
I have a question about the official Snakemake container image.
https://hub.docker.com/r/snakemake/snakemake/dockerfile

In this Dockerfile, singularity will be installed. As far as I know, the --privileged argument seems to be required to use singularity in a docker container.
`docker run -it --privileged snakemake/snakemake ........`

However, I think the --privileged argument is insecure from a security standpoint, so it would be preferable not to use it if possible.

Can anyone tell me the proper way to use singularity in a docker container?

Thanks,

tetsuro90

1 Answer


The --privileged flag is the recommended and only way to run singularity in Docker.

Use of --privileged is not bad in itself, it is also used for running Docker-in-Docker, but it does allow the possibility of container escape. Follow best practices, build your own images and you should be okay.

tsnowlan
  • It seems this answer is unfinished. "Use of `--privileged` is not insecure in". In what ? – Mickael B. May 03 '20 at 14:19
  • Thank you for your reply! I understand that the `--privileged` flag is the only way to do it. And here's what I want to make sure of. > "*possibility* of container escape" This means an attacker gets through the container and accesses the host? > "Follow best practices" This means *Best practices for writing Dockerfiles* and I should create the user and group in the Dockerfile with something like `RUN groupadd -r postgres && useradd --no-log-init -r -g postgres postgres`?? Thanks, – tetsuro90 May 04 '20 at 02:46
  •
    If a malicious user is able to escape the container, they will have root on the host OS. You always need the `privileged` flag when running singularity, but running singularity images does not require root and you should use the docker `--user` flag (e.g., to the `postgres` user you mention). – tsnowlan May 04 '20 at 11:21
  • I now understand why you would set the general user instead of the root when using singularity. It was very helpful. Thank you very much. – tetsuro90 May 04 '20 at 12:13
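The advice in the thread combines two flags: `--privileged`, which singularity needs, and `--user`, so that whatever runs inside the container is not uid 0 should it ever escape. The wrapper below is an added example, not code from the question, the answer, or the Snakemake project; it refuses to launch the workload as root and bind-mounts a working directory. The image name, the `/data` mount path, the `HOME` override and the snakemake arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the question, the answer, or the Snakemake project.
# Wraps the `docker run --privileged` invocation the thread discusses so that the
# workload inside the container runs as a non-root uid (the answer's --user
# advice). Image name, mount paths and the snakemake arguments are assumptions.

IMAGE="${IMAGE:-snakemake/snakemake}"
DOCKER="${DOCKER:-docker}"   # overridable so the wrapper can be dry-run with DOCKER=echo

# run_workload UID:GID HOSTDIR [snakemake args...]
# Refuses to start the workload as uid 0: --privileged already hands the
# container the host's devices and full capability set, so the process inside
# should at least be an unprivileged user.
run_workload() {
    uid_gid="$1"; workdir="$2"; shift 2

    case "$uid_gid" in
        0:*) echo "refusing to run as root inside a --privileged container" >&2; return 1 ;;
        *:*) ;;
        *)   echo "expected UID:GID, got '$uid_gid'" >&2; return 1 ;;
    esac
    [ -d "$workdir" ] || { echo "no such directory: $workdir" >&2; return 1; }

    # HOME is pointed at the bind mount because an arbitrary --user uid usually
    # has no passwd entry, and therefore no home directory, inside the image.
    "$DOCKER" run --rm -it --privileged \
        --user "$uid_gid" \
        -v "$workdir:/data" -w /data -e HOME=/data \
        "$IMAGE" snakemake "$@"
}

# Stand-alone use: run the workflow in the current directory as the invoking user.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    run_workload "$(id -u):$(id -g)" "$PWD" --use-singularity --cores 1
fi
```

Setting `DOCKER=echo` prints the assembled command line instead of executing it, which is a convenient way to review exactly which flags reach the daemon before running with a privileged container.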