[bug#36093] [PATCH 1/2] services: Add Singularity.

[Ludovic Courtès]

Hi Danny,

Danny Milosavljevic <address@hidden> skribis:

> On Tue,  4 Jun 2019 23:01:14 +0200
> Ludovic Courtès <address@hidden> wrote:
>
>> address@hidden {Scheme Variable} singularity-service-type
>> +This is the type of the service that runs
>> address@hidden://www.sylabs.io/singularity/, Singularity}, 
>
> Does it?
> Doesn't it just "allow you to invoke"?

Yes, you’re right.  I’ll reword as you suggest.

>> +                  (substitute* (find-files "libexec/cli" "\\.exec$")
>> +                    
>> (("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid"
>> +                      _ program)
>> +                     (string-append "/run/setuid-programs/singularity-"
>> +                                    program "-helper")))
>
> Is absolute path OK?  There have been some efforts to get guix to relocate in
> the past.  Does this apply here?

I think it’s OK: those setuid helpers can only be used on Guix System,
not on a foreign distro, and it goes hand-in-hand with
‘singularity-service-type’.

>> +        ;; Create the directories that Singularity 2.6 expects to find.
>> +        (for-each (lambda (directory)
>> +                    (mkdir-p (string-append "/var/singularity/mnt/"
>> +                                            directory)))
>> +                  '("container" "final" "overlay" "session")))))
>
> Are permissions OK?

They’re good enough for the test, but perhaps it should be #o700.
I’ll check if it works like that.

There’s been a nice CVE for Singularity 3.x in this area recently:

  https://nvd.nist.gov/vuln/detail/CVE-2019-11328

It’s not directly applicable here but there could be similar issues.

Thanks,
Ludo’.