New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for bind mounts to directories not existing within a container on read-only FS #96
Comments
A side-effect I see is that the user in the user-namespace is then effective owner of |
We do this for I'm a little hesitant to put it in the C code since it seems kind of complex. Would a We haven't yet clarified the contract on the unpacked image. For example, it is portable between machines? Can you just tar it up again to get a valid image tarball? |
For the use case in mind, this would not be sufficient: The trick described here (and by now also suggested here apptainer/singularity#1207 ) would allow to freely specify any bind mount point inside the container without requiring a decision already at the unpack stage. I think the C-code is the only suitable place in that case, since the bind mounts need to be performed after activating the user namespace. But I agree, it's kind of complex, so I am not sure it should be the highest thing on the priority list of enhancements ;-). |
OK, thanks for the clarification. Do you (or does anyone) know the prospects for overlayfs? I did try to implement |
Also, is this a showstopper for you? |
For our site, no (we don't need anything special in terms of bind-mounts). Our main showstopper right now is HTCondor's lack of correct support for any container implementation, which at the moment means only setuid root containers work correctly. Sadly, their upstream is very unresponsive, so I'm working on workarounds for now, and until this is done, we have to stay with privileged Singularity. Since WLCG (Worldwide LHC Computing Grid) is currently on the "Singularity-train", they will likely also not really care (but it would be a showstopper for one of the experiments if Singularity would not implement it. My goal here would be to have the useful functionality in Charliecloud to have an alternative runtime which fulfills all the necessary requirements, and also, it looks like a reasonable extension, since it makes containers built by a third-party and distributed in a read-only manner more portable. |
Ubuntu has made their own modification to allow unprivileged overlayfs and it's not expected to get into the mainstream kernel anytime soon. I haven't found a definitive source I can point you to for that, but see https://lwn.net/Articles/671641/, especially the comments at the end. |
On the other hand https://lwn.net/Articles/718062/ says that "There has been a fair amount of work in adding support for unprivileged containers" to overlayfs. No details though. |
Thinking about whether this should go into 0.2.4. Couple other options. Would these satisfy the use case?
|
This seems very inefficient: Distributing full .tar.gz via CVMFS (or other means) is significantly more waste of space on the servers and in caches than distributing just the deltas. On our site, we build new containers of several flavours at least once a day, with sizes ~ 1G. The deltas to the last build are just a few MB, though, so only the small changes need to be transferred on-demand.
This could work for local use on sites, but could not be easily used independent from the site - and could not be made available easily to users. I think this pretty much summarizes the use case, maybe @DrDaveD can expand, he is closer to the WLCG working group on the topic. |
OK
OK
I'm not actually convinced of that; we already have a partial solution that does it for |
@olifre I saw your message but you summarized well, I really can't think of anything to add. One thing that I don't see mentioned in this issue but which is in the second comment of apptainer/singularity#1207 and is an answer to the second comment in this issue, is to make '/' be a read-only bind mount of the separate scratch area, so the user cannot modify it. |
I just stumbled upon: |
@olifre I'm sorry you weren't aware of that, I have known about it for quite some time. It does require linux kernels >= 4.18, such as on CentOS 8. Meanwhile it's not been reported here, but singularity has had the underlay feature for over a year, first in the C++ 2.6 series and soon thereafter in the golang 3.x series. |
@DrDaveD Thanks for chiming in! |
I can't tell if this is the exact same issue, sounds similar to title I think--one thing Docker allows (mounting to a nested path that does not already exist in the image) seems to be prohibited by Charliecloud:
|
currently charliecloud can't bind mount directories that don't exist within the container This adds a workaround uses mkdir to create them before bind-mounting. ref: hpc/charliecloud#96 Also, ENV layers are not honored by charliecloud when images are pulled from a docker registry using 'ch-grow pull' When the container contains software outside of the standard $PATH of the host, it needs to be appended manually. This workaround assumes that containers have the file '/etc/environment' present, which can be used with ch-run --set-env ref:hpc/charliecloud#719 TODO: * handle additional environment defined in nextflow env scope * extend mkdir workaround to additional mounts * add tests This is a continuation of nextflow-io#1712 by @tbugfinder Signed-off-by: Patrick Hüther <patrick.huether@gmail.com>
currently charliecloud can't bind mount directories that don't exist within the container This adds a workaround uses mkdir to create them before bind-mounting. ref: hpc/charliecloud#96 Also, ENV layers are not honored by charliecloud when images are pulled from a docker registry using 'ch-grow pull' When the container contains software outside of the standard $PATH of the host, it needs to be appended manually. This workaround assumes that containers have the file '/etc/environment' present, which can be used with ch-run --set-env ref:hpc/charliecloud#719 TODO: * handle additional environment defined in nextflow env scope * extend mkdir workaround to additional mounts * add tests This is a continuation of nextflow-io#1712 by @tbugfinder Signed-off-by: Patrick Hüther <patrick.huether@gmail.com>
currently charliecloud can't bind mount directories that don't exist within the container This adds a workaround uses mkdir to create them before bind-mounting. ref: hpc/charliecloud#96 Also, ENV layers are not honored by charliecloud when images are pulled from a docker registry using 'ch-grow pull' When the container contains software outside of the standard $PATH of the host, it needs to be appended manually. This workaround assumes that containers have the file '/etc/environment' present, which can be used with ch-run --set-env ref:hpc/charliecloud#719 TODO: * handle additional environment defined in nextflow env scope * extend mkdir workaround to additional mounts * add tests This is a continuation of nextflow-io#1712 by @tbugfinder Signed-off-by: Patrick Hüther <patrick.huether@gmail.com>
On the WLCG containers mailing list, somebody suggested the following magic to be able to add bind-mount points to a read-only container without using overlayfs.
Is there a logic error in this approach?
The text was updated successfully, but these errors were encountered: