apptainer, singularity: enable non-FHS --fakeroot support

This patch provides input arguments `newuidmapPath` and `newgidmapPath` for apptainer and singularity to specify the path to the SUID-ed executables newuidmap and newgidmap where they are not available from the FHS PATH. As NixOS places those suided executables in a non-FHS position (/run/wrapper/bin), this patch provides programs.singularity.enableFakeroot option and implement with the above input parameters.
2023-01-29 01:02:48 +08:00 · 2023-01-29 01:02:48 +08:00 · 71a89291ee
parent 50788d2fb0
commit 71a89291ee
4 changed files with 38 additions and 1 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@ -958,6 +958,16 @@
          package to use.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The new option
+          <literal>programs.singularity.enableFakeroot</literal>, if set
+          to <literal>true</literal>, provides
+          <literal>--fakeroot</literal> support for
+          <literal>apptainer</literal> and
+          <literal>singularity</literal>.
+        </para>
+      </listitem>
      <listitem>
        <para>
          The <literal>unifi-poller</literal> package and corresponding
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -235,6 +235,8 @@ In addition to numerous new and upgraded packages, this release has the followin

  `singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use.

+- The new option `programs.singularity.enableFakeroot`, if set to `true`, provides `--fakeroot` support for `apptainer` and `singularity`.
+
 - The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.

 - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@ -45,6 +45,14 @@ in
        Use `lib.mkForce` to forcefully specify the overriden package.
      '';
    };
+    enableFakeroot = mkOption {
+      type = types.bool;
+      default = true;
+      example = false;
+      description = mdDoc ''
+        Whether to enable the `--fakeroot` support of Singularity/Apptainer.
+      '';
+    };
    enableSuid = mkOption {
      type = types.bool;
      default = true;
@ -57,7 +65,10 @@ in

  config = mkIf cfg.enable {
    programs.singularity.packageOverriden = (cfg.package.override (
-      optionalAttrs cfg.enableSuid {
+      optionalAttrs cfg.enableFakeroot {
+        newuidmapPath = "/run/wrappers/bin/newuidmap";
+        newgidmapPath = "/run/wrappers/bin/newgidmap";
+      } // optionalAttrs cfg.enableSuid {
        enableSuid = true;
        starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
      }
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@ -25,6 +25,7 @@ let
 in
 { lib
 , buildGoModule
+, runCommandLocal
  # Native build inputs
 , makeWrapper
 , pkg-config
@ -55,6 +56,12 @@ in
  # Whether to compile with SUID support
 , enableSuid ? false
 , starterSuidPath ? null
+  # newuidmapPath and newgidmapPath are to support --fakeroot
+  # where those SUID-ed executables are unavailable from the FHS system PATH.
+  # Path to SUID-ed newuidmap executable
+, newuidmapPath ? null
+  # Path to SUID-ed newgidmap executable
+, newgidmapPath ? null
  # Remove the symlinks to `singularity*` when projectName != "singularity"
 , removeCompat ? false
  # Workaround #86349
@ -66,6 +73,12 @@ in

 let
  defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
+  privileged-un-utils = if ((isNull newuidmapPath) && (isNull newgidmapPath)) then null else
+  (runCommandLocal "privileged-un-utils" { } ''
+    mkdir -p "$out/bin"
+    ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
+    ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
+  '');
 in
 buildGoModule {
  inherit pname version src;
@ -130,6 +143,7 @@ buildGoModule {
    coreutils
    cryptsetup # cryptsetup
    go
+    privileged-un-utils
    squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
    squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
  ]