DeiC-HPC / cotainr

cotainr - a user space Apptainer/Singularity container builder.
European Union Public License 1.2

cotainr build fails if base image contains files with restricted permissions #48

Closed Chroxvi closed 10 months ago

Chroxvi commented 10 months ago

If a base image (e.g. docker://opensuse/leap:15.4) contains files that are owned by root or otherwise have restricted permissions, cotainr fails when trying to build a SIF image from such a base image. Here is a minimal reproducible example on LUMI:

schouoxvig@uan01:~> module load LUMI/23.03
schouoxvig@uan01:~> module load cotainr
schouoxvig@uan01:~> cotainr build test.sif --base-image=docker://opensuse/leap:15.4
Cotainr:-: Creating Singularity Sandbox
SingularitySandbox.err:-: WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
SingularitySandbox.err:-: WARNING: The sandbox contain files/dirs that cannot be removed with 'rm'.
SingularitySandbox.err:-: WARNING: Use 'chmod -R u+rwX' to set permissions that allow removal.
SingularitySandbox.err:-: WARNING: Use the '--fix-perms' option to 'singularity build' to modify permissions at build time.
Cotainr:-: Adding metadata to container
Cotainr:-: Building container image
SingularitySandbox.err:-: WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
SingularitySandbox.err:-: FATAL:   While performing build: packer failed to pack: copy Failed: symlink GlobalSign_Root_R46.pem /tmp/schouoxvig/build-temp-2702805790/rootfs/var/lib/ca-certificates/openssl/002c0b4f.0: permission denied
Traceback (most recent call last):
  File "/appl/lumi/SW/LUMI-23.03/common/EB/cotainr/2023.11.0-cray-python-3.9.13.1/bin/cotainr", line 14, in <module>
    sys.exit(main())
  File "/pfs/lustrep2/appl/lumi/SW/LUMI-23.03/common/EB/cotainr/2023.11.0-cray-python-3.9.13.1/cotainr/cli.py", line 594, in main
    cli.subcommand.execute()
  File "/pfs/lustrep2/appl/lumi/SW/LUMI-23.03/common/EB/cotainr/2023.11.0-cray-python-3.9.13.1/cotainr/cli.py", line 253, in execute
    sandbox.build_image(path=self.image_path)
  File "/pfs/lustrep2/appl/lumi/SW/LUMI-23.03/common/EB/cotainr/2023.11.0-cray-python-3.9.13.1/cotainr/container.py", line 183, in build_image
    self._subprocess_runner(
  File "/pfs/lustrep2/appl/lumi/SW/LUMI-23.03/common/EB/cotainr/2023.11.0-cray-python-3.9.13.1/cotainr/container.py", line 334, in _subprocess_runner
    return util.stream_subprocess(
  File "/pfs/lustrep2/appl/lumi/SW/LUMI-23.03/common/EB/cotainr/2023.11.0-cray-python-3.9.13.1/cotainr/util.py", line 136, in stream_subprocess
    completed_process.check_returncode()
  File "/opt/cray/pe/python/3.9.13.1/lib/python3.9/subprocess.py", line 460, in check_returncode
    raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['singularity', '-q', '--nocolor', 'build', '--force', PosixPath('/pfs/lustrep2/users/schouoxvig/test.sif'), PosixPath('/tmp/tmpxfw37gwy/singularity_sandbox')]' returned non-zero exit status 255.

Chroxvi commented 10 months ago

Cotainr is a user space container build tool. The only way we can handle this is by modifying the permissions of those files with restricted permissions. Using the --fix-perms option when creating the singularity sandbox, as suggested in the warnings produced by singularity, seems like a good solution.
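What the `chmod -R u+rwX` / `--fix-perms` remedy from the warnings actually does to the sandbox, as an added illustration that is not cotainr's own code: a Python re-implementation of the `u+rwX` rule walked top-down over a sandbox tree, exercised on a constructed directory that mirrors the failing `var/lib/ca-certificates/openssl` path from the traceback (the certificate file content is a placeholder, not a real certificate).

```python
import os
import stat
import tempfile
from pathlib import Path


def u_rwx_mode(st: os.stat_result) -> int:
    """Mode 'chmod u+rwX' yields: owner rw always, owner x only for dirs or already-executable files."""
    mode = stat.S_IMODE(st.st_mode)
    wanted = mode | stat.S_IRUSR | stat.S_IWUSR
    if stat.S_ISDIR(st.st_mode) or mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        wanted |= stat.S_IXUSR
    return wanted


def fix_sandbox_perms(sandbox: Path) -> list[Path]:
    """Apply 'u+rwX' to every entry of the sandbox tree so later copy/remove steps
    do not hit 'permission denied'; symlinks are skipped. Returns the paths changed."""
    changed: list[Path] = []

    def fix(path: Path) -> None:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):  # chmod would follow the link, possibly out of the tree
            return
        wanted = u_rwx_mode(st)
        if wanted != stat.S_IMODE(st.st_mode):
            os.chmod(path, wanted)
            changed.append(path)

    fix(sandbox)
    # topdown=True: a directory is fixed before os.walk descends into it (no owner r+x, no listing)
    for root, dirs, files in os.walk(sandbox, topdown=True):
        for name in dirs + files:
            fix(Path(root) / name)
    return changed


def demo_sandbox() -> dict:
    """Constructed sample tree mirroring the failing path in the issue: a read-only
    certificate directory and file, fixed and then inspected."""
    root = Path(tempfile.mkdtemp(prefix="sandbox-"))
    cert_dir = root / "var" / "lib" / "ca-certificates" / "openssl"
    cert_dir.mkdir(parents=True)
    cert = cert_dir / "GlobalSign_Root_R46.pem"
    cert.write_text("placeholder, not a real certificate\n")
    os.chmod(cert, 0o444)      # owner cannot write or remove it
    os.chmod(cert_dir, 0o555)  # owner cannot create the symlink inside it
    changed = fix_sandbox_perms(root)
    return {"changed": sorted(str(p.relative_to(root)) for p in changed),
            "dir_mode": stat.S_IMODE(os.stat(cert_dir).st_mode),
            "file_mode": stat.S_IMODE(os.stat(cert).st_mode)}
```

Only the owner bits are widened; group and other permissions inside the sandbox are left as the base image shipped them.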