Skip to content

Install Singularity & Apptainer SUID-free; bump to latest#180

Open
kennedydane wants to merge 5 commits into
masterfrom
dane/update/singularity
Open

Install Singularity & Apptainer SUID-free; bump to latest#180
kennedydane wants to merge 5 commits into
masterfrom
dane/update/singularity

Conversation

@kennedydane
Copy link
Copy Markdown
Collaborator

@kennedydane kennedydane commented Jun 1, 2026

Summary

Reconfigure both container runtimes so containers run via unprivileged user namespaces instead of the setuid-root starter-suid binary, and so the runtimes install without any sudo. Also bumps both to their latest releases.

Scope was deliberately limited to running containers — building happens elsewhere, so roles/containers/ build tasks and .def files are untouched.

Changes

SUID-free build & install (apptainer.yaml, singularity.yaml)

  • Build with mconfig --without-suid (apptainer switched from --with-suid).
  • Point --localstatedir/--sysconfdir under the per-version install prefix so make install writes only to the user-writable /software tree → removed become: true from the go-based installs.
  • Bounded singularity's --without-conmon to < 4.3 (the flag was removed in SingularityCE 4.3.0); kept --without-seccomp.

Config managed elsewhere

  • Removed the root-owned apptainer.conf deployment from apptainer.yaml.
  • Both installs now emit a debug reminder to set allow setuid = no in the externally-managed singularity.conf / apptainer.conf.
  • make install still drops a default config into the new sysconfdir, so the runtime has a baseline before the separate tooling hardens it.

Version bumps (main.yml)

  • SingularityCE → 4.4.1, Apptainer → 1.5.0, plus Go 1.25.10 (both runtimes require Go ≥ 1.25.7).
  • Older versions commented out (kept as reference).

Notes / follow-ups

  • roles/compiled/templates/common/apptainer.conf is now orphaned (nothing deploys it). It still holds the ilifu bind-path reference (/idia, /data, /users, …) — that content should move into the separate config management, after which the template can be deleted here.
  • Ubuntu 22.04 hosts (kernel 5.15) have unprivileged user namespaces enabled by default, so rootless running works without kernel tuning.

Verification (non-root user)

ansible-playbook site.yaml -t golang,golang1.25.10
ansible-playbook site.yaml -t singularity,singularity4.4.1
ansible-playbook site.yaml -t apptainer,apptainer1.5.0
# no starter-suid installed; both run without sudo:
singularity exec <img>.sif id
apptainer exec <img>.sif id

🤖 Generated with Claude Code

@kennedydane @claude
Install Singularity & Apptainer SUID-free; bump to latest
3d3b8c8 
Reconfigure both container runtimes so containers run via unprivileged
user namespaces instead of the setuid-root starter binary, and install
them without any sudo:

- Build with mconfig --without-suid (drop --with-suid for apptainer).
- Point --localstatedir/--sysconfdir under the per-version install
  prefix so make install writes only to the user-writable /software
  tree; remove become: true from the go-based installs.
- Bound singularity's --without-conmon to < 4.3 (removed in 4.3.0);
  keep --without-seccomp.
- Stop managing singularity.conf/apptainer.conf here (config lives
  elsewhere); emit a debug reminder to set 'allow setuid = no' there.

Pin to the latest releases and comment out older versions for
reference: SingularityCE 4.4.1, Apptainer 1.5.0, plus Go 1.25.10
(both runtimes require Go >= 1.25.7).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 1, 2026 12:45
Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reconfigures SingularityCE and Apptainer builds/installs to be SUID-free (rootless runtime) and install entirely into the user-writable /software prefix (no become: true), while also bumping both runtimes (and Go) to newer versions.

Changes:

  • Build SingularityCE/Apptainer with mconfig --without-suid and install state/config directories under the per-version install prefix (--localstatedir / --sysconfdir).
  • Remove root-owned apptainer.conf deployment from this role and replace it with operator reminders to enforce allow setuid = no in externally managed config.
  • Bump versions in the compiled role to SingularityCE 4.4.1, Apptainer 1.5.0, and Go 1.25.10; comment older versions as reference.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File Description
ansible/roles/compiled/templates/common/apptainer.conf Sets allow setuid = no and disables setuid squashfs mounting in the (now orphaned) template.
ansible/roles/compiled/tasks/common/singularity.yaml Updates mconfig flags/paths for SUID-free install and removes privileged install step; adds operator reminder.
ansible/roles/compiled/tasks/common/main.yml Bumps runtime and Go versions; narrows installs to latest versions while retaining older entries as comments.
ansible/roles/compiled/tasks/common/apptainer.yaml Switches to --without-suid, installs fully unprivileged, removes config templating, and adds operator reminder.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread ansible/roles/compiled/templates/common/apptainer.conf
Comment thread ansible/roles/compiled/tasks/common/apptainer.yaml Outdated
Comment thread ansible/roles/compiled/templates/common/apptainer.conf
Comment thread ansible/roles/compiled/tasks/common/apptainer.yaml Outdated
Comment thread ansible/roles/compiled/templates/common/apptainer.conf
Comment thread ansible/roles/compiled/tasks/common/apptainer.yaml Outdated
@kennedydane @claude
Address PR review: clarify reminders and orphaned template
8c6b9f9 
- Note in apptainer.conf that it is retained for reference only and no
  longer deployed (config managed elsewhere).
- Point the apptainer/singularity setuid reminders at the full config
  file path instead of just the sysconfdir root.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kennedydane
Copy link
Copy Markdown
Collaborator Author

kennedydane commented Jun 1, 2026

Addressed the Copilot review feedback in 8c6b9f9:

  • apptainer.conf retained-for-reference note — added a header comment stating the template is no longer deployed and is kept only as a reference (config is managed elsewhere).
  • Reminder paths — the apptainer and singularity setuid reminders now point at the full config-file path ({{ install_dir }}/etc/apptainer/apptainer.conf and .../etc/singularity/singularity.conf) rather than just the sysconfdir root. Applied to singularity too for consistency.

@kennedydane kennedydane requested a review from Copilot June 1, 2026 13:04
Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Comment thread ansible/roles/compiled/tasks/common/singularity.yaml Outdated
@kennedydane @claude
Fix directory mode typo flagged in PR review
ef21313 
The 'Ensure installation parent exists' tasks used mode o=rwx,g=rx,o=rx,
which repeated o= and never set the owner bits. Correct to
u=rwx,g=rx,o=rx (0755).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kennedydane kennedydane requested a review from Copilot June 1, 2026 13:32
Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@kennedydane @claude
Document why localstatedir lives under install_dir
f8505ac 
localstatedir holds only empty mount-point stubs created at install time
and never written at runtime, so install_dir can be read-only and the
install stays sudo-free. Add a comment so it isn't moved back to
/usr/local/var by a future change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kennedydane kennedydane requested a review from MikeCTZA June 1, 2026 14:02
@kennedydane @claude
Build SingularityCE --without-libsubid (Ubuntu 22.04)
d89cc7f 
libsubid-dev is not packaged for Ubuntu 22.04; SingularityCE 4.3+
requires libsubid headers to build unless --without-libsubid is passed.
Add the flag bounded to >= 4.3 (complementing the < 4.3 --without-conmon
bound) so the build succeeds on Jammy and the commented reference
versions stay buildable. Impact is limited to fakeroot subid lookups
(static /etc/sub{u,g}id only, no NSS) and is nil for plain rootless runs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@MikeCTZA MikeCTZA MikeCTZA approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kennedydane @MikeCTZA