Make fakeroot recommended in rpm #2348

Make fakeroot recommended in rpm #2348

https://github.com/apptainer/apptainer/issues/2348

arozenfe opened on Jul 10, 2024 Contributor

Currently, fakeroot is required by the apptainer rpm.

apptainer/dist/rpm/apptainer.spec.in

Line 130 in 20b5353 Requires: fakeroot

But apptainer doesn’t actually need the fakeroot command to work; if it can’t find the command, it will just use root-mapped namespace. Some dists don’t provide this tool (not even on SLES15SP6).

Can we change the Requires: to Recommends:? Activity arozenfe added 2 commits that reference this issue on Jul 11, 2024

Changing fakeroot to from Required to Recommended in the rpm spec to fix 78558dc

Changing fakeroot to from Required to Recommended in the rpm spec to fix c86b526 arozenfe mentioned this on Jul 11, 2024

Changing fakeroot from Required to Recommended in the rpm spec to fix #2348 #2352

DrDaveD DrDaveD commented on Jul 12, 2024 DrDaveD on Jul 12, 2024 · edited by DrDaveD Contributor

I don’t ever see Recommends used for rpms. Will it install a package if it is available? If not, I would rather put an %if statement in the .spec to exclude trying to install it where it’s not available. Better yet would be to add it for sles to the packages included internally by scripts/{download|compile|install|clean}-dependencies. arozenfe arozenfe commented on Jul 12, 2024 arozenfe on Jul 12, 2024 · edited by arozenfe ContributorAuthor

It’s being used by rpm packages managers such as dnf and zypper. It’s a “weak dependency” concept. If the package is not available in the repositories, it won’t be installed, but if it is available it will be installed by default (unless disabled by a configuration for the package manager).

Weak dependencies may only be used in a package if the package still functions without the dependency present. It is acceptable, however, to create packages that have very limited functionality without adding any of its weak requirements. Weak dependencies should be used where possible to minimise the installation for reasonable use cases, especially for building virtual machines or containers that have a single purpose only and do not require the full feature set of the package.

Even if the package is available you can tell the package manager to only install “hard” dependencies and skip “weak” dependencies. For instance, in dnf you can pass –setopt=install_weak_deps=False flag, and in zypper the flag is –no-recommends.

What’s the benefit of using the fakeroot command line? DrDaveD DrDaveD commented on Jul 12, 2024 DrDaveD on Jul 12, 2024 Contributor

It’s described in method 3 in the fakeroot doc page. It adds to unprivileged user namespaces without /etc/subuid mappings the ability to pretend to have files owned by different user ids, so things like chown work. Some rpm installations (my go-to example is openssh) don’t work with only a root-mapped user namespace. DrDaveD DrDaveD commented on Jul 12, 2024 DrDaveD on Jul 12, 2024 Contributor

Do you know who does packaging for apptainer for SUSE? I tried installing it from an opensuse/leap:15 docker container and it’s only version 1.3.0 and they did not follow the updated installation instructions for version 1.3. DrDaveD DrDaveD commented on Jul 12, 2024 DrDaveD on Jul 12, 2024 · edited by DrDaveD Contributor

I see that the binaries (built on EL8) installed by install-unprivileged.sh work in an opensuse/leap:15 docker container as an unprivileged user and demonstrate the difference. That includes a fakeroot command in the installation. Install with

curl -s https://raw.githubusercontent.com/apptainer/apptainer/main/tools/install-unprivileged.sh |
bash -s - /tmp/apptainer

It turns out that on suse the openssh package does not demonstrate the difference, but the squid package does. This command which ignores the fakeroot command included in the installation fails:

/tmp/apptainer/bin/apptainer exec –ignore-subuid –ignore-fakeroot-command –writable-tmpfs
–fakeroot docker://opensuse/leap:15 zypper install -y squid

but if you remove –ignore-fakeroot-command it works. arozenfe arozenfe commented on Jul 14, 2024 arozenfe on Jul 14, 2024 ContributorAuthor

Ok, I understand. This problem only manifests when using –ignore-subuid or when /etc/subuid / /etc/subgid are not available or don’t have appropriate mapping for the user. I would still call it a “weak dependency”, as apptainer will work without the fakeroot command while using /etc/subuid and /etc/subgid mapping file. It’s completely acceptable for an admin to decide not to install fakeroot command, and still use apptainer without this specific capability. I find it an appropriate use case for a weak dependency. DrDaveD DrDaveD commented on Jul 16, 2024 DrDaveD on Jul 16, 2024 Contributor

I wouldn’t mind much it being a weak dependency on SUSE, but on RHEL it’s available in the optional EPEL and I want to make sure that people have installed it there. Otherwise I’ll be getting support requests from people asking why they can’t install packages when building containers when all they needed to do was install the fakeroot command. arozenfe arozenfe commented on Jul 17, 2024 arozenfe on Jul 17, 2024 ContributorAuthor

Ok, so I’ll change my commit to make it Recommended only on SUSE.