apptainer building from recipe with/without $USER line in /etc/{subuid,subgid} ?

https://github.com/apptainer/apptainer/issues/1812

truatpasteurdotfr opened on Nov 17, 2023 (Contributor)

Version of Apptainer

apptainer-1.2.4-1.el9.x86_64

Expected behaviour

apptainer -v build /dev/shm/a.sif alpine.def && /bin/rm /dev/shm/a.sif
apptainer -v build /dev/shm/a.sif debian.def && /bin/rm /dev/shm/a.sif

These commands are not behaving the same when $USER is listed or not in /etc/{subuid,subgid}?

Actual behaviour

debian sif is building w/wo $USER
alpine is only building when $USER is listed and fails otherwise

What actually happened? Why was it incorrect?

Steps to reproduce this behaviour

debian.def file:

BootStrap: docker
From: debian

%post
    touch /singularity-`date +%Y%m%d-%H%M%S`

alpine.def file:

BootStrap: docker
From: alpine

%post
    touch /singularity-`date +%Y%m%d-%H%M%S`

What OS/distro are you running

RHEL9.3
RHEL8.8ELS

How did you install Apptainer

RHEL9: epel repository
RHEL8: built from source by IT service

truatpasteurdotfr commented on Nov 17, 2023 (Contributor, Author)

Our campus cluster is running RHEL8 with a built from source apptainer 1.2.4 but without any regular user listed in /etc/{subuid,subgid}, my laptop is running the epel provided apptainer and $USER has been automatically added into /etc/{subuid,subgid}.

After reading comments: #1800 (comment) #1758 (comment)

apptainer-1.2.4-1.el9.x86_64

[bisadm@bisadm-Precision-5480 apptainer-subuid]$ echo $USER
bisadm
[bisadm@bisadm-Precision-5480 apptainer-subuid]$ grep $USER /etc/sub*
/etc/subgid:bisadm:100000:65536
/etc/subuid:bisadm:100000:65536

[bisadm@bisadm-Precision-5480 apptainer-subuid]$ apptainer -v build /dev/shm/a.sif debian.def && /bin/rm /dev/shm/a.sif
VERBOSE: Implying --fakeroot because building from definition file unprivileged
VERBOSE: Set messagelevel to: 4
…
+ date +%Y%m%d-%H%M%S
+ touch /singularity-20231116-105432
INFO: Creating SIF file...
VERBOSE: Set SIF container architecture to amd64
VERBOSE: Build complete: /dev/shm/a.sif
INFO: Build complete: /dev/shm/a.sif
[bisadm@bisadm-Precision-5480 apptainer-subuid]$ apptainer -v build /dev/shm/a.sif alpine.def && /bin/rm /dev/shm/a.sif
VERBOSE: Implying --fakeroot because building from definition file unprivileged
VERBOSE: Set messagelevel to: 4
VERBOSE: Starter initialisation
VERBOSE: Check if we are running as setuid: 0
…
VERBOSE: Set SIF container architecture to amd64
VERBOSE: Build complete: /dev/shm/a.sif
INFO: Build complete: /dev/shm/a.sif

Removing the entry from /etc/{subuid,subgid}

[bisadm@bisadm-Precision-5480 apptainer-subuid]$ apptainer -v build --ignore-subuid /dev/shm/a.sif alpine.def && /bin/rm /dev/shm/a.sif
VERBOSE: Implying --fakeroot because building from definition file unprivileged
INFO: User not listed in /etc/subuid, trying root-mapped namespace
INFO: The %post section will be run under fakeroot
INFO: Starting build...
Getting image source signatures
Copying blob 96526aa774ef skipped: already exists
…
VERBOSE: Skipping bind of the host's /etc/resolv.conf
WARNING: No current working directory set: skipping mount
VERBOSE: Not updating passwd/group files, running as root!
VERBOSE: rpc server exited with status 0
VERBOSE: Execute stage 2
VERBOSE: Running command with fakeroot
FATAL: exec /.singularity.d/libs/fakeroot failed: a shared library is likely missing in the image
FATAL: While performing build: while running engine: exit status 255

[bisadm@bisadm-Precision-5480 apptainer-subuid]$ apptainer -v build --ignore-subuid /dev/shm/a.sif debian.def && /bin/rm /dev/shm/a.sif
VERBOSE: Implying --fakeroot because building from definition file unprivileged
INFO: User not listed in /etc/subuid, trying root-mapped namespace
INFO: The %post section will be run under fakeroot
INFO: Starting build...
Getting image source signatures
Copying blob 8457fd5474e7 skipped: already exists
…
VERBOSE: Running command with fakeroot
+ date +%Y%m%d-%H%M%S
+ touch /singularity-20231116-105648
INFO: Creating SIF file...
VERBOSE: Set SIF container architecture to amd64
VERBOSE: Build complete: /dev/shm/a.sif
INFO: Build complete: /dev/shm/a.sif

Works as expected on the debian recipe and fails for the alpine one.

It seems to be the expected behaviour and a “workaround” can be found at https://docs.gcc.rug.nl/hyperchicken/apptainer/#alpine-as-regular-user-build-static-file-via-sandbox-directory by using a sandbox at staging area.

GodloveD commented on Nov 18, 2023 (Contributor)

Thanks for the question and the due diligence/clarifying comments. Should this be closed?

truatpasteurdotfr commented on Nov 19, 2023 (Contributor, Author)

Imho, this could be documented for HPC centre users (as I was) as they might be surprised by the difference of behaviour while building from recipes between their owned devices and remote compute services.

GodloveD mentioned this on Nov 21, 2023

add notes about potential differences building with different user namespace support apptainer-userdocs#232

DrDaveD commented on Nov 21, 2023 (Contributor)

An issue for documenting this has been made at apptainer/apptainer-userdocs#232, closing this one.

DrDaveD closed this as completed on Nov 21, 2023
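
A preflight check for the difference discussed in this thread, as an added example that is not part of the original issue or of Apptainer's code: it reports whether a user has usable ranges in subuid/subgid-format files, the condition the build log keys on ("User not listed in /etc/subuid, trying root-mapped namespace"). The function names, mode labels and sample files are constructed for illustration, and how Apptainer itself parses these files is an assumption.

```shell
#!/bin/sh
# Added example: predict which unprivileged build path the logs in this
# thread correspond to, from files in /etc/subuid format (name:start:count).

# has_subid_range USER UID FILE
# Succeeds if FILE has an entry whose first field is exactly USER (or the
# numeric UID) and whose count is > 0. The match is on the whole field,
# unlike `grep $USER /etc/sub*`, which would also match user "bis" against
# the line "bisadm:100000:65536".
has_subid_range() {
    awk -F: -v u="$1" -v id="$2" '
        ($1 == u || $1 == id) && $3 + 0 > 0 { found = 1 }
        END { exit !found }
    ' "$3" 2>/dev/null
}

# build_mode USER UID SUBUID_FILE SUBGID_FILE
# Prints "subid-mapped" when both files list the user, otherwise
# "root-mapped" (labels are this example's own, not Apptainer output).
build_mode() {
    if has_subid_range "$1" "$2" "$3" && has_subid_range "$1" "$2" "$4"; then
        echo "subid-mapped"
    else
        echo "root-mapped"
    fi
}

# Constructed sample files, so the example runs without reading /etc.
demo_dir=$(mktemp -d)
printf '%s\n' 'bisadm:100000:65536' '1002:165536:65536' 'dave:231072:0' \
    > "$demo_dir/subuid"
cp "$demo_dir/subuid" "$demo_dir/subgid"
: > "$demo_dir/empty"

# Constructed users: name, uid.
for entry in bisadm:1000 bis:1001 carol:1002 dave:1003; do
    name=${entry%%:*}
    uid=${entry##*:}
    mode=$(build_mode "$name" "$uid" "$demo_dir/subuid" "$demo_dir/subgid")
    echo "$name (uid $uid): $mode"
done
```

On a real host, call `build_mode "$USER" "$(id -u)" /etc/subuid /etc/subgid`; a result of root-mapped means %post runs under the fakeroot command, the path that failed for the alpine recipe in the log above.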
