Closed preminger closed 1 year ago
Can you paste debug logs for this...
```
$ sudo singularity shell --oci --overlay ro-overlay-dir:ro docker://busybox
2023/05/11 10:27:13 info unpack layer: sha256:b50100f25006c29bd3a3dd4abacfeb7e9cb61c1a758d07c68fa699a2494fd2df
2023-05-11T14:27:13.865141Z: cannot mkdir `proc`: Read-only file system
```
I think I know what's going on here, but just want to verify this is out of `crun` / `runc`.
Okay, so this is because the `busybox` image doesn't contain a `/proc` directory. `crun` needs `/proc` in the rootfs, because we've asked it to mount procfs onto `/proc`... so `/proc` must exist.

Probably in this situation (only read-only `--overlay`) we have to...

- Ensure there is an ephemeral writable overlay sitting on top of the read-only overlay, so `crun` can `mkdir` in it.
- Change the image config to mark the rootfs as read-only, so that once we enter the container, `crun` ensures it is read-only.

We can discuss this at some point if you'd like.
Just to make sure: do you want to do this —

- Ensure there is an ephemeral writable overlay sitting on top of the read-only overlay, so `crun` can `mkdir` in it.
- Change the image config to mark the rootfs as read-only, so that once we enter the container, `crun` ensures it is read-only.

— whenever we have only read-only overlay(s)? (← I'm guessing you meant exactly this, but just to check...)

Or only when we have only read-only overlay(s) and an image that doesn't contain `/proc`?

Or only when we have only read-only overlay(s) and a `busybox`-based image?
Whenever we have only read-only overlays.
This won't just affect `/proc`... there are other places that we mount onto (e.g. `/sys`, `/var/tmp`) and which could be missing from an arbitrary container (not just in busybox).
Okay, thanks to @dtrudg's help, we've seen that native mode doesn't mark the container as read-only under the same circumstances discussed above:
```
$ singularity run -u --compat --overlay a/:ro docker://alpine
INFO: Using cached SIF image
INFO: Converting SIF file to temporary sandbox...
Singularity> touch /bob
Singularity> mount | grep overlay
overlay on / type overlay (rw,seclabel,nodev,relatime,lowerdir=/usr/local/var/singularity/mnt/session/overlay-images/0/upper:/usr/local/var/singularity/mnt/session/overlay-lowerdir:/usr/local/var/singularity/mnt/session/rootfs,upperdir=/usr/local/var/singularity/mnt/session/tmpfs/upper,workdir=/usr/local/var/singularity/mnt/session/tmpfs/work)
```
So I'll implement a solution that behaves the same in OCI mode.
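As an added example (not code from Singularity, crun, or anyone in this thread), the following Go program sketches the mechanism settled on above: read-only layers (the image rootfs and any `--overlay dir:ro`) are stacked as overlayfs `lowerdir`s under an ephemeral writable `upperdir`/`workdir` pair, every OCI mount destination that no read-only layer provides (such as `/proc` in busybox, or `/sys` and `/var/tmp` in an arbitrary image) is pre-created in that upper dir, and the OCI `root` entry can optionally be marked `readonly`. The function names, the `Mount`/`Root` structs and the temporary directory layout are assumptions for illustration; only the overlayfs option syntax and the OCI `root.readonly` field are real. The program only prepares directories and the option string; performing the actual overlay mount needs `CAP_SYS_ADMIN` (or a user namespace on a kernel that allows unprivileged overlayfs) and is deliberately left out.

```go
// Added example, not Singularity's code: prepare an overlay stack whose
// read-only layers may lack the mount points an OCI runtime needs.
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount is the subset of an OCI runtime-spec mount entry used here (hypothetical struct).
type Mount struct {
	Destination string `json:"destination"`
	Type        string `json:"type"`
	Source      string `json:"source"`
}

// Root mirrors the "root" object of an OCI config.json.
type Root struct {
	Path     string `json:"path"`
	Readonly bool   `json:"readonly"`
}

// OverlayOptions renders the overlayfs mount option string for read-only
// lower layers (ordered top to bottom, as overlayfs expects) with a writable
// upper/work pair on top; this is the same shape as the native-mode output
// quoted earlier in the thread.
func OverlayOptions(lowers []string, upper, work string) string {
	return fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s",
		strings.Join(lowers, ":"), upper, work)
}

// existsInLayers reports whether rel exists as a directory in any layer.
func existsInLayers(layers []string, rel string) bool {
	for _, l := range layers {
		if fi, err := os.Stat(filepath.Join(l, rel)); err == nil && fi.IsDir() {
			return true
		}
	}
	return false
}

// EnsureMountPoints creates, inside the writable upper dir, every mount
// destination that no read-only layer provides. Creating only the missing
// part (e.g. upper/var/tmp when a layer already has /var) is enough, because
// overlayfs merges directories across layers. It returns the destinations it
// created, in input order, and rejects destinations that would escape the rootfs.
func EnsureMountPoints(layers []string, upper string, mounts []Mount) ([]string, error) {
	var created []string
	for _, m := range mounts {
		rel := strings.TrimPrefix(filepath.Clean(m.Destination), "/")
		if rel == "" || rel == "." || strings.HasPrefix(rel, "..") {
			return created, fmt.Errorf("refusing unsafe mount destination %q", m.Destination)
		}
		if existsInLayers(layers, rel) {
			continue
		}
		if err := os.MkdirAll(filepath.Join(upper, rel), 0o755); err != nil {
			return created, err
		}
		created = append(created, m.Destination)
	}
	return created, nil
}

// RootConfig returns the OCI "root" entry for the merged overlay. Setting
// readonly makes the runtime remount the rootfs read-only after it has set up
// its own mounts, which is the second option discussed in the thread.
func RootConfig(merged string, readonly bool) ([]byte, error) {
	return json.Marshal(Root{Path: merged, Readonly: readonly})
}

func main() {
	tmp, err := os.MkdirTemp("", "ovl-example-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	// Constructed layout: a rootfs with /bin and /sys but no /proc (like
	// busybox), one read-only overlay dir, and a tmpfs-style upper/work pair.
	rootfs := filepath.Join(tmp, "rootfs")
	ro := filepath.Join(tmp, "ro-overlay")
	upper := filepath.Join(tmp, "tmpfs", "upper")
	work := filepath.Join(tmp, "tmpfs", "work")
	for _, d := range []string{filepath.Join(rootfs, "bin"), filepath.Join(rootfs, "sys"), ro, upper, work} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			panic(err)
		}
	}
	mounts := []Mount{{"/proc", "proc", "proc"}, {"/sys", "sysfs", "sysfs"}, {"/var/tmp", "bind", "/var/tmp"}}
	created, err := EnsureMountPoints([]string{ro, rootfs}, upper, mounts)
	if err != nil {
		panic(err)
	}
	fmt.Println("created in upper:", created)
	fmt.Println("mount -t overlay overlay -o", OverlayOptions([]string{ro, rootfs}, upper, work), filepath.Join(tmp, "merged"))
	cfg, _ := RootConfig(filepath.Join(tmp, "merged"), true)
	fmt.Println("config.json root:", string(cfg))
}
```

The lower layers are listed top-down (`ro` before `rootfs`), matching the order in the native-mode mount line, so a file in the read-only overlay shadows the image's copy while the tmpfs upper catches every write, including the runtime's `mkdir`.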
Version of Singularity: HEAD of `main`

Describe the bug: When using (newly added) `--overlay` in OCI mode, the current `busybox` docker image fails to run, reporting a failed attempt to write to a read-only filesystem, involving `/proc`.

To Reproduce:

Expected behavior: Here's the behavior with (as an example) the current `alpine` docker image:

OS / Linux Distribution: Which Linux distribution are you using?

Installation Method: Built from source (using HEAD of `main`)