diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix
index bc989ad2dbaf..d1115b361593 100644
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@@ -56,9 +56,12 @@ in
 enableFakeroot = lib.mkOption {
 type = lib.types.bool;
 default = true;
- example = false;
 description = ''
 Whether to enable the `--fakeroot` support of Singularity/Apptainer.
+
+ This option is deprecated and has no effect.
+ `--fakeroot` support is enabled automatically,
+ as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
 '';
 };
 enableSuid = lib.mkOption {
@@ -74,22 +77,34 @@ in Whether to enable the SUID support of Singularity/Apptainer. ''; }; + systemBinPaths = lib.mkOption { + type = lib.types.listOf lib.types.path; + default = [ ]; + description = '' + (Extra) system-wide /**/bin paths + for Apptainer/Singularity to find command-line utilities in. + + `"/run/wrappers/bin"` is included by default to make + utilities with SUID bit set available to Apptainer/Singularity. + Use `lib.mkForce` to shadow the default values. + ''; + }; }; config = lib.mkIf cfg.enable { programs.singularity.packageOverriden = ( cfg.package.override ( - lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } - // lib.optionalAttrs cfg.enableFakeroot { - newuidmapPath = "/run/wrappers/bin/newuidmap"; - newgidmapPath = "/run/wrappers/bin/newgidmap"; + { + systemBinPaths = cfg.systemBinPaths; } + // lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } // lib.optionalAttrs cfg.enableSuid { enableSuid = true; starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid"; } ) ); + programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ]; environment.systemPackages = [ cfg.packageOverriden ]; security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid { setuid = true; 
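Review bot: `enableFakeroot` stays a live `bool` option (default `true`) whose description now says it has no effect, yet nothing warns a user who had set it to `false`; per the removed lines that flag was what gated the SUID `newuidmap`/`newgidmap` paths, and such a configuration now silently gets the whole of `/run/wrappers/bin` on Apptainer's search path through the unconditional `programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];`. Since the module documents `lib.mkForce` as the way to drop that default, the change in privileged-helper exposure should at least surface at evaluation time, e.g. `warnings = lib.optional (!cfg.enableFakeroot) "programs.singularity.enableFakeroot is deprecated and ignored; use lib.mkForce on programs.singularity.systemBinPaths to drop /run/wrappers/bin.";` beside the new default, or route the option through `lib.mkRemovedOptionModule` if a hard failure is acceptable. The `config` attribute set edited here continues past the end of the hunk.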
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
index 595730b1fe8a..684ca5937788 100644
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -70,11 +70,19 @@ in
 # Whether to compile with SUID support
 enableSuid ? false,
 starterSuidPath ? null,
- # newuidmapPath and newgidmapPath are to support --fakeroot
- # where those SUID-ed executables are unavailable from the FHS system PATH.
+ # Extra system-wide /**/bin paths to prefix,
+ # useful to specify directories containing binaries with SUID bit set.
+ # The paths take higher precedence over the FHS system PATH specified
+ # inside the upstream source code.
+ # Include "/run/wrappers/bin" by default for the convenience of NixOS users.
+ systemBinPaths ? [ "/run/wrappers/bin" ],
 # Path to SUID-ed newuidmap executable
+ # Deprecated in favour of systemBinPaths
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
 newuidmapPath ? null,
 # Path to SUID-ed newgidmap executable
+ # Deprecated in favour of systemBinPaths
+ # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
 newgidmapPath ? null,
 # External LOCALSTATEDIR
 externalLocalStateDir ? null,
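Review bot: The new comment over `systemBinPaths` only says the paths win over the upstream FHS PATH, but judging by the DEFAULT_PATH rewrite later in this diff they are also searched before the Nixpkgs-provided `defaultPathInputs`, and that is what makes the `/run/wrappers/bin` default security-relevant: a SUID wrapper there that happens to share a name with a pinned tool shadows the Nixpkgs build. I would add one line to the comment so callers know what they are prepending: `# They are also searched before the Nixpkgs-provided inputs, so a same-named binary here shadows the pinned one.`. The function-argument set this hunk edits starts and ends outside the hunk.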
@@ -99,18 +107,26 @@ in vendorHash ? _defaultGoVendorArgs.vendorHash, deleteVendor ? _defaultGoVendorArgs.deleteVendor, proxyVendor ? _defaultGoVendorArgs.proxyVendor, -}: +}@args: let + # Backward compatibility for privileged-un-utils. + # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off. privileged-un-utils = if ((newuidmapPath == null) && (newgidmapPath == null)) then null else - (runCommandLocal "privileged-un-utils" { } '' + runCommandLocal "privileged-un-utils" { } '' mkdir -p "$out/bin" ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" - ''); + ''; + + # Backward compatibility for privileged-un-utils. + # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off. + systemBinPaths = + lib.optional (privileged-un-utils != null) (lib.makeBinPath [ privileged-un-utils ]) + ++ args.systemBinPaths or [ "/run/wrappers/bin" ]; concatMapStringAttrsSep = sep: f: attrs: @@ -207,7 +223,6 @@ in fuse2fs # Mount ext3 filesystems go mount # mount - privileged-un-utils squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges ] ++ lib.optional enableNvidiaContainerCli nvidia-docker; @@ -229,7 +244,7 @@ in lib.concatStringsSep " " [ "--replace-fail" (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath)) - (addShellDoubleQuotes ''${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'') + (addShellDoubleQuotes ''$systemDefaultPath''${systemDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'') ] ) originalDefaultPaths } 
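Review bot: The `newuidmapPath`/`newgidmapPath` deprecation is comment-only: a caller still passing them gets the compatibility `privileged-un-utils` derivation without any notice, and the default for `systemBinPaths` now lives in two places — `[ "/run/wrappers/bin" ]` in the argument header and again in `args.systemBinPaths or [ "/run/wrappers/bin" ]` — where the header copy is in fact dead, since the `let` rebinding shadows the parameter. I would wrap the shim as `lib.warnIf (privileged-un-utils != null) "singularity: newuidmapPath/newgidmapPath are deprecated, use systemBinPaths"` applied to the `systemBinPaths` binding, and hoist the literal into a single binding in the outer `let` this function sits in (its `in` is the hunk context) that both the header default and the `or` fallback reference. Note also that the guard `(newuidmapPath == null) && (newgidmapPath == null)` still creates both symlinks when only one path is given, so the other `ln -s` presumably receives an empty target; that is pre-existing, but worth a `&&` → `||` plus an assertion while the shim is still here.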
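Review bot: The rewritten DEFAULT_PATH now reads `$systemDefaultPath:<upstream FHS path>:$inputsDefaultPath`, so with the default `systemBinPaths` every binary in `/run/wrappers/bin` is resolved before both the upstream directories and the Nixpkgs-pinned `defaultPathInputs` (which, per the hunk above, include `mount` and the squashfs tools), not just the two uid-mapping helpers that the removed `privileged-un-utils` symlink directory exposed; if a `mount` or `fusermount` wrapper is present there, Apptainer will exec that SUID binary wherever it previously used the pinned one. If the goal is only to find `newuidmap`/`newgidmap`, the narrower fix is to search the system paths last: `(addShellDoubleQuotes ''${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath''${systemDefaultPath:+:}$systemDefaultPath'')` (with the two `--suffix PATH` lines in the wrapper reordered the same way), which still finds the helpers as long as no input ships its own `newuidmap`; if the higher precedence is intentional, the exposure should be stated next to the `systemBinPaths` argument instead. The `originalDefaultPaths` mapping this hunk edits starts outside the hunk.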
@@ -271,6 +286,7 @@ in # Respect PATH from the environment/the user. # Fallback to bin paths provided by Nixpkgs packages. wrapProgram "$out/bin/${projectName}" \ + --suffix PATH : "$systemDefaultPath" \ --suffix PATH : "$inputsDefaultPath" # Make changes in the config file ${lib.optionalString forceNvcCli '' @@ -329,6 +345,7 @@ in }).overrideAttrs ( finalAttrs: prevAttrs: { + systemDefaultPath = lib.concatStringsSep ":" systemBinPaths; inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs; passthru = prevAttrs.passthru or { } // { inherit sourceFilesWithDefaultPaths;
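Review bot: The two-line comment above `wrapProgram` (`# Respect PATH from the environment/the user.` / `# Fallback to bin paths provided by Nixpkgs packages.`) is now stale: the added `--suffix PATH : "$systemDefaultPath"` inserts the configured system directories between the user's PATH and the Nixpkgs inputs, and since the default is `/run/wrappers/bin` that ordering decides whether a SUID wrapper or a pinned tool is executed. I would replace the second line with `# Then the configured system bin paths (/run/wrappers/bin by default, i.e. SUID wrappers), then bin paths provided by Nixpkgs packages.`. The shell phase this call sits in starts and ends outside the hunk.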