Open JohnWalshTempus opened 6 months ago
Minor typo, not sure if it's what you actually tried:
```
process { containerOptions = "-u 1000:1000" }
```
Thanks, corrected that but the issue is still there with `/mnt/disks/**` access.
containerOptions are propagating to my batch runnable definition when I describe the job with gcloud:
Likely need to look at the GCS mount options to see if there is anything related to permissions: https://github.com/nextflow-io/nextflow/blob/fd27fbc16a4a503c7292f3a22a35692c812141f3/plugins/nf-google/src/main/nextflow/cloud/google/batch/GoogleBatchScriptLauncher.groovy#L126-L142
If you can submit a job through gcloud and play with these options, and find something that works, it should be trivial to update in Nextflow.
So far I've had success with the following but it fails when allow_other is removed. allow_other was removed for some reason back in https://github.com/nextflow-io/nextflow/pull/4332 - I've found these docs on the security implications https://github.com/torvalds/linux/blob/a33f32244d8550da8b4a26e277ce07d5c6d158b5/Documentation/filesystems/fuse.txt#L218-L310
```
.addAllMountOptions( ['-o rw,allow_other', '--file-mode=777', '--dir-mode=777', '-implicit-dirs'] ) // working option 1
.addAllMountOptions( ['-o rw,allow_other', '--uid=1000', '--gid=1000', '-implicit-dirs'] ) // working option 2
```
Bug report
Expected behavior and actual behavior
The GCP Batch executor (`google-batch`) should allow non-root users for improved security concerns. Today, only the root user can access files under `/mnt/disks/**`.
Steps to reproduce the problem
I have pushed two public docker images, one with `root` as the default user, another with `worker` as the default user. These can be found on dockerhub at:
The workflow I am running is as follows
main.nf:
nextflow.config:
Program output
The execution is successful in the root image, while the non-root image gives the following error in the GCP Batch logs:
nextflow.log
```
Apr-03 13:08:58.219 [main] DEBUG nextflow.cli.Launcher - $> nextflow run .
Apr-03 13:08:58.274 [main] INFO nextflow.cli.CmdRun - N E X T F L O W ~ version 23.10.1
Apr-03 13:08:58.288 [main] DEBUG nextflow.plugin.PluginsFacade - Setting up plugin manager > mode=prod; embedded=false; plugins-dir=/Users/John.Walsh/.nextflow/plugins; core-plugins: nf-amazon@2.1.4,nf-azure@1.3.3,nf-cloudcache@0.3.0,nf-codecommit@0.1.5,nf-console@1.0.6,nf-ga4gh@1.1.0,nf-google@1.8.3,nf-tower@1.6.3,nf-wave@1.0.1
Apr-03 13:08:58.299 [main] INFO o.pf4j.DefaultPluginStatusProvider - Enabled plugins: []
Apr-03 13:08:58.300 [main] INFO o.pf4j.DefaultPluginStatusProvider - Disabled plugins: []
Apr-03 13:08:58.302 [main] INFO org.pf4j.DefaultPluginManager - PF4J version 3.4.1 in 'deployment' mode
Apr-03 13:08:58.309 [main] INFO org.pf4j.AbstractPluginManager - No plugins
Apr-03 13:08:58.636 [main] DEBUG nextflow.config.ConfigBuilder - Found config local: /Users/John.Walsh/Learn/nf-minimal-issue/nextflow.config
Apr-03 13:08:58.637 [main] DEBUG nextflow.config.ConfigBuilder - Parsing config file: /Users/John.Walsh/Learn/nf-minimal-issue/nextflow.config
Apr-03 13:08:58.641 [main] DEBUG nextflow.config.ConfigBuilder - Applying config profile: `standard`
Apr-03 13:08:58.681 [main] DEBUG nextflow.cli.CmdRun - Applied DSL=2 by global default
Apr-03 13:08:58.706 [main] INFO nextflow.cli.CmdRun - Launching `./main.nf` [furious_plateau] DSL2 - revision: 0f6cc6a24a
Apr-03 13:08:58.707 [main] DEBUG nextflow.plugin.PluginsFacade - Plugins default=[nf-google@1.8.3]
Apr-03 13:08:58.707 [main] DEBUG nextflow.plugin.PluginsFacade - Plugins resolved requirement=[nf-google@1.8.3]
Apr-03 13:08:58.707 [main] DEBUG nextflow.plugin.PluginUpdater - Installing plugin nf-google version: 1.8.3
Apr-03 13:08:58.738 [main] INFO org.pf4j.AbstractPluginManager - Plugin 'nf-google@1.8.3' resolved
Apr-03 13:08:58.739 [main] INFO org.pf4j.AbstractPluginManager - Start plugin 'nf-google@1.8.3'
Apr-03 13:08:58.812 [main] DEBUG nextflow.plugin.BasePlugin - Plugin started nf-google@1.8.3
Apr-03 13:08:58.823 [main] DEBUG n.secret.LocalSecretsProvider - Secrets store: /Users/John.Walsh/.nextflow/secrets/store.json
Apr-03 13:08:58.825 [main] DEBUG nextflow.secret.SecretsLoader - Discovered secrets providers: [nextflow.secret.LocalSecretsProvider@12b5736c] - activable => nextflow.secret.LocalSecretsProvider@12b5736c
Apr-03 13:08:58.859 [main] DEBUG nextflow.Session - Session UUID: 11a85f03-9fcc-4ee8-940b-a606ff267b8d
Apr-03 13:08:58.860 [main] DEBUG nextflow.Session - Run name: furious_plateau
Apr-03 13:08:58.860 [main] DEBUG nextflow.Session - Executor pool size: 10
Apr-03 13:08:59.048 [main] DEBUG nextflow.file.FilePorter - File porter settings maxRetries=3; maxTransfers=50; pollTimeout=null
Apr-03 13:08:59.051 [main] DEBUG nextflow.util.ThreadPoolBuilder - Creating thread pool 'FileTransfer' minSize=10; maxSize=30; workQueue=LinkedBlockingQueue[10000]; allowCoreThreadTimeout=false
Apr-03 13:08:59.268 [main] DEBUG nextflow.cli.CmdRun - Version: 23.10.1 build 5891
  Created: 12-01-2024 22:01 UTC (16:01 CDT)
  System: Mac OS X 13.4.1
  Runtime: Groovy 3.0.19 on OpenJDK 64-Bit Server VM 11.0.21+0
  Encoding: UTF-8 (UTF-8)
  Process: 73834@TMREM00010367.local [192.168.1.66]
  CPUs: 10 - Mem: 16 GB (64.9 MB) - Swap: 9 GB (327.2 MB)
Apr-03 13:08:59.286 [main] DEBUG nextflow.Session - Work-dir: gs://
```
Additionally, running
```
gcloud beta batch jobs describe projects/<project-id>/locations/us-west1/jobs/<my-nf-job> --format json
```
gives a consistent output like:
Environment
Additional context
Other attempts to address the issue
```
process { containerOptions = "--user worker" }
process { containerOptions = "--u 1000:1000" } // worker's user/group id
```
I am wondering if there's a need for an explicit option like the docker executor's `fixOwnership`.