Open truatpasteurdotfr opened 2 years ago
This should be relatively simple to fix. Currently I believe the tarballs we create contain no explicit entry for /, so adding that and setting appropriate permissions on it should help.
The only "weird" thing about this is that there will either need to be a special layer for this (bad idea because of layer budgets), or alternatively it would start existing in every tarball (and thus overlapping "in order"). Minor thing but worth thinking about for a bit.
Clarification question: Are you sure this only needs the permissions set on / itself?
I'm asking because from the singularity build docs it sounds like it's giving root write permissions for every file in the image.
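As an added example (not code from Nixery or from anyone in this thread), a small Python audit that inspects a layer tarball the way the two comments above reason about it: does it carry an explicit entry for /, and which directories lack the owner write bit. The sample layer is constructed here to mirror the modes from the `ls -ld /*` output reported in this issue, and `add_root_entry` applies the proposed fix of prepending an explicit / entry.

```python
import io
import stat
import tarfile

# Constructed stand-in for a Nixery layer tarball: directory entries with the
# modes that `ls -ld /*` reported in this issue, and no entry for / itself.
SAMPLE_DIRS = {"bin": 0o555, "etc": 0o555, "nix": 0o700, "nix/store": 0o700, "usr": 0o555}

def build_sample_layer() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, mode in SAMPLE_DIRS.items():
            ti = tarfile.TarInfo(path)
            ti.type, ti.mode = tarfile.DIRTYPE, mode
            tar.addfile(ti)
    return buf.getvalue()

def normalize(name: str) -> str:
    """Map the spellings tar uses for the root directory ("/", ".", "./") to ""."""
    if name.startswith("./"):
        name = name[2:]
    name = name.strip("/")
    return "" if name == "." else name

def member_names(data: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return [normalize(m.name) for m in tar.getmembers()]

def audit_layer(data: bytes):
    """Return (has_root_entry, dirs_without_owner_write) for one layer tarball."""
    has_root, unwritable = False, []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            path = normalize(m.name)
            has_root = has_root or path == ""
            if m.isdir() and not m.mode & stat.S_IWUSR:
                unwritable.append("/" + path)
    return has_root, sorted(unwritable)

def add_root_entry(data: bytes, mode: int = 0o755) -> bytes:
    """Prepend an explicit entry for / (uid/gid 0, given mode): the fix proposed above."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data)) as src, tarfile.open(fileobj=out, mode="w") as dst:
        root = tarfile.TarInfo("./")
        root.type, root.mode = tarfile.DIRTYPE, mode
        dst.addfile(root)
        for m in src.getmembers():
            if normalize(m.name) != "":  # drop any pre-existing root entry
                dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()
```

Running `audit_layer` before and after `add_root_entry` shows the second question above concretely: the fix supplies a writable /, but the 0555 directories beneath it remain read-only for root.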
Hi,
to be honest, I only checked the top level of the docker image! I should have dug a little deeper (i.e. starting a docker image and chmod 755 /, commit and singularity build the new docker image)...
[tru@elitebook840g3 ~]$ docker images nixery.dev/shell/bash
REPOSITORY TAG IMAGE ID CREATED SIZE
nixery.dev/shell/bash latest 4edc2efa819a 292 years ago 105 MB
[tru@elitebook840g3 ~]$ docker run -ti nixery.dev/shell/bash bash
bash-5.1# ls -ld /
dr-xr-xr-x 14 0 0 15 Oct 31 14:31 /
bash-5.1# find / -type d -perm 555
bash: find: command not found
bash-5.1# ls
bin dev etc lib libexec nix nix-support proc run share sys usr
bash-5.1# ls -ls /nix
total 13
13 drw------- 21 0 0 21 Oct 26 09:58 store
bash-5.1# ls -ld /*
dr-xr-xr-x 2 0 0 131 Jan 1 1980 /bin
drwxr-xr-x 5 0 0 360 Oct 31 14:31 /dev
dr-xr-xr-x 3 0 0 9 Oct 31 14:31 /etc
dr-xr-xr-x 3 0 0 3 Jan 1 1980 /lib
dr-xr-xr-x 3 0 0 3 Jan 1 1980 /libexec
drw------- 3 0 0 3 Oct 26 09:05 /nix
dr-xr-xr-x 2 0 0 4 Jan 1 1980 /nix-support
dr-xr-xr-x 506 0 0 0 Oct 31 14:31 /proc
drwxr-xr-x 3 0 0 3 Oct 31 14:31 /run
dr-xr-xr-x 6 0 0 6 Jan 1 1980 /share
dr-xr-xr-x 13 0 0 0 Oct 29 09:14 /sys
dr-xr-xr-x 3 0 0 3 Jan 1 1980 /usr
I am not familiar at all with nix, so I am already stuck at this level:
bash-5.1# find / -type d -perm 555
bash: find: command not found
So you are probably right, singularity might need more permissions than only the top level!
As / is not writable by root, this is causing some issue for converting the docker image to a singularity container, but there is a workaround by using singularity build --fix-perms my.sif docker://nixery.dev/shell/bash. There is no such thing afaik when trying to singularity run the docker image. Would it be possible to "fix" the / permissions?