user namespaces kernel feature

[kaczmarj]

apptainer 1.1.0 builds without suid by default. do we want to build with suid? we probably do... because if one is using docker anyway, they are probably using root already. though there is a rootless option.

relevant error during mconfig

#11 14.06  checking: unprivileged user namespaces... disabled. Run mconfig with either --with-suid or --without-suid option

[bpinsard]

Hi, thanks for that very useful container.
Do you know if that is possible to run apptainer without-suid in an unpriviledged docker.

Our use case would be to run apptainer in docker for gitlab CI/CD , and in that case not privileging the docker container would be preferable for security reason.

I built the present container with --build-arg MCONFIG_OPTIONS='--without-suid' , but trying to run an apptainer image results in

$ docker run  --rm apptainer:1.1.6-nosuid    run shub://GodloveD/lolcow
INFO:    Downloading shub image
…
INFO:    squashfuse not found, will not be able to mount SIF
INFO:    fuse2fs not found, will not be able to mount EXT3 filesystems
INFO:    Converting SIF file to temporary sandbox...
FATAL:   while extracting /root/.apptainer/cache/shub/a59d8de3121579fe9c95ab8af0297c2e3aefd827: root filesystem extraction failed: extract command failed: INFO   : A system administrator may need to enable user namespaces, install
INFO   :   apptainer-suid, or compile with ./mconfig --with-suid
ERROR  : Failed to create user namespace: user namespace requires to set /proc/sys/kernel/unprivileged_userns_clone to 1
: exit status 1

event if it seems the alpine kernel is set to support user namespaces.

$ docker  run -it --entrypoint /bin/cat  --rm apptainer:1.1.6-nosuid  /proc/sys/kernel/unprivileged_userns_clone 
1

Even adding CAP_SYS_ADMIN results in another error

$ docker run --cap-add=SYS_ADMIN  --rm apptainer:1.1.6-nosuid    run shub://GodloveD/lolcow
INFO:    Downloading shub image
…
ERROR  : Failed to set mount propagation: Permission denied

Thanks!

[kaczmarj]

i am not sure, to be honest. but i can point you to the code that is throwing this error: https://github.com/apptainer/apptainer/blob/3ad0cbef35b68a825389dec9000d495b302aa206/cmd/starter/c/starter.c#L859C59-L861

and the propagation value is set in https://github.com/apptainer/apptainer/blob/3ad0cbef35b68a825389dec9000d495b302aa206/internal/pkg/runtime/engine/config/starter/starter_linux.go#L122-L142

instead of using apptainer in docker, could you install apptainer directly using the .deb packages that apptainer provides? https://github.com/apptainer/apptainer/releases

[bpinsard]

I managed to make it work following https://osg-htc.org/docs/worker-node/install-apptainer/#configuring-docker-to-work-with-apptainer but it required an extra --security-opt apparmor=unconfined
Modified the Dockerfile to add a few package for squash/fuse

FROM golang:1.20.1-alpine3.17 as builder

RUN apk add --no-cache \
        # Required for apptainer to find min go version
        bash \
        cryptsetup \
        gawk \
        gcc \
        git \
        libc-dev \
        linux-headers \
        libressl-dev \
        libuuid \
        libseccomp-dev \
        make \
        util-linux-dev

ARG APPTAINER_COMMITISH="main"
ARG MCONFIG_OPTIONS="--with-suid"
WORKDIR $GOPATH/src/github.com/apptainer
RUN git clone https://github.com/apptainer/apptainer.git \
    && cd apptainer \
    && git checkout "$APPTAINER_COMMITISH" \
    && ./mconfig $MCONFIG_OPTIONS -p /usr/local/apptainer \
    && cd builddir \
    && make \
    && make install

FROM alpine:3.17.2
COPY --from=builder /usr/local/apptainer /usr/local/apptainer
ENV PATH="/usr/local/apptainer/bin:$PATH" \
    APPTAINER_TMPDIR="/tmp-apptainer"
RUN apk add --no-cache ca-certificates libseccomp squashfs-tools tzdata fuse2fs fuse-overlayfs \
    && mkdir -p $APPTAINER_TMPDIR \
    && cp /usr/share/zoneinfo/UTC /etc/localtime \
    && apk del tzdata \
    && rm -rf /tmp/* /var/cache/apk/*
RUN apk add --no-cache squashfuse --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing

WORKDIR /work
ENTRYPOINT ["/usr/local/apptainer/bin/apptainer"]

using the following command

$ docker run --device=/dev/fuse --security-opt apparmor=unconfined  --security-opt seccomp=unconfined --security-opt systempaths=unconfined -it   --rm  apptainer:1.1.6-nosuid run shub://GodloveD/lolcow 
INFO:    Downloading shub image
87.6MiB / 87.6MiB [================================================================================================================] 100 % 40.6 MiB/s 0s
 _________________________________________
/ Perfect day for scrubbing the floor and \
\ other exciting things.                  /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

[kaczmarj]

wow! true container-ception.

would it be simpler though to install apptainer with a deb file? the apptainer team includes those deb files in releases.