This relates mostly to the "User Namespaces and Fakeroot" page. I found it fairly confusing because apptainer has so many modular features, each of which requires different levels of permissions and dependent software, that in turn enable different capabilities in apptainer. In theory this could be expanded to talk about FUSE filesystems etc as well.
The motivation for this is helping sysadmins determine which features they can enable "for free" (i.e. without security risks), e.g. `fakeroot`, and which ones can be skipped, e.g. the `setuid` flag is possibly not needed on newer Linux kernels.
I think it might be helpful to present this information as a collection of paragraphs, one for each capability, that describe this information in a structured way. Now I don't actually have all the info to write this because I still don't fully understand everything, but here's an example:
Name: Fakeroot binary
How to Enable: Install `fakeroot` command (can be compiled from scratch or installed as a package)
Required Privileges: None (any user can compile `fakeroot`)
Security risks: None
Enables: The use of `sudo` inside apptainer, for example `sudo apt install` or `sudo make install`. This allows the use of many standard installation mechanisms, which can make building containers much easier

Name: Setuid Flag
How to Enable: Install `apptainer-suid` package instead of `apptainer`
Required Privileges: Root
Security risks: Potentially
Enables: Allows apptainer to run on old Linux kernels that don't support user namespaces

Name: `subuid` Mappings
How to Enable: The root user can customize `/etc/subuid` and `/etc/subgid`
Required Privileges: Root
Security risks: No (?)
Enables: Allows apptainer to map multiple users inside the container to multiple users outside the container. This extends the default behaviour whereby the running user outside the container is mapped to root inside the container.
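
Added example, not part of the original issue or of Apptainer's own code: for the `subuid` Mappings entry above, a small Python audit that parses `/etc/subuid`-format text (`name:start:count`) and reports ranges owned by different users that overlap, since overlapping ranges map two users' container IDs onto the same host IDs. The sample content, user names and helper names are constructed for illustration.

```python
# Added example: audit /etc/subuid- or /etc/subgid-style mappings.
# Each entry has the form  name:start:count  (owner, first host ID, number of IDs).
from typing import NamedTuple


class SubidRange(NamedTuple):
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        return self.start + self.count - 1  # last host ID in the range, inclusive


def parse_subid(text):
    """Return (ranges, malformed_line_numbers) for subuid/subgid file content."""
    ranges, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and '#' lines are skipped here
            continue
        parts = line.split(":")
        try:
            owner, start, count = parts[0], int(parts[1]), int(parts[2])
        except (IndexError, ValueError):
            bad.append(lineno)
            continue
        if len(parts) != 3 or not owner or start < 0 or count <= 0:
            bad.append(lineno)
            continue
        ranges.append(SubidRange(owner, start, count))
    return ranges, bad


def find_overlaps(ranges):
    """Return pairs of ranges with different owners that share at least one ID."""
    overlaps = []
    ordered = sorted(ranges, key=lambda r: r.start)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start > a.end:  # sorted by start, so no later range can overlap a
                break
            if a.owner != b.owner:
                overlaps.append((a, b))
    return overlaps


# Constructed sample: bob's and carol's ranges overlap; line 4 is malformed.
SAMPLE = "alice:100000:65536\nbob:165536:65536\ncarol:200000:65536\nbroken-line\n"

if __name__ == "__main__":
    parsed, malformed = parse_subid(SAMPLE)
    print("malformed lines:", malformed)
    for a, b in find_overlaps(parsed):
        print(f"overlap: {a.owner} {a.start}-{a.end} / {b.owner} {b.start}-{b.end}")
```

To audit a real host, pass the contents of `/etc/subuid` or `/etc/subgid` to `parse_subid` in place of `SAMPLE`.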