author | Andrew W Elble <aweits@rit.edu> | 2020-04-17 11:38:22 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-17 17:38:22 +0200 |
commit | 985af94c4580fbdd3ec733082c285e70edeb86ea (patch) | |
tree | 8c2c28c9054fb33714a250acacca77dcf0bc8162 | |
parent | 854a82bbecc368291daec4a57a38c1fa36fbcfb1 (diff) | |
singularity: new variants to enable non-suid and non-network builds (#16088)
Defaults are left as they are currently
-rw-r--r-- | var/spack/repos/builtin/packages/singularity/package.py | 55 |
1 files changed, 32 insertions, 23 deletions
diff --git a/var/spack/repos/builtin/packages/singularity/package.py b/var/spack/repos/builtin/packages/singularity/package.py
index c33b6a3202..8931e270da 100644
--- a/var/spack/repos/builtin/packages/singularity/package.py
+++ b/var/spack/repos/builtin/packages/singularity/package.py
@@ -35,6 +35,8 @@ class Singularity(MakefilePackage):
 version('3.2.1', sha256='d4388fb5f7e0083f0c344354c9ad3b5b823e2f3f27980e56efa7785140c9b616')
 version('3.1.1', sha256='7f0df46458d8894ba0c2071b0848895304ae6b1137d3d4630f1600ed8eddf1a4')
+ variant('suid', default=True, description='install SUID binary')
+ variant('network', default=True, description='install network plugins')
 depends_on('go')
 depends_on('libuuid')
 depends_on('libgpg-error')
@@ -82,7 +84,12 @@ class Singularity(MakefilePackage):
 # Hijack the edit stage to run mconfig.
 def edit(self, spec, prefix):
 with working_dir(self.build_directory):
- configure = Executable('./mconfig --prefix=%s' % prefix)
+ confstring = './mconfig --prefix=%s' % prefix
+ if '~suid' in spec:
+ confstring += ' --without-suid'
+ if '~network' in spec:
+ confstring += ' --without-network'
+ configure = Executable(confstring)
 configure()
 # Set these for use by MakefilePackage's default build/install methods.
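Review bot: The mconfig command line in `edit` is still assembled as a single string and handed to `Executable`, so the new flags rely on that string being split on whitespace, and an install prefix containing a space would be split as well (the replaced line had the same property). Passing the pieces as separate arguments avoids that: `configure = Executable('./mconfig')` and then `configure('--prefix=%s' % prefix, *flags)`, with `flags` collecting `--without-suid` and `--without-network`. The variant tests here are written as `'~suid' in spec` while the later hunk uses `self.spec.satisfies('+suid')`; one form throughout the file would read more easily. The body of `edit` continues outside the hunk.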
@@ -127,33 +134,35 @@ class Singularity(MakefilePackage):
 @run_after('install')
 def build_perms_script(self):
- script = self.perm_script_path()
- chown_files = ['libexec/singularity/bin/starter-suid',
- 'etc/singularity/singularity.conf',
- 'etc/singularity/capability.json',
- 'etc/singularity/ecl.toml']
- setuid_files = ['libexec/singularity/bin/starter-suid']
- self._build_script(script, {'prefix': self.spec.prefix,
- 'chown_files': chown_files,
- 'setuid_files': setuid_files})
- chmod = which('chmod')
- chmod('555', script)
+ if self.spec.satisfies('+suid'):
+ script = self.perm_script_path()
+ chown_files = ['libexec/singularity/bin/starter-suid',
+ 'etc/singularity/singularity.conf',
+ 'etc/singularity/capability.json',
+ 'etc/singularity/ecl.toml']
+ setuid_files = ['libexec/singularity/bin/starter-suid']
+ self._build_script(script, {'prefix': self.spec.prefix,
+ 'chown_files': chown_files,
+ 'setuid_files': setuid_files})
+ chmod = which('chmod')
+ chmod('555', script)
 # Until tty output works better from build steps, this ends up in
 # the build log. See https://github.com/spack/spack/pull/10412.
 @run_after('install')
 def caveats(self):
- tty.warn("""
- For full functionality, you'll need to chown and chmod some files
- after installing the package. This has security implications.
- For details, see:
- https://sylabs.io/guides/2.6/admin-guide/security.html
- https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security
+ if self.spec.satisfies('+suid'):
+ tty.warn("""
+ For full functionality, you'll need to chown and chmod some files
+ after installing the package. This has security implications.
+ For details, see:
+ https://sylabs.io/guides/2.6/admin-guide/security.html
+ https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security
- We've installed a script that will make the necessary changes;
- read through it and then execute it as root (e.g. via sudo).
+ We've installed a script that will make the necessary changes;
+ read through it and then execute it as root (e.g. via sudo).
- The script is named:
+ The script is named:
- {0}
- """.format(self.perm_script_path()))
+ {0}
+ """.format(self.perm_script_path())) |
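Review bot: With `~suid`, both `build_perms_script` and `caveats` become silent no-ops, so an administrator who picks the non-setuid build gets no message about what that mode needs from the host. An `else` branch in `caveats` could emit a short `tty.warn` saying that no setuid starter was installed and that containers will presumably depend on unprivileged user namespaces being enabled; the exact wording should be checked against the Singularity admin guide. Both guards would also read better as an early return, `if not self.spec.satisfies('+suid'): return`, which leaves the existing bodies at their original indentation and keeps the warning text byte-identical. As written, every line of the warning gains four extra leading spaces in the build log.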