support --no-home in --oci mode

When `--no-home` is set on the CLI in `--oci` mode, do not mount onto the container home directory. Fixes #1780
sylabs · Jun 16, 2023 · e808056 · e808056
1 parent b1828aa
commit e808056
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -69,7 +69,9 @@
   files on the host that have permissions based on supplementary group
   membership. Note that supplementary groups are mapped to `nobody` in the
   container, and `chgrp`, `newgrp`, etc. cannot be used.
-
+- OCI-mode now supports the `--no-home` flag, to prevent the container home
+  directory from being mounted.
+
 ### Bug Fixes
 
 - Fix interaction between `--workdir` when given relative path and `--scratch`.

diff --git a/e2e/actions/oci.go b/e2e/actions/oci.go
@@ -209,6 +209,11 @@ func (c actionTests) actionOciExec(t *testing.T) {
 			argv: []string{"--home", "/tmp:/home", imageRef, "true"},
 			exit: 0,
 		},
+		{
+			name: "NoHome",
+			argv: []string{"--no-home", imageRef, "grep", e2e.OCIUserProfile.ContainerUser(t).Dir, "/proc/self/mountinfo"},
+			exit: 1,
+		},
 		{
 			name: "UTSNamespace",
 			argv: []string{"--uts", imageRef, "true"},

diff --git a/internal/pkg/runtime/launcher/oci/launcher_linux.go b/internal/pkg/runtime/launcher/oci/launcher_linux.go
@@ -82,9 +82,6 @@ func checkOpts(lo launcher.Options) error {
 	if lo.WritableTmpfs {
 		sylog.Infof("--oci mode uses --writable-tmpfs by default")
 	}
-	if lo.NoHome {
-		badOpt = append(badOpt, "NoHome")
-	}
 
 	if len(lo.FuseMount) > 0 {
 		badOpt = append(badOpt, "FuseMount")

diff --git a/internal/pkg/runtime/launcher/oci/mounts_linux.go b/internal/pkg/runtime/launcher/oci/mounts_linux.go
@@ -266,13 +266,17 @@ func (l *Launcher) addSysMount(mounts *[]specs.Mount) error {
 // `--containall`, so the user must specifically bind in their home directory
 // from the host for it to be available.
 func (l *Launcher) addHomeMount(mounts *[]specs.Mount) error {
-	// If the $HOME mount is skipped by config need to still handle setting the
-	// correct $HOME dir, but just skip adding the mount.
+	// If the $HOME mount is skipped by config or --no-home, we still need to
+	// handle setting the correct $HOME dir, but just skip adding the mount.
 	skipMount := false
 	if !l.singularityConf.MountHome {
 		sylog.Debugf("Skipping mount of $HOME due to singularity.conf")
 		skipMount = true
 	}
+	if l.cfg.NoHome {
+		sylog.Debugf("Skipping mount of $HOME due to --no-home")
+		skipMount = true
+	}
 
 	// Get the host user's data
 	pw, err := user.CurrentOriginal()