non-readable python files in a container

[yarikoptic]

What happened?

origin:

• https://github.com/ReproNim/containers/issues/118

Since 23.1.1 (ok in 23.1.0) converted to singularity image is not usable due to .py files being not given read permissions to anyone but the root! And as this showed -- there is apparently python3.1 folder there too!!!

git)smaug:~/proj/repronim/containers[master]images/bids
$> PAGER=more singularity exec bids-mriqc--23.1.1.sing bash -c 'ls -ld /opt/conda/lib/python*/encodings/__init__.py'
-rwx------ 1 root root 5884 Feb 16 16:20 /opt/conda/lib/python3.1/encodings/__init__.py
-rwx------ 1 root root 5884 Feb 16 16:20 /opt/conda/lib/python3.11/encodings/__init__.py

$> PAGER=more singularity exec bids-mriqc--23.1.0.sing bash -c 'ls -ld /opt/conda/lib/python*/encodings/__init__.py'
-rw-rw-r-- 1 root root 5588 Mar 24  2022 /opt/conda/lib/python3.9/encodings/__init__.py

NB the python3.1 is I guess a poor man workaround for something

$> PAGER=more singularity exec bids-mriqc--23.1.1.sing bash -c 'ls -ld /opt/conda/lib/python*'
lrwxrwxrwx  1 root root   10 Mar 18 11:27 /opt/conda/lib/python3.1 -> python3.11
drwxr-xr-x 39 root root 3968 Mar 18 11:27 /opt/conda/lib/python3.11

I am yet to find a host with over 30GB of space in / to pull the origina docker image to see if permissions are indeed that wrong.

What command did you use?

singularity container was built from a rudimentary Singularity file

(git)smaug:~/proj/repronim/containers[master]images/bids
$> cat Singularity.bids-mriqc--23.1.1
#
# Automagically prepared for ReproNim/containers distribution.
# See http://github.com/ReproNim/containers for more info
#
Bootstrap: docker
From: nipreps/mriqc:23.1.1

%post

# Create commonly present root directories to avoid need in overlays not supported
# on older systems
mkdir -p /ihome /data /data2 /zfs /isi /dartfs /dartfs-hpc

%environment
export LANG="C.UTF-8"
export LC_ALL="C.UTF-8"

### What version of the software are you running?

23.1.1

### How are you running this software?

Singularity

### Is your data BIDS valid?

Yes

### Are you reusing any previously computed results?

No

### Please copy and paste any relevant log output.

_No response_

### Additional information / screenshots

_No response_

[jbwexler]

I wasn't able to replicate this:

(main) login4.frontera(1032)$ singularity exec bids-mriqc--23.1.1.sing bash -c 'ls -ld /opt/conda/lib/python*/encodings/__init__.py'
-rwxr-xr-x 1 nobody nogroup 5884 Feb 16 15:20 /opt/conda/lib/python3.1/encodings/__init__.py
-rwxr-xr-x 1 nobody nogroup 5884 Feb 16 15:20 /opt/conda/lib/python3.11/encodings/__init__.py

But I am getting this issue, not sure if it's related: https://github.com/poldracklab/tacc-openneuro/issues/86

[yarikoptic]

hm, thank you @jbwexler ! Indeed something odd since it is the same (good one) at docker level:

yoh@typhon:~$ docker run --rm --entrypoint bash nipreps/mriqc:23.1.1 -c 'ls -ld /opt/conda/lib/python*/encodings/__init__.py'
-rw-rw-r-- 2 root root 5884 Feb 16 21:20 /opt/conda/lib/python3.11/encodings/__init__.py
-rw-rw-r-- 2 root root 5884 Feb 16 21:20 /opt/conda/lib/python3.1/encodings/__init__.py

so somehow those two specific conversions were different on my end for some reason. The only thing which comes to mind is that I could have ran interactively in my session where I have more restrictive umask and that is somehow affected conversion... looking at git log I do not see reflections of that (images were contributed spread in time etc).

Overall, I guess this issue could be closed as seems to have no manifestation in the original docker image(s)