BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

apptainer, singularity: enable non-FHS --fakeroot support

Browse source 
This patch provides input arguments `newuidmapPath` and `newgidmapPath`
for apptainer and singularity to specify the path to the SUID-ed executables
newuidmap and newgidmap where they are not available from the FHS PATH.

As NixOS places those suided executables in a non-FHS position
(/run/wrapper/bin), this patch provides
programs.singularity.enableFakeroot option and implement with the above
input parameters.
This commit is contained in:
Yueh-Shun Li 2023-01-29 01:02:48 +08:00
parent 50788d2fb0
commit 71a89291ee
4 changed files with 38 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
View file

@ -958,6 +958,16 @@
package to use. package to use.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The new option
<literal>programs.singularity.enableFakeroot</literal>, if set
to <literal>true</literal>, provides
<literal>--fakeroot</literal> support for
<literal>apptainer</literal> and
<literal>singularity</literal>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>unifi-poller</literal> package and corresponding The <literal>unifi-poller</literal> package and corresponding

2
nixos/doc/manual/release-notes/rl-2305.section.md
View file

@ -235,6 +235,8 @@ In addition to numerous new and upgraded packages, this release has the followin
`singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use. `singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use.
- The new option `programs.singularity.enableFakeroot`, if set to `true`, provides `--fakeroot` support for `apptainer` and `singularity`.
- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream. - The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.
- The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting. - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.

13
nixos/modules/programs/singularity.nix
View file

@ -45,6 +45,14 @@ in
Use `lib.mkForce` to forcefully specify the overriden package. Use `lib.mkForce` to forcefully specify the overriden package.
''; '';
}; };
enableFakeroot = mkOption {
type = types.bool;
default = true;
example = false;
description = mdDoc ''
Whether to enable the `--fakeroot` support of Singularity/Apptainer.
'';
};
enableSuid = mkOption { enableSuid = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
@ -57,7 +65,10 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
programs.singularity.packageOverriden = (cfg.package.override ( programs.singularity.packageOverriden = (cfg.package.override (
optionalAttrs cfg.enableSuid { optionalAttrs cfg.enableFakeroot {
newuidmapPath = "/run/wrappers/bin/newuidmap";
newgidmapPath = "/run/wrappers/bin/newgidmap";
} // optionalAttrs cfg.enableSuid {
enableSuid = true; enableSuid = true;
starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid"; starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
} }

14
pkgs/applications/virtualization/singularity/generic.nix
View file

@ -25,6 +25,7 @@ let
in in
{ lib { lib
, buildGoModule , buildGoModule
, runCommandLocal
# Native build inputs # Native build inputs
, makeWrapper , makeWrapper
, pkg-config , pkg-config
@ -55,6 +56,12 @@ in
# Whether to compile with SUID support # Whether to compile with SUID support
, enableSuid ? false , enableSuid ? false
, starterSuidPath ? null , starterSuidPath ? null
# newuidmapPath and newgidmapPath are to support --fakeroot
# where those SUID-ed executables are unavailable from the FHS system PATH.
# Path to SUID-ed newuidmap executable
, newuidmapPath ? null
# Path to SUID-ed newgidmap executable
, newgidmapPath ? null
# Remove the symlinks to `singularity*` when projectName != "singularity" # Remove the symlinks to `singularity*` when projectName != "singularity"
, removeCompat ? false , removeCompat ? false
# Workaround #86349 # Workaround #86349
@ -66,6 +73,12 @@ in
let let
defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin"; defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
privileged-un-utils = if ((isNull newuidmapPath) && (isNull newgidmapPath)) then null else
(runCommandLocal "privileged-un-utils" { } ''
mkdir -p "$out/bin"
ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
'');
in in
buildGoModule { buildGoModule {
inherit pname version src; inherit pname version src;
@ -130,6 +143,7 @@ buildGoModule {
coreutils coreutils
cryptsetup # cryptsetup cryptsetup # cryptsetup
go go
privileged-un-utils
squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
] ]