Remove privileged mode with Fusion #4141

Open: wants to merge 7 commits into base: master
16 changes: 16 additions & 0 deletions docs/config.md
Expand Up @@ -586,6 +586,14 @@ The following settings are available:
`docker.fixOwnership`
: Fix ownership of files created by the docker container.

`docker.fusionOptions`
: :::{versionadded} 23.01.0-edge
:::
: :::{versionchanged} 23.10.0
The default options were changed from `'--rm --privileged'` to the current default.
:::
: The extra command line options to be used with Fusion (default: `'--rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined'`).

`docker.legacy`
: Use command line options removed since Docker 1.10.0 (default: `false`).

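Review bot: the versionchanged note only records that the default moved away from `'--rm --privileged'`; it should also say what the replacement flags grant and what they still give up, because `--security-opt apparmor=unconfined --security-opt seccomp=unconfined` switches off two of Docker's default sandboxing layers for the whole task container, not just for the FUSE mount. Suggest one sentence here stating that `--device /dev/fuse` exposes the FUSE device node and that the default seccomp and AppArmor profiles are relaxed because they block the mount operations Fusion needs, plus a pointer that users who want a tighter boundary can pass a custom seccomp profile through `docker.fusionOptions` instead of `unconfined`.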
Expand Down Expand Up @@ -1321,6 +1329,14 @@ The following settings are available:
`podman.envWhitelist`
: Comma separated list of environment variable names to be included in the container environment.

`podman.fusionOptions`
: :::{versionadded} 23.01.0-edge
:::
: :::{versionchanged} 23.10.0
The default options were changed from `'--rm --privileged'` to the current default.
:::
: The extra command line options to be used with Fusion (default: `'--rm --device /dev/fuse'`).

`podman.mountFlags`
: Add the specified flags to the volume mounts e.g. `mountFlags = 'ro,Z'`.

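Review bot: the Podman default `'--rm --device /dev/fuse'` omits the `--security-opt` relaxations that the Docker default in this same file keeps, and nothing in the versionchanged note explains the asymmetry. If Podman's default seccomp and AppArmor handling was verified to permit the FUSE mount without them, say so here and name the Podman version it was checked on; otherwise readers comparing the two entries will assume one of them is wrong. Consider also stating whether `podman.fusionOptions` replaces the default rather than appending to it, so users restoring `--privileged` know whether they must repeat `--rm --device /dev/fuse`.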
Expand Up @@ -124,8 +124,10 @@ class ContainerConfig extends LinkedHashMap {
final eng = getEngine()
if( !eng )
return null
if( eng=='docker' || eng=='podman' )
return '--rm --privileged'
if( eng=='docker' )
return '--rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined'
if( eng=='podman' )
return '--rm --device /dev/fuse'
if( isSingularityOciMode() )
return '-B /dev/fuse'
if( eng=='singularity' || eng=='apptainer' )
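Review bot: the two new string literals define the security posture of every Fusion task container, yet they carry no comment and are repeated verbatim in docs/config.md and in three test files; extract them to named constants (for example a hypothetical `DOCKER_FUSION_OPTS` and `PODMAN_FUSION_OPTS`) with a comment saying which restriction each flag lifts: `--device /dev/fuse` exposes the device node, `seccomp=unconfined` lifts the default profile's block on `mount` for processes without CAP_SYS_ADMIN, `apparmor=unconfined` lifts the docker-default profile's mount deny. Note also that Docker's default capability set does not include CAP_SYS_ADMIN and none of the new flags adds it; the tests in this PR only assert on the generated command string, so please record in the PR how the FUSE mount was verified to succeed under these defaults (engine version, rootless or not), since a failure there would only surface at task runtime.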
Expand Up @@ -102,8 +102,8 @@ class ContainerConfigTest extends Specification {
where:
OPTS | EXPECTED
[:] | null
[engine:'docker'] | '--rm --privileged'
[engine:'podman'] | '--rm --privileged'
[engine:'docker'] | '--rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined'
[engine:'podman'] | '--rm --device /dev/fuse'
and:
[engine: 'singularity'] | null
[engine: 'singularity', ociMode:true] | '-B /dev/fuse'
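Review bot: the table still only exercises engines with no user override; add a row where the config explicitly sets the Fusion options (the key documented as `docker.fusionOptions` / `podman.fusionOptions`) to confirm that a user-supplied value, including the old `--rm --privileged`, replaces the new default rather than being appended to it, since that is the migration path anyone broken by this change will take.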
Expand Up @@ -64,9 +64,9 @@ class FusionHelperTest extends Specification {

where:
CONFIG | ENV | NAME | OPTS | CMD | EXPECTED
[engine:'docker'] | [:] | 'image:1' | null | ['echo', 'hello'] | "docker run -i --rm --privileged image:1 echo 'hello'"
[engine:'docker'] | [FOO:'one'] | 'image:2' | null | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --rm --privileged image:2 echo 'hello'"
[engine:'docker'] | [FOO:'one'] | 'image:2' | '--this=that' | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --this=that --rm --privileged image:2 echo 'hello'"
[engine:'docker'] | [:] | 'image:1' | null | ['echo', 'hello'] | "docker run -i --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined image:1 echo 'hello'"
[engine:'docker'] | [FOO:'one'] | 'image:2' | null | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined image:2 echo 'hello'"
[engine:'docker'] | [FOO:'one'] | 'image:2' | '--this=that' | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --this=that --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined image:2 echo 'hello'"
and:
[engine:'singularity'] | [:] | 'image:1' | null | ['echo', 'hello'] | "set +u; env - PATH=\"\$PATH\" \${TMP:+SINGULARITYENV_TMP=\"\$TMP\"} \${TMPDIR:+SINGULARITYENV_TMPDIR=\"\$TMPDIR\"} singularity exec --no-home --pid image:1 echo 'hello'"
[engine:'singularity'] | [FOO:'one'] | 'image:1' | null | ['echo', 'hello'] | "set +u; env - PATH=\"\$PATH\" \${TMP:+SINGULARITYENV_TMP=\"\$TMP\"} \${TMPDIR:+SINGULARITYENV_TMPDIR=\"\$TMPDIR\"} SINGULARITYENV_FOO=\"one\" singularity exec --no-home --pid image:1 echo 'hello'"
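Review bot: each of the three Docker rows embeds the full default option string a further time, so a future change to the default means editing four files in lockstep; build the expected strings from the same constant the production code uses, or at least from one local value in this spec. The third row also documents that the caller's OPTS (`--this=that`) are emitted before the Fusion defaults, which is worth a comment since it fixes which flags appear last on the command line. Finally, add a Podman row: Podman now has a distinct default and is not covered here.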
Expand Up @@ -75,7 +75,7 @@ class LocalTaskHandlerTest extends Specification {
then:
handler.fusionEnabled() >> true
and:
builder.command() == ['sh','-c','docker run -i -e "FUSION_WORK=/fusion/http/some/work/dir" -e "FUSION_TAGS=[.command.*|.exitcode|.fusion.*](nextflow.io/metadata=true),[*](nextflow.io/temporary=true)" --rm --privileged ubuntu:latest /usr/bin/fusion bash \'/fusion/http/some/work/dir/.command.run\'']
builder.command() == ['sh','-c','docker run -i -e "FUSION_WORK=/fusion/http/some/work/dir" -e "FUSION_TAGS=[.command.*|.exitcode|.fusion.*](nextflow.io/metadata=true),[*](nextflow.io/temporary=true)" --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined ubuntu:latest /usr/bin/fusion bash \'/fusion/http/some/work/dir/.command.run\'']
builder.directory() == null
builder.redirectErrorStream()
builder.redirectOutput().file()
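Review bot: this single assertion covers only the Docker path; the new Podman default differs and no LocalTaskHandler test exercises it. The expected command is also a long literal that changes whenever the defaults move; consider asserting that the command contains the engine's Fusion default (taken from a shared constant) together with the `FUSION_WORK` and `FUSION_TAGS` variables, rather than the entire string.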
Expand Up @@ -118,7 +118,7 @@ class WaveDebugCmd {

protected WaveRunCmd buildWaveRunCmd(String scheme) {
final result = new WaveRunCmd(session)
result.withContainerParams([tty:true, privileged: true])
result.withContainerParams([tty:true])
if( scheme=='s3' ) {
result.withEnvironment('AWS_ACCESS_KEY_ID')
result.withEnvironment('AWS_SECRET_ACCESS_KEY')
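Review bot: dropping `privileged: true` removes the debug container's ability to perform the FUSE mount, but nothing in this hunk adds the replacement (`--device /dev/fuse` and the security options) that the new `ContainerConfig` defaults supply for regular tasks. Unless `WaveRunCmd` is shown to pick up `docker.fusionOptions` itself, the debug command will start a container that can no longer mount Fusion; please either pass the device and security options through `withContainerParams` or point to where they are applied.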