
Zero-consistency root emulation for unprivileged container image build (2405.06085v1)

Published 9 May 2024 in cs.DC and cs.OS

Abstract: Do Linux distribution package managers need the privileged operations they request to actually happen? Apparently not, at least for building container images for HPC applications. We use this observation to implement a root emulation mode using a Linux seccomp filter that intercepts some privileged system calls, does nothing, and returns success to the calling program. This approach provides no consistency whatsoever but appears sufficient to build all Dockerfiles we examined, simplifying fully-unprivileged workflows needed for HPC application containers.
