Exemple #1
/*
 * Entry point of the image-mount helper: mounts the container image on
 * CONTAINER_MOUNTDIR, then replaces this process with either the command
 * given in argv[1..] or an interactive /bin/sh.
 *
 * The call order matters: the suid/priv helpers run before any image
 * handling, the mount namespace is requested before the image is mounted,
 * and singularity_priv_drop_perm() runs before either exec.
 * NOTE(review): what each singularity_* helper does is defined outside this
 * listing; presumably the exec'd program must never inherit elevated
 * privileges, so keep the drop ahead of both exec calls. Confirm.
 */
int main(int argc, char **argv) {
    struct image_object image;
    int open_flags = O_RDONLY;

    singularity_config_init();

    singularity_suid_init();
    singularity_priv_init();

    singularity_registry_init();
    singularity_priv_drop();

    singularity_runtime_autofs();

    // A WRITABLE entry in the registry selects a read-write image object.
    if ( singularity_registry_get("WRITABLE") == NULL ) {
        singularity_message(VERBOSE3, "Instantiating read only container image object\n");
    } else {
        singularity_message(VERBOSE3, "Instantiating writable container image object\n");
        open_flags = O_RDWR;
    }
    image = singularity_image_init(singularity_registry_get("IMAGE"), open_flags);

    // Refuse to mount onto a directory that uid 0 does not own.
    // NOTE(review): presumably this keeps an unprivileged user from controlling
    // the mount target; confirm against is_owner().
    if ( is_owner(CONTAINER_MOUNTDIR, 0) != 0 ) {
        singularity_message(ERROR, "Root must own container mount directory: %s\n", CONTAINER_MOUNTDIR);
        ABORT(255);
    }

    singularity_runtime_ns(SR_NS_MNT);

    singularity_image_mount(&image, CONTAINER_MOUNTDIR);

    singularity_runtime_overlayfs();

    // Last privilege call before control passes to a caller-chosen program.
    singularity_priv_drop_perm();

    envar_set("SINGULARITY_MOUNTPOINT", CONTAINER_FINALDIR, 1);

    if ( argc <= 1 ) {

        // No command given: report the mount point and start a shell.
        singularity_message(INFO, "%s is mounted at: %s\n\n", singularity_image_name(&image), CONTAINER_FINALDIR);
        envar_set("PS1", "Singularity> ", 1);

        execl("/bin/sh", "/bin/sh", NULL); // Flawfinder: ignore (exec of the shell is the intended behaviour)

        // Only reached when execl() itself failed.
        singularity_message(ERROR, "Exec of /bin/sh failed: %s\n", strerror(errno));
        ABORT(255);

    } else {

        // argv[1] is resolved through PATH by execvp(); argv[1..] becomes the new argv.
        singularity_message(VERBOSE, "Running command: %s\n", argv[1]);
        singularity_message(DEBUG, "Calling exec...\n");
        execvp(argv[1], &argv[1]); // Flawfinder: ignore (exec of the caller's command is the intended behaviour)

        // Only reached when execvp() itself failed.
        singularity_message(ERROR, "Exec failed: %s: %s\n", argv[1], strerror(errno));
        ABORT(255);
    }

    return(0);
}
Exemple #2
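/*
 * Create a session-private copy of the container's /etc/passwd, append an
 * entry for the calling user, hand that copy to container_file_bind() for
 * /etc/passwd and set HOME to the directory from singularity_priv_home().
 *
 * Returns 0 on success and also when the update is skipped: running as
 * uid 0, 'config passwd' disabled, no passwd file in the container, or no
 * host passwd entry for the calling uid. Every other failure goes through
 * ABORT(255).
 *
 * NOTE(review): the joinpath() results are never released here. Whether they
 * are heap-allocated, and whether container_file_bind() keeps tmp_file, is
 * not visible in this listing; confirm before adding free().
 */
int _singularity_runtime_files_passwd(void) {
    FILE *file_fp;
    char *source_file;
    char *tmp_file;
    char *homedir = singularity_priv_home();
    uid_t uid = singularity_priv_getuid();
    struct passwd *pwent;
    char *containerdir = CONTAINER_FINALDIR;
    char *tmpdir = singularity_registry_get("SESSIONDIR");
    int write_rc;

    singularity_message(DEBUG, "Called singularity_file_passwd_create()\n");

    if ( uid == 0 ) {
        singularity_message(VERBOSE, "Not updating passwd file, running as root!\n");
        return(0);
    }

    if ( containerdir == NULL ) {
        singularity_message(ERROR, "Failed to obtain container directory\n");
        ABORT(255);
    }

    if ( tmpdir == NULL ) {
        singularity_message(ERROR, "Failed to obtain session directory\n");
        ABORT(255);
    }

    singularity_message(DEBUG, "Checking configuration option: 'config passwd'\n");
    if ( singularity_config_get_bool(CONFIG_PASSWD) <= 0 ) {
        singularity_message(VERBOSE, "Skipping bind of the host's /etc/passwd\n");
        return(0);
    }

    source_file = joinpath(containerdir, "/etc/passwd");
    tmp_file = joinpath(tmpdir, "/passwd");

    singularity_message(VERBOSE2, "Checking for template passwd file: %s\n", source_file);
    if ( is_file(source_file) < 0 ) {
        singularity_message(VERBOSE, "Passwd file does not exist in container, not updating\n");
        return(0);
    }

    // getpwuid() returns NULL when the uid has no passwd entry, and its result
    // lives in static storage that later getpw*() calls may overwrite. Look it
    // up as late as possible and never dereference it unchecked.
    pwent = getpwuid(uid);
    if ( pwent == NULL ) {
        singularity_message(VERBOSE, "Not updating passwd file, no passwd entry found for calling user\n");
        return(0);
    }

    // NOTE(review): the copy and the append below follow tmp_file by name, so
    // they rely on SESSIONDIR being writable only by this run. Confirm how the
    // session directory is created.
    singularity_message(VERBOSE2, "Creating template of /etc/passwd\n");
    if ( ( copy_file(source_file, tmp_file) ) < 0 ) {
        singularity_message(ERROR, "Failed copying template passwd file to tmpdir: %s\n", strerror(errno));
        ABORT(255);
    }

    singularity_message(VERBOSE, "Creating template passwd file and appending user data: %s\n", tmp_file);
    if ( ( file_fp = fopen(tmp_file, "a") ) == NULL ) { // Flawfinder: ignore
        singularity_message(ERROR, "Could not open template passwd file %s: %s\n", tmp_file, strerror(errno));
        ABORT(255);
    }

    // uid_t/gid_t are printed through unsigned long: "%d" mismatches the
    // argument type and renders ids above INT_MAX as negative numbers.
    // NOTE(review): pw_name, pw_gecos, homedir and pw_shell are written
    // verbatim. A ':' or newline in any of them changes how the line parses;
    // consider rejecting such values, and confirm where
    // singularity_priv_home() takes its value from.
    write_rc = fprintf(file_fp, "%s:x:%lu:%lu:%s:%s:%s\n", pwent->pw_name, (unsigned long)pwent->pw_uid, (unsigned long)pwent->pw_gid, pwent->pw_gecos, homedir, pwent->pw_shell);

    // fclose() is evaluated first so the stream is always closed. A failed
    // write or flush would otherwise bind a truncated passwd file.
    if ( fclose(file_fp) != 0 || write_rc < 0 ) {
        singularity_message(ERROR, "Failed writing user entry to template passwd file %s: %s\n", tmp_file, strerror(errno));
        ABORT(255);
    }

    container_file_bind(tmp_file, "/etc/passwd");

    // set HOME to the homedir, because it might be different than outside
    envar_set("HOME", homedir, 1);

    return(0);
}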
Exemple #3
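/*
 * Bring the current Slurm task into the Singularity runtime environment:
 * initialise config/registry/privilege state, open and mount the image named
 * by the IMAGE registry key, run the runtime setup steps, then export the
 * SINGULARITY_* variables and log the launch.
 *
 * Returns 0 on success, or the rc reported by setup_container_environment(),
 * singularity_config_init() or setup_container_cwd(). Control returns to
 * Slurm; no exec happens here.
 *
 * NOTE(review): singularity_priv_init() and singularity_priv_drop() are each
 * called twice, before and after config init. Whether the second pair is
 * required or harmless is not visible in this listing; confirm.
 */
static int setup_container(spank_t spank)
{
    int rc;
    struct image_object image;
    char *command = NULL;

    if ((rc = setup_container_environment(spank)) != 0) { return rc; }

    /*
     * singularity_* calls tend to call ABORT(255), which translates to
     * exit(255), all over the place.  The Slurm SPANK hook API may not
     * expect such sudden death of the pending Slurm task, so a failure in
     * any call below can terminate the hosting process instead of returning
     * an error.  The failure conditions of the singularity_* calls are not
     * clear from here, which is why their results are not turned into
     * "return rc;".
     */

    // Before we do anything, check privileges and drop permission
    singularity_priv_init();
    singularity_priv_drop();

    singularity_message(VERBOSE, "Running Slurm/Singularity integration "
                        "plugin\n");

    if ((rc = singularity_config_init()) != 0) {
         return rc;
    }


    singularity_priv_init();
//TODO    singularity_suid_init(argv);

    singularity_registry_init();
    singularity_priv_userns();
    singularity_priv_drop();

    singularity_cleanupd();

    singularity_runtime_ns(SR_NS_ALL);

    singularity_sessiondir();

    image = singularity_image_init(singularity_registry_get("IMAGE"));

    // A WRITABLE entry in the registry selects read-write access to the image.
    if ( singularity_registry_get("WRITABLE") == NULL ) {
        singularity_image_open(&image, O_RDONLY);
    } else {
        singularity_image_open(&image, O_RDWR);
    }

    singularity_image_check(&image);
    singularity_image_bind(&image);
    singularity_image_mount(&image, singularity_runtime_rootfs(NULL));

    action_ready(singularity_runtime_rootfs(NULL));

    singularity_runtime_overlayfs();
    singularity_runtime_mounts();
    singularity_runtime_files();
    singularity_runtime_enter();

    singularity_runtime_environment();

    // Last privilege call before control goes back to Slurm.
    singularity_priv_drop_perm();


    if ((rc = setup_container_cwd()) < 0) {
       singularity_message(ERROR, "Could not obtain current directory.\n");
       return rc;
    }

    envar_set("SINGULARITY_CONTAINER", singularity_image_name(&image), 1); // Legacy PS1 support
    envar_set("SINGULARITY_NAME", singularity_image_name(&image), 1);
    envar_set("SINGULARITY_SHELL", singularity_registry_get("SHELL"), 1);

    // singularity_registry_get() returns NULL for an unset key (see the
    // WRITABLE test above). Reuse the single lookup and never hand NULL to a
    // "%s" conversion in the audit log line.
    command = singularity_registry_get("COMMAND");
    singularity_message(LOG, "USER=%s, IMAGE='%s', COMMAND='%s'\n", singularity_priv_getuser(), singularity_image_name(&image), command != NULL ? command : "(unset)");

    // At this point, the current process is in the runtime container environment.
    // Return control flow back to Slurm: when execv is invoked, it'll be done from
    // within the container.

    return 0;
}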