running singularity within singularity - ruhroh! #1245
Comments
As I mentioned in singularityhub/sregistry-cli#30, I believe that singularity deliberately disallows running any setuid programs inside of a container for security reasons.
So this means that Singularity can never be run inside Singularity? What is the suggested fix / strategy for an application that needs a (non sudo) singularity command within a Singularity container? I had thought this worked before.
I think it might work if the outer singularity is run by root. I haven't verified that, but I know it works with docker --privileged.
So there is no solution for running this entirely in user space?
The workaround I think is to mount the singularity from the host in the container, but @shahzebsiddiqui had issue with this. @shahzebsiddiqui what are your concerns?
ok, good to know that I can't do that (was about to try) which is not the end of the world but disallows a few usecases
Any update on this issue? I'm testing with sudo, and mounting the

```
$ sudo singularity shell --bind /usr/local cromwell.simg
Singularity: Invoking an interactive shell within container...
Singularity cromwell.simg:~> singularity run shub://vsoch/hello-world
Progress |===================================| 100.0%
ERROR : Failed to set processus capabilities
ABORT : Retval = 255
```

Here is the version:

```
singularity --version
2.5.0-feature-squashbuild-secbuild-2.5.0.gabe9005
```

Are there docs for how to set process capabilities? I was looking here and I think something is in the works, but it's not documented anywhere. Thanks for the update!
Hello, I'm wondering if you found a solution for this issue. I have tried to use a singularity image inside another singularity image but I get the same error:

```
Singularity sandbox-sing:~/singularity> singularity exec sandbox-deep/ ls
```

Is it not possible at all?
oriol
Singularity does not allow running setuid programs within containers. If your kernel allows unprivileged user namespaces, singularity can be run unprivileged and then nesting of singularity works. I have found only one of them can include a -p option for pid namespaces.
As mentioned in the last comment, we explicitly prohibit running setuid things in containers as part of the general approach of Singularity. Nesting with user-namespace is the option as pointed out by DrDaveD
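The two comments above give the two facts that decide whether nesting can work: a setuid launcher cannot regain privilege inside a container, and unprivileged nesting needs kernel support for user namespaces. The preflight script below is an added example, not code from the Singularity project or from anyone in this thread; it checks both conditions on a host before a nested run is attempted. It assumes GNU `stat -c %a`, the `unshare` tool from util-linux, and that Singularity sets `SINGULARITY_CONTAINER` inside a container; the sysctl paths are the ones commonly used for the user-namespace policy and may be absent on some distributions.

```shell
#!/bin/sh
# Preflight for nested Singularity (added example, not project code).

# Return 0 when an octal mode string (e.g. "4755" from `stat -c %a`) carries
# the setuid bit. Pure string logic so it can be checked without real files.
mode_has_setuid() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done   # "755" -> "0755"
    case "${mode%???}" in                              # keep the special-bits digit
        4|5|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the unprivileged user-namespace policy from two sysctl values,
# passed as strings ("" when the file is absent) so the logic is testable.
#   $1: kernel.unprivileged_userns_clone (Debian/Ubuntu only; 0 = off)
#   $2: user.max_user_namespaces         (0 = user namespaces disabled)
userns_policy() {
    clone=$1; maxns=$2
    if [ "$clone" = "0" ]; then echo "disabled"; return; fi
    if [ -n "$maxns" ] && [ "$maxns" -eq 0 ] 2>/dev/null; then echo "disabled"; return; fi
    if [ -z "$clone" ] && [ -z "$maxns" ]; then echo "unknown"; return; fi
    echo "enabled"
}

read_sysctl() { cat "$1" 2>/dev/null; }

preflight() {
    bin=$(command -v singularity) || { echo "singularity not on PATH"; return 1; }
    mode=$(stat -c %a "$bin" 2>/dev/null)
    if mode_has_setuid "$mode"; then
        echo "launcher $bin is setuid (mode $mode): will not work inside a container"
    else
        echo "launcher $bin is not setuid (mode $mode); setuid helpers may still live in libexec"
    fi
    # SINGULARITY_CONTAINER is assumed to be exported by Singularity inside a container.
    [ -n "$SINGULARITY_CONTAINER" ] && echo "already inside $SINGULARITY_CONTAINER"
    policy=$(userns_policy "$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)" \
                           "$(read_sysctl /proc/sys/user/max_user_namespaces)")
    echo "unprivileged user namespaces (sysctl): $policy"
    # Empirical check: can this unprivileged user create a user namespace at all?
    if unshare -U true 2>/dev/null; then
        echo "unshare -U works: unprivileged nesting should be possible"
    else
        echo "unshare -U failed: unprivileged nesting will not work here"
    fi
}

[ "${1-}" = "run" ] && preflight
```

Run it as `sh preflight.sh run` on the host and again from inside the outer container; the second run is the one that predicts whether the nested `singularity` call will fail.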
Version of Singularity:
2.4.2-master.g91881f7
When Singularity is installed within another container, e.g.,
A command issued to inspect a container results in the following error (I am doing this command shelled in without being root), and the same behavior results when issuing externally:
The command on the host works ok.
I thought it might be an issue with an installation on host and container, so I tried the command with the environment contained:
and
Expected behavior
A minimum working example to reproduce:
Singularity.error
Thanks for the help! And all the fish :)