U.S. Department of Energy
Office of Scientific and Technical Information

A fully unprivileged CernVM-FS

Journal Article · · EPJ Web of Conferences (Online)
The CernVM File System provides the software and container distribution backbone for most High Energy and Nuclear Physics experiments. It is implemented as a file system in user-space (Fuse) module, which permits its execution without any elevated privileges. Yet, mounting the file system in the first place is handled by a privileged suid helper program that is installed by the Fuse package on most systems. The privileged nature of the mount system call is a serious hindrance to running CernVM-FS on opportunistic resources and supercomputers. Fortunately, recent developments in the Linux kernel and in the Fuse user-space libraries enabled fully unprivileged mounting for Fuse file systems (as of RHEL 8), or at least outsourcing the privileged mount system call to a custom, external process. This opens the door to several very appealing new ways to use CernVM-FS, such as a generally usable “super pilot” consisting of the pilot code bundled with Singularity and CernVM-FS, or the on-demand instantiation of unprivileged, ephemeral containers to publish new CernVM-FS content from anywhere. In this contribution, we discuss the integration of these new Linux features with CernVM-FS and show some of its most promising new applications.
Research Organization:
Fermi National Accelerator Laboratory (FNAL), Batavia, IL (United States)
Sponsoring Organization:
USDOE Office of Science (SC), High Energy Physics (HEP)
Grant/Contract Number:
AC02-07CH11359
OSTI ID:
1623366
Alternate ID(s):
OSTI ID: 23172402
Report Number(s):
FERMILAB-CONF--20-109-SCD; oai:inspirehep.net:1796162
Journal Information:
Journal Name: EPJ Web of Conferences (Online); Vol. 245; ISSN 2100-014X
Publisher:
EDP Sciences
Country of Publication:
United States
Language:
English

