GNU bug report logs -
#36093
[PATCH 0/2] 'guix pack --entry-point' and Singularity service
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Tue, 4 Jun 2019 20:53:03 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Hi Danny,
Danny Milosavljevic <dannym <at> scratchpost.org> writes:
> On Tue, 4 Jun 2019 23:01:14 +0200
> Ludovic Courtès <ludo <at> gnu.org> wrote:
>
>> +@defvr {Scheme Variable} singularity-service-type
>> +This is the type of the service that runs
>> +@url{https://www.sylabs.io/singularity/, Singularity},
>
> Does it?
> Doesn't it just "allow you to invoke"?
Yes, you’re right. I’ll reword as you suggest.
>> + (substitute* (find-files "libexec/cli" "\\.exec$")
>> + (("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid"
>> + _ program)
>> + (string-append "/run/setuid-programs/singularity-"
>> + program "-helper")))
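Review bot: the `([a-z]+)` capture in the pattern only matches helper names made of lowercase letters, so a `-suid` reference in the `.exec` files whose name contains a digit or a hyphen would stay pointed at `$SINGULARITY_libexecdir` without any error from `substitute*`. The replacement also hard-codes the `/run/setuid-programs/singularity-PROGRAM-helper` naming; a comment next to the `substitute*` naming the definition that has to provide files under those names would keep the two from drifting apart.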
>
> Is absolute path OK? There have been some efforts to get guix to relocate in
> the past. Does this apply here?
I think it’s OK: those setuid helpers can only be used on Guix System,
not on a foreign distro, and it goes hand-in-hand with
‘singularity-service-type’.
>> + ;; Create the directories that Singularity 2.6 expects to find.
>> + (for-each (lambda (directory)
>> + (mkdir-p (string-append "/var/singularity/mnt/"
>> + directory)))
>> + '("container" "final" "overlay" "session")))))
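Review bot: the `mkdir-p` call inside the `for-each` passes no mode and nothing after it does a `chmod`, so "container", "final", "overlay" and "session" (and the intermediate `/var/singularity/mnt`) end up with whatever the umask of the calling process allows. Set the mode explicitly after creation, and extend the comment to say which owner and mode Singularity 2.6 needs for these directories.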
>
> Are permissions OK?
They’re good enough for the test, but perhaps it should be #o700.
I’ll check if it works like that.
There’s been a nice CVE for Singularity 3.x in this area recently:
https://nvd.nist.gov/vuln/detail/CVE-2019-11328
It’s not directly applicable here but there could be similar issues.
Thanks,
Ludo’.
This bug report was last modified 6 years and 42 days ago.