
Does Singularity support installation by user without root privileges? #1258

adamryczkowski opened this issue Jan 18, 2018 · 11 comments

Comments

Projects
None yet
8 participants
@adamryczkowski
Copy link

commented Jan 18, 2018

I am aware that Singularity needs setuid attributes for at least one of its installation files. This attribute cannot be set by a non-root user. Is there any workaround for this problem, even at the cost of reduced functionality?

There are many HPC environments where there is no Singularity (most of them, in my experience), where users would benefit from Singularity the most.

@cclerget (Contributor) commented Jan 18, 2018

@adamryczkowski You can disable setuid at build time by using ./configure --disable-suid --prefix=/where/you/have/rights. Disabling setuid requires a kernel >= 3.8.

@maxogden commented Jan 24, 2018

Is there documentation anywhere that explains why singularity needs root for installation? Why can't it just be a standalone binary?

Edit: I found by looking through the code + other issues that if user namespaces are not supported, and the executable has not been setuid 0, then singularity will fail with the error "Failed invoking the NEWUSER namespace runtime: Invalid argument".

@GodloveD (Member) commented Jan 24, 2018
@sjackman commented Oct 15, 2018

I compiled and installed Singularity 2.6.0 in my home directory using ./configure --disable-suid --with-userns. When I run singularity run shub://GodloveD/lolcow I get the error message:

ERROR  : Failed invoking the NEWUSER namespace runtime: Invalid argument
ABORT  : Retval = 255

Can Singularity be used without root and setuid permissions? I don't have root access. I'm on an HPC system with CentOS 7.4.1708 and Linux kernel 3.10.0-693.5.2.el7.x86_64.

@jmstover (Collaborator) commented Oct 15, 2018

@sjackman I don't believe that RHEL 7.4 fully supports user namespace, or at least it isn't fully enabled yet. The user space code is there, but it's still an experimental feature, until 7.5 (I think). To enable, the kernel needs to be booted with the option:

namespace.unpriv_enable=1

@DrDaveD (Contributor) commented Oct 15, 2018

Actually it is a technology preview in both RHEL 7.4 and 7.5. In addition to the boot parameter, you also need to set sysctl user.max_user_namespaces = 15000 (or some other non-zero number). The boot parameter is no longer needed in RHEL 7.6 (which is in beta now).
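A preflight check for the conditions the last few comments list (kernel >= 3.8, a non-zero user.max_user_namespaces sysctl, the namespace.unpriv_enable=1 boot parameter on RHEL 7.4/7.5, and whether this user can actually create a user namespace), written here as an added example in POSIX shell; it is not part of the Singularity project and assumes unshare(1) from util-linux is installed.

```shell
#!/bin/sh
# Preflight check for running Singularity built with --disable-suid / --with-userns.
# Added example, not Singularity project code. Checks the conditions named in this
# thread: kernel >= 3.8, a non-zero user.max_user_namespaces sysctl, and whether
# this user can actually create a user namespace (needs unshare(1) from util-linux).

# kernel_at_least MAJOR MINOR "uname -r string" -> true if the kernel is new enough
kernel_at_least() {
    want_major=$1; want_minor=$2
    have_major=$(printf '%s' "$3" | cut -d. -f1)
    have_minor=$(printf '%s' "$3" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# userns_sysctl_ok VALUE -> true if user.max_user_namespaces permits namespaces
userns_sysctl_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # unreadable or non-numeric: treat as disabled
    esac
    [ "$1" -gt 0 ]
}

# Live check: can an unprivileged user namespace be created at all?
can_unshare_user() {
    unshare -U true 2>/dev/null
}

preflight() {
    kver=$(uname -r)
    kernel_at_least 3 8 "$kver" || { echo "kernel $kver is older than 3.8"; return 1; }
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        maxns=$(cat /proc/sys/user/max_user_namespaces)
        userns_sysctl_ok "$maxns" ||
            { echo "user.max_user_namespaces is '$maxns'; set it to a non-zero value"; return 1; }
    fi
    if ! can_unshare_user; then
        echo "unshare -U failed: user namespaces are not usable by this user"
        # On RHEL/CentOS 7.4/7.5 the kernel also has to be booted with this parameter.
        grep -q 'namespace.unpriv_enable=1' /proc/cmdline 2>/dev/null ||
            echo "hint: namespace.unpriv_enable=1 is not on the kernel command line"
        return 1
    fi
    echo "unprivileged user namespaces available; non-setuid Singularity can start"
}

# Run the check only when invoked as: sh this_script.sh run
case "${1:-}" in run) preflight ;; esac
```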

@sjackman commented Oct 16, 2018

Thanks for the information! So non-root Singularity is expected to work out-of-the-box with CentOS 7.6?

@DrDaveD (Contributor) commented Oct 17, 2018

Yes, without the singularity features that still require setuid root (for example mounting image files -- sandboxes will work without setuid).

@sjackman commented Oct 17, 2018

Excellent. I look forward to the release of CentOS 7.6 then. Hopefully our systems group will upgrade to it.

@felipeportella commented Jan 18, 2019

Is there a way to disable-suid in Singularity 3.0 as well, as now it uses mconfig?

@DrDaveD (Contributor) commented Jan 18, 2019

There's not an mconfig option, although I think that is a good idea. I suggest making a separate issue for that. The workaround is to remove libexec/singularity/starter-suid after make install. That's what I do and I know it works.

Another workaround that will work starting in 3.0.3 is to set 'allow setuid = no' in singularity.conf. Then if starter-suid is really installed as setuid-root there's still a small risk of vulnerability, but if starter-suid is invoked manually (since singularity won't invoke it) it will exit very early so the risk is quite low. This is the recommended way to go when using a prebuilt package such as an rpm.
