use non-root location

[satra]

change to use a non-root location to help with singularity

[satra]

@oesteban - do you want the workdir to be /src/mriqc or sth like /workdir ?

[oesteban]

I don't have a preference, it is ok right now

[chrisgorgo]

Interesting. Does Singularity mount /root on your system?

…

On Mar 15, 2017 8:35 AM, "Oscar Esteban" ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In circle.yml <#429 (comment)>: > @@ -25,7 +25,7 @@ dependencies: test: override: # Test mriqcp - - docker run -i -v /etc/localtime:/etc/localtime:ro -v ${CIRCLE_TEST_REPORTS}:/scratch -w /root/src/mriqc --entrypoint="/usr/bin/run_tests" mriqc:py35 : + - docker run -i -v /etc/localtime:/etc/localtime:ro -v ${CIRCLE_TEST_REPORTS}:/scratch -w /opt/src/mriqc --entrypoint="/usr/bin/run_tests" mriqc:py35 : I don't have a preference, it is ok right now — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#429 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAOkp0K0h01hr-dfmzJyTnSkGQbw9tf0ks5rmAVTgaJpZM4MeAns> .

[satra]

singularity shows a root folder but as a user we don't have access.

[chrisgorgo]

So this is more of permissions issue then. MRIQC operates under root user so even if you put the code in /opt it might not solve the issue.

Both docker2singularity and docker2singularity.py change permissions when importing containers from docker hub to avoid such problems.

[satra]

the docker user doesn't matter in singularity context, but /root is special.

[chrisgorgo]

Doesn't Dockerfile user influence the ownership of files in the container image deposited on Docker Hub which would be a problem when those files are downloaded by singularity?

[satra]

not really, because we are using singularity as an executable effectively, so as long as things are readable we are ok. now if you try to write to some location that's not accessible to the user, they one can run into issues, but containers should be very clear as to where they are writing.

[chrisgorgo]

Sorry to drag this on. I'm still trying to understand this since a) we did not run into this problem when running mriqc with singularity b) I need to know if we need to change anything about BIDS Apps.

1. Why is /root special? What is special about it?
2. What do you mean by "using singularity as an executable"? Is there another way to use it?

[satra]

re: 1
/root is special with respect to bootstrap. since all creation/editing commands are run as root

essentially host /root gets mounted in during bootstrap. therefore /root from the container doesn't show up during the bootstrap post process.

also for docker images, i just learned that %setup executes before downloading docker layers, so i can't use it (at least presently) to even move the src out.

re: 2

well one can violate singularity's isolation using paths and other things. so we generally recommend the -c flag by default to prevent things like PYTHONPATH and external executables from contaminating the environment. we create the mental image of an immutable binary file.

[chrisgorgo]

re re 1 This seem like something that could be improved in the singularity bootstrap process re re 2 From what I understand `-c` "disables the automatic sharing of writable filesystems on your host" and should not influence how environment variables are taken care of. For example: [chrisgor@sherlock-ln02 login_node ~]$ export TEST="bla" [chrisgor@sherlock-ln02 login_node ~]$ singularity shell -c /share/PI/russpold/s ingularity_images/poldracklab_fmriprep_0.2.0-2017-01-13-d683f2e7a780.img Singularity: Invoking an interactive shell within container... Singularity.poldracklab_fmriprep_0.2.0-2017-01-13-d683f2e7a780.img> $ echo $TEST bla This also makes me wonder how are you reading/writing data if you are using -c.

…

On Wed, Mar 15, 2017 at 1:44 PM, Satrajit Ghosh ***@***.***> wrote: re: 1 /root is special with respect to bootstrap. since all creation/editing commands are run as root essentially host /root gets mounted in during bootstrap. therefore /root from the container doesn't show up during the bootstrap post process. also for docker images, i just learned that %setup executes before downloading docker layers, so i can't use it (at least presently) to even move the src out. re: 2 well one can violate singularity's isolation using paths and other things. so we generally recommend the -c flag by default to prevent things like PYTHONPATH and external executables from contaminating the environment. we create the mental image of an immutable binary file. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#429 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAOkp-2GWNrpVeWsKXIdJEs262usw0SRks5rmE2TgaJpZM4MeAns> .

[satra]

re: 1 - yes it will be handled post 2.3 release

re: 2 - you can still use -B to mount writable end points. we are just recommending that people take away automatic mapping.

i agree variables will go through but are likely to have less impact without $HOME, which is often used as a place for storing things.