2000 character limit reached
Zero-consistency root emulation for unprivileged container image build
Published 9 May 2024 in cs.DC and cs.OS | (2405.06085v1)
Abstract: Do Linux distribution package managers need the privileged operations they request to actually happen? Apparently not, at least for building container images for HPC applications. We use this observation to implement a root emulation mode using a Linux seccomp filter that intercepts some privileged system calls, does nothing, and returns success to the calling program. This approach provides no consistency whatsoever but appears sufficient to build all Dockerfiles we examined, simplifying fully-unprivileged workflows needed for HPC application containers.
- 2015. Features. https://firejail.wordpress.com/features-3
- Felix Abecassis and Jonathan Calmels. 2020. Distributed HPC applications with unprivileged containers. https://archive.fosdem.org/2020/schedule/event/containers_hpc_unprivileged/
- Apptainer project. 2021. Community announcement. https://apptainer.org/news/community-announcement-20211130/
- Apptainer project. 2023. Apptainer user guide. https://apptainer.org/docs/user/main/security.html#
- fakeroot(1). Man page. https://manpages.debian.org/bullseye/fakeroot/fakeroot.1.en.html
- distrobuilder contributors. 2023. distrobuilder documentation. https://linuxcontainers.org/distrobuilder/docs/latest/
- Docker Inc. 2023. Seccomp security profiles for Docker. https://docs.docker.com/engine/security/seccomp/
- Dave Dykstra. 2022. Apptainer without Setuid. https://doi.org/10.48550/arXiv.2208.12106 arXiv:2208.12106Â [cs]
- man(1). Man page. https://man7.org/linux/man-pages/man1/man.1.html
- Michael Kerrisk. 2013a. Namespaces in operation, part 1: Namespaces overview. Linux Weekly News (Jan. 2013). https://lwn.net/Articles/531114/
- Michael Kerrisk. 2013b. Namespaces in operation, part 5: User namespaces. Linux Weekly News (Feb. 2013). https://lwn.net/Articles/532593/
- Michael Kerrisk. 2024. Seccomp. https://man7.org/training/download/splc_seccomp_slides-mkerrisk-man7.org.pdf
- Singularity: Scientific containers for mobility of compute. PLOS ONE 12, 5 (May 2017). https://doi.org/10.1371/journal.pone.0177459
- Michael Larabel. 2020. Seccomp filters get a very nice speed-up with Linux 5.11. https://www.phoronix.com/news/Linux-5.11-SECCOMP-Performance
- libseccomp. The libseccomp Project. https://github.com/seccomp/libseccomp
- Minimizing privilege for building HPC containers. In Proc. SC. https://doi.org/10.1145/3458817.3476187
- Reid Priedhorsky and Tim Randles. 2017. Charliecloud: Unprivileged containers for user-defined software stacks in HPC. In Supercomputing. https://doi.org/10.1145/3126908.3126925
- Piotr Roszatycki. 2019. fakechroot. https://github.com/dex4er/fakechroot/blob/2.20.1/man/fakechroot.pod
- Robert Swiecki et al. 2024. nsjail. https://github.com/google/nsjail
- Sylabs Inc. 2022. SingularityCE is Singularity. https://sylabs.io/2022/06/singularityce-is-singularity/
- Dave Trudgian. 2022. proot based non-root / non –fakeroot builds. https://github.com/sylabs/singularity/issues/880
- Cédric Vincent et al. 2022. PRoot — chroot, mount –bind, and binfmt_misc without privilege/setup. https://proot-me.github.io/
- Zatoichi. 2017. Zatoichi’s Engineering Blog. https://zatoichi-engineer.github.io/2017/11/06/seccomp-bpf.html
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Collections
Sign up for free to add this paper to one or more collections.