Open potter-s opened 1 month ago
Hi @potter-s
Our docker image is already built with root account only, however `PATH` is set to be usable by all users, so if you wish to keep user privileges after execution you may add the `-u $UID:$GID` parameter to the docker command line, therefore the container will run using your user permissions.
This has a catch of course. Temporary folders must be set where your user has RWX permissions, therefore we want users to pay attention to that. There is a writing that we posted a while ago which you may refer to for setting up your temporary files for GATK workflows.
How to setup temporary folder for GATK local execution
For some of the tools such as gCNV or CNN you may need to set up additional environment variables to locate the python compilation directory to a place where you have read and write permissions.
I hope this helps.
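A wrapper for the `-u $UID:$GID` approach described in the reply above, added here as an example (it is not GATK project code): it refuses to start unless the temporary folder is a directory the calling user can read, write and traverse. The `/scratch` mount point, the `HOME` and `TMPDIR` settings, the `DOCKER` and `GATK_IMAGE` variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: run a root-built image as the calling user, with a
# pre-checked temporary folder. Names below are this example's assumptions.

DOCKER="${DOCKER:-docker}"
# Placeholder image reference: replace <tag> with the release you use.
GATK_IMAGE="${GATK_IMAGE:-broadinstitute/gatk:<tag>}"

# Succeeds only if $1 is an existing directory that the current user can
# read, write and traverse (the RWX condition from the reply above).
tmp_dir_usable() {
    [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# run_as_user HOST_TMP_DIR COMMAND [ARGS...]
# Mounts HOST_TMP_DIR at /scratch and runs COMMAND with the caller's
# numeric uid:gid instead of the image's default root account.
run_as_user() {
    _tmp=$1
    shift
    if ! tmp_dir_usable "$_tmp"; then
        echo "error: '$_tmp' must be a directory with rwx for uid $(id -u)" >&2
        return 1
    fi
    # -u with uid 0 keeps root inside the container, so say so loudly.
    [ "$(id -u)" -ne 0 ] || echo "warning: caller is root, nothing is dropped" >&2
    # docker -v requires an absolute host path.
    _tmp=$(cd "$_tmp" && pwd -P)
    # HOME and TMPDIR point at the mount so per-user config and temporary
    # files land somewhere writable (assumption of this example).
    "$DOCKER" run --rm \
        -u "$(id -u):$(id -g)" \
        -v "$_tmp:/scratch" \
        -e HOME=/scratch -e TMPDIR=/scratch \
        "$GATK_IMAGE" "$@"
}

# Usage (GATK tools take their temporary folder via --tmp-dir):
#   mkdir -p "$PWD/gatk-tmp"
#   run_as_user "$PWD/gatk-tmp" gatk <Tool> ... --tmp-dir /scratch
```

Files created under the mounted folder are owned by the calling user on the host, so no root-owned output is left behind in a shared environment.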
Hi,
Thanks for the response. Running with -u isn’t ideal as we can’t control how the user runs this (unless they do this on their own hardware or say a cloud instance).
However, I managed to convert the docker image into a singularity one and that runs ‘out of the box’ in user space.
Simon
On 3 Jun 2024, at 18:43, Gökalp Çelik @.***> wrote:
Hi @potter-s https://github.com/potter-s Our docker image is already built with root account only, however `PATH` is set to be usable by all users, so if you wish to keep user privileges after execution you may add the `-u $UID:$GID` parameter to the docker command line, therefore the container will run using your user permissions.
This has a catch of course. Temporary folders must be set where your user has RWX permissions, therefore we want users to pay attention to that. There is a writing that we posted a while ago which you may refer to for setting up your temporary files for GATK workflows.
How to setup temporary folder for GATK local execution https://gatk.broadinstitute.org/hc/en-us/articles/18965297287067-How-to-setup-and-use-temporary-folder-for-GATK-local-execution
For some of the tools such as gCNV or CNN you may need to set up additional environment variables to locate the python compilation directory to a place where you have read and write permissions.
I hope this helps.
Bug Report
Affected tool(s) or class(es)
N/A
Affected version(s)
Description
Dockerfile does not create unprivileged user account
Steps to reproduce
Expected behavior
I'd expect the user to be in an unprivileged account in `/home/gatk` when the container is started. If there is a use case for enabling root (say for allowing system installs) this should be an option (config or a separate Dockerfile).
Actual behavior
On `docker run` the user is root under `/gatk`. A container should not put the user in a root account upon startup. This is especially so in shared computing environments. I attempted to create a "gatk" account with `RUN useradd -d /home/gatk -ms /bin/bash gatk` (etc) in the Dockerfile but I get `Permission denied: '/root/.config/conda/.condarc'`.