singularity: new variants to enable non-suid and non-network builds (#16088)
Defaults are left as they are currently
This commit is contained in:
Andrew W Elble
GitHub
parent
854a82bbec
commit
985af94c45
1 changed files with 32 additions and 23 deletions
|
|
@ -35,6 +35,8 @@ class Singularity(MakefilePackage):
|
|||
version('3.2.1', sha256='d4388fb5f7e0083f0c344354c9ad3b5b823e2f3f27980e56efa7785140c9b616')
|
||||
version('3.1.1', sha256='7f0df46458d8894ba0c2071b0848895304ae6b1137d3d4630f1600ed8eddf1a4')
|
||||
|
||||
variant('suid', default=True, description='install SUID binary')
|
||||
variant('network', default=True, description='install network plugins')
|
||||
depends_on('go')
|
||||
depends_on('libuuid')
|
||||
depends_on('libgpg-error')
|
||||
|
|
@ -82,7 +84,12 @@ def build_directory(self):
|
|||
# Hijack the edit stage to run mconfig.
|
||||
def edit(self, spec, prefix):
|
||||
with working_dir(self.build_directory):
|
||||
configure = Executable('./mconfig --prefix=%s' % prefix)
|
||||
confstring = './mconfig --prefix=%s' % prefix
|
||||
if '~suid' in spec:
|
||||
confstring += ' --without-suid'
|
||||
if '~network' in spec:
|
||||
confstring += ' --without-network'
|
||||
configure = Executable(confstring)
|
||||
configure()
|
||||
|
||||
# Set these for use by MakefilePackage's default build/install methods.
|
||||
|
|
@ -127,33 +134,35 @@ def _build_script(self, filename, variable_data):
|
|||
|
||||
@run_after('install')
|
||||
def build_perms_script(self):
|
||||
script = self.perm_script_path()
|
||||
chown_files = ['libexec/singularity/bin/starter-suid',
|
||||
'etc/singularity/singularity.conf',
|
||||
'etc/singularity/capability.json',
|
||||
'etc/singularity/ecl.toml']
|
||||
setuid_files = ['libexec/singularity/bin/starter-suid']
|
||||
self._build_script(script, {'prefix': self.spec.prefix,
|
||||
'chown_files': chown_files,
|
||||
'setuid_files': setuid_files})
|
||||
chmod = which('chmod')
|
||||
chmod('555', script)
|
||||
if self.spec.satisfies('+suid'):
|
||||
script = self.perm_script_path()
|
||||
chown_files = ['libexec/singularity/bin/starter-suid',
|
||||
'etc/singularity/singularity.conf',
|
||||
'etc/singularity/capability.json',
|
||||
'etc/singularity/ecl.toml']
|
||||
setuid_files = ['libexec/singularity/bin/starter-suid']
|
||||
self._build_script(script, {'prefix': self.spec.prefix,
|
||||
'chown_files': chown_files,
|
||||
'setuid_files': setuid_files})
|
||||
chmod = which('chmod')
|
||||
chmod('555', script)
|
||||
|
||||
# Until tty output works better from build steps, this ends up in
|
||||
# the build log. See https://github.com/spack/spack/pull/10412.
|
||||
@run_after('install')
|
||||
def caveats(self):
|
||||
tty.warn("""
|
||||
For full functionality, you'll need to chown and chmod some files
|
||||
after installing the package. This has security implications.
|
||||
For details, see:
|
||||
https://sylabs.io/guides/2.6/admin-guide/security.html
|
||||
https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security
|
||||
if self.spec.satisfies('+suid'):
|
||||
tty.warn("""
|
||||
For full functionality, you'll need to chown and chmod some files
|
||||
after installing the package. This has security implications.
|
||||
For details, see:
|
||||
https://sylabs.io/guides/2.6/admin-guide/security.html
|
||||
https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security
|
||||
|
||||
We've installed a script that will make the necessary changes;
|
||||
read through it and then execute it as root (e.g. via sudo).
|
||||
We've installed a script that will make the necessary changes;
|
||||
read through it and then execute it as root (e.g. via sudo).
|
||||
|
||||
The script is named:
|
||||
The script is named:
|
||||
|
||||
{0}
|
||||
""".format(self.perm_script_path()))
|
||||
{0}
|
||||
""".format(self.perm_script_path()))
|
||||
|
|
|
|||
Loading…
Reference in a new issue