From: "Ludovic Courtès" <ludo@gnu.org>
To: Danny Milosavljevic <dannym@scratchpost.org>
Cc: 36093@debbugs.gnu.org
Subject: [bug#36093] [PATCH 1/2] services: Add Singularity.
Date: Wed, 05 Jun 2019 22:24:05 +0200
Message-ID: <87v9xjye56.fsf@gnu.org>
In-Reply-To: <20190605170217.4e4c7fed@scratchpost.org> (Danny Milosavljevic's message of "Wed, 5 Jun 2019 17:02:17 +0200")

Hi Danny,

Danny Milosavljevic <dannym@scratchpost.org> writes:

> On Tue, 4 Jun 2019 23:01:14 +0200
> Ludovic Courtès <ludo@gnu.org> wrote:
>
>> +@defvr {Scheme Variable} singularity-service-type
>> +This is the type of the service that runs
>> +@url{https://www.sylabs.io/singularity/, Singularity},
>
> Does it?
> Doesn't it just "allow you to invoke"?

Yes, you’re right. I’ll reword as you suggest.

>> + (substitute* (find-files "libexec/cli" "\\.exec$")
>> + (("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid"
>> + _ program)
>> + (string-append "/run/setuid-programs/singularity-"
>> + program "-helper")))
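
Review bot: The `([a-z]+)-suid` pattern on the second line only matches helper names made of lower-case letters, so a `-suid` reference whose name contains a digit, hyphen or underscore would be left pointing at `$SINGULARITY_libexecdir` with no build-time error. Consider failing the phase when a `-suid` reference remains after the substitution, and add a comment stating that the `/run/setuid-programs/singularity-PROGRAM-helper` names must match the names used by whatever installs the setuid helpers, since nothing in this hunk ties the two together.
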
>
> Is absolute path OK? There have been some efforts to get guix to relocate in
> the past. Does this apply here?

I think it’s OK: those setuid helpers can only be used on Guix System,
not on a foreign distro, and it goes hand-in-hand with
‘singularity-service-type’.

>> + ;; Create the directories that Singularity 2.6 expects to find.
>> + (for-each (lambda (directory)
>> + (mkdir-p (string-append "/var/singularity/mnt/"
>> + directory)))
>> + '("container" "final" "overlay" "session")))))
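
Review bot: The `mkdir-p` call sets no mode, so the four directories under `/var/singularity/mnt/` get whatever the umask of the calling process gives them, and a directory that already exists is left with its current owner and mode. Follow the `mkdir-p` with an explicit `chmod` on each directory, check ownership of any pre-existing one, and extend the comment to record the mode these directories are meant to have.
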
>
> Are permissions OK?

They’re good enough for the test, but perhaps it should be #o700.
I’ll check if it works like that.

There’s been a nice CVE for Singularity 3.x in this area recently:

  https://nvd.nist.gov/vuln/detail/CVE-2019-11328

It’s not directly applicable here but there could be similar issues.

Thanks,
Ludo’.