Comments (31)
reducing the scope: the minimal ping.sspec shows the same issue (CentOS-6 x86_64)
[tru@visu1 singularity]$ cat ping.sspec
Name: ping
Exec: /bin/ping
[tru@visu1 singularity]$ singularity build ping.sspec
...
[tru@visu1 singularity]$ ./ping.sapp -c 1 google.com
ping: unknown host google.com
[tru@visu1 singularity]$ ping -c 1 google.com
PING google.com (172.217.19.142) 56(84) bytes of data.
64 bytes from par03s12-in-f14.1e100.net (172.217.19.142): icmp_seq=1 ttl=53 time=2.53 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 2.533/2.533/2.533/0.000 ms
from singularity.
So, I'm able to build a curl sapp and run it without issue:
`[gmk@centos7-x64 demo]$ cat example.sspec
Name: curl
Exec: /bin/curl
[gmk@centos7-x64 demo]$ singularity --quiet build example.sspec
Running test...
Hello from within the container... (no test code defined)
WROTE: curl.sapp
[gmk@centos7-x64 demo]$ ./curl.sapp google.com
301 Moved
The document has moved
here.
Ping is an interesting example, because technically to send an ICMP you need to special system privileges. This is what I'm getting on Centos 7 x64:
$ ./ping.sapp -c 1 google.com ping: icmp open socket: Operation not permitted [gmk@centos7-x64 demo]$
So, I'm guessing something is different on my system because it is resolving properly. DNS resolution usually happens by libc dlopen'ing name resolution libraries. Do this please:
$ singularity specgen curl google.com
and then paste the resulting curl.sspec (if both of you can do that, it would be great). Singularity always needs to included these libraries into a container.
Thanks!
from singularity.
[tru@visu1 singularity]$ \rm -rf ~/.singularity-cache/
[tru@visu1 singularity]$ singularity list
CONTAINER NAME UUID SIZE SUMMARY
[tru@visu1 singularity]$ singularity specgen curl google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.fr/?gfe_rd=cr&ei=HiT8VuLZOcHI8gfj0K-ABQ">here</A>.
</BODY></HTML>
WROTE: curl.sspec
[tru@visu1 singularity]$ singularity build curl.sspec
...
WROTE: curl.sapp
Cleaning up temporary files...
[tru@visu1 singularity]$ ./curl.sapp google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.fr/?gfe_rd=cr&ei=XiT8VqWmOcHI8gfj0K-ABQ">here</A>.
</BODY></HTML>
so it works with the "specgen"erated file :)
from singularity.
attaching the generated file on CentOS-6
curl.sspec.txt
from singularity.
I betcha it is the libnss3 and libnssutil3. I don't think I'm adding those automatically... That should catch it for Centos6. ;)
Thanks Tru!
from singularity.
If you retest from trunk, it should now grab those two libraries when building a SAPP. Hopefully that will fix it for both cases! Karl, can you retest current master?
Thanks!
from singularity.
:(
[tru@visu1 singularity]$ singularity build curl.sspec 2>&1 |grep nss
Installing file: /lib64/libnss_files.so.2
Installing file: /lib64/libnss_dns.so.2
Installing file: /lib64/libnss3.so
Installing file: /usr/lib64/libnssutil3.so
Installing file: /lib64/libnssutil3.so
Installing file: /usr/lib64/libnss3.so
but
[tru@visu1 singularity]$ ./curl.sapp google.com
curl: (6) Couldn't resolve host 'google.com'
from singularity.
Hi Tru,
Can you run another test for me? Please capture all of the out from this command in /tmp/debug, and send me that file please:
$ singularity strace curl google.com >/tmp/debug 2>&1
Thanks!
from singularity.
my curl.sspec:
I tried the ping sapp: same problem:
./ping.sapp google.fr
ping: unknown host google.fr
the curl strace:
curl.strace.txt
from singularity.
Hi Karl, I'm no at computer yet (so I'm not sure what the attachments are) but can you also do the strace against curl? Ping is an odditity because it always requires additional permission to run. Up until just recently ping was setuid root. Now it generally uses Linux capabilities to achieve similar results which is why I'm not counting on ping to ever work properly in a singularity container.
Probably the smarter thing would be for singularity to check on files with non standard permissions and error if one is found.
Thanks again!
from singularity.
can you also do the strace against curl?
look at the previous post !
from singularity.
Oh, Tru's response? I wasn't making the assumption that you are running on the same host OS. If you are that will indeed work fine and will use what he provided.
Will investigate more soon as I'm at a real keyboard.
Thanks!
from singularity.
Heya Karl,
Sorry for the confusion about not seeing your attachments. Looking at them now, and I'm noticing that libnss_myhostname.so.* was not installed into your container. I am debugging why that might have happened as that file should always be installed (as of several days ago!).
Thanks!
from singularity.
ok, I think Karl's issue is now fixed now in master.
The problem was that I made an assumption that the libraries I am statically including (e.g. libnss_myhostname.so.) exist right off of the /lib directories. But on Debian like systems they are actually 2 levels deep. Please test. :)
Tru, can you also test against the git master?
Thanks!
from singularity.
Still does not work for me.
I do not know if it is relevant, but for nslookup.spec, I had to include
/usr/lib/x86_64-linux-gnu/openssl-1.0.0
from singularity.
Can you try that for curl too, and then if it works send me an strace of it?
Can you remind me, when you used specgen to create the spec for curl, did it work? If so can you show me that spec?
Thanks!
from singularity.
Can you try that for curl too,
It did not work for curl.Can you remind me, when you used specgen to create the spec for curl, did it work?
nope
same spec as above
from singularity.
What distribution are you using?
Can you send me your curl SAPP? (Either attach to the ticket or email direct to me please).
Thanks!
from singularity.
ubuntu 14.04
Can you send me your curl SAPP? (Either attach to the ticket or email direct to me please).
which curl sapp ? and which email ? the berkeley one ?
from singularity.
I have it running on another Debian/Ubuntu based distribution (Lubuntu) without a problem.
At the moment, I am using the host's /etc/resolv.conf and /etc/hosts, but I am creating a generic /etc/nsswitch.conf. I wonder if that is the problem... Might be worth copying your hosts's /etc/nsswitch.conf into ~/.singulairty-cache/containers/[container UUID]/c/etc/nsswitch.conf for testing.
from singularity.
At the moment, I am using the host's /etc/resolv.conf and /etc/hosts, but I am creating a generic >/etc/nsswitch.conf. I wonder if that is the problem... Might be worth copying your hosts's >/etc/nsswitch.conf into ~/.singulairty-cache/containers/[container UUID]/c/etc/nsswitch.conf for testing.
I tried copying both the nsswitch.conf then the resolv.conf without success.
But remember, if I add /lib/x86_64-linux-gnu/ in %files it works.
Could it be related to pam, sssd, etc... ?
from singularity.
On Fri, Apr 1, 2016 at 4:50 PM, Gregory M. Kurtzer <[email protected]
wrote:
I have it running on another Debian/Ubuntu based distribution (Lubuntu)
without a problem.At the moment, I am using the host's /etc/resolv.conf and /etc/hosts, but
I am creating a generic /etc/nsswitch.conf. I wonder if that is the
problem... Might be worth copying your hosts's /etc/nsswitch.conf into
~/.singulairty-cache/containers/[container UUID]/c/etc/nsswitch.conf for
testing.in any case, I think that files explicitly specified in the %files should
override your templates.—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
https://github.com/gmkurtzer/singularity/issues/16#issuecomment-204425317
from singularity.
But remember, if I add /lib/x86_64-linux-gnu/ in %files it works. Could it be related to pam, sssd, etc... ?
Yes, we are missing some library that is getting dlopen'ed probably by libc itself would be my guess. But why we aren't able to detect it is worrysome. I went over your specgen output and your strace output of library open(), and there were no differences.
I didn't get the SAPP file though, did you send it? Can you also send me the SAPP file where it worked when you included all of /lib/x86_64-linux-gnu/? It will be bigger, so maybe a dropbox or other URL link if it doesn't fit in the ticket?
Thanks
from singularity.
in any case, I think that files explicitly specified in the %files should override your templates.
Oh, this is easy enough to do, but.... It does inherently break portability and possibly expose hosts (targets) to people who are distributing the SAPP file. Let me think about that.
from singularity.
I didn't get the SAPP file though, did you send it? Can you also send me the SAPP file where it worked when you included all of /lib/x86_64-linux-gnu/?
Here they are:
- https://www.dropbox.com/s/pgu04uxvtk57e5w/curl_bare.sapp?dl=0
- https://www.dropbox.com/s/yfuzkox7weyko93/curl_with_all_libs.sapp?dl=0
Oh, this is easy enough to do, but.... It does inherently break portability and possibly expose hosts >(targets) to people who are distributing the SAPP file. Let me think about that.
My point is that if you explicitly add them to %files, then you (should) know what you're doing.
You could maintain a list of sensitive files, and emit warnings if they are in %files...
from singularity.
I'm not sure if this is related or not, but both are picking up a library in a non-standard location:
/home/karl/bin/libnss_dns.so.2
Can you confirm that /bin/ldd is finding that, and that it is necessary?
Thanks!
from singularity.
there is no /home/karl/bin/libnss_dns.so.2
but there is a /home/karl/bin/libstderred.so which is loaded via
LD_PRELOAD=/home/karl/bin/libstderred.so
Could it be related ?
On Mon, Apr 4, 2016 at 4:46 PM, Gregory M. Kurtzer <[email protected]
wrote:
I'm not sure if this is related or not, but both are picking up a library
in a non-standard location:/home/karl/bin/libnss_dns.so.2
Can you confirm that /bin/ldd is finding that, and that it is necessary?
Thanks!
—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
https://github.com/gmkurtzer/singularity/issues/16#issuecomment-205328751
from singularity.
No, I don't think that is related. Is your LD_LIBRARY_PATH set?
I found another thing very interesting:
The container that works has multiple copies of libnss_files and libnss_dns and they aren't the same.
$ md5sum lib64/libnss_files.so.2 lib/x86_64-linux-gnu/libnss_files.so.2
5b3b1eb6d2be03550623921a55c1b41f lib64/libnss_files.so.2
67f25cd8773539eda122b6b44c117048 lib/x86_64-linux-gnu/libnss_files.so.2
$ md5sum lib64/libnss_dns.so.2 lib/x86_64-linux-gnu/libnss_dns.so.2
36286bd509a1cf64ad086e3ca33255df lib64/libnss_dns.so.2
4c611c519cbd06d59ec35f8d210befdb lib/x86_64-linux-gnu/libnss_dns.so.2
To that end I just changed some of the code in master, hoping to fix that. Can you try again?
Thanks!
from singularity.
It works !!!
On Mon, Apr 4, 2016 at 4:57 PM, Gregory M. Kurtzer <[email protected]
wrote:
No, I don't think that is related. Is your LD_LIBRARY_PATH set?
I found another thing very interesting:
The container that works has multiple copies of libnss_files and
libnss_dns and they aren't the same.$ md5sum lib64/libnss_files.so.2 lib/x86_64-linux-gnu/libnss_files.so.2
5b3b1eb6d2be03550623921a55c1b41f lib64/libnss_files.so.2
67f25cd8773539eda122b6b44c117048 lib/x86_64-linux-gnu/libnss_files.so.2
$ md5sum lib64/libnss_dns.so.2 lib/x86_64-linux-gnu/libnss_dns.so.2
36286bd509a1cf64ad086e3ca33255df lib64/libnss_dns.so.2
4c611c519cbd06d59ec35f8d210befdb lib/x86_64-linux-gnu/libnss_dns.so.2To that end I just changed some of the code in master, hoping to fix that.
Can you try again?Thanks!
—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
https://github.com/gmkurtzer/singularity/issues/16#issuecomment-205335807
from singularity.
Fantastic! Thank you so much for your patience while I wrap my head around it. I also wrote a note in the TODO to think about how to handle the issue with sensitive files in %files and how to include or overwrite them.
BTW, It was very cool getting your SAPPs and being able to replicate your exact problem. lol
from singularity.
BTW, It was very cool getting your SAPPs and being able to replicate your exact problem.
yes we'll know for the next time ;)
thanks for the fix.
from singularity.
Related Issues (20)
- After the administrator adds the fakeroot mapping, I can't build an image as fakeroot. HOT 1
- After the administrator adds the fakeroot mapping, I still can't build an image as fakeroot HOT 1
- Options for podman alternative to docker-daemon boostrap-agent HOT 1
- Could not change permissions for temporary file when apt update. HOT 1
- problem in binding a directory from the host machine to the singularity container HOT 1
- Specifying --env-file returns a UID / GID readonly warning HOT 1
- container creation failed: mount hook function failure: mount /proc/self/fd/3->/var/lib/apptainer/mnt/session/rootfs error: while mounting image /proc/self/fd/3: squashfuse_ll exited with status 255: Something went wrong trying to read the squashfs image HOT 1
- FATAL: container creation failed: mount ERROR: while mounting image: no loop devices available HOT 1
- Failed to create mount namespace: mount namespace requires privileges, check Singularity installation : exit status 1 HOT 1
- OpenCL unavailable in Singularity with custom CUDA installation path and additional opencl related libraries from linux repository HOT 1
- Error in running def file during rpm installation HOT 1
- Singularity pull error: FATAL: While getting image info: error decoding image: invalid ObjectId in JSON HOT 1
- Singularity fails to build image on disk with sufficient space HOT 1
- Failed to invoke the specified Python 3 path HOT 1
- How do you authenticate to the Github container registry HOT 1
- manifest unknown HOT 1
- Runtime comparing to VM google cloud HOT 1
- [Usage] How to pass an inline argument for singularity shell call? HOT 1
- Singularity crashes when running heudiconv fmri data conversion HOT 1
- ERROR : Failed invoking the NEWUSER namespace runtime: Invalid argument ABORT : Retval = 255 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from singularity.