Support --writable-tmpfs for --oci mode
#1621
Assignees
Milestone
Comments
19 tasks
dtrudg
added a commit
to dtrudg/singularity
that referenced
this issue
May 2, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to callin `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs#1621
dtrudg
added a commit
to dtrudg/singularity
that referenced
this issue
May 2, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs#1621
dtrudg
added a commit
to dtrudg/singularity
that referenced
this issue
May 2, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs#1621
dtrudg
added a commit
to dtrudg/singularity
that referenced
this issue
May 2, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs#1621
dtrudg
added a commit
to dtrudg/singularity
that referenced
this issue
May 3, 2023
Pick sylabs#1622 The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs#1621
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
May 10, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
May 10, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
May 24, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
May 24, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
May 25, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jun 14, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jun 14, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jun 14, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jun 16, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jul 4, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jul 11, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jul 21, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
edytuk
pushed a commit
to vzokay/apptainer
that referenced
this issue
Jul 24, 2023
The `--oci` mode intends to follow behaviour that the native runtime implements when run with `--compat`. One missing aspect is that `--compat` sets `--writable-tmpfs`, where the container rootfs is made writable with a tmpfs backed overlay. This PR: - Introduces a simple wrapping of the `oci run` sub-command as `oci run-wrapped`. This hidden command implements prep / cleanup steps that must take place in a userns for non-root `--oci` execution. - Switches the oci launcher to calling `oci run-wrapped` instead of `oci-run`. - Adds a tmpfs based overlay creation function for OCI bundles. - Includes the tmpfs overlay creation in the `oci run-wrapped` flow. - Copies the native runtime `--compat` e2e tests to OCI mode. Fixes sylabs/singularity#1621 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
--ocimode is currently aiming to offer similar sematics as the native runtime used with its--compatoption.One of the options that is enabled by the
--compatflag is--writable-tmpfs, where the container rootfs is made writable by overlaying a writable tmpfs.The
--ocimode should support this tmpfs overlay, and it should be enabled by default to match the--compatbehaviour in the native runtime.Because the tmpfs mount and overlay must be setup within a user namespace, for non-root users, this will require wrapping the incovation of
runc/crunwith prep / cleanup code.Let's do this in a naive manner at this point. We'll tidy things up once additional prep / cleanup steps have been identified and scoped.
The text was updated successfully, but these errors were encountered: