From 25bcd259cf59d51263d74ab09dfc4d9a92ca3fa4 Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Mon, 4 Oct 2021 13:37:42 -0400
Subject: [PATCH] 18238: Arvbox Singularity / Docker updates wip
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz
---
 tools/arvbox/lib/arvbox/docker/Dockerfile.base | 2 +-
 tools/arvbox/lib/arvbox/docker/createusers.sh | 7 +++++++
 .../docker/service/crunch-dispatch-local/run | 17 +----------------
 3 files changed, 9 insertions(+), 17 deletions(-)
 mode change 100755 => 120000 tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
diff --git a/tools/arvbox/lib/arvbox/docker/Dockerfile.base b/tools/arvbox/lib/arvbox/docker/Dockerfile.base
index c112972c43..4556652563 100644
--- a/tools/arvbox/lib/arvbox/docker/Dockerfile.base
+++ b/tools/arvbox/lib/arvbox/docker/Dockerfile.base
@@ -105,7 +105,7 @@ RUN apt-key add --no-tty /tmp/8D81803C0EBFCD88.asc && \
 RUN mkdir -p /etc/apt/sources.list.d && \
 echo deb https://download.docker.com/linux/debian/ buster stable > /etc/apt/sources.list.d/docker.list && \
 apt-get update && \
- apt-get -yq --no-install-recommends install docker-ce=5:19.03.13~3-0~debian-buster && \
+ apt-get -yq --no-install-recommends install docker-ce=5:20.10.6~3-0~debian-buster && \
 apt-get clean
 # Set UTF-8 locale
diff --git a/tools/arvbox/lib/arvbox/docker/createusers.sh b/tools/arvbox/lib/arvbox/docker/createusers.sh
index 7cf58e201d..66a4ff4747 100755
--- a/tools/arvbox/lib/arvbox/docker/createusers.sh
+++ b/tools/arvbox/lib/arvbox/docker/createusers.sh
@@ -42,6 +42,13 @@ if ! grep "^arvbox:" /etc/passwd >/dev/null 2>/dev/null ; then mkdir -p /tmp/crunch0 /tmp/crunch1 chown crunch:crunch -R /tmp/crunch0 /tmp/crunch1 + # singularity needs to be owned by root and suid + chown root /var/lib/arvados/bin/singularity \ + /var/lib/arvados/etc/singularity/singularity.conf \ + /var/lib/arvados/etc/singularity/capability.json \ + /var/lib/arvados/etc/singularity/ecl.toml + chmod u+s /var/lib/arvados/bin/singularity + echo "arvbox ALL=(crunch) NOPASSWD: ALL" >> /etc/sudoers cat < /etc/profile.d/paths.sh
diff --git a/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run b/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
deleted file mode 100755
index 3ce2220d0e..0000000000
--- a/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-# Copyright (C) The Arvados Authors. All rights reserved.
-#
-# SPDX-License-Identifier: AGPL-3.0
-
-exec 2>&1
-set -ex -o pipefail
-
-# singularity can use suid
-chown root /var/lib/arvados/bin/singularity \
- /var/lib/arvados/etc/singularity/singularity.conf \
- /var/lib/arvados/etc/singularity/capability.json \
- /var/lib/arvados/etc/singularity/ecl.toml
-chmod u+s /var/lib/arvados/bin/singularity
-
-exec /usr/local/lib/arvbox/runsu.sh $0-service $1
diff --git a/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run b/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
new file mode 120000
index 0000000000..a388c8b67b
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/crunch-dispatch-local/run
@@ -0,0 +1 @@
+/usr/local/lib/arvbox/runsu.sh
\ No newline at end of file
--
2.30.2
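Review bot: The added `chown root` / `chmod u+s` lines in createusers.sh make singularity setuid-root without setting the group or clearing write bits, so if the binary, the three files under /var/lib/arvados/etc/singularity, or their parent directories remain group- or world-writable (their modes are not visible here), a non-root account could change what runs with root privilege. I would set both explicitly: `chown root:root` on the four paths, `chmod 4755 /var/lib/arvados/bin/singularity`, and `chmod go-w` on the three config files. The block now sits inside the `if ! grep "^arvbox:" /etc/passwd` branch, which opens outside this hunk and appears to run only when the arvbox user is first created, whereas the deleted `run` script applied it on every service start. A singularity binary installed or rebuilt after that first run would therefore not get its ownership and suid bit restored, and a short comment stating that ordering assumption would help the next maintainer.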