singularity icon indicating copy to clipboard operation
singularity copied to clipboard
verified publisher icon apptainer

allow for fakeroot subuid/subgid mappings shorter than 65536 IDs

Open thdesy opened this issue 4 years ago • 5 comments

Version of Singularity:

3.7.3-1.el7

Expected behavior

Running singularity with a limited range of subuid/subgid for fakeroot. We would like to enable fakeroot for our users. But we would like to keep the mapped IDs constraint and consistent with our campus-wide uid policy to avoid potential clashes. To do so, we reserved a blcok of UIDs in our ID namespace to be used only for such dynamic, container-flavoured mappings, that are not to be used for other purposes or actual users. Since the block is currently limited in its range (100k), we can allocate only a limited sub-block of IDs to each others.

> head  -n4 /etc/subuid
# Managed by Puppet (subuid)
# Do NOT edit, changes will be overwritten!
foouser:23000000:100
bazuser:23000100:100
...

> head  -n4 /etc/subdid
# Managed by Puppet (subuid)
# Do NOT edit, changes will be overwritten!
foouser:23000000:100
bazuser:23000100:100
...

Actual behavior

Singularity requires a block with at least 2^16 IDs for a user

>  singularity build --fakeroot --sandbox testbuild.d  Singularity
FATAL:   could not use fakeroot: mapping entries for user foouser found in /etc/subuid but all with a range count lower than 65536

Since we assume, that users will need during container builds or runs of their analyses containers only a few UIDs, it would be nice, if an admin could allow for smaller sub-ID ranges.

thdesy avatar Apr 14 '21 08:04 thdesy

Hello,

This is a templated response that is being sent out to all open issues. We are working hard on 'rebuilding' the Singularity community, and a major task on the agenda is finding out what issues are still outstanding.

Please consider the following:

  1. Is this issue a duplicate, or has it been fixed/implemented since being added?
  2. Is the issue still relevant to the current state of Singularity's functionality?
  3. Would you like to continue discussing this issue or feature request?

Thanks, Carter

carterpeel avatar May 15 '21 16:05 carterpeel

Hi,

I would like to see the request as further feature, i.e., 2. & 3. are applicable from my view.

Cheers, Thomas

thdesy avatar May 17 '21 07:05 thdesy

This issue has been automatically marked as stale because it has not had activity in over 60 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 16 '21 08:07 stale[bot]

This issue has been automatically closed because no response was provided within 7 days.

stale[bot] avatar Jul 23 '21 08:07 stale[bot]

Just a drive-by comment to say that this feature would be a big help at my institution as well; we're hoping to enable researchers to build containers on central resources via fakeroot while staying within reasonable numbers of reserved UID/GIDs allocated campus-wide. However, it looks like this may be fundamentally impossible if apptainer/singularity is to support distros using systemd... https://systemd.io/UIDS-GIDS/
(see "Considerations for Container Managers")

ECoulter avatar Apr 21 '22 17:04 ECoulter

Replaced by apptainer/apptainer#691

DrDaveD avatar Sep 08 '22 14:09 DrDaveD