Adding singularity.conf option "compat mode"

CHANGELOG.md

@@ -17,6 +17,9 @@
   `exec`, `shell`, and `instance start` can now also be passed a `--authfile
   <path>` option, to read OCI registry credentials from this custom file.
 
+- The `singularity.conf` configuration file now features a toggle to control
+OCI/Docker compatibility mode, `compat mode <no/yes>`.
+
 ### Bug Fixes
 
 - Support parentheses in `test` / `[` commands in container startup scripts,

CONTRIBUTORS.md

@@ -71,6 +71,7 @@ The following have contributed code and/or documentation to this repository.
 - Lars Quentin <[email protected]>
 - Maciej Sieczka <[email protected]>
 - Marcelo Magallon <[email protected]>
+- Marco Claudio De La Pierre <[email protected]>
 - Marco Rubin <[email protected]>
 - Mark Egan-Fuller <[email protected]>
 - Matt Wiens <[email protected]>

cmd/internal/cli/action_flags.go

@@ -43,8 +43,6 @@ var (
 	isFakeroot      bool
 	noSetgroups     bool
 	isCleanEnv      bool
-	isCompat        bool
-	noCompat        bool
 	isContained     bool
 	isContainAll    bool
 	isWritable      bool
@@ -352,26 +350,6 @@ var actionCleanEnvFlag = cmdline.Flag{
 	EnvKeys:      []string{"CLEANENV"},
 }
 
-// --compat
-var actionCompatFlag = cmdline.Flag{
-	ID:           "actionCompatFlag",
-	Value:        &isCompat,
-	DefaultValue: false,
-	Name:         "compat",
-	Usage:        "apply settings for increased OCI/Docker compatibility. Infers --containall, --no-init, --no-umask, --no-eval, --writable-tmpfs.",
-	EnvKeys:      []string{"COMPAT"},
-}
-
-// --no-compat
-var actionNoCompatFlag = cmdline.Flag{
-	ID:           "actionNoCompatFlag",
-	Value:        &noCompat,
-	DefaultValue: false,
-	Name:         "no-compat",
-	Usage:        "(--oci mode) do not apply settings for increased OCI/Docker compatibility. Emulate native runtime defaults without --contain etc.",
-	EnvKeys:      []string{"NO_COMPAT"},
-}
-
 // -c|--contain
 var actionContainFlag = cmdline.Flag{
 	ID:           "actionContainFlag",
@@ -821,8 +799,6 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&actionApplyCgroupsFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionBindFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionCleanEnvFlag, actionsInstanceCmd...)
-		cmdManager.RegisterFlagForCmd(&actionCompatFlag, actionsInstanceCmd...)
-		cmdManager.RegisterFlagForCmd(&actionNoCompatFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionContainAllFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionContainFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionContainLibsFlag, actionsInstanceCmd...)
@@ -890,6 +866,8 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&actionProotFlag, actionsCmd...)
 		cmdManager.RegisterFlagForCmd(&commonOCIFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&commonNoOCIFlag, actionsInstanceCmd...)
+		cmdManager.RegisterFlagForCmd(&commonCompatFlag, actionsInstanceCmd...)
+		cmdManager.RegisterFlagForCmd(&commonNoCompatFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionNoTmpSandbox, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionDevice, actionsCmd...)

cmd/internal/cli/singularity.go

@@ -90,6 +90,10 @@ var (
 	isOCI bool
 	noOCI bool
 
+	// Improve OCI/Docker compatibility?
+	isCompat bool
+	noCompat bool
+
 	// Platform for retrieving images
 	arch     string
 	platform string
@@ -292,6 +296,26 @@ var commonNoOCIFlag = cmdline.Flag{
 	EnvKeys:      []string{"NO_OCI"},
 }
 
+// --compat
+var commonCompatFlag = cmdline.Flag{
+	ID:           "commonCompatFlag",
+	Value:        &isCompat,
+	DefaultValue: false,
+	Name:         "compat",
+	Usage:        "apply settings for increased OCI/Docker compatibility. Infers --containall, --no-init, --no-umask, --no-eval, --writable-tmpfs.",
+	EnvKeys:      []string{"COMPAT"},
+}
+
+// --no-compat
+var commonNoCompatFlag = cmdline.Flag{
+	ID:           "commonNoCompatFlag",
+	Value:        &noCompat,
+	DefaultValue: false,
+	Name:         "no-compat",
+	Usage:        "(--oci mode) do not apply settings for increased OCI/Docker compatibility. Emulate native runtime defaults without --contain etc.",
+	EnvKeys:      []string{"NO_COMPAT"},
+}
+
 // --no-tmp-sandbox
 var actionNoTmpSandbox = cmdline.Flag{
 	ID:           "actionNoTmpSandbox",
@@ -435,6 +459,15 @@ func persistentPreRun(*cobra.Command, []string) error {
 		isOCI = false
 	}
 
+	// Honor 'compat mode' in singularity.conf, and allow negation with `--no-compat`.
+	if isCompat && noCompat {
+		return fmt.Errorf("--compat and --no-compat cannot be used together")
+	}
+	isCompat = isCompat || config.CompatMode
+	if noCompat {
+		isCompat = false
+	}
+
 	// Honor 'tmp sandbox' in singularity.conf, and allow negation with
 	// `--no-tmp-sandbox`.
 	canUseTmpSandbox = config.TmpSandboxAllowed

internal/pkg/runtime/launcher/native/launcher_linux.go

@@ -79,7 +79,7 @@ func NewLauncher(opts ...launcher.Option) (*Launcher, error) {
 	}
 
 	if lo.NoCompat {
-		sylog.Warningf("--no-compat applies to --oci mode only, ignoring")
+		sylog.Warningf("Disabling OCI/Docker compatibility applies to --oci mode only, ignoring")
 	}
 
 	// Initialize empty default Singularity Engine and OCI configuration

pkg/util/singularityconf/config.go

@@ -77,6 +77,7 @@ type File struct {
 	SystemdCgroups          bool     `default:"yes" authorized:"yes,no" directive:"systemd cgroups"`
 	SIFFUSE                 bool     `default:"no" authorized:"yes,no" directive:"sif fuse"`
 	OCIMode                 bool     `default:"no" authorized:"yes,no" directive:"oci mode"`
+	CompatMode              bool     `default:"no" authorized:"yes,no" directive:"compat mode"`
 	TmpSandboxAllowed       bool     `default:"yes" authorized:"yes,no" directive:"tmp sandbox"`
 }
 
@@ -106,6 +107,15 @@ allow setuid = {{ if eq .AllowSetuid true }}yes{{ else }}no{{ end }}
 # subuid / subgid mappings.
 oci mode = {{ if eq .OCIMode true }}yes{{ else }}no{{ end }}
 
+# COMPAT MODE: [BOOL]
+# DEFAULT: no
+# Should we apply settings for increased OCI/Docker compatibility by default?
+# Mimics always specifying --compat on the command line.
+# Can be reversed by specifying --no-compat on the command line.
+# Note that default for OCI/Docker Compatibility should be set with 
+# keeping in mind the chosen default for OCI mode above. See documentation.
+compat mode = {{ if eq .CompatMode true }}yes{{ else }}no{{ end }}
+
 # MAX LOOP DEVICES: [INT]
 # DEFAULT: 256
 # Set the maximum number of loop devices that Singularity should ever attempt