Unify path handling for external binaries, from sylabs 272 #6224
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prior to this PR, we were very inconsistent in how we locate external
binaries. E.g. `cryptsetup` is found via a buildcfg setting, or a
`singularity.conf` value. `mksquashfs` is found via `$PATH` or a
`singularity.conf` value. In different locations `unsquashfs` may be
found only via `$PATH` or by manipulation of the `mksquashfs`
`singularity.conf` value.
This PR:
* Removes the forced `PATH` sanitization when action commands are
run. The user's `PATH` is now kept in the pre-container
environment. This does change our security model a bit. In Singularity
2.x there were a lot of calls across a collection of shell scripts,
python, compiled code. Santizing `PATH` was a means to avoid calling
nasty binaries. In 3.x we explicitly call out to specific executables
from our Go code. We should explicitly check `root` owns things that
will be executed in a privileged context that could be
dangerous. Outside of this context, allowing binaries to be found on a
full user `PATH` makes it easier for singularity to be installed by a
package manager, or to call binaries in non-standard locations - such
as when a cluster provides a newer `squashfs-tools` etc.
* Ensures external binaries are found via a `bin.FindBin(..)` call, so
that behaviour for finding a binary can be managed in one place in the
code.
* Uses `singularity.conf` directives for the `cryptsetup`, `go`,
`ldconfig`, `mksquashfs`, `nvidia-container-cli`, `unsquashfs`
paths. These are most likely to need customization for some environments.
* If set, the specified path is used at runtime.
* If unset, we search `PATH` plus sensible default bin/sbin dirs.
* At `./mconfig` time we discover these binaries and write their
paths into the installed `sinularity.conf`.
* For other external binaries, search `PATH` plus sensible default
bin/sbin dirs.
* Check `cryptsetup` for root ownership explicitly as we now look on
the user `PATH`. Previously we were assuming that a `cryptsetup` in
the default sanitized `PATH` is safe.
- Fixes sylabs/singularity#178
Removes buildcfg dependency from pkg directory
Removes buildcfg dependency on pkg directory
cclerget
approved these changes
Oct 19, 2021
13 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pulls in sylabs pr
which fixed
which is related to Unable to find unsquashfs from PATH #5858. The pr also addressed
which is the same issue as /usr/local/bin/unsquashfs: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory #6139.
This also includes a commit imported from
in order to avoid the pkg directory depending on buildcfg, and also a small piece of
for the same reason.
The original description was:
Prior to this PR, we were very inconsistent in how we locate external binaries. E.g.
cryptsetupis found via a buildcfg setting, or asingularity.confvalue.mksquashfsis found via$PATHor asingularity.confvalue. In different portions of codeunsquashfsmay be found only via$PATHor by manipulation of themksquashfssingularity.confvalue. Some GPU lib finding and overlay creation operations looked for binaries on the user's complete$PATH. Other lookups on$PATHwere after it is santized as a pre-run on the action commands.This PR:
Removes the forced
PATHsanitization when action commands are run. The user'sPATHis now kept in the pre-container environment. This does change our security model a bit. In Singularity 2.x there were a lot of calls across a collection of shell scripts, python, compiled code. SanitizingPATHto default admin controlled locations only was a means to avoid calling nasty binaries. In 3.x we explicitly call out to a bounded number of executables from our Go code. We should explicitly checkrootowns things that will be executed in a privileged context that could be dangerous. Outside of this context, allowing binaries to be found on a full userPATHmakes it easier for singularity to be installed by a package manager, or to call binaries in non-standard locations - such as when a cluster provides a newersquashfs-toolsetc.Ensures external binaries are found via a
bin.FindBin(..) call, so that behaviour for finding a binary can be managed in one place in the code.Uses
singularity.confdirectives for thecryptsetup,go,ldconfig,mksquashfs,nvidia-container-cli,unsquashfspaths. These are most likely to need customization for some environments.- If set, the specified path is used at runtime.
- If unset, we search
PATHplus sensible default bin/sbin dirs.- At
./mconfigtime we discover these binaries and write their paths into the installedsingularity.conf.For other external binaries, search
PATHplus sensible default bin/sbin dirs.Check
cryptsetupfor root ownership explicitly as we now look on the userPATH. Previously we were assuming that acryptsetupin the default sanitizedPATHis safe.