adding secbuild script

Signed-off-by: Vanessa Sochat <[email protected]>

Author: vsoch

singularity/build/google/instances.py

@@ -43,35 +43,37 @@ def run_build(logfile='/tmp/.shub-log'):
 
     '''run_build will generate the Singularity build from a spec_file from a repo_url.
 
-    If no arguments are required, the metadata api is queried for the values.
-
-    :param build_dir: directory to do the build in. If not specified, will use temporary.   
-    :param spec_file: the spec_file name to use, assumed to be in git repo
-    :param repo_url: the url to download the repo from
-    :param repo_id: the repo_id to uniquely identify the repo (in case name changes)
-    :param commit: the commit to checkout. If none provided, will use most recent.
-    :param bucket_name: the name of the bucket to send files to
-    :param verbose: print out extra details as we go (default True)    
-    :param token: a token to send back to the server to authenticate the collection
-    :param secret: a secret to match to the correct container
-    :param response_url: the build url to send the response back to. Should also come
-    from metadata. If not specified, no response is sent
-    :param branch: the branch to checkout for the build.
-
-    :: note: this function is currently configured to work with Google Compute
-    Engine metadata api, and should (will) be customized if needed to work elsewhere 
+       If no arguments are required, the metadata api is queried for the values.
+
+       Parameters
+       ==========
+       build_dir: directory to do the build in. If not specified, will use temporary.   
+       spec_file: the spec_file name to use, assumed to be in git repo
+       repo_url: the url to download the repo from
+       repo_id: the repo_id to uniquely identify the repo (in case name changes)
+       commit: the commit to checkout. If none provided, will use most recent.
+       bucket_name: the name of the bucket to send files to
+       verbose: print out extra details as we go (default True)    
+       token: a token to send back to the server to authenticate the collection
+       secret: a secret to match to the correct container
+       response_url: the build url to send the response back to. Should also come
+                    from metadata. If not specified, no response is sent
+       branch: the branch to checkout for the build.
+
+       :: note: this function is currently configured to work with Google Compute
+       Engine metadata api, and should (will) be customized if needed to work elsewhere 
 
     '''
 
     # If we are building the image, this will not be set
     go = get_build_metadata(key='dobuild')
-    if go == None:
+    if go is None:
         sys.exit(0)
 
     # If the user wants debug, this will be set
     debug = True
     enable_debug = get_build_metadata(key='debug')
-    if enable_debug == None:
+    if enable_debug is None:
         debug = False
     bot.info('DEBUG %s' %debug)
 
@@ -117,7 +119,7 @@ def run_build(logfile='/tmp/.shub-log'):
 
     # Upload image package files to Google Storage
     if os.path.exists(finished_image):
-        bot.info("%s successfully built" %finished_image)
+        bot.info("%s successfully built" % finished_image)
         dest_dir = tempfile.mkdtemp(prefix='build')
 
         # The path to the images on google drive will be the github url/commit folder
@@ -175,10 +177,11 @@ def run_build(logfile='/tmp/.shub-log'):
 
 def finish_build(verbose=True):
     '''finish_build will finish the build by way of sending the log to the same bucket.
-    the params are loaded from the previous function that built the image, expected in
-    $HOME/params.pkl
-    :: note: this function is currently configured to work with Google Compute
-    Engine metadata api, and should (will) be customized if needed to work elsewhere 
+       the params are loaded from the previous function that built the image, expected in
+       $HOME/params.pkl
+     
+       :: note: this function is currently configured to work with Google Compute
+       Engine metadata api, and should (will) be customized if needed to work elsewhere 
     '''
     # If we are building the image, this will not be set
     go = get_build_metadata(key='dobuild')
@@ -218,7 +221,10 @@ def finish_build(verbose=True):
 
 def get_build_metadata(key):
     '''get_build_metadata will return metadata about an instance from within it.
-    :param key: the key to look up
+
+       Parameters
+       ==========
+       key: the key to look up
     '''
     headers = {"Metadata-Flavor":"Google"}
     url = "http://metadata.google.internal/computeMetadata/v1/instance/attributes/%s" % key  

singularity/build/main.py

@@ -56,7 +56,7 @@ def run_build(build_dir, params, verbose=True):
       - returns a dictionary with: 
           image (path), metadata (dict)
 
-    The following must be included in params: 
+       The following must be included in params: 
        spec_file, repo_url, branch, commit
 
     '''

singularity/build/scripts/bundle.go

@@ -74,7 +74,7 @@ func NewBundle(bundleDir, bundlePrefix string) (b *Bundle, err error) {
 
 	// Bundle path must be predictable
 	b.Path = "/tmp/sbuild"
-	err = os.Mkdir(b.Path)
+	err = os.Mkdir(b.Path, 0755)
 	if err != nil {
 		return nil, err
 	}

singularity/build/scripts/secure-build.sh

@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# The script takes the definition file as first argument. and
+# desired final image page as second.
+SINGULARITY_BUILDDEF="${1}"
+SINGULARITY_FINAL="${2}"
+
+if [ ! -f ${SINGULARITY_BUILDDEF} ]; then
+    echo "${SINGULARITY_BUILDDEF} does not exist";
+    exit 1;
+fi
+
+SINGULARITY_confdir="/usr/local/etc/singularity"
+SINGULARITY_bindir="/usr/local/bin"
+SINGULARITY_libexecdir="/usr/local/libexec/singularity"
+SINGULARITY_PATH="/usr/local/bin"
+SECBUILD_IMAGE="$SINGULARITY_libexecdir/secure-build/secbuild.sif"
+
+# Set the isolated root
+if [ -z "${SINGULARITY_ISOLATED_ROOT:-}" ]; then
+    BUILDDEF_DIR_NAME=$(dirname ${SINGULARITY_BUILDDEF:-})
+else
+    BUILDDEF_DIR_NAME=$(readlink -f ${SINGULARITY_ISOLATED_ROOT:-})
+fi
+BUILDDEF_DIR=$(readlink -f ${BUILDDEF_DIR_NAME:-})
+
+if [ -z "${BUILDDEF_DIR:-}" ]; then
+   echo "Can't find parent directory of $SINGULARITY_BUILDDEF"
+   exit 1
+fi
+
+BUILDDEF=$(basename ${SINGULARITY_BUILDDEF:-})
+
+# create a temporary dir per build instance
+export SINGULARITY_WORKDIR=$(mktemp -d)
+
+# create /tmp and /var/tmp into WORKDIR
+mkdir -p $SINGULARITY_WORKDIR/tmp $SINGULARITY_WORKDIR/var_tmp
+
+# set sticky bit for these directories
+chmod 1777 $SINGULARITY_WORKDIR/tmp
+chmod 1777 $SINGULARITY_WORKDIR/var_tmp
+
+# setup a fake root directory
+cp -a /etc/skel $SINGULARITY_WORKDIR/root
+
+cat > "$SINGULARITY_WORKDIR/root/.rpmmacros" << RPMMAC
+%_var /var
+%_dbpath %{_var}/lib/rpm
+RPMMAC
+
+REPO_DIR="/root/repo"
+STAGED_BUILD_IMAGE="/root/build"
+
+# Move the repo to be the REPO_DIR
+mv $BUILDDEF_DIR $REPO_DIR
+
+mkdir ${SINGULARITY_WORKDIR}${REPO_DIR}
+mkdir ${SINGULARITY_WORKDIR}${STAGED_BUILD_IMAGE}
+
+BUILD_SCRIPT="$SINGULARITY_WORKDIR/tmp/build-script"
+TMP_CONF_FILE="$SINGULARITY_WORKDIR/tmp.conf"
+FSTAB_FILE="$SINGULARITY_WORKDIR/fstab"
+RESOLV_CONF="$SINGULARITY_WORKDIR/resolv.conf"
+HOSTS_FILE="$SINGULARITY_WORKDIR/hosts"
+
+cp /etc/resolv.conf $RESOLV_CONF
+cp /etc/hosts $HOSTS_FILE
+
+cat > "$FSTAB_FILE" << FSTAB
+none $STAGED_BUILD_IMAGE      bind    dev     0 0
+FSTAB
+
+cat > "$TMP_CONF_FILE" << CONF
+config passwd = yes
+config group = no
+config resolv_conf = no
+mount proc = no
+mount sys = no
+mount home = no
+mount dev = minimal
+mount devpts = no
+mount tmp = no
+mount slave = no
+enable overlay = no
+enable underlay = no
+user bind control = no
+bind path = $SINGULARITY_WORKDIR/root:/root
+bind path = $SINGULARITY_WORKDIR/tmp:/tmp
+bind path = $SINGULARITY_WORKDIR/var_tmp:/var/tmp
+bind path = /tmp/sbuild/fs:$STAGED_BUILD_IMAGE
+bind path = $FSTAB_FILE:/etc/fstab
+bind path = $RESOLV_CONF:/etc/resolv.conf
+bind path = $HOSTS_FILE:/etc/hosts
+root default capabilities = full
+allow user capabilities = no
+allow setuid = yes
+CONF
+
+# We only use the builder once, make default config
+sudo cp "$TMP_CONF_FILE" "${SINGULARITY_confdir}/singularity.conf"
+
+# here build pre-stage
+cat > "$BUILD_SCRIPT" << SCRIPT
+#!/bin/sh
+mount -r --no-mtab -t proc proc /proc
+if [ \$? != 0 ]; then
+    echo "Can't mount /proc directory"
+    exit 1
+fi
+mount -r --no-mtab -t sysfs sysfs /sys
+if [ \$? != 0 ]; then
+    echo "Can't mount /sys directory"
+    exit 1
+fi
+cd $REPO_DIR
+singularity build $STAGED_BUILD_IMAGE/container.sif $BUILDDEF
+exit \$?
+SCRIPT
+
+chmod +x $BUILD_SCRIPT
+
+unset SINGULARITY_IMAGE
+unset SINGULARITY_NO_PRIVS
+unset SINGULARITY_KEEP_PRIVS
+unset SINGULARITY_ADD_CAPS
+unset SINGULARITY_DROP_CAPS
+
+${SINGULARITY_bindir}/singularity exec -e -i -p $SECBUILD_IMAGE /tmp/build-script
+if [ $? != 0 ]; then
+    rm -rf $SINGULARITY_WORKDIR
+    exit 1
+fi
+
+if [ ! -f "${SINGULARITY_WORKDIR}${STAGED_BUILD_IMAGE}/container.sif" ]; then
+   echo "Container was not built.";
+   exit 1;
+fi
+
+sudo mv "${SINGULARITY_WORKDIR}${STAGED_BUILD_IMAGE}/container.sif" "${SINGULARITY_FINAL}"
+sudo rm -rf $SINGULARITY_WORKDIR

singularity/build/scripts/singularity-prepare-instance.sh

@@ -28,17 +28,16 @@ sudo apt-get -y install git \
                    build-essential \
                    libssl-dev \
                    uuid-dev \
-                   libgpgme11-dev \
+                   libgpgme-dev \
                    libseccomp-dev \
-                   pkg-config
+                   pkg-config \
                    squashfs-tools \
                    debootstrap \
                    yum \
-                   zypper \
                    python3-pip
 
 # Pip3 installs
-sudo -H pip3 install -H --upgrade pip
+sudo -H pip3 install --upgrade pip
 sudo -H pip3 install pyasn1-modules -U
 sudo -H pip3 install --upgrade google-api-python-client
 sudo -H pip3 install --upgrade google
@@ -91,7 +90,7 @@ From: ubuntu:18.04
 %post 
     export LC_LANG=C
     export VERSION=1.12.6 OS=linux ARCH=amd64
-    export SINGULARITY_VERSION=${SINGULARITY_VERSION}
+    export SINGULARITY_VERSION=3.2.1
     apt-get update -y
     apt-get -y install git build-essential libssl-dev uuid-dev pkg-config curl gcc
     apt-get -y install libgpgme11-dev libseccomp-dev squashfs-tools libc6-dev-i386