struct tempfile *make_logfile(char *label) { struct tempfile *tf; char *daemon = singularity_registry_get("DAEMON_NAME"); char *image = basename(singularity_registry_get("IMAGE")); tf = malloc(sizeof(struct tempfile)); if (tf == NULL) { singularity_message(ERROR, "Could not allocate memory for tempfile\n"); ABORT(255); } if ( snprintf(tf->filename, sizeof(tf->filename) - 1, "/tmp/%s.%s.%s.XXXXXX", image, daemon, label) > sizeof(tf->filename) - 1 ) { singularity_message(ERROR, "Label string too long\n"); ABORT(255); } tf->filename[sizeof(tf->filename) - 1] = '\0'; if ( (tf->fd = mkstemp(tf->filename)) == -1 || (tf->fp = fdopen(tf->fd, "w+")) == NULL ) { if (tf->fd != -1) { unlink(tf->filename); close(tf->fd); } singularity_message(DEBUG, "Could not create log file, running silently\n"); return(NULL); } singularity_message(DEBUG, "Logging container's %s at: %s\n", label, tf->filename); return(tf); }
int main(int argc, char **argv) { struct image_object image; singularity_config_init(); singularity_suid_init(); singularity_priv_init(); singularity_registry_init(); singularity_priv_drop(); singularity_runtime_autofs(); if ( singularity_registry_get("WRITABLE") != NULL ) { singularity_message(VERBOSE3, "Instantiating writable container image object\n"); image = singularity_image_init(singularity_registry_get("IMAGE"), O_RDWR); } else { singularity_message(VERBOSE3, "Instantiating read only container image object\n"); image = singularity_image_init(singularity_registry_get("IMAGE"), O_RDONLY); } if ( is_owner(CONTAINER_MOUNTDIR, 0) != 0 ) { singularity_message(ERROR, "Root must own container mount directory: %s\n", CONTAINER_MOUNTDIR); ABORT(255); } singularity_runtime_ns(SR_NS_MNT); singularity_image_mount(&image, CONTAINER_MOUNTDIR); singularity_runtime_overlayfs(); singularity_priv_drop_perm(); envar_set("SINGULARITY_MOUNTPOINT", CONTAINER_FINALDIR, 1); if ( argc > 1 ) { singularity_message(VERBOSE, "Running command: %s\n", argv[1]); singularity_message(DEBUG, "Calling exec...\n"); execvp(argv[1], &argv[1]); // Flawfinder: ignore (Yes flawfinder, we are exec'ing) singularity_message(ERROR, "Exec failed: %s: %s\n", argv[1], strerror(errno)); ABORT(255); } else { singularity_message(INFO, "%s is mounted at: %s\n\n", singularity_image_name(&image), CONTAINER_FINALDIR); envar_set("PS1", "Singularity> ", 1); execl("/bin/sh", "/bin/sh", NULL); // Flawfinder: ignore (Yes flawfinder, this is what we want, sheesh, so demanding!) singularity_message(ERROR, "Exec of /bin/sh failed: %s\n", strerror(errno)); ABORT(255); } return(0); }
static int setup_container_cwd() { singularity_message(DEBUG, "Trying to change directory to where we started\n"); char *target_pwd = singularity_registry_get("TARGET_PWD"); if (!target_pwd || (chdir(target_pwd) < 0)) { singularity_message(ERROR, "Failed to change into correct directory " "(%s) inside container.", target_pwd ? target_pwd : "UNKNOWN"); return -1; } free(target_pwd); return 0; }
int main(int argc, char **argv) { int i, cleanupd_fd; struct tempfile *stdout_log, *stderr_log, *singularity_debug; struct image_object image; pid_t child; siginfo_t siginfo; struct stat filestat; singularity_config_init(); singularity_suid_init(); singularity_priv_init(); singularity_registry_init(); singularity_priv_drop(); singularity_runtime_autofs(); singularity_registry_set("UNSHARE_PID", "1"); singularity_registry_set("UNSHARE_IPC", "1"); if ( singularity_registry_get("INSTANCE_BOOT") != NULL ) { singularity_registry_set("CONTAIN", "1"); } singularity_cleanupd(); if ( singularity_registry_get("WRITABLE") != NULL ) { singularity_message(VERBOSE3, "Instantiating writable container image object\n"); image = singularity_image_init(singularity_registry_get("IMAGE"), O_RDWR); } else { singularity_message(VERBOSE3, "Instantiating read only container image object\n"); image = singularity_image_init(singularity_registry_get("IMAGE"), O_RDONLY); } singularity_runtime_ns(SR_NS_ALL); singularity_sessiondir(); singularity_image_mount(&image, CONTAINER_MOUNTDIR); action_ready(); singularity_runtime_overlayfs(); singularity_runtime_mounts(); singularity_runtime_files(); /* After this point, we are running as PID 1 inside PID NS */ singularity_message(DEBUG, "Preparing sinit daemon\n"); singularity_registry_set("ROOTFS", CONTAINER_FINALDIR); singularity_daemon_init(); singularity_message(DEBUG, "Entering chroot environment\n"); singularity_runtime_enter(); singularity_priv_drop_perm(); if ( envclean() != 0 ) { singularity_message(ERROR, "Failed sanitizing the environment\n"); ABORT(255); } if ( chdir("/") < 0 ) { singularity_message(ERROR, "Can't change directory to /\n"); } setsid(); umask(0); cleanupd_fd = atoi(singularity_registry_get("CLEANUPD_FD")); if ( singularity_registry_get("INSTANCE_BOOT") != NULL ) { int pipes[2]; if ( pipe2(pipes, O_CLOEXEC) < 0 ) { singularity_signal_go_ahead(255); return(0); } if ( fork() == 0 ) { /* wait a broken pipe which mean exec success */ struct pollfd pfd; pfd.fd = pipes[0]; pfd.events = POLLRDHUP; close(pipes[1]); while( poll(&pfd, 1, 1000) >= 0 ) { if ( pfd.revents == POLLHUP ) break; } singularity_signal_go_ahead(0); /* wait /sbin/init install signal handler */ usleep(20000); return(0); } else { close(pipes[0]); if ( is_exec("/sbin/init") == 0 ) { argv[1] = NULL; if ( execv("/sbin/init", argv) < 0 ) { // Flawfinder: ignore singularity_message(ERROR, "Exec of /sbin/init failed\n"); } } else { singularity_message(ERROR, "/sbin/init not present in container\n"); } /* send exit status and implicitly kill polling child */ singularity_signal_go_ahead(255); return(0); } } /* set program name */ if ( prctl(PR_SET_NAME, "sinit", 0, 0, 0) < 0 ) { singularity_message(ERROR, "Failed to set program name\n"); ABORT(255); } singularity_install_signal_handler(); /* Close all open fd's that may be present besides daemon info file fd */ singularity_message(DEBUG, "Closing open fd's\n"); for( i = sysconf(_SC_OPEN_MAX); i > 2; i-- ) { if ( i != cleanupd_fd ) { if ( fstat(i, &filestat) == 0 ) { if ( S_ISFIFO(filestat.st_mode) != 0 ) { continue; } } close(i); } } singularity_debug = make_logfile("singularity-debug"); stdout_log = make_logfile("stdout"); stderr_log = make_logfile("stderr"); for( i = 0; i <= 2; i++ ) { close(i); } if ( chdir("/") < 0 ) { singularity_message(ERROR, "Can't change directory to /\n"); } setsid(); umask(0); /* set program name */ if ( prctl(PR_SET_NAME, "sinit", 0, 0, 0) < 0 ) { singularity_message(ERROR, "Failed to set program name\n"); ABORT(255); } child = fork(); if ( child == 0 ) { /* Make standard output and standard error files to log stdout & stderr into */ if ( stdout_log != NULL ) { if ( -1 == dup2(stdout_log->fd, 1) ) { singularity_message(ERROR, "Unable to dup2(): %s\n", strerror(errno)); ABORT(255); } } if ( stderr_log != NULL ) { if ( -1 == dup2(stderr_log->fd, 2) ) { singularity_message(ERROR, "Unable to dup2(): %s\n", strerror(errno)); ABORT(255); } } /* Unblock signals and execute startscript */ singularity_unblock_signals(); if ( is_exec("/.singularity.d/actions/start") == 0 ) { singularity_message(DEBUG, "Exec'ing /.singularity.d/actions/start\n"); if ( execv("/.singularity.d/actions/start", argv) < 0 ) { // Flawfinder: ignore singularity_message(ERROR, "Failed to execv() /.singularity.d/actions/start: %s\n", strerror(errno)); ABORT(CHILD_FAILED); } } else { singularity_message(VERBOSE, "Instance start script not found\n"); kill(1, SIGCONT); } } else if ( child > 0 ) { if ( singularity_debug != NULL ) { if ( -1 == dup2(singularity_debug->fd, 2) ) { singularity_message(ERROR, "Unable to dup2(): %s\n", strerror(errno)); ABORT(255); } } singularity_message(DEBUG, "Waiting for signals\n"); /* send a SIGALRM if start script doesn't send SIGCONT within 1 seconds */ alarm(1); while (1) { if ( singularity_handle_signals(&siginfo) < 0 ) { singularity_signal_go_ahead(255); break; } if ( siginfo.si_signo == SIGCHLD ) { singularity_message(DEBUG, "Child exited\n"); if ( siginfo.si_pid == 2 && siginfo.si_status == CHILD_FAILED ) { singularity_signal_go_ahead(CHILD_FAILED); break; } } else if ( siginfo.si_signo == SIGCONT && siginfo.si_pid == 2 ) { /* start script correctly exec */ singularity_signal_go_ahead(0); started = 1; } else if ( siginfo.si_signo == SIGALRM && started == 0 ) { /* don't receive SIGCONT, start script modified/replaced ? */ singularity_message(ERROR, "Start script doesn't send SIGCONT\n"); singularity_signal_go_ahead(255); break; } } } else { singularity_message(ERROR, "Failed to execute start script\n"); singularity_signal_go_ahead(255); } return(0); }
int _singularity_runtime_mount_binds(void) { char *tmp_config_string; char *container_dir = singularity_runtime_rootfs(NULL); if ( singularity_registry_get("CONTAIN") != NULL ) { singularity_message(DEBUG, "Skipping bind mounts as contain was requested\n"); return(0); } singularity_message(DEBUG, "Checking configuration file for 'bind path'\n"); const char **tmp_config_string_list = singularity_config_get_value_multi(BIND_PATH); if ( strlength(*tmp_config_string_list, 1) == 0 ) { return(0); } while ( *tmp_config_string_list != NULL ) { tmp_config_string = strdup(*tmp_config_string_list); tmp_config_string_list++; char *source = strtok(tmp_config_string, ":"); char *dest = strtok(NULL, ":"); chomp(source); if ( dest == NULL ) { dest = strdup(source); } else { chomp(dest); } singularity_message(VERBOSE2, "Found 'bind path' = %s, %s\n", source, dest); if ( ( is_file(source) < 0 ) && ( is_dir(source) < 0 ) ) { singularity_message(WARNING, "Non existent 'bind path' source: '%s'\n", source); continue; } singularity_message(DEBUG, "Checking if bind point is already mounted: %s\n", dest); if ( check_mounted(dest) >= 0 ) { singularity_message(VERBOSE, "Not mounting bind point (already mounted): %s\n", dest); continue; } if ( ( is_file(source) == 0 ) && ( is_file(joinpath(container_dir, dest)) < 0 ) ) { if ( singularity_registry_get("OVERLAYFS_ENABLED") != NULL ) { char *basedir = dirname(joinpath(container_dir, dest)); singularity_message(DEBUG, "Checking base directory for file %s ('%s')\n", dest, basedir); if ( is_dir(basedir) != 0 ) { singularity_message(DEBUG, "Creating base directory for file bind\n"); singularity_priv_escalate(); if ( s_mkpath(basedir, 0755) != 0 ) { singularity_message(ERROR, "Failed creating base directory to bind file: %s\n", dest); ABORT(255); } singularity_priv_drop(); } free(basedir); singularity_priv_escalate(); singularity_message(VERBOSE3, "Creating bind file on overlay file system: %s\n", dest); FILE *tmp = fopen(joinpath(container_dir, dest), "w+"); // Flawfinder: ignore singularity_priv_drop(); if ( tmp == NULL ) { singularity_message(WARNING, "Could not create bind point file in container %s: %s\n", dest, strerror(errno)); continue; } if ( fclose(tmp) != 0 ) { singularity_message(WARNING, "Could not close bind point file descriptor %s: %s\n", dest, strerror(errno)); continue; } singularity_message(DEBUG, "Created bind file: %s\n", dest); } else { singularity_message(WARNING, "Non existent bind point (file) in container: '%s'\n", dest); continue; } } else if ( ( is_dir(source) == 0 ) && ( is_dir(joinpath(container_dir, dest)) < 0 ) ) { if ( singularity_registry_get("OVERLAYFS_ENABLED") != NULL ) { singularity_priv_escalate(); singularity_message(VERBOSE3, "Creating bind directory on overlay file system: %s\n", dest); if ( s_mkpath(joinpath(container_dir, dest), 0755) < 0 ) { singularity_priv_drop(); singularity_message(WARNING, "Could not create bind point directory in container %s: %s\n", dest, strerror(errno)); continue; } singularity_priv_drop(); } else { singularity_message(WARNING, "Non existent bind point (directory) in container: '%s'\n", dest); continue; } } singularity_priv_escalate(); singularity_message(VERBOSE, "Binding '%s' to '%s/%s'\n", source, container_dir, dest); if ( mount(source, joinpath(container_dir, dest), NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) { singularity_message(ERROR, "There was an error binding the path %s: %s\n", source, strerror(errno)); ABORT(255); } if ( singularity_priv_userns_enabled() != 1 ) { if ( mount(NULL, joinpath(container_dir, dest), NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT, NULL) < 0 ) { singularity_message(ERROR, "There was an error remounting the path %s: %s\n", source, strerror(errno)); ABORT(255); } } singularity_priv_drop(); } return(0); }
int _singularity_runtime_mount_tmp(void) { char *container_dir = singularity_runtime_rootfs(NULL); char *tmp_source; char *vartmp_source; if ( singularity_config_get_bool(MOUNT_TMP) <= 0 ) { singularity_message(VERBOSE, "Skipping tmp dir mounting (per config)\n"); return(0); } if ( singularity_registry_get("CONTAIN") == NULL ) { tmp_source = strdup("/tmp"); vartmp_source = strdup("/var/tmp"); } else { char *tmpdirpath; if ( ( tmpdirpath = singularity_registry_get("WORKDIR") ) != NULL ) { if ( singularity_config_get_bool(USER_BIND_CONTROL) <= 0 ) { singularity_message(ERROR, "User bind control is disabled by system administrator\n"); ABORT(5); } tmp_source = joinpath(tmpdirpath, "/tmp"); vartmp_source = joinpath(tmpdirpath, "/var_tmp"); } else { char *sessiondir = singularity_registry_get("SESSIONDIR"); tmp_source = joinpath(sessiondir, "/tmp"); vartmp_source = joinpath(sessiondir, "/var_tmp"); } free(tmpdirpath); } if ( check_mounted("/tmp") < 0 ) { if ( s_mkpath(tmp_source, 0755) < 0 ) { singularity_message(ERROR, "Could not create source /tmp directory %s: %s\n", tmp_source, strerror(errno)); ABORT(255); } if ( is_dir(tmp_source) == 0 ) { if ( is_dir(joinpath(container_dir, "/tmp")) == 0 ) { singularity_priv_escalate(); singularity_message(VERBOSE, "Mounting directory: /tmp\n"); if ( mount(tmp_source, joinpath(container_dir, "/tmp"), NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) { singularity_message(ERROR, "Failed to mount %s -> /tmp: %s\n", tmp_source, strerror(errno)); ABORT(255); } if ( singularity_priv_userns_enabled() != 1 ) { if ( mount(NULL, joinpath(container_dir, "/tmp"), NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT, NULL) < 0 ) { singularity_message(ERROR, "Failed to remount /tmp: %s\n", strerror(errno)); ABORT(255); } } singularity_priv_drop(); } else { singularity_message(VERBOSE, "Could not mount container's /tmp directory: does not exist\n"); } } else { singularity_message(VERBOSE, "Could not mount host's /tmp directory (%s): does not exist\n", tmp_source); } } else { singularity_message(VERBOSE, "Not mounting '/tmp', already mounted\n"); } if ( check_mounted("/var/tmp") < 0 ) { if ( s_mkpath(vartmp_source, 0755) < 0 ) { singularity_message(ERROR, "Could not create source /var/tmp directory %s: %s\n", vartmp_source, strerror(errno)); ABORT(255); } if ( is_dir(vartmp_source) == 0 ) { if ( is_dir(joinpath(container_dir, "/var/tmp")) == 0 ) { singularity_priv_escalate(); singularity_message(VERBOSE, "Mounting directory: /var/tmp\n"); if ( mount(vartmp_source, joinpath(container_dir, "/var/tmp"), NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) { singularity_message(ERROR, "Failed to mount %s -> /var/tmp: %s\n", vartmp_source, strerror(errno)); ABORT(255); } if ( singularity_priv_userns_enabled() != 1 ) { if ( mount(NULL, joinpath(container_dir, "/var/tmp"), NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT, NULL) < 0 ) { singularity_message(ERROR, "Failed to remount /var/tmp: %s\n", strerror(errno)); ABORT(255); } } singularity_priv_drop(); } else { singularity_message(VERBOSE, "Could not mount container's /var/tmp directory: does not exist\n"); } } else { singularity_message(VERBOSE, "Could not mount host's /var/tmp directory (%s): does not exist\n", vartmp_source); } } else { singularity_message(VERBOSE, "Not mounting '/var/tmp', already mounted\n"); } free(tmp_source); free(vartmp_source); return(0); }
int _singularity_runtime_files_passwd(void) { FILE *file_fp; char *source_file; char *tmp_file; char *homedir = singularity_priv_home(); uid_t uid = singularity_priv_getuid(); struct passwd *pwent = getpwuid(uid); char *containerdir = CONTAINER_FINALDIR; char *tmpdir = singularity_registry_get("SESSIONDIR"); singularity_message(DEBUG, "Called singularity_file_passwd_create()\n"); if ( uid == 0 ) { singularity_message(VERBOSE, "Not updating passwd file, running as root!\n"); return(0); } if ( containerdir == NULL ) { singularity_message(ERROR, "Failed to obtain container directory\n"); ABORT(255); } if ( tmpdir == NULL ) { singularity_message(ERROR, "Failed to obtain session directory\n"); ABORT(255); } singularity_message(DEBUG, "Checking configuration option: 'config passwd'\n"); if ( singularity_config_get_bool(CONFIG_PASSWD) <= 0 ) { singularity_message(VERBOSE, "Skipping bind of the host's /etc/passwd\n"); return(0); } source_file = joinpath(containerdir, "/etc/passwd"); tmp_file = joinpath(tmpdir, "/passwd"); singularity_message(VERBOSE2, "Checking for template passwd file: %s\n", source_file); if ( is_file(source_file) < 0 ) { singularity_message(VERBOSE, "Passwd file does not exist in container, not updating\n"); return(0); } singularity_message(VERBOSE2, "Creating template of /etc/passwd\n"); if ( ( copy_file(source_file, tmp_file) ) < 0 ) { singularity_message(ERROR, "Failed copying template passwd file to tmpdir: %s\n", strerror(errno)); ABORT(255); } singularity_message(VERBOSE, "Creating template passwd file and appending user data: %s\n", tmp_file); if ( ( file_fp = fopen(tmp_file, "a") ) == NULL ) { // Flawfinder: ignore singularity_message(ERROR, "Could not open template passwd file %s: %s\n", tmp_file, strerror(errno)); ABORT(255); } fprintf(file_fp, "%s:x:%d:%d:%s:%s:%s\n", pwent->pw_name, pwent->pw_uid, pwent->pw_gid, pwent->pw_gecos, homedir, pwent->pw_shell); fclose(file_fp); container_file_bind(tmp_file, "/etc/passwd"); // set HOME to the homedir, because it might be different than outside envar_set("HOME", homedir, 1); return(0); }
int _singularity_runtime_mount_userbinds(void) { char *container_dir = singularity_runtime_rootfs(NULL); char *bind_path_string; singularity_message(DEBUG, "Checking for environment variable 'SINGULARITY_BINDPATH'\n"); if ( ( bind_path_string = singularity_registry_get("BINDPATH") ) != NULL ) { singularity_message(DEBUG, "Checking for 'user bind control' in config\n"); if ( singularity_config_get_bool(USER_BIND_CONTROL) <= 0 ) { singularity_message(WARNING, "Ignoring user bind request: user bind control is disabled by system administrator\n"); return(0); } #ifndef SINGULARITY_NO_NEW_PRIVS singularity_message(WARNING, "Ignoring user bind request: host does not support PR_SET_NO_NEW_PRIVS\n"); return(0); #endif singularity_message(DEBUG, "Parsing SINGULARITY_BINDPATH for user-specified bind mounts.\n"); char *outside_token = NULL; char *inside_token = NULL; char *current = strtok_r(strdup(bind_path_string), ",", &outside_token); free(bind_path_string); while ( current != NULL ) { int read_only = 0; char *source = strtok_r(current, ":", &inside_token); char *dest = strtok_r(NULL, ":", &inside_token); char *opts = strtok_r(NULL, ":", &inside_token); current = strtok_r(NULL, ",", &outside_token); if ( dest == NULL ) { dest = source; } singularity_message(DEBUG, "Found bind: %s -> container:%s\n", source, dest); if ( opts != NULL ) { if ( strcmp(opts, "rw") == 0 ) { // This is the default } else if ( strcmp(opts, "ro") == 0 ) { read_only = 1; } else { singularity_message(WARNING, "Not mounting requested bind point, invalid mount option %s: %s\n", opts, dest); continue; } } singularity_message(DEBUG, "Checking if bind point is already mounted: %s\n", dest); if ( check_mounted(dest) >= 0 ) { singularity_message(WARNING, "Not mounting requested bind point (already mounted in container): %s\n", dest); continue; } if ( ( is_file(source) == 0 ) && ( is_file(joinpath(container_dir, dest)) < 0 ) ) { if ( singularity_registry_get("OVERLAYFS_ENABLED") != NULL ) { char *dir = dirname(strdup(dest)); if ( is_dir(joinpath(container_dir, dir)) < 0 ) { singularity_message(VERBOSE3, "Creating bind directory on overlay file system: %s\n", dest); if ( s_mkpath(joinpath(container_dir, dir), 0755) < 0 ) { singularity_priv_escalate(); singularity_message(VERBOSE3, "Retrying with privileges to create bind directory on overlay file system: %s\n", dest); if ( s_mkpath(joinpath(container_dir, dir), 0755) < 0 ) { singularity_message(ERROR, "Could not create basedir for file bind %s: %s\n", dest, strerror(errno)); continue; } singularity_priv_drop(); } } singularity_priv_escalate(); singularity_message(VERBOSE3, "Creating bind file on overlay file system: %s\n", dest); FILE *tmp = fopen(joinpath(container_dir, dest), "w+"); // Flawfinder: ignore singularity_priv_drop(); if ( tmp == NULL ) { singularity_message(WARNING, "Skipping user bind, could not create bind point %s: %s\n", dest, strerror(errno)); continue; } if ( fclose(tmp) != 0 ) { singularity_message(WARNING, "Skipping user bind, could not close bind point file descriptor %s: %s\n", dest, strerror(errno)); continue; } singularity_message(DEBUG, "Created bind file: %s\n", dest); } else { singularity_message(WARNING, "Skipping user bind, non existant bind point (file) in container: '%s'\n", dest); continue; } } else if ( ( is_dir(source) == 0 ) && ( is_dir(joinpath(container_dir, dest)) < 0 ) ) { if ( singularity_registry_get("OVERLAYFS_ENABLED") != NULL ) { singularity_message(VERBOSE3, "Creating bind directory on overlay file system: %s\n", dest); if ( s_mkpath(joinpath(container_dir, dest), 0755) < 0 ) { singularity_priv_escalate(); singularity_message(VERBOSE3, "Retrying with privileges to create bind directory on overlay file system: %s\n", dest); if ( s_mkpath(joinpath(container_dir, dest), 0755) < 0 ) { singularity_priv_drop(); singularity_message(WARNING, "Skipping user bind, could not create bind point %s: %s\n", dest, strerror(errno)); continue; } singularity_priv_drop(); } } else { singularity_message(WARNING, "Skipping user bind, non existant bind point (directory) in container: '%s'\n", dest); continue; } } singularity_priv_escalate(); singularity_message(VERBOSE, "Binding '%s' to '%s/%s'\n", source, container_dir, dest); if ( mount(source, joinpath(container_dir, dest), NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) { singularity_message(ERROR, "There was an error binding the path %s: %s\n", source, strerror(errno)); ABORT(255); } if ( read_only ) { if ( singularity_priv_userns_enabled() == 1 ) { singularity_message(WARNING, "Can not make bind mount read only within the user namespace: %s\n", dest); } else { singularity_message(VERBOSE, "Remounting %s read-only\n", dest); if ( mount(NULL, joinpath(container_dir, dest), NULL, MS_RDONLY|MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT, NULL) < 0 ) { singularity_message(ERROR, "There was an error write-protecting the path %s: %s\n", source, strerror(errno)); ABORT(255); } if ( access(joinpath(container_dir, dest), W_OK) == 0 || errno != EROFS ) { // Flawfinder: ignore (precautionary confirmation, not necessary) singularity_message(ERROR, "Failed to write-protect the path %s: %s\n", source, strerror(errno)); ABORT(255); } } } else { if ( singularity_priv_userns_enabled() <= 0 ) { if ( mount(NULL, joinpath(container_dir, dest), NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT, NULL) < 0 ) { singularity_message(ERROR, "There was an error remounting the path %s: %s\n", source, strerror(errno)); ABORT(255); } } } singularity_priv_drop(); } singularity_message(DEBUG, "Unsetting environment variable 'SINGULARITY_BINDPATH'\n"); unsetenv("SINGULARITY_BINDPATH"); } else { singularity_message(DEBUG, "No user bind mounts specified.\n"); } return(0); }
static int setup_container(spank_t spank) { int rc; struct image_object image; char *command = NULL; if ((rc = setup_container_environment(spank)) != 0) { return rc; } /* * Ugg, singularity_* calls tend to call ABORT(255), which translates to * exit(255), all over the place. The slurm SPANK hook API may not * expect such sudden death of the pending slurm task. I've left * a bunch of following "return rc;" commented out, as the failure * conditions from singularity_* calls isn't clear to me. */ // Before we do anything, check privileges and drop permission singularity_priv_init(); singularity_priv_drop(); singularity_message(VERBOSE, "Running Slurm/Singularity integration " "plugin\n"); if ((rc = singularity_config_init()) != 0) { return rc; } singularity_priv_init(); //TODO singularity_suid_init(argv); singularity_registry_init(); singularity_priv_userns(); singularity_priv_drop(); singularity_cleanupd(); singularity_runtime_ns(SR_NS_ALL); singularity_sessiondir(); image = singularity_image_init(singularity_registry_get("IMAGE")); if ( singularity_registry_get("WRITABLE") == NULL ) { singularity_image_open(&image, O_RDONLY); } else { singularity_image_open(&image, O_RDWR); } singularity_image_check(&image); singularity_image_bind(&image); singularity_image_mount(&image, singularity_runtime_rootfs(NULL)); action_ready(singularity_runtime_rootfs(NULL)); singularity_runtime_overlayfs(); singularity_runtime_mounts(); singularity_runtime_files(); singularity_runtime_enter(); singularity_runtime_environment(); singularity_priv_drop_perm(); if ((rc = setup_container_cwd()) < 0) { singularity_message(ERROR, "Could not obtain current directory.\n"); return rc; } envar_set("SINGULARITY_CONTAINER", singularity_image_name(&image), 1); // Legacy PS1 support envar_set("SINGULARITY_NAME", singularity_image_name(&image), 1); envar_set("SINGULARITY_SHELL", singularity_registry_get("SHELL"), 1); command = singularity_registry_get("COMMAND"); singularity_message(LOG, "USER=%s, IMAGE='%s', COMMAND='%s'\n", singularity_priv_getuser(), singularity_image_name(&image), singularity_registry_get("COMMAND")); // At this point, the current process is in the runtime container environment. // Return control flow back to Slurm: when execv is invoked, it'll be done from // within the container. return 0; }