
Build context specification and isolation during bootstrapping

Open olifre opened this issue 7 years ago • 6 comments

This is mostly a proposal / feature request.

Currently, as I learnt, singularity bootstrap uses the directory in which it was started (i.e. PWD) as build context.

This causes a reproducibility issue for bootstrapping, since the result depends on the PWD in which the bootstrapping is performed, and files outside of the directory tree containing the recipe file might be included in the build accidentally.

I propose the following set of changes and extensions:

  • (Default) build context should be the folder of the specified build recipe (cf. Docker).
  • Docker-like isolation of build context: %files statements or commands in the %setup phase should not be allowed to access files outside of the build context.
  • Add a command line parameter to specify the build context, e.g. --buildroot <directory>.

The last feature also allows one to realize something like:

singularity bootstrap --buildroot /my_cloned_repo/resource_set_1/ SL6_with_resource_set_1.img /my_cloned_repo/recipes/SL6.def
singularity bootstrap --buildroot /my_cloned_repo/resource_set_2/ SL6_with_resource_set_2.img /my_cloned_repo/recipes/SL6.def

i.e. reuse one recipe to build containers with several different sets of resources.

If this should rather be split up into several issues or something does not sound reasonable, just let me know ;-).

A more complete discussion is given here: https://groups.google.com/a/lbl.gov/forum/#!topic/singularity/mRdVInobt20

olifre avatar Oct 06 '17 18:10 olifre
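The second bullet of the proposal, the build-context containment check for %files, can be illustrated with a small static checker. The following is an added example and is not part of the original issue or of the Singularity/Apptainer code base; the definition-file text is constructed, the build-context path is a placeholder, and the function names are my own. It parses the %files section of a definition file and flags every source path that, after resolving `..` components and symlinks, lands outside the chosen build context. %setup is arbitrary shell and cannot be checked this way; it would need runtime sandboxing (for example a bind-mounted, read-only view of the context), which is the part of the proposal this check does not cover.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample definition file: one source inside the context,
# one escaping via '..', one absolute path outside the context.
SAMPLE_DEF = """Bootstrap: docker
From: centos:6

%files
    config/app.conf /etc/app.conf
    ../secrets/id_rsa /root/.ssh/id_rsa
    /etc/passwd /tmp/passwd

%post
    yum -y install vim
"""


def parse_files_section(definition_text):
    """Return (src, dst) pairs from every %files section of a definition file.

    Blank lines and '#' comments are skipped; a line starting with '%' switches
    sections. A %files line with a single token copies src to the same path.
    """
    pairs = []
    in_files = False
    for raw in definition_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            in_files = line.split()[0].lower() == "%files"
            continue
        if in_files:
            parts = line.split()
            src = parts[0]
            dst = parts[1] if len(parts) > 1 else src
            pairs.append((src, dst))
    return pairs


def is_within_context(src, build_context):
    """True if src stays inside build_context once '..' and symlinks are resolved.

    Relative sources are interpreted relative to the build context (the
    proposal's default), absolute sources as given. Path.resolve() follows
    symlinks and collapses '..', so a symlink inside the context that points
    outside it is flagged as well.
    """
    ctx = Path(build_context).resolve()
    candidate = Path(src) if os.path.isabs(src) else ctx / src
    resolved = candidate.resolve()
    try:
        resolved.relative_to(ctx)
        return True
    except ValueError:
        return False


def check_definition(definition_text, build_context):
    """Return the %files source paths that escape build_context."""
    return [
        src
        for src, _ in parse_files_section(definition_text)
        if not is_within_context(src, build_context)
    ]


if __name__ == "__main__":
    # Placeholder build context; the path need not exist for the check.
    print(check_definition(SAMPLE_DEF, "/srv/build-ctx"))

    # Symlink escape: a link inside the context pointing at a file outside it.
    with tempfile.TemporaryDirectory() as ctx:
        link = Path(ctx) / "innocent.txt"
        link.symlink_to("/etc/hostname")
        print(check_definition("%files\n    innocent.txt /tmp/x\n", ctx))
```

Running the script lists `../secrets/id_rsa` and `/etc/passwd` for the constructed definition, and the symlink case shows why the check must operate on resolved paths rather than on the literal text of the %files line.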

Thanks @olifre! I am +1 on this; we would want to minimally ensure some security for allowing build access outside of the build directory.

vsoch avatar Oct 06 '17 19:10 vsoch

Hello,

This is a templated response that is being sent out to all open issues. We are working hard on 'rebuilding' the Singularity community, and a major task on the agenda is finding out what issues are still outstanding.

Please consider the following:

  1. Is this issue a duplicate, or has it been fixed/implemented since being added?
  2. Is the issue still relevant to the current state of Singularity's functionality?
  3. Would you like to continue discussing this issue or feature request?

Thanks, Carter

carterpeel avatar May 15 '21 16:05 carterpeel

@carterpeel This feature request is still relevant, I believe; there just has not been enough manpower to address it.

olifre avatar May 15 '21 16:05 olifre

This issue has been automatically marked as stale because it has not had activity in over 60 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 14 '21 17:07 stale[bot]

Don't close, stalebot; the contributors to this issue have responded and it's the maintainers that have not.

vsoch avatar Jul 14 '21 17:07 vsoch

@olifre We're looking into the issue carefully and will soon bring it to the community to discuss ways to better solve as well as address this. Thank you for keeping the interest in the subject.

pedroalvesbatista avatar Jul 15 '21 00:07 pedroalvesbatista

Pending issues from the old repo copied to the new repo (https://github.com/apptainer/apptainer/issues/1390) and cleaned from the old, retired repo.

kmuriki avatar Jun 06 '23 02:06 kmuriki