BD2KGenomics / toil-rnaseq

UC Santa Cruz Computational Genomics Lab's Toil-based RNA-seq pipeline
Apache License 2.0

SELinux? #186

Open aubreybailey opened 3 years ago

aubreybailey commented 3 years ago

I notice that this is formatting all of the "docker run -v" commands as $(PWD):/data however in an SELinux enforcing environment docker needs docker run -v $(PWD):/data:Z

I realize this is probably used mostly in cloud contexts and mostly on ubuntu, but I suspect you have some fans in HPC/edge for whom this is probably a show stopper.

Any idea how much a :Z addition breaks the normal usage, or at the very least, where I can find the -v flag to change it for my deployment?

thanks, Aubrey

jvivian commented 3 years ago

Hi @aubreybailey ,

That's a great question — I also wasn't aware of that issue with SELinux / Docker, so thank you for sharing that.

> I realize this is probably used mostly in cloud contexts and mostly on ubuntu, but I suspect you have some fans in HPC/edge for whom this is probably a show stopper.

Although I don't typically recommend it for a variety of reasons, this might be one instance where the dockerized version of toil-rnaseq could be useful, as the docker run calls happen within the container but will spawn them as sibling containers to the parent if you forward the socket. Unfortunately, it hasn't been updated in quite a while, so I assume trying to run it will lead to its own set of problems, as the host system requires a docker version similar to what's installed in the container and it's been a few years.

> Any idea how much a :Z addition breaks the normal usage, or at the very least, where I can find the -v flag to change it for my deployment?

This would be an easier issue to patch if toil-rnaseq didn't rely on such an old version of Toil. Newer versions of Toil modified dockerCall to act as a wrapper around the official Docker python API which would give you the flexibility of specifying the mount volumes, but it broke backwards compatibility.

At the moment, I do not have the bandwidth to update the existing codebase to use a newer version of Toil and Toil's updated Docker methods, but in theory it would not be too difficult:

  1. Update the version of Toil (ideally newest version)
  2. Update dockerCall to match the new API and provide an option to customize the mount directory.

I do not know what other backwards-breaking changes have been made since the version I pinned though, so it may not be so trivial depending on that. I would be happy to review a PR that makes these changes if you submit one.
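One way to implement the configurable mount option from step 2, as an added example that is not toil-rnaseq's or Toil's own code: it reads the SELinux mode from /sys/fs/selinux/enforce and appends :Z only on an enforcing host, for both the `docker run -v` form and the Docker Python API `volumes` mapping (how docker-py renders the mode string is an assumption). All function names are hypothetical.

```python
from typing import Dict, List

# Constructed example: helpers that add the SELinux relabel option (":Z") to a
# Docker bind mount only when the host enforces SELinux. Hypothetical names,
# not part of toil-rnaseq or Toil.

SELINUX_ENFORCE_PATH = "/sys/fs/selinux/enforce"


def parse_enforce_value(text: str) -> bool:
    """Interpret the contents of /sys/fs/selinux/enforce: "1" means enforcing."""
    return text.strip() == "1"


def selinux_enforcing(enforce_path: str = SELINUX_ENFORCE_PATH) -> bool:
    """True only when SELinux is loaded and enforcing. The file is absent when
    SELinux is not loaded, which counts as not enforcing."""
    try:
        with open(enforce_path) as fh:
            return parse_enforce_value(fh.read())
    except OSError:
        return False


def mount_options(relabel: bool, mode: str = "") -> str:
    """Options after host:container. ":Z" makes Docker relabel the host
    directory with a label private to this container; the relabel changes the
    host directory itself, so apply it only to the job's own work directory,
    never to one shared with host services or other containers."""
    return ",".join(o for o in (mode, "Z" if relabel else "") if o)


def volume_flag(host_dir: str, container_dir: str, relabel: bool) -> List[str]:
    """`docker run -v` argument: '/work:/data:Z' when relabelling, else '/work:/data'."""
    opts = mount_options(relabel)
    spec = "%s:%s" % (host_dir, container_dir) + (":" + opts if opts else "")
    return ["-v", spec]


def volume_mapping(host_dir: str, container_dir: str,
                   relabel: bool) -> Dict[str, Dict[str, str]]:
    """Same mount as the `volumes` mapping of the Docker Python API
    (containers.run(volumes=...)). Assumption: docker-py emits the mode
    string verbatim after the container path, so "rw,Z" becomes ":rw,Z"."""
    return {host_dir: {"bind": container_dir, "mode": mount_options(relabel, "rw")}}


def docker_run_argv(image: str, host_dir: str, container_dir: str = "/data",
                    enforce_path: str = SELINUX_ENFORCE_PATH) -> List[str]:
    """argv for a dockerCall-style run; the mount is relabelled only on an
    enforcing host, so the command is unchanged for non-SELinux users."""
    relabel = selinux_enforcing(enforce_path)
    return ["docker", "run", "--rm"] + volume_flag(host_dir, container_dir, relabel) + [image]
```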