From 72cac4a4d0fca90b216c700b37a0af24d018b31a Mon Sep 17 00:00:00 2001
From: David Trudgian
Date: Fri, 16 Jun 2023 12:03:49 +0100
Subject: [PATCH] support `--no-home` in `--oci` mode
When `--no-home` is set on the CLI in `--oci` mode, do not mount onto the container home directory.
Fixes sylabs/singularity#1780
Signed-off-by: Edita Kizinevic
---
 CHANGELOG.md | 2 ++
 e2e/actions/oci.go | 5 +++++
 internal/pkg/runtime/launcher/oci/launcher_linux.go | 3 ---
 internal/pkg/runtime/launcher/oci/mounts_linux.go | 8 ++++++--
 4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71607a52a9..d1a26b5d16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -79,6 +79,8 @@ For older changes see the [archived Singularity change log](https://github.com/a
 storage. If `--scratch ` is used in conjunction with `--workdir`, scratch directories will be mapped to subdirectories nested under `/scratch` on the host, rather than to tmpfs storage.
+- OCI-mode now supports the `--no-home` flag, to prevent the container home
+ directory from being mounted.
 ### Developer / API
diff --git a/e2e/actions/oci.go b/e2e/actions/oci.go
index e1a8b44da5..d1534cd319 100644
--- a/e2e/actions/oci.go
+++ b/e2e/actions/oci.go
@@ -211,6 +211,11 @@ func (c actionTests) actionOciExec(t *testing.T) {
 argv: []string{"--home", "/tmp:/home", imageRef, "true"},
 exit: 0,
 },
+ {
+ name: "NoHome",
+ argv: []string{"--no-home", imageRef, "grep", e2e.OCIUserProfile.ContainerUser(t).Dir, "/proc/self/mountinfo"},
+ exit: 1,
+ },
 {
 name: "UTSNamespace",
 argv: []string{"--uts", imageRef, "true"},
diff --git a/internal/pkg/runtime/launcher/oci/launcher_linux.go b/internal/pkg/runtime/launcher/oci/launcher_linux.go
index 18468864be..7f98e4e97a 100644
--- a/internal/pkg/runtime/launcher/oci/launcher_linux.go
+++ b/internal/pkg/runtime/launcher/oci/launcher_linux.go
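Review bot: The new `NoHome` case in the `e2e/actions/oci.go` hunk is a negative-only assertion, so it can pass without proving that `--no-home` suppressed anything. `grep` exits 1 whenever `e2e.OCIUserProfile.ContainerUser(t).Dir` is absent from `/proc/self/mountinfo`, which would also be the case if that path is not the home directory the launcher actually uses, or if only a parent directory were mounted. A paired positive control would close that gap, e.g. the same argv without `--no-home` and `exit: 0` (assuming the default OCI-mode home mount shows up in mountinfo). The path is also handed to `grep` as an unanchored regular expression; `"grep", "-F", ...` would keep dots and other metacharacters literal. The test table and `actionOciExec` continue outside the hunk, so an existing positive case elsewhere cannot be ruled out.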
@@ -86,9 +86,6 @@ func checkOpts(lo launcher.Options) error {
 if lo.WritableTmpfs {
 sylog.Infof("--oci mode uses --writable-tmpfs by default")
 }
- if lo.NoHome {
- badOpt = append(badOpt, "NoHome")
- }
 if len(lo.FuseMount) > 0 {
 badOpt = append(badOpt, "FuseMount")
diff --git a/internal/pkg/runtime/launcher/oci/mounts_linux.go b/internal/pkg/runtime/launcher/oci/mounts_linux.go
index b8691da58e..c0502f5f4c 100644
--- a/internal/pkg/runtime/launcher/oci/mounts_linux.go
+++ b/internal/pkg/runtime/launcher/oci/mounts_linux.go
@@ -270,13 +270,17 @@ func (l *Launcher) addSysMount(mounts *[]specs.Mount) error {
 // `--containall`, so the user must specifically bind in their home directory
 // from the host for it to be available.
 func (l *Launcher) addHomeMount(mounts *[]specs.Mount) error {
- // If the $HOME mount is skipped by config need to still handle setting the
- // correct $HOME dir, but just skip adding the mount.
+ // If the $HOME mount is skipped by config or --no-home, we still need to
+ // handle setting the correct $HOME dir, but just skip adding the mount.
 skipMount := false
 if !l.apptainerConf.MountHome {
 sylog.Debugf("Skipping mount of $HOME due to apptainer.conf")
 skipMount = true
 }
+ if l.cfg.NoHome {
+ sylog.Debugf("Skipping mount of $HOME due to --no-home")
+ skipMount = true
+ }
 // Get the host user's data
 pw, err := user.CurrentOriginal()
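Review bot: The doc comment above `addHomeMount` in `mounts_linux.go` is not updated for the new `l.cfg.NoHome` branch, and nothing states what happens when `--no-home` is combined with an explicit `--home` bind. From the visible lines `skipMount = true` presumably wins, and the only trace is a `sylog.Debugf` message. Because `--no-home` is normally used to keep home-directory content out of the container, the function comment should spell that out, e.g. `// --no-home takes precedence over --home and apptainer.conf: no home mount is added, but $HOME is still set.` The rest of the function lies outside the hunk, so it should be confirmed that every mount path, including a custom `--home` source, honours `skipMount`. It should also be confirmed that a `$HOME` pointing at a directory this function no longer provides is acceptable for images that do not ship that directory.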