
Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job



If you are intending to run processes somewhat manually as root (0/1)
in a Docker container, you should assure that you have user namespace
mapping enabled on the kernel and the Docker daemon!
Else the processes might run under the same UID as in the 'host' user
namespace.



On 13/06/2019 23.14, Gergely Debreczeni via HTCondor-users wrote:
> Thanks, that is indeed good advice! I’ll check and see whether it has
> any limitations for our use case.... But if I understood correctly
> “becoming root” inside a docker container should not harm the host OS in
> any manner... so why is it disabled in Condor? Is there some security
> flaw there?
> 
> Thanks,
> 
> Gergely
> 
> *From:* HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> *On Behalf
> Of *Kandes, Martin
> *Sent:* Thursday, June 13, 2019 11:06 PM
> *To:* HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> *Subject:* Re: [HTCondor-users] sudo / package installation inside a
> docker container inside a user job
> 
> Gergely,
> 
> Dimitri does have a good point. But I understand your problem. I help
> maintain the Singularity containers we build for our users [1].
> 
> One possibility you might consider is using miniconda [2] to install
> additional packages in userspace, if the user's HOME directory or some
> scratch space available to the job is large enough to handle
> installations of packages like TensorFlow. I actually install miniconda
> by default in our base containers for this purpose myself. e.g., see [3]
> [4].
> 
> I know this isn't a Docker-native solution. But that's how I might do it
> with Singularity.
> 
> Marty
> 
> [1] https://github.com/mkandes/naked-singularity
> [2] https://docs.conda.io/en/latest/miniconda.html
> [3] https://github.com/mkandes/naked-singularity/blob/master/definition-files/comet/ubuntu/ubuntu.def
> [4] https://github.com/mkandes/naked-singularity/blob/master/definition-files/comet/ubuntu/ubuntu-cuda.def
> 
> ------------------------------------------------------------------------
> 
> *From:*HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx
> <mailto:htcondor-users-bounces@xxxxxxxxxxx>> on behalf of Dimitri Maziuk
> via HTCondor-users <htcondor-users@xxxxxxxxxxx
> <mailto:htcondor-users@xxxxxxxxxxx>>
> *Sent:* Thursday, June 13, 2019 1:27:50 PM
> *To:* htcondor-users@xxxxxxxxxxx <mailto:htcondor-users@xxxxxxxxxxx>
> *Cc:* Dimitri Maziuk
> *Subject:* Re: [HTCondor-users] sudo / package installation inside a
> docker container inside a user job
> 
> On 6/13/19 3:07 PM, Gergely Debreczeni via HTCondor-users wrote:
>> python3, tensorflow, gnuplot, etc... nothing special, in principle
>> they could be installed in advance, but each user group has different
>> requirements and we don't want to manage / maintain so many different
>> docker images...
> 
> Is reproducibility/repeatability a concern? You may get a different new
> version of $foo on every run if you do this; "immutable" is one of the
> buzzwords in docker's sales pitch.
> 
> -- 
> Dimitri Maziuk
> Programmer/sysadmin
> BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu
> 
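The user-namespace check recommended at the top of this thread, as an added example that is not from any of the posters: it classifies the `/proc/self/uid_map` a containerised process sees (is UID 0 inside the container really host root, or a remapped unprivileged UID?) and reports the usual host-side hints (the kernel's `max_user_namespaces` sysctl and the `userns-remap` key in `/etc/docker/daemon.json`). The sample maps are constructed; the paths are the standard Linux/Docker ones.

```shell
#!/bin/sh
# Added example, not from the thread. Each uid_map line reads:
#   <first UID inside the namespace> <first UID outside (host)> <length>
# classify_uid_map prints one of: host-root | remapped | unmapped
classify_uid_map() {
    map=$1
    while read -r inside outside length; do
        [ -z "$inside" ] && continue
        # Only the range that contains inside-UID 0 matters for "root".
        if [ "$inside" -eq 0 ] && [ "$length" -gt 0 ]; then
            if [ "$outside" -eq 0 ]; then
                echo host-root   # container root IS host root: no isolation gain
            else
                echo remapped    # e.g. 0 -> 100000, what userns-remap produces
            fi
            return 0
        fi
    done <<EOF
$map
EOF
    echo unmapped   # no range covers UID 0; kernel shows the overflow UID
}

# Host-side hints. Nothing is executed when the files are absent, so this
# is safe to run anywhere; on a real host it tells you what to fix.
host_userns_hints() {
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "kernel max_user_namespaces: $(cat /proc/sys/user/max_user_namespaces)"
    else
        echo "kernel: /proc/sys/user/max_user_namespaces not readable"
    fi
    if [ -r /etc/docker/daemon.json ] && grep -q '"userns-remap"' /etc/docker/daemon.json; then
        echo "dockerd: userns-remap is configured in /etc/docker/daemon.json"
    else
        echo "dockerd: no userns-remap key found in /etc/docker/daemon.json"
    fi
}

# Constructed sample maps, as seen from inside a container.
SAMPLE_DEFAULT='0 0 4294967295'    # dockerd without userns-remap
SAMPLE_REMAPPED='0 100000 65536'   # dockerd with userns-remap enabled

echo "default docker map : $(classify_uid_map "$SAMPLE_DEFAULT")"
echo "remapped docker map: $(classify_uid_map "$SAMPLE_REMAPPED")"
host_userns_hints
```

Inside a running container, `classify_uid_map "$(cat /proc/self/uid_map)"` gives the live answer; `host-root` means the setup the first message warns about.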