broadinstitute / gatk

Official code repository for GATK versions 4 and up
https://software.broadinstitute.org/gatk

Docker container should allow use by non-privileged user #8856

Open potter-s opened 1 month ago

potter-s commented 1 month ago

Bug Report

Affected tool(s) or class(es)

N/A

Affected version(s)

Description

Dockerfile does not create unprivileged user account

Steps to reproduce

Expected behavior

I'd expect the user to be in an unprivileged account in /home/gatk when the container is started. If there is a use case for enabling root (say for allowing system installs) this should be an option (config or a separate Dockerfile).

Actual behavior

On docker run the user is root under /gatk. A container should not put the user in a root account upon startup. This is especially so in shared computing environments. I attempted to create a "gatk" account with `RUN useradd -d /home/gatk -ms /bin/bash gatk` (etc) in the Dockerfile but I get `Permission denied: '/root/.config/conda/.condarc'`.

gokalpcelik commented 1 month ago

Hi @potter-s, our docker image is already built with root account only; however, PATH is set to be usable by all users, so if you wish to keep user privileges after execution you may add the -u $UID:$GID parameter to the docker command line; therefore the container will run using your user permissions.

This has a catch of course. Temporary folders must be set where your user has RWX permissions therefore we want users to pay attention to that. There is a writing that we posted a while ago which you may refer to for setting up your temporary files for GATK workflows.

How to setup temporary folder for GATK local execution https://gatk.broadinstitute.org/hc/en-us/articles/18965297287067-How-to-setup-and-use-temporary-folder-for-GATK-local-execution

For some of the tools such as gCNV or CNN you may need to setup additional environment variables to locate python compilation directory to a place where you have read and write permissions.

I hope this helps.
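The following is an added example, not code from the GATK project or from either commenter, that puts the advice above into a small wrapper: it checks that the host temporary folder really is readable, writable and executable for the invoking user, then builds the docker command line with -u mapped to the caller's uid:gid, the host folder mounted as the container's /tmp, and HOME pointed at that writable mount so that conda and Java resolve the home directory to a location the unprivileged user can write (the reporter's Permission denied on /root/.config/conda/.condarc is exactly the kind of failure a read-only HOME produces). The image name broadinstitute/gatk and the --tmp-dir argument are assumptions on my part and are not quoted from the thread.

```shell
#!/bin/sh
# Added example, not part of the GATK project or of this issue thread.
# Assumptions (mine, not from the thread): the image tag "broadinstitute/gatk"
# and GATK's "--tmp-dir" argument.

# check_tmp_dir DIR
# Create DIR if needed and confirm the current user has RWX on it, which is
# the precondition the maintainer's note sets for GATK temporary folders.
# Returns 0 when usable, 1 otherwise.
check_tmp_dir() {
    dir="$1"
    mkdir -p "$dir" 2>/dev/null || return 1
    [ -r "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ] || return 1
    return 0
}

# build_gatk_cmd HOST_TMP_DIR [gatk args...]
# Print, without executing, the docker command that runs GATK as the calling
# user (-u uid:gid), with HOST_TMP_DIR mounted as /tmp inside the container,
# HOME set to that writable mount, and the current directory mounted at /data.
build_gatk_cmd() {
    tmp_dir="$1"; shift
    uid=$(id -u); gid=$(id -g)
    set -- docker run --rm -u "$uid:$gid" -e HOME=/tmp \
        -v "$tmp_dir:/tmp" -v "$PWD:/data" -w /data \
        broadinstitute/gatk gatk --tmp-dir /tmp "$@"
    printf '%s\n' "$*"
}

# run_gatk HOST_TMP_DIR [gatk args...]
# Validate the temporary folder first, then run the container for real.
run_gatk() {
    tmp_dir="$1"; shift
    check_tmp_dir "$tmp_dir" || {
        echo "temporary folder '$tmp_dir' is not RWX for uid $(id -u)" >&2
        return 1
    }
    uid=$(id -u); gid=$(id -g)
    set -- docker run --rm -u "$uid:$gid" -e HOME=/tmp \
        -v "$tmp_dir:/tmp" -v "$PWD:/data" -w /data \
        broadinstitute/gatk gatk --tmp-dir /tmp "$@"
    echo "+ $*" >&2
    "$@"
}

# Usage (only when this file is executed directly, not when sourced):
#   sh run_gatk.sh /scratch/$USER/gatk-tmp HaplotypeCaller -I in.bam ...
if [ "${0##*/}" = "run_gatk.sh" ] && [ $# -gt 0 ]; then
    run_gatk "$@"
fi
```

The command is printed before it runs so that a user on shared hardware can see exactly which host paths are mounted and which uid the process will carry; nothing inside the container is granted more than the invoking account already has on the host.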

potter-s commented 1 month ago

Hi,

Thanks for the response. Running with -u isn’t ideal as we can’t control how the user runs this (unless they do this on their own hardware or say a cloud instance).

However, I managed to convert the docker image into a singularity one and that runs ‘out of the box’ in user space.

Simon

On 3 Jun 2024, at 18:43, Gökalp Çelik @.***> wrote:

Hi @potter-s https://github.com/potter-s, our docker image is already built with root account only; however, PATH is set to be usable by all users, so if you wish to keep user privileges after execution you may add the -u $UID:$GID parameter to the docker command line; therefore the container will run using your user permissions.

This has a catch of course. Temporary folders must be set where your user has RWX permissions therefore we want users to pay attention to that. There is a writing that we posted a while ago which you may refer to for setting up your temporary files for GATK workflows.

How to setup temporary folder for GATK local execution https://gatk.broadinstitute.org/hc/en-us/articles/18965297287067-How-to-setup-and-use-temporary-folder-for-GATK-local-execution

For some of the tools such as gCNV or CNN you may need to setup additional environment variables to locate python compilation directory to a place where you have read and write permissions.

I hope this helps.
