Make singularity suid in arvbox, crunch-dispatch-local runs as user

[arvados.git] / tools / arvbox / lib / arvbox / docker / service / crunch-dispatch-local / run

diff --git a/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run b/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
deleted file mode 120000 (symlink)
index a388c8b67bf16bbb16601007540e58f1372ebc85..0000000000000000000000000000000000000000
--- a/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
+++ /dev/null
@@ -1 +0,0 @@
-/usr/local/lib/arvbox/runsu.sh
\ No newline at end of file

diff --git a/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run b/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
new file mode 100755 (executable)
index 0000000000000000000000000000000000000000..3ce2220d0e26d5dc70705e8c8cafb1a7303225ae
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+exec 2>&1
+set -ex -o pipefail
+
+# singularity can use suid
+chown root /var/lib/arvados/bin/singularity \
+      /var/lib/arvados/etc/singularity/singularity.conf \
+      /var/lib/arvados/etc/singularity/capability.json \
+      /var/lib/arvados/etc/singularity/ecl.toml
+chmod u+s /var/lib/arvados/bin/singularity
+
+exec /usr/local/lib/arvbox/runsu.sh $0-service $1