apptainer / apptainer-admindocs


Clarification needed about localstatedir #165

Closed biochem-fan closed 4 months ago

biochem-fan commented 4 months ago

Which Document page:

https://apptainer.org/docs/admin/main/installation.html#filesystem-support-limitations

Expected results:

Requirements about localstatedir (and SESSIONDIR) are clearly stated.

Actual results:

I am new to Apptainer and get confused about localstatedir (and SESSIONDIR). Clarification of the document would be very useful.

Suppose the software account (without root privileges) installs Apptainer to a shared file system of a cluster and wants to let other people use it.

  1. What permission should the directory have? The old Singularity documentation says it must be 0755 and owned by root:root, but the Apptainer document does not say anything. This GitHub issue comment says "It does not need to be writable". Does this still apply?
  2. The same issue comment also says "Most important is that the directory has to pre-exist". If we specify /var, is it OK, because it is present on every node? Or do we have to manually make subdirectories (e.g. /var/lib/apptainer/mnt/session) on every node? (But this would require root privileges; in such a case we could use /tmp instead.)

DrDaveD commented 4 months ago

I think that github issue comment was referring to /var/apptainer/mnt/session, not to everything in localstatedir. That directory needs to pre-exist and doesn't need to be writable.

All that documentation about localstatedir and installing on a network filesystem is quite old and I hadn't even noticed it before. I'm not sure how accurate it is anymore or what they were referring to. I know that I have had great success with installing apptainer entirely in a read-only network filesystem, with nothing on the local node. I even use install-unprivileged.sh to install relocatable pre-built binaries there. The implications may be different if you need a setuid installation, but probably we should just delete that documentation to prevent it from misleading people.

biochem-fan commented 4 months ago

Thank you very much for your reply.

> I know that I have had great success with installing apptainer entirely in a read-only network filesystem, with nothing on the local node. I even use install-unprivileged.sh to install relocatable pre-built binaries there.

Yes, I also tried install-unprivileged.sh on a login node to install Apptainer in an NFS-mounted user area without root privileges. It seems the binary is usable by other user accounts and on other cluster nodes, but I tested only the alpine image and am not sure whether other functionality also works. This is why I asked here.

If developers suspect the paragraph is a false alarm, I will let our users try the binary and see if problems arise.

DrDaveD commented 4 months ago

Yes, I don't think the info about localstatedir is relevant, at least if you're not using setuid mode.

DrDaveD commented 4 months ago

On the other hand there may be some network filesystem types that aren't supported as the lower layer for overlay. That's kind of the main point of that documentation section. I guess the best advice is to try it and see if it works. fuse-overlayfs works in more cases than kernel overlayfs, so if you can use that you might not even notice it falling back to using fuse-overlayfs.
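
A per-node preflight check covering the two points DrDaveD raises above: the session directory under localstatedir must pre-exist but need not be writable, and kernel overlayfs may reject a network filesystem as the lower layer, with fuse-overlayfs as the fallback. This is an added example, not code from the Apptainer project or from either participant in this thread; the default session directory path (/var/apptainer/mnt/session) and the install-directory argument are assumptions to be adjusted to your build's localstatedir and install location.

```shell
#!/bin/sh
# Added example (not Apptainer project code): preflight check to run on each
# cluster node before letting users pick up a shared, unprivileged install.

# check_sessiondir DIR
# Returns 0 if DIR exists and is a directory, the only hard requirement
# stated in the thread; returns 1 if it is missing. Whether the caller can
# write to it is reported for information only, since it need not be writable.
check_sessiondir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir must pre-exist on this node" >&2
        return 1
    fi
    if [ -w "$dir" ]; then
        echo "ok: $dir exists (writable by $(id -un); not required)"
    else
        echo "ok: $dir exists (read-only for $(id -un); that is fine)"
    fi
    return 0
}

# fs_type PATH
# Prints the filesystem type holding PATH (GNU stat -f), or "unknown" where
# that option is unavailable. Network types such as nfs or lustre are the
# cases where kernel overlayfs may refuse to use the install as a lower layer.
fs_type() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# overlay_backend
# Prints "fuse-overlayfs" if that binary is on PATH (the fallback Apptainer
# can use when kernel overlayfs does not work), otherwise "none".
overlay_backend() {
    if command -v fuse-overlayfs >/dev/null 2>&1; then
        echo fuse-overlayfs
    else
        echo none
    fi
}

# preflight [SESSIONDIR] [INSTALLDIR]
# Runs all checks; exits non-zero only for the hard requirement. The default
# session directory path is an assumption; use your build's localstatedir.
preflight() {
    sessiondir=${1:-/var/apptainer/mnt/session}
    installdir=${2:-.}
    check_sessiondir "$sessiondir" || return 1
    echo "install fs type: $(fs_type "$installdir")"
    echo "fuse-overlayfs:  $(overlay_backend)"
}

# Usage on a node:  sh preflight.sh  (or: preflight /var/lib/apptainer/mnt/session /nfs/apps/apptainer)
```

If the session directory is missing on some nodes and you cannot create it as root, rebuilding or reinstalling with a localstatedir that already exists everywhere (the /tmp option from the question) avoids the problem; the overlay question still has to be settled by running a container on a node with the network filesystem mounted.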

DrDaveD commented 4 months ago

@biochem-fan How does #168 look to you? Is it clearer?

biochem-fan commented 4 months ago

@DrDaveD Yes, the proposed change is better. Thanks!