search

rocker-org / rocker-versioned

Run current & prior versions of R using docker
https://hub.docker.com/r/rocker/r-ver
GNU General Public License v2.0
297 stars 169 forks source link

Add PAM helper script for Singularity #71

Closed nathanweeks closed 6 years ago

nathanweeks commented 6 years ago

Minimal POSIX shell script for enforcing password authentication (via the PASSWORD environment variable) when rocker RStudio is run as a Singularity container. The username will be the local (unix) username.

Example usage:

PASSWORD='...' singularity exec IMAGE rserver --auth-none 0 --auth-pam-helper-path=auth_singularity

Addresses https://github.com/rocker-org/rocker/issues/277

nathanweeks commented 6 years ago

I'll add that an alternative (or perhaps an addition) to adding such a script to the Docker image requiring a bit more setup and a little more maintenance---at least I think, as I've never actually done it before---could be to add a short Singularity build recipe for each Dockerfile that specifies that Docker image version as the base, and copies the script into the Singularity image. The Singularity images would be hosted on Singularity Hub (see the Singularity Hub documentation).

I'll leave it up to the rocker maintainers as to which approach they would prefer to take.

cboettig commented 6 years ago

@nathanweeks Great, thanks. I wonder if the script should just be called pam-helper.sh instead, since it is in principle more general than singularity and could arise in other cases where someone wants to run the rserver command without root, yes?

Not sure if it's worth setting up a separate singularity build, since singularity does a reasonable job of just running containers right from docker hub.

nathanweeks commented 6 years ago

@cboettig , sure thing---done.

Singularity is more efficient when directly downloading a Singularity image file than importing a Docker image (IIRC first each layer in the image is downloaded & cached into the user's home directory, then untarred to a temporary directory---and due to a relatively small /tmp partition on our compute nodes, we've had to set SINGULARITY_TMPDIR to point to a larger file system---then copied into the final SquashFS image). However, I'm perfectly happy to let that idea sit on the backburner for now---I'm just happy to be able to use Rocker images with Singularity!

cboettig commented 6 years ago

Thanks much, this looks great. Would love a PR or anything on the documentation side for Singularity if you have time (could probably largely copy-paste from your issue thread).

nathanweeks commented 6 years ago

Certainly; I'm working on a .md file to use as a starting point for Singularity-specific documentation.