
feat: squashfuse unpriv SIF image mount (experimental)#711

Merged
dtrudg merged 3 commits into sylabs:master from dtrudg:squashfuse
Apr 25, 2022

@dtrudg dtrudg commented Apr 12, 2022

Allow SIF images to be mounted with squashfuse in the unpriv / user-namespace flow.

The approach taken here is to:

  • Leverage the MountFUSE / UnmountFUSE functionality from sylabs/sif, rather than duplicating code.
  • Perform the mount onto a temporary directory in the CLI layer, at the point where the SIF would otherwise be extracted. The singularity runtime then sees a sandbox.
  • Add a 'CLEANUP_HOST' process that is forked from starter early, before any namespace manipulation. This process is able to unmount the SIF at cleanup time. A socket from the host cleanup process to the master process is used for coordination.

Mount at the CLI layer, rather than inside of the runtime engine, is used so that we can adopt a similar approach across singularity oci commands, and general use of runc in future.

--fakeroot is not currently supported.

instance start is not currently supported.

Fixes #718

Unsolved questions?

  • Should we have a singularity.conf to always try? It is experimental, and there's a flag + env-var... but other experimental features have had a conf option in the past.

```
$ singularity run -u --sif-fuse ubuntu_latest.sif
INFO:    Mounting SIF with FUSE...
Singularity> echo "HELLO!"
HELLO!
Singularity> 
exit
INFO:    Unmounting SIF with FUSE...
INFO:    Removing image tempDir /tmp/rootfs-949762240
```

@dtrudg self-assigned this Apr 12, 2022
@dtrudg added this to the SingularityCE 3.10 milestone Apr 18, 2022
@dtrudg force-pushed the squashfuse branch 5 times, most recently from 7901607 to c8123ae April 18, 2022 19:11
@dtrudg changed the title from "[EXPERIMENTAL] - Unpriv SIF mount with squashfuse" to "Unpriv SIF mount with squashfuse" Apr 18, 2022
@dtrudg force-pushed the squashfuse branch 7 times, most recently from d6a9919 to 2b952f5 April 21, 2022 18:10
@dtrudg changed the title from "Unpriv SIF mount with squashfuse" to "feat: squashfuse unpriv SIF image mount (experimental)" Apr 21, 2022
@dtrudg force-pushed the squashfuse branch 5 times, most recently from 3bb809d to 32be4d0 April 22, 2022 17:05

Allow SIF images to be mounted with `squashfuse` in the unpriv /
user-namespace flow.

The approach taken here is to:

* Leverage the `MountFUSE` / `UnmountFUSE` functionality from
  sylabs/sif, rather than duplicating code.
* Perform the mount onto a temporary directory in the CLI layer, at
  the point where the SIF would otherwise be extracted. The
  singularity runtime then sees a sandbox.
* Add a 'CLEANUP_HOST' process that is forked from `starter` early,
  before any namespace manipulation. This process is able to
  unmount the SIF at cleanup time. A socket from the host cleanup
  process to the master process is used for coordination.

Mount at the CLI layer, rather than inside of the runtime engine, is
used so that we can adopt a similar approach across `singularity oci`
commands, and general use of runc in future.

`--fakeroot` is not currently supported.

`instance start` is not currently supported.

Fixes sylabs#718
@dtrudg dtrudg marked this pull request as ready for review April 25, 2022 18:10

@tri-adam tri-adam left a comment

LGTM, small nit regarding contexts. Nice work!

@tri-adam

> Should we have a singularity.conf to always try? It is experimental, and there's a flag + env-var... but other experimental features have had a conf option in the past.

Wouldn't hurt, as long as it's default to off?

dtrudg added 2 commits April 25, 2022 13:46
Allows singularity.conf to force an attempt to use SIF squashfuse
mounting. Still falls back to SIF extraction on failure.

Note that cleanup host context is left as a TODO at the same level as
the context.TODO in the master process... for future consideration.
@dtrudg dtrudg merged commit d76f160 into sylabs:master Apr 25, 2022
@dtrudg dtrudg deleted the squashfuse branch April 25, 2022 19:34
dtrudg added a commit to dtrudg/singularity that referenced this pull request on Jun 30, 2022, Jul 14, 2022 and Jul 15, 2022 (same commit message each time):

`if err :=` was incorrectly used in sylabs#711, resulting in a nil error
return.

Fixes sylabs#897
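
The shadowing defect that commit message names, reproduced as an added Go example. It is not the project's code: `mountImage`, `prepareBuggy`, `prepareFixed`, `launch`, the path and the mount-then-fallback scenario are hypothetical, chosen to show how a swallowed error lets a caller continue as if the mount had succeeded.

```go
package main

import (
	"errors"
	"fmt"
)

// errMount is a constructed failure; mountImage is a hypothetical mount step.
var errMount = errors.New("squashfuse mount failed")

func mountImage(fail bool) error {
	if fail {
		return errMount
	}
	return nil
}

// prepareBuggy: `if err :=` declares a second err scoped to the if statement.
// The failure branch runs, but the outer err that is returned is never set.
func prepareBuggy(fail bool) (rootfs string, err error) {
	rootfs = "/tmp/rootfs-example" // constructed path
	if err := mountImage(fail); err != nil {
		rootfs = "" // failure is seen here, through the inner err only
	}
	return rootfs, err // outer err: always nil
}

// prepareFixed assigns with `=` so the function's own err carries the failure.
func prepareFixed(fail bool) (rootfs string, err error) {
	rootfs = "/tmp/rootfs-example"
	if err = mountImage(fail); err != nil {
		return "", fmt.Errorf("while mounting image: %w", err)
	}
	return rootfs, nil
}

// launch is a hypothetical caller that falls back to extraction on error.
func launch(prepare func(bool) (string, error), fail bool) string {
	rootfs, err := prepare(fail)
	if err != nil {
		return "fallback: extract image"
	}
	return fmt.Sprintf("run from %q", rootfs)
}

func main() {
	fmt.Println("buggy:", launch(prepareBuggy, true)) // proceeds with no rootfs
	fmt.Println("fixed:", launch(prepareFixed, true)) // takes the fallback
}
```

The compiler accepts the shadowing form because the outer `err` is still used in the return statement; the `shadow` analyzer from golang.org/x/tools is one way to flag it in CI.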
Successfully merging this pull request may close these issues.

feat: Experimental squashfuse unprivileged SIF mount (actions)
