Add needed changes to use gocryptfs with singularity #590

jmfernandez · 2021-08-03T21:18:56Z

Singularity is a daemon-less container platform very popular in HPC environments. One of its many features is mounting
FUSE filesystems before switching from host to container context, assuring these user space mounts are only visible inside the container (see https://sylabs.io/guides/3.7/user-guide/bind_paths_and_mounts.html#fuse-mounts).

Currently, gocryptfs is not compatible with singularity due two different reasons I'm going to explain in next scenario. Imagine next command line:

singularity run --fusemount "host:gocryptfs --params crypted_in_host uncrypted_in_container" docker://ubuntu

What singularity does under the hood is building a command line similar to this:

gocryptfs --params crypted_in_host /dev/fd/number -f

in order to fire the fuse mount command in foreground, and use as mountpoint the filehandler of the mountpoint directory within the container. This last feature is only supported by a subset of FUSE filesystems, like sshfs or cvmfs, which are usually linked against libfuse3.

Could you consider in your roadmap the support of these features, please?

The text was updated successfully, but these errors were encountered:

rfjakob · 2021-08-04T09:18:31Z

Interesting, yes, I think this can be added.

What error do you get at the moment?

jmfernandez · 2021-08-04T11:05:35Z

Interesting, yes, I think this can be added.

What error do you get at the moment?

Well, the first complaint I'm getting from gocryptfs is that it does not understand the -f parameter and it is at the end (where it is unexpected):

singularity exec --fusemount "host:/home/jmfernandez/projects/WfExS-backend/.pyWEenv/bin/gocryptfs --passfile /tmp/passfile /home/jmfernandez/projects/WfExS-backend/wfexs-backend-test_WorkDir/91c1b346-4058-472f-a56a-aee73ea99418/.crypt /home/jmfernandez/projects/WfExS-backend/wfexs-backend-test_WorkDir/91c1b346-4058-472f-a56a-aee73ea99418/work/" docker://alpine:3.9 ls

Wrong number of arguments (have 3, want 2). You passed: /home/jmfernandez/projects/WfExS-backend/.pyWEenv/bin/gocryptfs /home/jmfernandez/projects/WfExS-backend/wfexs-backend-test_WorkDir/91c1b346-4058-472f-a56a-aee73ea99418/.crypt /dev/fd/3 -f
Usage: gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT [-o COMMA-SEPARATED-OPTIONS]
# And the result from ls is here

In order to circumvent this issue and try advancing, I created a bash wrapper which gets rid of -f, substituting it with -fg at the beginning of the command line.

#!/bin/bash
  
set -e

PROGDIR="$(dirname "$0")"
case "$PROGDIR" in
        /*)
                true
                ;;
        .)
                PROGDIR="$PWD"
                ;;
        *)
                PROGDIR="${PWD}/${PROGDIR}"
                ;;
esac

declare -a arr=( "$@" )
unset "arr[${#arr[@]}-1]"

exec "${PROGDIR}"/gocryptfs -fg "${arr[@]}"

Using the wrapper, the error message from gocryptfs is different:

singularity exec --fusemount "host:/home/jmfernandez/projects/WfExS-backend/.pyWEenv/bin/gocryptfs.bash --passfile /tmp/passfile /home/jmfernandez/projects/WfExS-backend/wfexs-backend-test_WorkDir/91c1b346-4058-472f-a56a-aee73ea99418/.crypt /home/jmfernandez/projects/WfExS-backend/wfexs-backend-test_WorkDir/91c1b346-4058-472f-a56a-aee73ea99418/work/" docker://alpine:3.9 ls

Invalid mountpoint: /dev/fd/3 is not a directory
# And the result from ls is here

Hope this helps!

rfjakob · 2021-08-04T14:26:11Z

References:

libfuse commit: Allow passing /dev/fuse file descriptor from parent process libfuse/libfuse@64e1107
cvmfs testcase: https://github.com/cvmfs/cvmfs/blob/cvmfs-2.7/test/src/084-premounted/fuse_premount.c

Need support for flags at any position for #590

rfjakob · 2021-08-10T17:49:24Z

The problem with -f at the end should be fixed now via f53f52b . This removes the need for the bash wrapper.

#590

rfjakob · 2021-08-12T17:29:30Z

Want to give

gocryptfs.gz
(gocryptfs v2.0.1-52-g9a8dfd9-dirty without_openssl; go-fuse v2.1.1-0.20210802120645-15a8bb029a4e => ../../hanwen/go-fuse; 2021-08-12 go1.16.5 linux/amd64)

a try?

Looks pretty good here:

$ singularity run --fusemount "host:gocryptfs --extpass echo --extpass test /tmp/a /mnt" docker://ubuntu
INFO:    Using cached SIF image
Reading password from extpass program "echo", arguments: ["test"]
Decrypting master key
bash: /home/jakob/.cargo/env: No such file or directory
bash: /home/jakob/.cargo/env: No such file or directory
bash: /home/jakob/.cargo/env: No such file or directory
Singularity> Filesystem mounted and ready.
Singularity>

libfuse introduced [1] a special `/dev/fd/N` syntax for the mountpoint: It means that a privileged parent process: * Opened /dev/fuse * Called mount() on a real mountpoint directory * Inherited the fd to /dev/fuse to us * Informs us about the fd number via /dev/fd/N This functionality is used to allow FUSE mounts inside containers that have neither root permissions nor suid binaries [2], and for the --drop_privileges flag of mount.fuse3 [4] Tested with singularity and gocryptfs and actually works [3]. Now with doc comment for NewServer. [1] libfuse/libfuse@64e1107 [2] rfjakob/gocryptfs#590 [3]: $ singularity run --fusemount "host:gocryptfs --extpass echo --extpass test /tmp/a /mnt" docker://ubuntu INFO: Using cached SIF image Reading password from extpass program "echo", arguments: ["test"] Decrypting master key bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory Singularity> Filesystem mounted and ready. [4] man mount.fuse3 Change-Id: Ibcc2464b0ef1e3d236207981b487fd9a7d94c910

jmfernandez · 2021-08-13T09:55:30Z

Yes, you got it! It is working!!! 👏👏👏👏👏👏👏👏👏👏👏👏

libfuse introduced [1] a special `/dev/fd/N` syntax for the mountpoint: It means that a privileged parent process: * Opened /dev/fuse * Called mount() on a real mountpoint directory * Inherited the fd to /dev/fuse to us * Informs us about the fd number via /dev/fd/N This functionality is used to allow FUSE mounts inside containers that have neither root permissions nor suid binaries [2], and for the --drop_privileges flag of mount.fuse3 [4] Tested with singularity and gocryptfs and actually works [3]. v2: Added doccomment for NewServer. v3: Added specific error message on Server.Unmount(). v4: Moved mount details to package comment [1] libfuse/libfuse@64e1107 [2] rfjakob/gocryptfs#590 [3] $ singularity run --fusemount "host:gocryptfs --extpass echo --extpass test /tmp/a /mnt" docker://ubuntu INFO: Using cached SIF image Reading password from extpass program "echo", arguments: ["test"] Decrypting master key bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory Singularity> Filesystem mounted and ready. [4] man mount.fuse3 Change-Id: Ibcc2464b0ef1e3d236207981b487fd9a7d94c910

rfjakob · 2021-08-25T10:19:09Z

Merged to master now.

libfuse introduced [1] a special `/dev/fd/N` syntax for the mountpoint: It means that a privileged parent process: * Opened /dev/fuse * Called mount() on a real mountpoint directory * Inherited the fd to /dev/fuse to us * Informs us about the fd number via /dev/fd/N This functionality is used to allow FUSE mounts inside containers that have neither root permissions nor suid binaries [2], and for the --drop_privileges flag of mount.fuse3 [4] Tested with singularity and gocryptfs and actually works [3]. v2: Added doccomment for NewServer. v3: Added specific error message on Server.Unmount(). v4: Moved mount details to package comment [1] libfuse/libfuse@64e1107 [2] rfjakob/gocryptfs#590 [3] $ singularity run --fusemount "host:gocryptfs --extpass echo --extpass test /tmp/a /mnt" docker://ubuntu INFO: Using cached SIF image Reading password from extpass program "echo", arguments: ["test"] Decrypting master key bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory Singularity> Filesystem mounted and ready. [4] man mount.fuse3 Change-Id: Ibcc2464b0ef1e3d236207981b487fd9a7d94c910

rfjakob added the feature request label Aug 4, 2021

rfjakob added a commit that referenced this issue Aug 10, 2021

main: switch from flag to pflag

f53f52b

Need support for flags at any position for #590

rfjakob added a commit that referenced this issue Aug 12, 2021

main: accept magic /dev/fd/ mountpoint

9a8dfd9

#590

rfjakob closed this as completed in b3d26b7 Aug 25, 2021

jiefenghuang mentioned this issue Aug 6, 2024

fuse: support special /dev/fd/N mountpoint juicedata/go-fuse#25

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add needed changes to use gocryptfs with singularity #590

Add needed changes to use gocryptfs with singularity #590

jmfernandez commented Aug 3, 2021

rfjakob commented Aug 4, 2021

jmfernandez commented Aug 4, 2021

rfjakob commented Aug 4, 2021 •

edited

Loading

rfjakob commented Aug 10, 2021 •

edited

Loading

rfjakob commented Aug 12, 2021

jmfernandez commented Aug 13, 2021

rfjakob commented Aug 25, 2021

Add needed changes to use gocryptfs with singularity #590

Add needed changes to use gocryptfs with singularity #590

Comments

jmfernandez commented Aug 3, 2021

rfjakob commented Aug 4, 2021

jmfernandez commented Aug 4, 2021

rfjakob commented Aug 4, 2021 • edited Loading

rfjakob commented Aug 10, 2021 • edited Loading

rfjakob commented Aug 12, 2021

jmfernandez commented Aug 13, 2021

rfjakob commented Aug 25, 2021

rfjakob commented Aug 4, 2021 •

edited

Loading

rfjakob commented Aug 10, 2021 •

edited

Loading