ERROR : User namespace not supported, and program not running privileged.

[soichih]

I am finally testing singularity on our HTC cluster; Indiana University Karst (running on RHEL6), and I am seeing following error messages.

$ singularity -v shell docker://ubuntu bash
increasing verbosity level (2)
Exec'ing: /N/soft/rhel6/singularity/2.2/libexec/singularity/cli/shell.exec docker://ubuntulibrary/ubuntu:latest
Downloading layer: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Downloading layer: sha256:668604fde02e75dddb4b44c80d4ce20baaac4832c41c3a945f4a236cd7d2f164
Downloading layer: sha256:2879a7ad31445fe2cea410b8ba76704003c11ee05c0a4d32d1113009ea1a1aae
Downloading layer: sha256:de413bb911fd848383ef2e5068a42c258c898d6ee869fb441fb2391eb327b576
Downloading layer: sha256:fc19d60a83f11bbddc7bd2dfca6095b49100314bfde61d83729112a6b6e11d48
Downloading layer: sha256:6bbedd9b76a496816d86a0af731ea984f40467ef8fb23be752f801cb80436ac6
VERBOSE: Set messagelevel to: 2
VERBOSE: Running NON-SUID program workflow
VERBOSE: Opening configuration file: /N/soft/rhel6/singualrity/2.2/etc/singularity/singularity.conf
VERBOSE: Not invoking SUID mode: SUID sexec not installed
ERROR  : User namespace not supported, and program not running privileged.
ABORT  : Retval = 255
VERBOSE: Cleaning sessiondir: /tmp/.singularity-session-740536.2050.10354693
VERBOSE: Cleaning run directory: /tmp/singularity-rundir.Q1oe5W65

Our sysadmin confirmed that the singularity was cleanly installed, and I see sexec-suid installed with SUID

hayashis@h1(karst):/N/soft/rhel6/singularity/2.2/libexec/singularity $ ls -lrt
total 1536
drwxr-sr-x 4 root root   4096 Oct 14 16:20 bootstrap
drwxr-sr-x 2 root root   4096 Oct 14 16:20 cli
drwxr-sr-x 2 root root   4096 Oct 14 16:20 helpers
drwxr-sr-x 3 root root   4096 Oct 14 16:20 python
-rwxr-xr-x 1 root root   6724 Oct 14 16:20 functions
-rwxr-xr-x 1 root root   8963 Oct 14 16:20 image-handler.sh
-rwsr-xr-x 1 root root 297682 Oct 14 16:20 sexec-suid
-rwxr-xr-x 1 root root  49541 Oct 14 16:20 sexec
-rwxr-xr-x 1 root root  43545 Oct 14 16:20 image-create
-rwxr-xr-x 1 root root  43553 Oct 14 16:20 image-expand
-rwxr-xr-x 1 root root  47354 Oct 14 16:20 image-mount
-rwxr-xr-x 1 root root  48584 Oct 14 16:20 image-bind
-rwxr-xr-x 1 root root  45720 Oct 14 16:20 get-section

I've also manually confirmed that setuid works on our shared filesystem (that /N/soft is mounted on)

$ id -u
835560
$ ./setuid.bin 
740536

What else should I check?

[gmkurtzer]

Hrmm, that is very odd... Can you run it with debugging enabled(singularity --debug ...), and also through strace -ff and send me the full output of both?

Thanks!

[kmuriki]

Is it possible the admin has disabled the setuid in the singularity config
file ?

allow setuid = no

Just in case this helps,
--Krishna.

On Wed, Oct 26, 2016 at 8:41 AM, Gregory M. Kurtzer <
notifications@github.com> wrote:

Hrmm, that is very odd... Can you run it with debugging enabled(singularity
--debug ...), and also through strace -ff and send me the full output of
both?

Thanks!

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#267 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ACQb9tEsryFLbHQBXKKERILgyWHtnWaFks5q33ScgaJpZM4KhUUD
.

[bbockelm]

@soichih - when you get a chance to do the strace test (and it should be OK to do this as an unprivileged user -- the failure is occurring before any privilege "stuff" happens), feel free to add me to the CC as well. Probably don't need to dump the whole output (which will be large) into the ticket.

[gmkurtzer]

@kmuriki If it was disabled in the config we should see the line:

VERBOSE: Not invoking SUID mode: disallowed by the system administrator

But now I'm double checking, and I just found something interesting... I am not doing a separate check to see if the sexec-suid is present and executable, I simply check to see if it is owned by root and is SUID. Hrmm.. I think another check is necessary, but in the mean time the strace output should be interesting.

Thanks!

[soichih]

@kmuriki
Yes, setuid is set to allowed

allow setuid = yes

@bbockelm @gmkurtzer
I am having trouble running strace on karst..

$ strace -ff ls
strace: test_ptrace_setoptions_followfork: PTRACE_TRACEME doesn't work: No such process
strace: test_ptrace_setoptions_followfork: unexpected exit status 1

whatever that means.. I've asked our sys admins about this and hopefully I will send you the strace later today. (update: Our sysad says "dirtyc0w stap mitigation disables ptrace")

Meanwhile, here is the --debug output

VERBOSE [U=740536,P=15690] message.c:52:init()                        : Set messagelevel to: 5
DEBUG   [U=740536,P=15690] privilege.c:66:singularity_priv_init()     : Called singularity_priv_init(void)
DEBUG   [U=740536,P=15690] privilege.c:131:singularity_priv_init()    : Returning singularity_priv_init(void)
DEBUG   [U=740536,P=15690] privilege.c:179:singularity_priv_drop()    : Dropping privileges to UID=740536, GID=236
DEBUG   [U=740536,P=15690] privilege.c:191:singularity_priv_drop()    : Confirming we have correct UID/GID
VERBOSE [U=740536,P=15690] sexec.c:73:main()                          : Running NON-SUID program workflow
DEBUG   [U=740536,P=15690] sexec.c:75:main()                          : Checking program has appropriate permissions
VERBOSE [U=740536,P=15690] config_parser.c:43:singularity_config_open(): Opening configuration file: /N/soft/rhel6/singualrity/2.2/etc/singularity/singularity.conf
DEBUG   [U=740536,P=15690] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file
VERBOSE [U=740536,P=15690] sexec.c:85:main()                          : Checking that we are allowed to run as SUID
DEBUG   [U=740536,P=15690] config_parser.c:107:singularity_config_get_bool(): Called singularity_config_get_bool(allow setuid, 1)
DEBUG   [U=740536,P=15690] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(allow setuid)
VERBOSE [U=740536,P=15690] config_parser.c:91:singularity_config_get_value(): Got config key allow setuid (= 'yes')
DEBUG   [U=740536,P=15690] config_parser.c:113:singularity_config_get_bool(): Return singularity_config_get_bool(allow setuid, 1) = 1
VERBOSE [U=740536,P=15690] sexec.c:87:main()                          : Checking if we were requested to run as NOSUID by user
DEBUG   [U=740536,P=15690] util/util.c:92:envar_defined()             : Checking if environment variable is defined: SINGULARITY_NOSUID
VERBOSE [U=740536,P=15690] util/util.c:94:envar_defined()             : Environment variable is undefined: SINGULARITY_NOSUID
VERBOSE [U=740536,P=15690] sexec.c:97:main()                          : Not invoking SUID mode: SUID sexec not installed
DEBUG   [U=740536,P=15690] util/util.c:102:envar_path()               : Checking environment variable is valid path: 'SINGULARITY_IMAGE'
VERBOSE [U=740536,P=15690] util/util.c:50:envar()                     : Checking input from environment: 'SINGULARITY_IMAGE'
DEBUG   [U=740536,P=15690] util/util.c:52:envar()                     : Checking environment variable is defined: SINGULARITY_IMAGE
DEBUG   [U=740536,P=15690] util/util.c:58:envar()                     : Checking environment variable length (<= 4096): SINGULARITY_IMAGE
DEBUG   [U=740536,P=15690] util/util.c:64:envar()                     : Checking environment variable has allowed characters: SINGULARITY_IMAGE
VERBOSE [U=740536,P=15690] util/util.c:87:envar()                     : Obtained input from environment 'SINGULARITY_IMAGE' = '/tmp/singularity-rundir.CgM99aSO/ubuntu'
VERBOSE [U=740536,P=15690] util/util.c:50:envar()                     : Checking input from environment: 'SINGULARITY_COMMAND'
DEBUG   [U=740536,P=15690] util/util.c:52:envar()                     : Checking environment variable is defined: SINGULARITY_COMMAND
DEBUG   [U=740536,P=15690] util/util.c:58:envar()                     : Checking environment variable length (<= 10): SINGULARITY_COMMAND
DEBUG   [U=740536,P=15690] util/util.c:64:envar()                     : Checking environment variable has allowed characters: SINGULARITY_COMMAND
VERBOSE [U=740536,P=15690] util/util.c:87:envar()                     : Obtained input from environment 'SINGULARITY_COMMAND' = 'shell'
DEBUG   [U=740536,P=15690] action.c:55:singularity_action_init()      : Checking on action to run
DEBUG   [U=740536,P=15690] action.c:63:singularity_action_init()      : Setting action to: shell
DEBUG   [U=740536,P=15690] action.c:95:singularity_action_init()      : Getting current working directory path string
DEBUG   [U=740536,P=15690] rootfs.c:71:singularity_rootfs_init()      : Checking on container source type
DEBUG   [U=740536,P=15690] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file
DEBUG   [U=740536,P=15690] rootfs.c:80:singularity_rootfs_init()      : Figuring out where to mount Singularity container
DEBUG   [U=740536,P=15690] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(container dir)
VERBOSE [U=740536,P=15690] config_parser.c:91:singularity_config_get_value(): Got config key container dir (= '/var/singularity/mnt')
DEBUG   [U=740536,P=15690] rootfs.c:86:singularity_rootfs_init()      : Set image mount path to: /var/singularity/mnt
DEBUG   [U=740536,P=15690] dir.c:44:rootfs_dir_init()                 : Inializing container rootfs dir subsystem
DEBUG   [U=740536,P=15690] util/util.c:92:envar_defined()             : Checking if environment variable is defined: SINGULARITY_WRITABLE
VERBOSE [U=740536,P=15690] util/util.c:94:envar_defined()             : Environment variable is undefined: SINGULARITY_WRITABLE
DEBUG   [U=740536,P=15690] sessiondir.c:60:singularity_sessiondir_init(): Checking Singularity configuration for 'sessiondir prefix'
DEBUG   [U=740536,P=15690] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file
DEBUG   [U=740536,P=15690] util/util.c:102:envar_path()               : Checking environment variable is valid path: 'SINGULARITY_SESSIONDIR'
VERBOSE [U=740536,P=15690] util/util.c:50:envar()                     : Checking input from environment: 'SINGULARITY_SESSIONDIR'
DEBUG   [U=740536,P=15690] util/util.c:52:envar()                     : Checking environment variable is defined: SINGULARITY_SESSIONDIR
VERBOSE [U=740536,P=15690] util/util.c:54:envar()                     : Environment variable is NULL: SINGULARITY_SESSIONDIR
DEBUG   [U=740536,P=15690] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(sessiondir prefix)
DEBUG   [U=740536,P=15690] config_parser.c:99:singularity_config_get_value(): No configuration file entry found for 'sessiondir prefix'
DEBUG   [U=740536,P=15690] sessiondir.c:75:singularity_sessiondir_init(): Set sessiondir to: /tmp/.singularity-session-740536.2050.3932208
DEBUG   [U=740536,P=15690] util/file.c:245:s_mkpath()                 : Creating directory: /tmp/.singularity-session-740536.2050.3932208
DEBUG   [U=740536,P=15690] sessiondir.c:91:singularity_sessiondir_init(): Opening sessiondir file descriptor
DEBUG   [U=740536,P=15690] sessiondir.c:97:singularity_sessiondir_init(): Setting shared flock() on session directory
DEBUG   [U=740536,P=15690] util/util.c:92:envar_defined()             : Checking if environment variable is defined: SINGULARITY_NOSESSIONCLEANUP
VERBOSE [U=740536,P=15690] util/util.c:94:envar_defined()             : Environment variable is undefined: SINGULARITY_NOSESSIONCLEANUP
DEBUG   [U=740536,P=15690] util/util.c:92:envar_defined()             : Checking if environment variable is defined: SINGULARITY_NOCLEANUP
VERBOSE [U=740536,P=15690] util/util.c:94:envar_defined()             : Environment variable is undefined: SINGULARITY_NOCLEANUP
VERBOSE [U=740536,P=15690] fork.c:74:singularity_fork()               : Forking child process
VERBOSE [U=740536,P=15690] fork.c:90:singularity_fork()               : Hello from parent process
DEBUG   [U=740536,P=15690] fork.c:109:singularity_fork()              : Assigning sigaction()s
DEBUG   [U=740536,P=15690] fork.c:140:singularity_fork()              : Creating generic signal pipes
DEBUG   [U=740536,P=15690] fork.c:148:singularity_fork()              : Creating sigcld signal pipes
DEBUG   [U=740536,P=15690] fork.c:170:singularity_fork()              : Waiting on signal from watchdog
VERBOSE [U=740536,P=15805] fork.c:78:singularity_fork()               : Hello from child process
DEBUG   [U=740536,P=15805] fork.c:81:singularity_fork()               : Closing watchdog write pipe
DEBUG   [U=740536,P=15805] fork.c:86:singularity_fork()               : Child process is returning control to process thread
DEBUG   [U=740536,P=15805] ns.c:45:singularity_ns_unshare()           : Unsharing all namespaces
DEBUG   [U=740536,P=15805] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file
DEBUG   [U=740536,P=15805] config_parser.c:107:singularity_config_get_bool(): Called singularity_config_get_bool(allow user ns, 1)
DEBUG   [U=740536,P=15805] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(allow user ns)
DEBUG   [U=740536,P=15805] config_parser.c:99:singularity_config_get_value(): No configuration file entry found for 'allow user ns'
DEBUG   [U=740536,P=15805] config_parser.c:126:singularity_config_get_bool(): Undefined configuration for 'allow user ns', returning default: yes
DEBUG   [U=740536,P=15805] user.c:77:singularity_ns_user_unshare()    : Attempting to virtualize the USER namespace
VERBOSE [U=740536,P=15805] user.c:79:singularity_ns_user_unshare()    : Not virtualizing USER namespace: runtime support failed (22:Invalid argument)
ERROR   [U=740536,P=15805] user.c:52:check_for_suid()                 : User namespace not supported, and program not running privileged.
ABORT   [U=740536,P=15805] user.c:53:check_for_suid()                 : Retval = 255
DEBUG   [U=740536,P=15690] fork.c:52:handle_sigchld()                 : Checking child pids: 15805 15805
DEBUG   [U=740536,P=15690] fork.c:54:handle_sigchld()                 : Forwarding signal through sigchld_signal_wpipe
DEBUG   [U=740536,P=15690] fork.c:196:singularity_fork()              : Parent process is exiting
DEBUG   [U=740536,P=15690] util/util.c:102:envar_path()               : Checking environment variable is valid path: 'SINGULARITY_RUNDIR'
VERBOSE [U=740536,P=15690] util/util.c:50:envar()                     : Checking input from environment: 'SINGULARITY_RUNDIR'
DEBUG   [U=740536,P=15690] util/util.c:52:envar()                     : Checking environment variable is defined: SINGULARITY_RUNDIR
DEBUG   [U=740536,P=15690] util/util.c:58:envar()                     : Checking environment variable length (<= 4096): SINGULARITY_RUNDIR
DEBUG   [U=740536,P=15690] util/util.c:64:envar()                     : Checking environment variable has allowed characters: SINGULARITY_RUNDIR
VERBOSE [U=740536,P=15690] util/util.c:87:envar()                     : Obtained input from environment 'SINGULARITY_RUNDIR' = '/tmp/singularity-rundir.CgM99aSO'
DEBUG   [U=740536,P=15690] sessiondir.c:111:singularity_sessiondir_init(): Cleanup thread waiting on child...
DEBUG   [U=740536,P=15690] sessiondir.c:116:singularity_sessiondir_init(): Checking to see if we are the last process running in this sessiondir
VERBOSE [U=740536,P=15690] sessiondir.c:118:singularity_sessiondir_init(): Cleaning sessiondir: /tmp/.singularity-session-740536.2050.3932208
DEBUG   [U=740536,P=15690] util/file.c:267:s_rmdir()                  : Removing directory: /tmp/.singularity-session-740536.2050.3932208
VERBOSE [U=740536,P=15690] sessiondir.c:126:singularity_sessiondir_init(): Cleaning run directory: /tmp/singularity-rundir.CgM99aSO
DEBUG   [U=740536,P=15690] util/file.c:267:s_rmdir()                  : Removing directory: /tmp/singularity-rundir.CgM99aSO

[gmkurtzer]

Hrmm.. Unfortunately, no new insights... :(

Yeah, for sure let us know what they say about the strace! Thanks!

[soichih]

@gmkurtze I have to wait at least until next Tuesday to get the strace. strace doesn't work on karst right now because we have the dirtyCOW patch in place. The new kernel is going in next Tuesday and I will run strace again when that happens. I wonder if the issue itself is caused by this patch?

[gmkurtzer]

I would think that they are unrelated, but... crossing fingers anyway! Thanks for the update!

[bauerm97]

I think I see where this is coming from at least. We see in the --debug output that

VERBOSE [U=740536,P=15690] sexec.c:97:main() : Not invoking SUID mode: SUID sexec not installed

is output. From your ls -lrt it's clear that the sexec-suid binary has the proper permissions set. If we check the code that results in this line we can see what it's doing.

char sexec_suid_path[] = LIBEXECDIR "/singularity/sexec-suid";

if ( ( is_owner(sexec_suid_path, 0 ) == 0 ) && ( is_suid(sexec_suid_path) == 0 ) ) {
        singularity_message(VERBOSE, "Invoking SUID sexec: %s\n", sexec_suid_path);

        execv(sexec_suid_path, argv); // Flawfinder: ignore                                                                  
        singularity_abort(255, "Failed to execute sexec binary (%s): %s\n", sexec_suid_path, strerror(errno));
} else {
        singularity_message(VERBOSE, "Not invoking SUID mode: SUID sexec not installed\n");
}

Now we know that if sexec_suid_path is actually the path to the suid binary, this part will resolve properly. I'm willing to wager that sexec_suid_path is being incorrectly set because LIBEXECDIR is incorrect somehow, which in turn causes is_owner() to return(-1). LIBEXECDIR is passed from the makefile, and is substituted in at compile time not runtime.

Could it be possible that your sysadmin compiled singularity first somewhere else, and then manually moved it over to the location on your /N/ file system? If this happened that would explain why the suid bit was properly set on the sexec-suid binary, as well as why the previously mentioned conditional evaluated false. The SUID bit and LIBEXECDIR preprocessor directive is set at compile time in /src/Makefile.am.

I'm not sure how you could test this theory without strace however, but you can ask your sysadmin if he did something to that effect and we could maybe narrow down the issue.

@gmkurtzer @soichih Let me know what you guys think.

[soichih]

@bauerm97

I think you are right. I think it was installed on a misspelled path and then later moved to the correct path.

hayashis@h2(karst):/N/soft/rhel6/singularity/2.2/libexec/singularity $ strings sexec | grep sexec-suid
/N/soft/rhel6/singualrity/2.2/libexec/singularity/sexec-suid

(see "singualrity" instead of "singularity")

I will ask our sysadmin to reinstall it.

@gmkurtzer I was getting hit by statically compiled SYSCONFDIR earlier this morning.. I think it will be nice if the singularity binaries are relocatable.. :) (UPDATE: you probably did this for security purpose?)

[soichih]

After the re-installation, I was able to start singularity. Thank you everyone for troubleshooting!

[gmkurtzer]

Ohhh, this is great news! I will add in the debugging output the path that it is using to check!

@bauerm97 I think some people owe you a beer including me! Shame you won't be at SC, so it will have to be a long term IOU. lol

Thanks everyone!

[bbockelm]

@soichih - just as a FYI:

Non-relocatability is a basic security mechanism for setuid binaries. If you have runtime-relocatability, then you run the risk of a user being able to swap out the sysadmin-provided configuration file with one they control (and possible exploit stemming from this).

Brian

[raffaelepotami]

I am experiencing the same issue but the installation path should be correct, from strace

stat("/home/rp189/virtopt/singularity-2.2/libexec/singularity/sexec-suid", {st_mode=S_IFREG|0755, st_size=255132, ...}) = 0

geteuid()                               = 134064

write(2, "VERBOSE [U=134064,P=4673]  sexec"..., 121VERBOSE [U=134064,P=4673]  sexec.c:97:main()                          : Not invoking SUID mode: SUID sexec not installed
) = 121

any suggestion on what could cause the problem?

[gmkurtzer]

Hello,

What version of Singularity are you running and can you include the singularity --debug ... output?

Thanks!

[bbockelm]

@raffaelepotami - I think you'll need to run make install as root in order to get the binary marked as setuid.

[raffaelepotami]

@bbockelm Thanks Brian that would make perfect sense, I installed it as unprivileged user with ./configure --prefix=/my/path ; make;make install

@gmkurtzer Gregory, I am using version 2.2 , can you confirm Brian theory about having to use sudo make install to have setuid working correctly?

here below is the log from the command

singularity --debug shell docker://ubuntu:latest

VERBOSE [U=134064,P=8267] message.c:52:init() : Set messagelevel to: 5 DEBUG [U=134064,P=8267] privilege.c:66:singularity_priv_init() : Called singularity_priv_init(void) DEBUG [U=134064,P=8267] privilege.c:131:singularity_priv_init() : Returning singularity_priv_init(void) DEBUG [U=134064,P=8267] privilege.c:179:singularity_priv_drop() : Dropping privileges to UID=134064, GID=2134064 DEBUG [U=134064,P=8267] privilege.c:191:singularity_priv_drop() : Confirming we have correct UID/GID VERBOSE [U=134064,P=8267] sexec.c:73:main() : Running NON-SUID program workflow DEBUG [U=134064,P=8267] sexec.c:75:main() : Checking program has appropriate permissions VERBOSE [U=134064,P=8267] config_parser.c:43:singularity_config_open(): Opening configuration file: /home/rp189/virtopt/singularity-2.2-bis/etc/singularity/singularity.conf DEBUG [U=134064,P=8267] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file VERBOSE [U=134064,P=8267] sexec.c:85:main() : Checking that we are allowed to run as SUID DEBUG [U=134064,P=8267] config_parser.c:107:singularity_config_get_bool(): Called singularity_config_get_bool(allow setuid, 1) DEBUG [U=134064,P=8267] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(allow setuid) VERBOSE [U=134064,P=8267] config_parser.c:91:singularity_config_get_value(): Got config key allow setuid (= 'yes') DEBUG [U=134064,P=8267] config_parser.c:113:singularity_config_get_bool(): Return singularity_config_get_bool(allow setuid, 1) = 1 VERBOSE [U=134064,P=8267] sexec.c:87:main() : Checking if we were requested to run as NOSUID by user DEBUG [U=134064,P=8267] util/util.c:92:envar_defined() : Checking if environment variable is defined: SINGULARITY_NOSUID VERBOSE [U=134064,P=8267] util/util.c:94:envar_defined() : Environment variable is undefined: SINGULARITY_NOSUID VERBOSE [U=134064,P=8267] sexec.c:97:main() : Not invoking SUID mode: SUID sexec not installed DEBUG [U=134064,P=8267] util/util.c:102:envar_path() : Checking environment variable is valid path: 'SINGULARITY_IMAGE' VERBOSE [U=134064,P=8267] util/util.c:50:envar() : Checking input from environment: 'SINGULARITY_IMAGE' DEBUG [U=134064,P=8267] util/util.c:52:envar() : Checking environment variable is defined: SINGULARITY_IMAGE DEBUG [U=134064,P=8267] util/util.c:58:envar() : Checking environment variable length (<= 4096): SINGULARITY_IMAGE DEBUG [U=134064,P=8267] util/util.c:64:envar() : Checking environment variable has allowed characters: SINGULARITY_IMAGE VERBOSE [U=134064,P=8267] util/util.c:87:envar() : Obtained input from environment 'SINGULARITY_IMAGE' = '/tmp/singularity-rundir.TcYiznZ6/ubuntu:latest' VERBOSE [U=134064,P=8267] util/util.c:50:envar() : Checking input from environment: 'SINGULARITY_COMMAND' DEBUG [U=134064,P=8267] util/util.c:52:envar() : Checking environment variable is defined: SINGULARITY_COMMAND DEBUG [U=134064,P=8267] util/util.c:58:envar() : Checking environment variable length (<= 10): SINGULARITY_COMMAND DEBUG [U=134064,P=8267] util/util.c:64:envar() : Checking environment variable has allowed characters: SINGULARITY_COMMAND VERBOSE [U=134064,P=8267] util/util.c:87:envar() : Obtained input from environment 'SINGULARITY_COMMAND' = 'shell' DEBUG [U=134064,P=8267] action.c:55:singularity_action_init() : Checking on action to run DEBUG [U=134064,P=8267] action.c:63:singularity_action_init() : Setting action to: shell DEBUG [U=134064,P=8267] action.c:95:singularity_action_init() : Getting current working directory path string DEBUG [U=134064,P=8267] rootfs.c:71:singularity_rootfs_init() : Checking on container source type DEBUG [U=134064,P=8267] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file DEBUG [U=134064,P=8267] rootfs.c:80:singularity_rootfs_init() : Figuring out where to mount Singularity container DEBUG [U=134064,P=8267] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(container dir) VERBOSE [U=134064,P=8267] config_parser.c:91:singularity_config_get_value(): Got config key container dir (= '/var/singularity/mnt') DEBUG [U=134064,P=8267] rootfs.c:86:singularity_rootfs_init() : Set image mount path to: /var/singularity/mnt DEBUG [U=134064,P=8267] dir.c:44:rootfs_dir_init() : Inializing container rootfs dir subsystem DEBUG [U=134064,P=8267] util/util.c:92:envar_defined() : Checking if environment variable is defined: SINGULARITY_WRITABLE VERBOSE [U=134064,P=8267] util/util.c:94:envar_defined() : Environment variable is undefined: SINGULARITY_WRITABLE DEBUG [U=134064,P=8267] sessiondir.c:60:singularity_sessiondir_init(): Checking Singularity configuration for 'sessiondir prefix' DEBUG [U=134064,P=8267] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file DEBUG [U=134064,P=8267] util/util.c:102:envar_path() : Checking environment variable is valid path: 'SINGULARITY_SESSIONDIR' VERBOSE [U=134064,P=8267] util/util.c:50:envar() : Checking input from environment: 'SINGULARITY_SESSIONDIR' DEBUG [U=134064,P=8267] util/util.c:52:envar() : Checking environment variable is defined: SINGULARITY_SESSIONDIR VERBOSE [U=134064,P=8267] util/util.c:54:envar() : Environment variable is NULL: SINGULARITY_SESSIONDIR DEBUG [U=134064,P=8267] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(sessiondir prefix) DEBUG [U=134064,P=8267] config_parser.c:99:singularity_config_get_value(): No configuration file entry found for 'sessiondir prefix' DEBUG [U=134064,P=8267] sessiondir.c:75:singularity_sessiondir_init(): Set sessiondir to: /tmp/.singularity-session-134064.64769.3407874 DEBUG [U=134064,P=8267] util/file.c:245:s_mkpath() : Creating directory: /tmp/.singularity-session-134064.64769.3407874 DEBUG [U=134064,P=8267] sessiondir.c:91:singularity_sessiondir_init(): Opening sessiondir file descriptor DEBUG [U=134064,P=8267] sessiondir.c:97:singularity_sessiondir_init(): Setting shared flock() on session directory DEBUG [U=134064,P=8267] util/util.c:92:envar_defined() : Checking if environment variable is defined: SINGULARITY_NOSESSIONCLEANUP VERBOSE [U=134064,P=8267] util/util.c:94:envar_defined() : Environment variable is undefined: SINGULARITY_NOSESSIONCLEANUP DEBUG [U=134064,P=8267] util/util.c:92:envar_defined() : Checking if environment variable is defined: SINGULARITY_NOCLEANUP VERBOSE [U=134064,P=8267] util/util.c:94:envar_defined() : Environment variable is undefined: SINGULARITY_NOCLEANUP VERBOSE [U=134064,P=8267] fork.c:74:singularity_fork() : Forking child process VERBOSE [U=134064,P=8267] fork.c:90:singularity_fork() : Hello from parent process DEBUG [U=134064,P=8267] fork.c:109:singularity_fork() : Assigning sigaction()s DEBUG [U=134064,P=8267] fork.c:140:singularity_fork() : Creating generic signal pipes DEBUG [U=134064,P=8267] fork.c:148:singularity_fork() : Creating sigcld signal pipes DEBUG [U=134064,P=8267] fork.c:170:singularity_fork() : Waiting on signal from watchdog VERBOSE [U=134064,P=8332] fork.c:78:singularity_fork() : Hello from child process DEBUG [U=134064,P=8332] fork.c:81:singularity_fork() : Closing watchdog write pipe DEBUG [U=134064,P=8332] fork.c:86:singularity_fork() : Child process is returning control to process thread DEBUG [U=134064,P=8332] ns.c:45:singularity_ns_unshare() : Unsharing all namespaces DEBUG [U=134064,P=8332] config_parser.c:62:singularity_config_rewind(): Rewinding configuration file DEBUG [U=134064,P=8332] config_parser.c:107:singularity_config_get_bool(): Called singularity_config_get_bool(allow user ns, 1) DEBUG [U=134064,P=8332] config_parser.c:80:singularity_config_get_value(): Called singularity_config_get_value(allow user ns) DEBUG [U=134064,P=8332] config_parser.c:99:singularity_config_get_value(): No configuration file entry found for 'allow user ns' DEBUG [U=134064,P=8332] config_parser.c:126:singularity_config_get_bool(): Undefined configuration for 'allow user ns', returning default: yes DEBUG [U=134064,P=8332] user.c:77:singularity_ns_user_unshare() : Attempting to virtualize the USER namespace VERBOSE [U=134064,P=8332] user.c:79:singularity_ns_user_unshare() : Not virtualizing USER namespace: runtime support failed (22:Invalid argument) ERROR [U=134064,P=8332] user.c:52:check_for_suid() : User namespace not supported, and program not running privileged. ABORT [U=134064,P=8332] user.c:53:check_for_suid() : Retval = 255 DEBUG [U=134064,P=8267] fork.c:52:handle_sigchld() : Checking child pids: 8332 8332 DEBUG [U=134064,P=8267] fork.c:54:handle_sigchld() : Forwarding signal through sigchld_signal_wpipe DEBUG [U=134064,P=8267] fork.c:196:singularity_fork() : Parent process is exiting DEBUG [U=134064,P=8267] util/util.c:102:envar_path() : Checking environment variable is valid path: 'SINGULARITY_RUNDIR' VERBOSE [U=134064,P=8267] util/util.c:50:envar() : Checking input from environment: 'SINGULARITY_RUNDIR' DEBUG [U=134064,P=8267] util/util.c:52:envar() : Checking environment variable is defined: SINGULARITY_RUNDIR DEBUG [U=134064,P=8267] util/util.c:58:envar() : Checking environment variable length (<= 4096): SINGULARITY_RUNDIR DEBUG [U=134064,P=8267] util/util.c:64:envar() : Checking environment variable has allowed characters: SINGULARITY_RUNDIR VERBOSE [U=134064,P=8267] util/util.c:87:envar() : Obtained input from environment 'SINGULARITY_RUNDIR' = '/tmp/singularity-rundir.TcYiznZ6' DEBUG [U=134064,P=8267] sessiondir.c:111:singularity_sessiondir_init(): Cleanup thread waiting on child... DEBUG [U=134064,P=8267] sessiondir.c:116:singularity_sessiondir_init(): Checking to see if we are the last process running in this sessiondir VERBOSE [U=134064,P=8267] sessiondir.c:118:singularity_sessiondir_init(): Cleaning sessiondir: /tmp/.singularity-session-134064.64769.3407874 DEBUG [U=134064,P=8267] util/file.c:267:s_rmdir() : Removing directory: /tmp/.singularity-session-134064.64769.3407874 VERBOSE [U=134064,P=8267] sessiondir.c:126:singularity_sessiondir_init(): Cleaning run directory: /tmp/singularity-rundir.TcYiznZ6 DEBUG [U=134064,P=8267] util/file.c:267:s_rmdir() : Removing directory: /tmp/singularity-rundir.TcYiznZ6

[raffaelepotami]

@bbockelm turns out you were right, make install must be done by root to make singularity work fine.

Problem solved, thanks everyone

R.

[gmkurtzer]

Good call @bbockelm, and yes @raffaelepotami I confirm Brian's theory! lol