movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00
Code Issues Projects Releases Packages Wiki Activity

apptainer, singularity: add argument systemBinPaths

Browse source 
Use systemBinPaths as the new way to specify system bin paths,
especifally for SUID'ed binaries.

Deprecate arguments setuidmapPath and setgidmapPath in favour of
systemBinPaths.

Add NixOS configuration option programs.singularity.systemBinPath, with
"/run/wrappers/bin" included by default.
This commit is contained in:
Yueh-Shun Li 2024-04-24 03:55:30 +08:00
parent 409cbbe61a
commit f6d9b4b6fc
2 changed files with 44 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

25
nixos/modules/programs/singularity.nix
View file

@ -56,9 +56,12 @@ in
enableFakeroot = lib.mkOption { enableFakeroot = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
example = false;
description = '' description = ''
Whether to enable the `--fakeroot` support of Singularity/Apptainer. Whether to enable the `--fakeroot` support of Singularity/Apptainer.
This option is deprecated and has no effect.
`--fakeroot` support is enabled automatically,
as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
''; '';
}; };
enableSuid = lib.mkOption { enableSuid = lib.mkOption {
@ -74,22 +77,34 @@ in
Whether to enable the SUID support of Singularity/Apptainer. Whether to enable the SUID support of Singularity/Apptainer.
''; '';
}; };
systemBinPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
description = ''
(Extra) system-wide /**/bin paths
for Apptainer/Singularity to find command-line utilities in.
`"/run/wrappers/bin"` is included by default to make
utilities with SUID bit set available to Apptainer/Singularity.
Use `lib.mkForce` to shadow the default values.
'';
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
programs.singularity.packageOverriden = ( programs.singularity.packageOverriden = (
cfg.package.override ( cfg.package.override (
lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } {
// lib.optionalAttrs cfg.enableFakeroot { systemBinPaths = cfg.systemBinPaths;
newuidmapPath = "/run/wrappers/bin/newuidmap";
newgidmapPath = "/run/wrappers/bin/newgidmap";
} }
// lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
// lib.optionalAttrs cfg.enableSuid { // lib.optionalAttrs cfg.enableSuid {
enableSuid = true; enableSuid = true;
starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid"; starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
} }
) )
); );
programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];
environment.systemPackages = [ cfg.packageOverriden ]; environment.systemPackages = [ cfg.packageOverriden ];
security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid { security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid {
setuid = true; setuid = true;

31
pkgs/applications/virtualization/singularity/generic.nix
View file

@ -70,11 +70,19 @@ in
# Whether to compile with SUID support # Whether to compile with SUID support
enableSuid ? false, enableSuid ? false,
starterSuidPath ? null, starterSuidPath ? null,
# newuidmapPath and newgidmapPath are to support --fakeroot # Extra system-wide /**/bin paths to prefix,
# where those SUID-ed executables are unavailable from the FHS system PATH. # useful to specify directories containing binaries with SUID bit set.
# The paths take higher precedence over the FHS system PATH specified
# inside the upstream source code.
# Include "/run/wrappers/bin" by default for the convenience of NixOS users.
systemBinPaths ? [ "/run/wrappers/bin" ],
# Path to SUID-ed newuidmap executable # Path to SUID-ed newuidmap executable
# Deprecated in favour of systemBinPaths
# TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
newuidmapPath ? null, newuidmapPath ? null,
# Path to SUID-ed newgidmap executable # Path to SUID-ed newgidmap executable
# Deprecated in favour of systemBinPaths
# TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
newgidmapPath ? null, newgidmapPath ? null,
# External LOCALSTATEDIR # External LOCALSTATEDIR
externalLocalStateDir ? null, externalLocalStateDir ? null,
@ -99,18 +107,26 @@ in
vendorHash ? _defaultGoVendorArgs.vendorHash, vendorHash ? _defaultGoVendorArgs.vendorHash,
deleteVendor ? _defaultGoVendorArgs.deleteVendor, deleteVendor ? _defaultGoVendorArgs.deleteVendor,
proxyVendor ? _defaultGoVendorArgs.proxyVendor, proxyVendor ? _defaultGoVendorArgs.proxyVendor,
}: }@args:
let let
# Backward compatibility for privileged-un-utils.
# TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
privileged-un-utils = privileged-un-utils =
if ((newuidmapPath == null) && (newgidmapPath == null)) then if ((newuidmapPath == null) && (newgidmapPath == null)) then
null null
else else
(runCommandLocal "privileged-un-utils" { } '' runCommandLocal "privileged-un-utils" { } ''
mkdir -p "$out/bin" mkdir -p "$out/bin"
ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap" ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap" ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
''); '';
# Backward compatibility for privileged-un-utils.
# TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
systemBinPaths =
lib.optional (privileged-un-utils != null) (lib.makeBinPath [ privileged-un-utils ])
++ args.systemBinPaths or [ "/run/wrappers/bin" ];
concatMapStringAttrsSep = concatMapStringAttrsSep =
sep: f: attrs: sep: f: attrs:
@ -207,7 +223,6 @@ in
fuse2fs # Mount ext3 filesystems fuse2fs # Mount ext3 filesystems
go go
mount # mount mount # mount
privileged-un-utils
squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
] ++ lib.optional enableNvidiaContainerCli nvidia-docker; ] ++ lib.optional enableNvidiaContainerCli nvidia-docker;
@ -229,7 +244,7 @@ in
lib.concatStringsSep " " [ lib.concatStringsSep " " [
"--replace-fail" "--replace-fail"
(addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath)) (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
(addShellDoubleQuotes ''${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'') (addShellDoubleQuotes ''$systemDefaultPath''${systemDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'')
] ]
) originalDefaultPaths ) originalDefaultPaths
} }
@ -271,6 +286,7 @@ in
# Respect PATH from the environment/the user. # Respect PATH from the environment/the user.
# Fallback to bin paths provided by Nixpkgs packages. # Fallback to bin paths provided by Nixpkgs packages.
wrapProgram "$out/bin/${projectName}" \ wrapProgram "$out/bin/${projectName}" \
--suffix PATH : "$systemDefaultPath" \
--suffix PATH : "$inputsDefaultPath" --suffix PATH : "$inputsDefaultPath"
# Make changes in the config file # Make changes in the config file
${lib.optionalString forceNvcCli '' ${lib.optionalString forceNvcCli ''
@ -329,6 +345,7 @@ in
}).overrideAttrs }).overrideAttrs
( (
finalAttrs: prevAttrs: { finalAttrs: prevAttrs: {
systemDefaultPath = lib.concatStringsSep ":" systemBinPaths;
inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs; inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
passthru = prevAttrs.passthru or { } // { passthru = prevAttrs.passthru or { } // {
inherit sourceFilesWithDefaultPaths; inherit sourceFilesWithDefaultPaths;