feature works nested inside of an apptainer container, where another + apptainer command will also be in the fakeroot environment without + requesting the --fakeroot option again, or it can be used inside an + apptainer container that was not started with --fakeroot. However, the + fakeroot command uses LD_PRELOAD and so needs to be bound into the + container which requires a compatible libc. For that reason it doesn't work + when the host and container operating systems are of very different + vintages. If that's a problem and you want to use only an unprivileged + root-mapped namespace even when the fakeroot command is installed, just run + apptainer with unshare -r. + * Made the --fakeroot option be implied when an unprivileged user builds a + container from a definition file. When /etc/subuid and /etc/subgid mappings + are not available, all scriptlets are run in a root-mapped unprivileged + namespace (when possible) and the %post scriptlet is additionally run with + the fakeroot command. When unprivileged user namespaces are not available, + such that only the fakeroot command can be used, the --fix-perms option is + implied to allow writing into directories. + * Added a --fakeroot option to the apptainer overlay create command to make + an overlay EXT3 image file that works with the fakeroot that comes from + unprivileged root-mapped namespaces. This is not needed with the fakeroot + that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes + with only the fakeroot command in suid flow. + * $HOME is now used to find the user's configuration and cache by default. If + that is not set it will fall back to the previous behavior of looking up + the home directory in the password file. The value of $HOME inside the + container still defaults to the home directory in the password file and can + still be overridden by the --home option. 
+ * When starting a container, if the user has specified the cwd by using the + --pwd flag, if there is a problem an error is returned instead of + defaulting to a different directory. + * Nesting of bind mounts now works even when a --bind option specified a + different source and destination with a colon between them. Now the + APPTAINER_BIND environment variable makes sure the bind source is from the + bind destination so it will be succesfully re-bound into a nested apptainer + container. + * The warning about more than 50 bind mounts required for an underlay bind + has been changed to an info message. + * oci mount sets Process.Terminal: true when creating an OCI config.json, so + that oci run provides expected interactive behavior by default. + The default hostname for oci mount containers is now apptainer instead of mrsdalloway. + * systemd is now supported and used as the default cgroups manager. Set + systemd cgroups = no in apptainer.conf to manage cgroups directly via the + cgroupfs. + * Added a new action flag --no-eval which: + + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file + environment variables as they are injected in the container, to match + OCI behavior. Applies to all containers. + + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command + line arguments for containers run or built directly from an OCI/Docker + source. Applies to newly built containers only, use apptainer inspect + to check version that container was built with. + * Added --no-eval to the list of flags set by the OCI/Docker --compat mode. + * sinit process has been renamed to appinit. + * Added --keysdir to key command to provide an alternative way of setting + local keyring path. The existing reading of the keyring path from + environment variable 'APPTAINER_KEYSDIR' is untouched. + * apptainer key push will output the key server's response if included in + order to help guide users through any identity verification the server may + require. 
+ * ECL no longer requires verification for all signatures, but only when + signature verification would alter the expected behavior of the list: + + At least one matching signature included in a whitelist must be + validated, but other unvalidated signatures do not cause ECL to fail. + + All matching signatures included in a whitestrict must be validated, + but unvalidated signatures not in the whitestrict do not cause ECL to + fail. + + Signature verification is not checked for a blacklist; unvalidated + signatures can still block execution via ECL, and unvalidated + signatures not in the blacklist do not cause ECL to fail. +- New features / functionalities + * Non-root users can now use --apply-cgroups with run/shell/exec to limit + container resource usage on a system using cgroups v2 and the systemd + cgroups manager. + * Native cgroups v2 resource limits can be specified using the [unified] key + in a cgroups toml file applied via --apply-cgroups. + * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups + resource limits to a container directly. + Added instance stats command. + * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable + a bind path entry from apptainer.conf by specifying the absolute path to + the destination of the bind. + * Apptainer now supports the riscv64 architecture. + * remote add --insecure may now be used to configure endpoints that are only + accessible via http. Alternatively the environment variable + APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added + wihtout the --insecure flag. Specifying https in the remote URI overrules + both --insecure and APPTAINER_ADD_INSECURE. + * Gpu flags --nv and --rocm can now be used from an apptainer nested inside + another apptainer container. + * Added --public, --secret, and --both flags to the key remove command to + support removing secret keys from the apptainer keyring. 
+ * Debug output can now be enabled by setting the APPTAINER_DEBUG env var. + * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs + image extraction, and build stages. +- Bug fixes + * Remove warning message about SINGULARITY and APPTAINER variables having + different values when the SINGULARITY variable is not set. + * Add specific error for unreadable image / overlay file. + * Pass through a literal \n in host environment variables to the container. + * Fix loop device creation with loop-control when running inside docker containers. + * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag. +- File changes + * Removed useful_error_message.patch as not needed any more + + ------------------------------------------------------------------- Mon Jul 11 09:38:45 UTC 2022 - Christian Goll diff --git a/apptainer.spec b/apptainer.spec index cd6f65c..ff5c6f2 100644 --- a/apptainer.spec +++ b/apptainer.spec @@ -19,13 +19,13 @@ %define apptainerpath src/github.com/apptainer/ %define _buildshell /bin/bash -#%%define vers_suffix -rc.2 +%define vers_suffix -rc.1 Summary: Application and environment virtualization License: BSD-3-Clause-LBNL Group: Productivity/Clustering/Computing Name: apptainer -Version: 1.0.3 +Version: 1.1.0 Release: 0 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html URL: https://apptainer.org @@ -35,7 +35,6 @@ Source2: SLE-12SP5.def Source3: SLE-15SP3.def Source5: %{name}-rpmlintrc Source10: vendor.tar.gz -Patch1: useful_error_message.patch BuildRequires: cryptsetup BuildRequires: fdupes BuildRequires: gcc @@ -55,8 +54,8 @@ PreReq: permissions # there's no golang for ppc64, ppc64le does not have non pie builds ExcludeArch: ppc64 ppc64le -Provides: %{name}-runtime Obsoletes: singularity +Obsoletes: singularity-ce Obsoletes: singularity-runtime %description 
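Review bot: The `@@ -55,8 +54,8 @@` hunk drops `Provides: %{name}-runtime` while keeping `Obsoletes: singularity-runtime`, so any package or local install that depends on `apptainer-runtime` stops resolving after this update. If that Provides only mirrored the obsoleted singularity-runtime name, keeping the one line costs nothing and avoids a dependency break on upgrade; otherwise the changes entry should say why it was removed, since the file-change list in the changelog hunk above does not mention it.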
@@ -68,14 +67,13 @@ containers that can be used across host environments. cp %{S:1} %{S:2} %{S:3} . mv %{name}-%{version}%{?vers_suffix} %{name} cd %{_builddir}/gopath/%{apptainerpath}/apptainer -%patch1 -p1 %build cd %{name} # create VERSION file echo %version > VERSION # Not all of these parameters currently have an effect, but they might be -# used someday. They are the same parameters as in the configure macro. +# used someday. They are the same parameters as in the configure macro. tar xzf %{S:10} ./mconfig -V %{version}-%{release} \ -P release \ @@ -91,7 +89,8 @@ tar xzf %{S:10} --localstatedir=%{_localstatedir}/lib \ --sharedstatedir=%{_sharedstatedir} \ --mandir=%{_mandir} \ - --infodir=%{_infodir} + --infodir=%{_infodir} \ + --without-suid cd builddir make V="" old_config= @@ -101,8 +100,7 @@ export GOFLAGS=-mod=vendor export PATH=$GOPATH/bin:$PATH cd %{name}/builddir -mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 -make DESTDIR=$RPM_BUILD_ROOT install man +make DESTDIR=$RPM_BUILD_ROOT install cd ../.. %fdupes apptainer/examples mkdir -p .tmp @@ -115,21 +113,10 @@ for j in LICENSE.md LICENSE; do done done -echo "g %name -" > system-group-%{name}.conf -%sysusers_generate_pre system-group-%{name}.conf %{name} system-group-%{name}.conf -install -D -m 644 system-group-%{name}.conf %{buildroot}%{_sysusersdir}/system-group-%{name}.conf - -%fdupes -s .tmp +%fdupes -s .tmp/ mv .tmp/* . rmdir .tmp - -%pre -f %{name}.pre - -%post -%set_permissions %{_libexecdir}/apptainer/bin/starter-suid - -%verifyscript -%set_permissions %{_libexecdir}/apptainer/bin/starter-suid +%fdupes -s %buildroot %files %doc apptainer/examples 
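Review bot: The `--without-suid` switch in the `@@ -91,7 +89,8 @@` hunk together with the removal of the `starter-suid` scriptlets in `@@ -115,21 +113,10 @@` makes the runtime depend on unprivileged user namespaces and on the helper commands the changelog names (squashfuse, fuse2fs, fuse-overlayfs), yet none of the spec hunks adds a runtime dependency on the packages providing them; unless such a line exists outside the shown hunks, a minimal install cannot mount SIF images at all. Consider `Requires: squashfuse` beside the BuildRequires block plus `Recommends:` entries for the packages that ship the fuse2fs and fuse-overlayfs commands. With `%set_permissions` and `%verifyscript` gone, the `PreReq: permissions` visible in the `@@ -55,8 +54,8 @@` header context is now unused and can be dropped in the same change. The new `%fdupes -s %buildroot` symlinks duplicates across the whole install tree, including the `%config(noreplace)` files under `%{_sysconfdir}/apptainer`; if any two of those are byte-identical one of them becomes a symlink, so limiting the call to the doc and man-page trees would be safer. Since README.SUSE lost its admin note, a replacement sentence stating that the non-suid flow needs unprivileged user namespaces enabled on the host would help users who hit mount failures.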
@@ -142,12 +129,13 @@ rmdir .tmp %doc %{basename:%{S:3}} %license apptainer/LICENSE.md %license *-LICENSE.md *-LICENSE -%attr(4750, root, apptainer) %{_libexecdir}/apptainer/bin/starter-suid %{_bindir}/* %dir %{_libexecdir}/apptainer %dir %{_libexecdir}/apptainer/bin %dir %{_libexecdir}/apptainer/cni +%dir %{_libexecdir}/apptainer/lib %{_libexecdir}/apptainer/bin/starter +%{_libexecdir}/apptainer/lib/offsetpreload.so %{_libexecdir}/apptainer/cni/* %dir %{_sysconfdir}/apptainer %config(noreplace) %{_sysconfdir}/apptainer/capability.json @@ -166,6 +154,5 @@ rmdir .tmp %dir %{_localstatedir}/lib/apptainer/mnt %dir %{_localstatedir}/lib/apptainer/mnt/session %{_mandir}/man1/* -%{_sysusersdir}/system-group-%{name}.conf %changelog diff --git a/useful_error_message.patch b/useful_error_message.patch deleted file mode 100644 index f255a95..0000000 --- a/useful_error_message.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 5194ad8f863e971dde1c668d9c9de844b58ae893 Mon Sep 17 00:00:00 2001 -From: Christian Goll -Date: Mon, 13 Dec 2021 14:35:41 +0100 -Subject: [PATCH] Add an useful error message when the user doesn't belong to - the singularity group - ---- - internal/pkg/util/starter/starter.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/internal/pkg/util/starter/starter.go b/internal/pkg/util/starter/starter.go -index 11858ee20..5f76ac08d 100644 ---- a/internal/pkg/util/starter/starter.go -+++ b/internal/pkg/util/starter/starter.go -@@ -94,7 +94,7 @@ func Exec(name string, config *config.Common, ops ...CommandOp) error { - return fmt.Errorf("while initializing starter command: %s", err) - } - err := unix.Exec(c.path, []string{name}, c.env) -- return fmt.Errorf("while executing %s: %s", c.path, err) -+ return fmt.Errorf("while executing %s: %s\nPlease read /usr/share/doc/packages/apptainer/README.SUSE to get help\n", c.path, err) - } - - // Run executes the starter binary and returns once starter --- -2.34.1 - 
diff --git a/vendor.tar.gz b/vendor.tar.gz index c70fe4a..1b3d3f4 100644 --- a/vendor.tar.gz +++ b/vendor.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:009ecb531043c5b66eaf112a9a2a3f9f8612d890ce59fae16ac30128b031078e -size 6499970 +oid sha256:7735457b98aafd288d84535215550976fff739082cd8290784415e1bee514c1f +size 7205443 From 0aad0a2b682710bd0babba8bd10a8360a0dfeecfa0f6906cba79b346ea88b4bb Mon Sep 17 00:00:00 2001 From: Christian Goll Date: Fri, 5 Aug 2022 08:57:40 +0000 Subject: [PATCH 2/2] Accepting request 993258 from home:mslacken:pr * Added fix-32bit-compilation.patch from upstream OBS-URL: https://build.opensuse.org/request/show/993258 OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=15 --- apptainer.changes | 1 + apptainer.spec | 2 ++ fix-32bit-compilation.patch | 26 ++++++++++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 fix-32bit-compilation.patch diff --git a/apptainer.changes b/apptainer.changes index 730d629..bc29ac5 100644 --- a/apptainer.changes +++ b/apptainer.changes @@ -131,6 +131,7 @@ Thu Aug 4 12:31:33 UTC 2022 - Christian Goll * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag. - File changes * Removed useful_error_message.patch as not needed any more + * Added fix-32bit-compilation.patch from upstream ------------------------------------------------------------------- diff --git a/apptainer.spec b/apptainer.spec index ff5c6f2..cc5909c 100644 --- a/apptainer.spec +++ b/apptainer.spec @@ -35,6 +35,7 @@ Source2: SLE-12SP5.def Source3: SLE-15SP3.def Source5: %{name}-rpmlintrc Source10: vendor.tar.gz +Patch1: fix-32bit-compilation.patch BuildRequires: cryptsetup BuildRequires: fdupes BuildRequires: gcc @@ -67,6 +68,7 @@ containers that can be used across host environments. cp %{S:1} %{S:2} %{S:3} . mv %{name}-%{version}%{?vers_suffix} %{name} cd %{_builddir}/gopath/%{apptainerpath}/apptainer +%patch1 -p1 %build cd %{name} 
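Review bot: `Patch1: fix-32bit-compilation.patch` in the `@@ -35,6 +35,7 @@` hunk carries no provenance comment; openSUSE spec convention is a tag line above it such as `# PATCH-FIX-UPSTREAM fix-32bit-compilation.patch -- 32-bit build fix, upstream commit cf82cf54`, which lets a later update see that the patch can be dropped once a release containing it is packaged. The number 1 is reused from the useful_error_message.patch removed in the previous commit; that is harmless, but a fresh number would keep the changes entries easier to correlate with the spec history.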
diff --git a/fix-32bit-compilation.patch b/fix-32bit-compilation.patch
new file mode 100644
index 0000000..c9337ea
--- /dev/null
+++ b/fix-32bit-compilation.patch
@@ -0,0 +1,26 @@
+From cf82cf54c592e1fb86fe0b552c2a1769c5193725 Mon Sep 17 00:00:00 2001
+From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
+Date: Tue, 2 Aug 2022 11:55:17 -0500
+Subject: [PATCH] fix 32bit compilation
+
+Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
+---
+ internal/pkg/util/fs/overlay/overlay_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/internal/pkg/util/fs/overlay/overlay_linux.go b/internal/pkg/util/fs/overlay/overlay_linux.go
+index b5eff4bd2..7b220f97f 100644
+--- a/internal/pkg/util/fs/overlay/overlay_linux.go
++++ b/internal/pkg/util/fs/overlay/overlay_linux.go
+@@ -81,7 +81,7 @@ func check(path string, d dir, allowType int64) error {
+ return nil
+ }
+
+- if stfs.Type == allowType {
++ if int64(stfs.Type) == allowType {
+ return nil
+ }
+
+--
+2.37.1
+
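Review bot: The backported line `if int64(stfs.Type) == allowType {` makes the comparison compile on every target, but on 32-bit architectures where the statfs `Type` field is a signed 32-bit integer a filesystem magic above 0x7fffffff is sign-extended to a negative int64 and can never equal a positive `allowType`, so the check would silently fail there if any caller passes such a constant. A width-preserving form such as `if int64(uint32(stfs.Type)) == allowType {` compares the same 32-bit magic on all targets; since this is an upstream fix, that is better raised upstream than diverged locally. The surrounding `check` function, whose signature appears in the embedded hunk header, starts and ends outside the hunk, so which `allowType` values actually reach it cannot be verified here.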