DCAN-Labs / BIBSnet

This BIDS App provides the utility of creating a nnU-Net anatomical MRI segmentation and mask with an infant brain trained model. It can easily be included in other processing pipelines and for circumventing JLF within Nibabies.
https://bibsnet.readthedocs.io/en/latest/
Apache License 2.0

Permissions error using singularity with latest image (3.4.x) #132

Closed scott-huberty closed 1 month ago

scott-huberty commented 2 months ago

Can anyone replicate this issue using the latest image (3.4.1) with singularity?

```bash
singularity pull bibsnet_latest.sif docker://dcanumn/bibsnet:latest
singularity run --nv --cleanenv --no-home \
    -B /home/path/to/project/bids:/input \
    -B /home/path/to/project/derivatives:/output \
    -B /home/path/to/scratch:/workdir \
    -B /home/path/to/freesurfer/license.txt:/opt/freesurfer/license.txt \
    /home/path/to/bibsnet.sif \
    /input /output participant \
    -w workdir -participant 999
```

It will immediately fail with a permissions error on a file:

Full Stack Trace

```console
"uname": executable file not found in $PATH
Matplotlib created a temporary config/cache directory at /tmp/matplotlib-skmue9my because the default path (/home/hubers2/.config/matplotlib) is not a writable directory; it is highly recommended to set the MPLCONFIGDIR environment variable to a writable directory, in particular to speed up the import of Matplotlib and to better support multiprocessing.
Traceback (most recent call last):
  File "/home/bibsnet/bibsnet", line 50, in <module>
    main()
  File "/home/bibsnet/bibsnet", line 35, in main
    json_args, sub_ses_IDs = get_params([get_stage_name(stg) for stg in STAGES])
  File "/home/bibsnet/src/get_args.py", line 139, in get_params
    return validate_cli_args(vars(parser.parse_args()), stage_names,
  File "/home/bibsnet/src/get_args.py", line 224, in validate_cli_args
    models_df = get_df_with_valid_bibsnet_models(sub_ses_IDs[ix])
  File "/home/bibsnet/src/get_args.py", line 278, in get_df_with_valid_bibsnet_models
    models_df = pd.read_csv(os.path.join(SCRIPT_DIR, "data", "models.csv"))
  File "/opt/conda/lib/python3.8/site-packages/pandas/util/_decorators.py", line 311, in wrapper
    return func(*args, **kwargs)
  File "/opt/conda/lib/python3.8/site-packages/pandas/io/parsers/readers.py", line 586, in read_csv
    return _read(filepath_or_buffer, kwds)
  File "/opt/conda/lib/python3.8/site-packages/pandas/io/parsers/readers.py", line 482, in _read
    parser = TextFileReader(filepath_or_buffer, **kwds)
  File "/opt/conda/lib/python3.8/site-packages/pandas/io/parsers/readers.py", line 811, in __init__
    self._engine = self._make_engine(self.engine)
  File "/opt/conda/lib/python3.8/site-packages/pandas/io/parsers/readers.py", line 1040, in _make_engine
    return mapping[engine](self.f, **self.options)  # type: ignore[call-arg]
  File "/opt/conda/lib/python3.8/site-packages/pandas/io/parsers/c_parser_wrapper.py", line 51, in __init__
    self._open_handles(src, kwds)
  File "/opt/conda/lib/python3.8/site-packages/pandas/io/parsers/base_parser.py", line 222, in _open_handles
    self.handles = get_handle(
  File "/opt/conda/lib/python3.8/site-packages/pandas/io/common.py", line 702, in get_handle
    handle = open(
PermissionError: [Errno 13] Permission denied: '/home/bibsnet/data/models.csv'
```

If I enter into the singularity container with:


```bash
singularity shell --nv --cleanenv --no-home \
    -B /home/path/to/bids:/input \
    -B /home/path/to/derivatives:/output \
    -B /home/path/to/scratch:/workdir \
    -B /home/path/to/freesurfer/license.txt:/opt/freesurfer/license.txt \
    /home/path/to/bibsnet_latest.sif
```

and once I am in the container, I run:

```bash
ls -l /home/bibsnet/data/models.csv
```

indeed I confirm that others have no file permissions:

```console
-rwxrwx--- 1 root root 713 Aug 14 11:28 /home/bibsnet/data/models.csv
```

And it would seem that the 'user' inside the container launching these commands does not belong to the 'root' group (i.e. it falls under the others permissions) and has no permissions to the filesystem (the --- in -rwxrwx--- == no permissions).

I am running on a GPU cluster so debugging this is not necessarily trivial, so as a first pass I wanted to see if anyone can replicate this? If you launch BIBSnet with Singularity and the pipeline makes it longer than 10 seconds in, the answer is probably no 🙂

scott-huberty commented 2 months ago

After further investigation, I think this is a corner case that popped up because of a quirk at my institution's HPC cluster. I think that typically someone would launch a singularity container on a filesystem where they have user or group privileges, and those privileges are inherited in the container. This isn't the case for me (at least on my HPC), which is why I am hitting the error, because none of the files in home/bibsnet/data give any file permissions unless they come from someone with user or group privileges.

Technically I think the fix would be to give recursive others read execute permissions to the /home/bibsnet/data folder, something like:


```bash
chmod -R o+rx /home/bibsnet/data/
```

I took a peek and it does seem like other directories in that container have read execute permissions for the other group.

But really this choice is up to the maintainers, who would have to weigh whether it's a security concern to do this. No hurt feelings on my end if you choose not to.

In the meantime I am going to work around my issue by doing this myself on a fork of the bibsnet image.
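Added example (not part of the original comment and not BIBSnet project code): a shell sketch that lists which paths in a data tree are unusable by a non-owner, non-group user, then applies a narrower variant of the `chmod -R o+rx` idea above that gives others read on files and read plus traverse on directories, never write. The function names and the demo tree are constructed for illustration.

```bash
#!/bin/sh
# Singularity runs the container as the calling host user, not root, so a
# root:root file with mode 770 (like models.csv above) falls under "others".

# Print paths others cannot use: files without o+r, and directories
# without o+r and o+x (x is needed to traverse into the directory).
list_blocked_for_others() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# Least-privilege repair: others get read on files and read+traverse on
# directories; others never get write, and files do not gain o+x.
# Owner and group bits are left as they were.
open_read_only_for_others() {
    find "$1" -type d -exec chmod o+rx,o-w {} +
    find "$1" -type f -exec chmod o+r,o-w {} +
}

# Constructed demo tree mimicking the reported layout (not the real image).
demo() {
    demo_tmp="$(mktemp -d)"
    mkdir -p "$demo_tmp/data/models"
    printf 'model,age\n' > "$demo_tmp/data/models.csv"
    chmod 755 "$demo_tmp/data"
    chmod 770 "$demo_tmp/data/models" "$demo_tmp/data/models.csv"

    echo "blocked before repair:"
    list_blocked_for_others "$demo_tmp/data"

    open_read_only_for_others "$demo_tmp/data"

    echo "blocked after repair:"
    list_blocked_for_others "$demo_tmp/data"
    rm -rf "$demo_tmp"
}

demo
```

In an image build, the repair step would run as root during the build so the shipped tree is already readable; running the listing step inside `singularity shell` is a quick way to confirm which paths are affected.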

shreyagudapati9 commented 1 month ago

I received a permission error while using the latest image too. Any solution to resolve this?