Unify path handling for external binaries, from sylabs 272 #6224
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pulls in sylabs pr
which fixed
which is related to Unable to find unsquashfs from PATH #5858. The pr also addressed
which is the same issue as /usr/local/bin/unsquashfs: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory #6139.
This also includes a commit imported from
in order to avoid the pkg directory depending on buildcfg, and also a small piece of
for the same reason.
The original description was:
Prior to this PR, we were very inconsistent in how we locate external binaries. E.g.
cryptsetup
is found via a buildcfg setting, or asingularity.conf
value.mksquashfs
is found via$PATH
or asingularity.conf
value. In different portions of codeunsquashfs
may be found only via$PATH
or by manipulation of themksquashfs
singularity.conf
value. Some GPU lib finding and overlay creation operations looked for binaries on the user's complete$PATH
. Other lookups on$PATH
were after it is santized as a pre-run on the action commands.This PR:
Removes the forced
PATH
sanitization when action commands are run. The user'sPATH
is now kept in the pre-container environment. This does change our security model a bit. In Singularity 2.x there were a lot of calls across a collection of shell scripts, python, compiled code. SanitizingPATH
to default admin controlled locations only was a means to avoid calling nasty binaries. In 3.x we explicitly call out to a bounded number of executables from our Go code. We should explicitly checkroot
owns things that will be executed in a privileged context that could be dangerous. Outside of this context, allowing binaries to be found on a full userPATH
makes it easier for singularity to be installed by a package manager, or to call binaries in non-standard locations - such as when a cluster provides a newersquashfs-tools
etc.Ensures external binaries are found via a
bin.FindBin(..
) call, so that behaviour for finding a binary can be managed in one place in the code.Uses
singularity.conf
directives for thecryptsetup
,go
,ldconfig
,mksquashfs
,nvidia-container-cli
,unsquashfs
paths. These are most likely to need customization for some environments.- If set, the specified path is used at runtime.
- If unset, we search
PATH
plus sensible default bin/sbin dirs.- At
./mconfig
time we discover these binaries and write their paths into the installedsingularity.conf
.For other external binaries, search
PATH
plus sensible default bin/sbin dirs.Check
cryptsetup
for root ownership explicitly as we now look on the userPATH
. Previously we were assuming that acryptsetup
in the default sanitizedPATH
is safe.