Singularity: appropriate workaround? #43

@tmozgach

@sjackman could you please look into my solution to that problem and tell me whether we could do that?
Or maybe you have a more elegant suggestion.

Given: an immutable container with linuxbrew, only nano installed by brew.
What we would like to get: permanently install, for example, 'vim' inside the container.
My solution:
Dockerfile (tmozgacheva/orca-a):

FROM linuxbrew/linuxbrew
RUN brew install nano
USER root
RUN chmod -R 777 /home/linuxbrew/.linuxbrew

sudo singularity build linuxbrewt3.simg docker://tmozgacheva/orca-a
singularity image.create --size 3000 overlay.simg
singularity shell --overlay overlay.simg linuxbrewt3.simg

The problem: We cannot run brew as the linuxbrew user using sudo -u linuxbrew brew, as we did before for Hackseq! When I add the following line, %orca_users ALL=(linuxbrew) NOPASSWD:ALL, to sudoers inside the container, I get the following error when I run brew:

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges? 

And we cannot do anything; Singularity prevents running commands with sudo.
The only way that I see is to make the /home/linuxbrew/.linuxbrew folder writable for everyone (e.g., RUN chmod -R 777 /home/linuxbrew/.linuxbrew)!
However, I doubt that it is a good solution, but that way it works!
What do you think about it?
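
A diagnostic sketch for the two points raised above, added here as an example and not part of the original issue or the project's code: it checks whether a path sits on a mount carrying the `nosuid` option that the sudo error names, and counts the world-writable entries that `chmod -R 777` leaves behind. The function names and the sample mount table are constructed for illustration.

```bash
#!/bin/sh
# Added diagnostic sketch (not from the issue). POSIX sh.

# Constructed sample in /proc/self/mountinfo format: field 5 is the mount
# point, field 6 the per-mount options. Not captured from a real container.
sample_mountinfo() {
cat <<'EOF'
100 99 7:0 / / rw,nosuid,nodev,relatime - squashfs /dev/loop0 ro
101 100 0:5 / /proc rw,nosuid,nodev,noexec - proc proc rw
102 100 8:1 / /scratch rw,relatime - ext4 /dev/sda1 rw
EOF
}

# mount_opts_for PATH [TABLE]: options of the deepest mount containing PATH.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $5
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $6 } }
        END { print opts }' "${2:-/proc/self/mountinfo}"
}

# is_nosuid PATH [TABLE]: succeed if PATH sits on a nosuid mount, where the
# kernel ignores the setuid bit and sudo therefore starts without euid 0.
is_nosuid() {
    case ",$(mount_opts_for "$@")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_world_writable DIR: entries under DIR that any user may modify.
count_world_writable() {
    find "$1" -xdev ! -type l -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone use: sh check.sh /usr/bin/sudo /home/linuxbrew/.linuxbrew
if [ "$#" -eq 2 ]; then
    is_nosuid "$1" && echo "$1: nosuid mount, setuid bit is ignored"
    echo "$2: $(count_world_writable "$2") world-writable entries"
fi
```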
