New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RTE SINGULARITY: Use the SINGULARITY_OPTIONS input parameter instead of the environment variable if defined #11
Conversation
…env variable if defined
Allowing end-user to define singularity options on-demand is a security hole. But if you don't mind to open your system in this way, you can always create a "user defined" RTE script even with the same name and use it, no need to update the "system RTE" redistributed with ARC. |
Thanks for your prompt answer. Is that really a security hole? Source: https://sylabs.io/guides/3.3/user-guide/security.html#singularity-runtime |
This is not about singlarity itself, it is about user origins and trust boundaries. Local users indeed has access to the filesystem with or without singularity based on they permissions and this is defined by organization policies. However hear we are talking about grid users who are external to the resource and have nothing to do with organization policy, they just mapped to some accounts and should be handled in a more restricted way generally. Using singularity with proper option allows to enforce better isolation (e.g. mounting only the job scratch area). What is you use-case? |
An option here could be to modify the change you suggest to add a default None, then if the sys-admin wants to allow this option, he will set the parameter. |
Note @manfuin that the SINGULARITY_OPTIONS parameter is already defined in the RTE, but not used. |
There is a big difference between parameter defined by system owner vs defined in job xRSL by end-user |
Alright, I understand your concern, and indeed users could potentially exploit the
We share an ARC instance connected to a supercomputer - with no external connectivity at all - with other VOs.
There is probably a workaround: I guess we could embed a given directory within our container to just have to call: |
In the documentation of the Singularity RTE, 2 parameters are defined:
SINGULARITY_IMAGE
andSINGULARITY_OPTIONS
.Defining
SINGULARITY_IMAGE
in the submission script seems to have an effect on the execution and effectively uses the given singularity image. See in the source code:$2
is used hereUnfortunately, this does not seem to be the case for the
SINGULARITY_OPTIONS
. Using this variable in the submission script does not change anything during the execution: options are not used.This PR aims to support the use of the
SINGULARITY_OPTIONS
parameter from the submission script.