A fully unprivileged CernVM-FS
The CernVM File System provides the software and container distribution backbone for most High Energy and Nuclear Physics experiments. It is implemented as a file system in user-space (Fuse) module, which permits its execution without any elevated privileges. Yet, mounting the file system in the first place is handled by a privileged suid helper program that is installed by the Fuse package on most systems. The privileged nature of the mount system call is a serious hindrance to running CernVM-FS on opportunistic resources and supercomputers. Fortunately, recent developments in the Linux kernel and in the Fuse user-space libraries enabled fully unprivileged mounting for Fuse file systems (as of RHEL 8), or at least outsourcing the privileged mount system call to a custom, external process. This opens the door to several, very appealing new ways to use CernVM-FS, such as a generally usable “super pilot” consisting of the pilot code bundled with Singularity and CernVM-FS, or the on-demand instantiation of unprivileged, ephemeral containers to publish new CernVM-FS content from anywhere. In this contribution, we discuss the integration of these new Linux features with CernVM-FS and show some of its most promising, new applications.
Field | Value |
---|---|
Main Authors: | Jakob Blomer, Dave Dykstra, Gerardo Ganis, Simone Mosciatti, Jan Priessnitz |
Format: | Article |
Language: | English |
Published: | EDP Sciences, 2020-01-01 |
Series: | EPJ Web of Conferences |
Online Access: | https://www.epj-conferences.org/articles/epjconf/pdf/2020/21/epjconf_chep2020_07012.pdf |

Record field | Value |
---|---|
_version_ | 1818676771250241536 |
author | Blomer Jakob Dykstra Dave Ganis Gerardo Mosciatti Simone Priessnitz Jan |
author_sort | Blomer Jakob |
collection | DOAJ |
description | The CernVM File System provides the software and container distribution backbone for most High Energy and Nuclear Physics experiments. It is implemented as a file system in user-space (Fuse) module, which permits its execution without any elevated privileges. Yet, mounting the file system in the first place is handled by a privileged suid helper program that is installed by the Fuse package on most systems. The privileged nature of the mount system call is a serious hindrance to running CernVM-FS on opportunistic resources and supercomputers. Fortunately, recent developments in the Linux kernel and in the Fuse user-space libraries enabled fully unprivileged mounting for Fuse file systems (as of RHEL 8), or at least outsourcing the privileged mount system call to a custom, external process. This opens the door to several, very appealing new ways to use CernVM-FS, such as a generally usable “super pilot” consisting of the pilot code bundled with Singularity and CernVM-FS, or the on-demand instantiation of unprivileged, ephemeral containers to publish new CernVM-FS content from anywhere. In this contribution, we discuss the integration of these new Linux features with CernVM-FS and show some of its most promising, new applications. |
first_indexed | 2024-12-17T08:48:46Z |
format | Article |
id | doaj.art-81b37b0233774a5281154b09e0ca4772 |
institution | Directory Open Access Journal |
issn | 2100-014X |
language | English |
last_indexed | 2024-12-17T08:48:46Z |
publishDate | 2020-01-01 |
publisher | EDP Sciences |
record_format | Article |
series | EPJ Web of Conferences |
spelling | doaj.art-81b37b0233774a5281154b09e0ca4772; indexed 2022-12-21T21:56:08Z; eng; EDP Sciences; EPJ Web of Conferences; ISSN 2100-014X; 2020-01-01; vol. 245, article 07012; DOI 10.1051/epjconf/202024507012; epjconf_chep2020_07012; A fully unprivileged CernVM-FS; Blomer Jakob (CERN), Dykstra Dave (Fermilab), Ganis Gerardo (CERN), Mosciatti Simone (CERN), Priessnitz Jan (CERN); abstract as given in the description field; https://www.epj-conferences.org/articles/epjconf/pdf/2020/21/epjconf_chep2020_07012.pdf |
title | A fully unprivileged CernVM-FS |
url | https://www.epj-conferences.org/articles/epjconf/pdf/2020/21/epjconf_chep2020_07012.pdf |