aces / CIVET_Full_Project

CIVET Installer
http://www.bic.mni.mcgill.ca/ServicesSoftware/CIVET-2-1-0-Source-Code-Access-and-Binaries

Fix permissions of CIVET install so unprivileged Singularity users can run the container #3

Closed gdevenyi closed 4 years ago

gdevenyi commented 4 years ago

Testing a singularity deployment of the docker container, I found we can't actually run the container:

```
> singularity build civet_2.1.1.img docker://mcin/civet:2.1.1
INFO:    Starting build...
Getting image source signatures
Copying blob 2746a4a261c9 done
Copying blob 4c1d20cdee96 done
Copying blob 0d3160e1d0de done
Copying blob c8e37668deea done
Copying blob a34007e3ec19 done
Copying blob 3348fdd254cc done
Copying blob c59f168518bf done
Copying blob de8600d7ff63 done
Copying config 66d3cdf03c done
Writing manifest to image destination
Storing signatures
2020/02/18 10:42:17  info unpack layer: sha256:2746a4a261c9e18bfd7ff0429c18fd7522acc14fa4c7ec8ab37ba5ebaadbc584
2020/02/18 10:42:20  info unpack layer: sha256:4c1d20cdee96111c8acf1858b62655a37ce81ae48648993542b7ac363ac5c0e5
2020/02/18 10:42:20  info unpack layer: sha256:0d3160e1d0de4061b5b32ee09af687b898921d36ed9556df5910ddc3104449cd
2020/02/18 10:42:20  info unpack layer: sha256:c8e37668deea784f47c8726d934adc12b8d20a2b1c50b0b0c18cb62771cd3684
2020/02/18 10:42:20  info unpack layer: sha256:a34007e3ec1929cd131f2a6c369233ec713be68efc03268c2c3f18a6781f9ecf
2020/02/18 10:42:20  info unpack layer: sha256:3348fdd254cc5b650374e5410be5d536a51ac22dc586d825421ebcb69344fabe
2020/02/18 10:42:42  info unpack layer: sha256:c59f168518bffb3e96ab38074b0c2bb539139ca4ce3a6a222ceca7be8ed210d1
2020/02/18 10:42:42  info unpack layer: sha256:de8600d7ff639e8c4e4fc288787d2a085b05bf77aaa72a2d617f08899a95c335
INFO:    Creating SIF file...
INFO:    Build complete: civet_2.1.1.img
> singularity run civet_2.1.1.img
/.singularity.d/runscript: 39: exec: /opt/CIVET/Linux-x86_64/CIVET-2.1.1/CIVET_Processing_Pipeline: Permission denied
```

Turns out that the CIVET install is root:root and missing "other" permission:

```
> singularity exec civet_2.1.1.img ls -l /opt/CIVET/Linux-x86_64
total 4
drwxr-x---  4 root root  509 Jan 10 13:41 CIVET-2.1.1
drwxrwxr-x  2 root root 8692 Jan 10 13:30 bin
drwxr-xr-x  3 root root   38 Jan 10 13:17 doc
drwxr-x---  3 root root   34 Jan 10 13:11 etc
drwxr-x---  8 root root 1670 Jan 10 13:25 include
-rw-r-----  1 root root 1581 Jan 10 13:40 init.csh
-rw-r-----  1 root root 1582 Jan 10 13:40 init.sh
drwxr-x---  4 root root 1068 Jan 10 13:27 lib
drwxr-x---  7 root root  185 Jan 10 13:00 perl
drwxr-x--- 18 root root  303 Jan 10 13:41 share
```

This patch fixes the permissions of the CIVET install so "other" can access the files, allowing Singularity users to run the container.

WIP because my local build is still building.

sandywang commented 4 years ago

Hi Gabriel, thank you very much for the test. Your modification looks good to me; if Pierre doesn't have any other comments, I will merge this commit.

Best, Xindi

prioux commented 4 years ago

Looks totally good to me, it's just +rX, which I like.

Although... maybe we can be more selective in making everything executable, even data files. The x bit should be only on files that we want the Linux loader to be able to load. But then it doesn't make much difference.

gdevenyi commented 4 years ago

Big X only sets execute on directories (required) and files already executable

gdevenyi commented 4 years ago

execute/search only if the file is a directory or already has execute permission for some user (X),

Ref: https://linux.die.net/man/1/chmod
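
The `X` behaviour quoted above, shown on a constructed tree that carries the same `750`/`640` modes as the listing in the issue. This is an added example, not the patch from this pull request: the `chmod -R o+rX` invocation is an assumed form of the "+rX" fix, and `model.dat` and the temp directory are sample data.

```shell
#!/bin/sh
# Constructed tree: names under the temp dir are sample data, not the real install.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/CIVET-2.1.1/share"
    printf 'data\n' > "$root/CIVET-2.1.1/share/model.dat"        # data file
    printf '#!/bin/sh\n' > "$root/CIVET-2.1.1/CIVET_Processing_Pipeline"
    printf 'export DEMO=1\n' > "$root/init.sh"
    # Same owner/group-only modes as the listing in the issue.
    chmod 750 "$root" "$root/CIVET-2.1.1" "$root/CIVET-2.1.1/share" \
              "$root/CIVET-2.1.1/CIVET_Processing_Pipeline"
    chmod 640 "$root/init.sh" "$root/CIVET-2.1.1/share/model.dat"
    printf '%s\n' "$root"
}

# Paths "other" cannot use: dirs without o+rx, files without o+r,
# and owner-executable files without o+x.
audit_other() {
    find "$1" \( -type d ! -perm -005 \) -o \
              \( -type f ! -perm -004 \) -o \
              \( -type f -perm -100 ! -perm -001 \) | sort
}

# Assumed form of the fix: read for other, X = search/execute only on
# directories and on files that already carry an execute bit.
fix_other() { chmod -R o+rX "$1"; }

# Mode string as `ls -l` prints it (first 10 columns).
mode_of() { ls -ld "$1" | cut -c1-10; }

demo=$(make_tree)
echo "blocked before fix:"; audit_other "$demo"
fix_other "$demo"
echo "blocked after fix:";  audit_other "$demo"
for p in CIVET-2.1.1 CIVET-2.1.1/CIVET_Processing_Pipeline \
         CIVET-2.1.1/share/model.dat init.sh; do
    printf '%s %s\n' "$(mode_of "$demo/$p")" "$p"
done
rm -rf "$demo"
```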

prioux commented 4 years ago

Oh great, I forgot that, wonder what I was thinking.

All good.

gdevenyi commented 4 years ago

It looks like the docker hub is updated manually? Can someone push a new version? Thanks!

gdevenyi commented 4 years ago

Also, a possibility: https://docs.docker.com/docker-hub/builds/

gdevenyi commented 4 years ago

Hi, following up again, could someone please use this updated builder to upload a new container to dockerhub?

prioux commented 4 years ago

Hi @gdevenyi, I'd forgotten I'm the one who created that container. It's not even normally my responsibility (I'm not a CIVET dev after all), but I'll build a new one right away.

gdevenyi commented 4 years ago

Cheers thanks, sorry I should've tagged you specifically, since I did know this when I looked at the docker tag :)

prioux commented 4 years ago

@gdevenyi it's building now. I'm not sure how I'll tag it at the end, on DockerHub. Should I just call it mcin/civet:2.1.1 again? It seems wrong. But then, there are NO changes in the scientific code I think. What do you think?

gdevenyi commented 4 years ago

You could add a -build2 tag. I also agree it doesn't change the scientific code so it shouldn't matter though.

prioux commented 4 years ago

I pushed it with the same tag.

Can you try it out and let me know if it's OK? I checked the permissions inside the container and they seem ok.

gdevenyi commented 4 years ago

Permissions are now correct :+1: