feat: Experimental squashfuse unprivileged SIF mount (actions) #718
Comments
dtrudg added a commit to dtrudg/singularity that referenced this issue on Apr 18, 2022:

Allow SIF images to be mounted with `squashfuse` in the unpriv / user-namespace flow. The approach taken here is to:

* Leverage the `Mount` functionality from sylabs/sif, rather than duplicating code.
* Perform the mount onto a temporary directory in the CLI layer, at the point where the SIF would otherwise be extracted. The singularity runtime then sees a sandbox.
* Add a 'host cleanup' process that is forked from `starter` early, before any namespace manipulation. This process is able to `fusermount -u` to unmount the SIF at cleanup time. A socket from the host cleanup process to the master process is used for coordination.

Mount at the CLI layer, rather than inside of the runtime engine, is used so that we can adopt a similar approach across `singularity oci` commands, and general use of runc in future.

`--fakeroot` is not currently supported.

Fixes sylabs#718
dtrudg added a commit to dtrudg/singularity that referenced this issue on Apr 21, 2022:

Allow SIF images to be mounted with `squashfuse` in the unpriv / user-namespace flow. The approach taken here is to:

* Leverage the `Mount` functionality from sylabs/sif, rather than duplicating code.
* Perform the mount onto a temporary directory in the CLI layer, at the point where the SIF would otherwise be extracted. The singularity runtime then sees a sandbox.
* Add a 'host cleanup' process that is forked from `starter` early, before any namespace manipulation. This process is able to `fusermount -u` to unmount the SIF at cleanup time. A socket from the host cleanup process to the master process is used for coordination.

Mount at the CLI layer, rather than inside of the runtime engine, is used so that we can adopt a similar approach across `singularity oci` commands, and general use of runc in future.

`--fakeroot` is not currently supported.

`instance start` is not currently supported.

Fixes sylabs#718
dtrudg added a commit to dtrudg/singularity that referenced this issue on Apr 21, 2022:

Allow SIF images to be mounted with `squashfuse` in the unpriv / user-namespace flow. The approach taken here is to:

* Leverage the `MountFUSE` / `UnmountFUSE` functionality from sylabs/sif, rather than duplicating code.
* Perform the mount onto a temporary directory in the CLI layer, at the point where the SIF would otherwise be extracted. The singularity runtime then sees a sandbox.
* Add a 'CLEANUP_HOST' process that is forked from `starter` early, before any namespace manipulation. This process is able to unmount the SIF at cleanup time. A socket from the host cleanup process to the master process is used for coordination.

Mount at the CLI layer, rather than inside of the runtime engine, is used so that we can adopt a similar approach across `singularity oci` commands, and general use of runc in future.

`--fakeroot` is not currently supported.

`instance start` is not currently supported.

Fixes sylabs#718
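The socket-coordinated cleanup the commit message describes (a helper forked before any namespace manipulation, which unmounts once the master goes away), as an added example that is not sylabs/singularity code. It assumes a goroutine stands in for the forked helper and a caller-supplied function stands in for `fusermount -u`; it models only the EOF trigger on the socketpair, not the SIF mount itself.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"syscall"
)

// Cleanup pairs a master with a helper over an AF_UNIX socketpair. The helper
// acts only on EOF, which the kernel delivers when the master closes its end or
// dies, so the unmount also runs after a crash or a signal.
type Cleanup struct {
	master *os.File   // held open by the master for the container's lifetime
	done   chan error // result of the unmount action
}
// StartCleanup creates the socketpair and starts the helper, which runs
// unmount(mountPoint) once the master end is closed. The helper is a goroutine
// here (assumption); in the real design it is forked before namespace setup.
func StartCleanup(mountPoint string, unmount func(string) error) (*Cleanup, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, err
	}
	for _, fd := range fds { // an fd leaked to an exec'd child would hold the
		syscall.CloseOnExec(fd) // socket open and delay the unmount
	}
	c := &Cleanup{master: os.NewFile(uintptr(fds[0]), "master"), done: make(chan error, 1)}
	helper := os.NewFile(uintptr(fds[1]), "helper")
	go func() {
		defer helper.Close()
		io.Copy(io.Discard, helper) // blocks until EOF: master closed or exited
		c.done <- unmount(mountPoint)
	}()
	return c, nil
}

// Release is a normal master exit: close our end, then wait for the unmount result.
func (c *Cleanup) Release() error {
	if err := c.master.Close(); err != nil {
		return err
	}
	return <-c.done
}

func main() {
	// Stand-in for `fusermount -u <mountPoint>` so the example runs without FUSE.
	c, _ := StartCleanup("/tmp/sif-mnt", func(mp string) error { fmt.Println("fusermount -u", mp); return nil })
	fmt.Println("release:", c.Release())
}
```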
Describe the solution you'd like
Using experimental functionality in sylabs/sif add a means to mount SIF files with squashfuse, so that they can be used without privilege, without needing to extract to a temporary sandbox directory.
Implementation should be outside of the Singularity runtime engine, as it should be adaptable for mounts with the oci command group, and future plans involving using an OCI low-level runtime.