Story #18993

closed

research project: design for being able to start up shell inside an existing singularity container

Added by Peter Amstutz 10 months ago. Updated 9 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Crunch
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: -

Related issues

Related to Arvados - Feature #19099: Support "arvados-client shell" when using arvados-dispatch-cloud + singularity (Resolved, Tom Clegg, 05/17/2022)

Actions #1

Updated by Peter Amstutz 10 months ago

  • Target version changed from 2022-04-27 Sprint to 2022-05-11 sprint
Actions #2

Updated by Tom Clegg 10 months ago

Looks like this can be done with "nsenter" if you're root or add some capabilities (including the dreaded cap_sys_admin) and know the PID of a process in the container:

$ echo $$
675765
$ singularity exec --containall --cleanenv docker://debian:11 /bin/bash
Singularity> df /
Filesystem     1K-blocks  Used Available Use% Mounted on
overlay            16384    16     16368   1% /
Singularity> 
$ cp -p /usr/bin/nsenter /tmp/nsenter
$ sudo setcap "cap_sys_admin+pei cap_sys_chroot+pei" /tmp/nsenter
$ pstree -up 675765
bash(675765,tom)───starter-suid(838413)─┬─sinit(838434)─┬─bash(838456)
...
$ /tmp/nsenter --target 838456 --all df /
Filesystem     1K-blocks  Used Available Use% Mounted on
overlay            16384    16     16368   1% /

Surely there is a reasonable way to find the pid of the contained process.

Actions #3

Updated by Peter Amstutz 10 months ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz 10 months ago

  • Description updated (diff)

Nice!

So a secure-ish way to do this would be to have a copy of nsenter which has those capabilities, which is executable only by the crunch user.

If it's just copying the environment of the target process, any child process of sinit should do, right?

Actions #6

Updated by Tom Clegg 10 months ago

Yes, I think the target can be any process inside the container, doesn't need to be the topmost one. But it does need to be the right container even when #14922 happens, other singularity processes are running for other reasons, etc. We could run lsns and look for a pid whose Nth great-grandparent matches the PID in the crunch-run lockfile...?

Actions #7

Updated by Peter Amstutz 10 months ago

Tom Clegg wrote:

Yes, I think the target can be any process inside the container, doesn't need to be the topmost one. But it does need to be the right container even when #14922 happens, other singularity processes are running for other reasons, etc. We could run lsns and look for a pid whose Nth great-grandparent matches the PID in the crunch-run lockfile...?

Yes, since we know the pid of the process we started, we should be able to figure out the container pretty easily, since it's just a regular process tree without the shenanigans that Docker does.
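The search sketched in comments #6 and #7 (start from the pid crunch-run already knows, walk its own subtree, pick a process that is inside the container's namespaces), as an added example that is not part of this thread or of the Arvados code base. It assumes the pstree shape shown in comment #2 (starter-suid stays in the host mount namespace; sinit is the first process in the container's), reads the live table from /proc on Linux, and only prints the nsenter command rather than running it. The pids and namespace ids in sampleProcTable are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// proc is the subset of process-table information the search needs.
type proc struct {
	PID   int
	PPID  int
	MntNS string // target of the /proc/<pid>/ns/mnt symlink, e.g. "mnt:[4026531840]"
}

// parsePPID extracts the parent pid from one /proc/<pid>/stat line. The comm
// field is parenthesised and may itself contain spaces or parentheses, so the
// remaining fields are split only after the last ')'.
func parsePPID(stat string) (int, error) {
	end := strings.LastIndexByte(stat, ')')
	if end < 0 {
		return 0, errors.New("malformed stat line: no closing parenthesis")
	}
	fields := strings.Fields(stat[end+1:])
	if len(fields) < 2 {
		return 0, errors.New("malformed stat line: too few fields")
	}
	return strconv.Atoi(fields[1]) // fields[0] is the state, fields[1] the ppid
}

// loadProcTable reads the live process table from /proc (Linux only).
// Processes that vanish mid-scan, or whose ns links we may not read
// (other users' processes without CAP_SYS_PTRACE), are skipped.
func loadProcTable() (map[int]proc, error) {
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return nil, err
	}
	procs := map[int]proc{}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a pid directory
		}
		stat, err := os.ReadFile(filepath.Join("/proc", e.Name(), "stat"))
		if err != nil {
			continue
		}
		ppid, err := parsePPID(string(stat))
		if err != nil {
			continue
		}
		ns, err := os.Readlink(filepath.Join("/proc", e.Name(), "ns", "mnt"))
		if err != nil {
			continue
		}
		procs[pid] = proc{PID: pid, PPID: ppid, MntNS: ns}
	}
	return procs, nil
}

// findContainerPID walks the descendants of root (breadth first, lowest pid
// first) and returns the first one whose mount namespace differs from root's.
// Only root's own subtree is searched, so singularity instances started for
// other jobs are never matched even when they run concurrently.
func findContainerPID(procs map[int]proc, root int) (int, error) {
	rootProc, ok := procs[root]
	if !ok {
		return 0, fmt.Errorf("pid %d not found in process table", root)
	}
	children := map[int][]int{}
	for pid, p := range procs {
		children[p.PPID] = append(children[p.PPID], pid)
	}
	for _, kids := range children {
		sort.Ints(kids)
	}
	queue := []int{root}
	for len(queue) > 0 {
		pid := queue[0]
		queue = queue[1:]
		if pid != root && procs[pid].MntNS != rootProc.MntNS {
			return pid, nil
		}
		queue = append(queue, children[pid]...)
	}
	return 0, fmt.Errorf("no descendant of pid %d is in a different mount namespace", root)
}

// sampleProcTable is a constructed table mirroring the pstree output in the
// thread (namespace ids are made up), plus an unrelated singularity instance
// under pid 1 that must not be matched when searching from 675765.
func sampleProcTable() map[int]proc {
	host := "mnt:[4026531840]"
	return map[int]proc{
		1:      {1, 0, host},                         // init
		675765: {675765, 1, host},                    // login shell that ran singularity
		838413: {838413, 675765, host},               // starter-suid, still in host namespaces (assumption)
		838434: {838434, 838413, "mnt:[4026532555]"}, // sinit, first process inside the container
		838456: {838456, 838434, "mnt:[4026532555]"}, // bash inside the container
		900001: {900001, 1, host},                    // starter-suid for some other job
		900002: {900002, 900001, "mnt:[4026532777]"}, // its sinit
	}
}

func main() {
	// Usage: findcontainer <pid-of-the-process-that-launched-singularity>
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: findcontainer <launcher-pid>")
		os.Exit(2)
	}
	root, err := strconv.Atoi(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad pid:", err)
		os.Exit(2)
	}
	procs, err := loadProcTable()
	if err == nil {
		var pid int
		pid, err = findContainerPID(procs, root)
		if err == nil {
			// Print the command from comment #2 instead of executing it.
			fmt.Printf("/tmp/nsenter --target %d --all /bin/bash\n", pid)
			return
		}
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
```

The check is on the mount namespace rather than the pid namespace because singularity always gives the container its own mount namespace, while a pid namespace only appears with options such as --containall; anchoring the walk at the launcher pid is what keeps the answer tied to the right container when several are running on the node.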

Actions #8

Updated by Peter Amstutz 9 months ago

  • Status changed from New to In Progress
Actions #9

Updated by Peter Amstutz 9 months ago

  • Assigned To set to Tom Clegg
Actions #10

Updated by Tom Clegg 9 months ago

  • Related to Feature #19099: Support "arvados-client shell" when using arvados-dispatch-cloud + singularity added
Actions #11

Updated by Tom Clegg 9 months ago

  • Status changed from In Progress to Resolved