envWhitelist not working with docker.sudo = true #5309

Open
fntlnz opened this issue Sep 18, 2024 · 5 comments

Comments

@fntlnz

fntlnz commented Sep 18, 2024

Bug report

Expected behavior and actual behavior

When running nextflow with docker.sudo=true and any env var in envWhitelist I expect the env vars to be available inside the process containers, however they are not, see additional context for more details.

Steps to reproduce the problem

Open your nextflow config and write

docker {
    enabled = true
    sudo = true
    envWhitelist = 'AVARTHATSHOULDTOTALLYBETHERE'
}

Now run this pipeline

#!/usr/bin/env nextflow

process testenv {
    container 'ubuntu'

    output:
    path 'out'

    """
    echo "IS IT THERE \${AVARTHATSHOULDTOTALLYBETHERE}" > out
    """
}

workflow {
    testenv | view
}

export AVARTHATSHOULDTOTALLYBETHERE="Hello, I'm here"
nextflow run ./test.nf

Program output

ERROR ~ Error executing process > 'testenv'

Caused by:
  Process `testenv` terminated with an error exit status (1)


Command executed:

  echo "IS IT THERE ${AVARTHATSHOULDTOTALLYBETHERE}" > out

Command exit status:
  1

Command output:
  (empty)

Command error:
  .command.sh: line 2: AVARTHATSHOULDTOTALLYBETHERE: unbound variable

Work dir:
  /tmp/test-nf/work/f6/98c929c696d8b31f6f12f7422a90c4

Tip: when you have fixed the problem you can continue the execution adding the option `-resume` to the run command line

 -- Check '.nextflow.log' file for details

Environment

  • Nextflow version: nextflow version 24.04.4.5917
  • Java version:
openjdk 21 2023-09-19 LTS
OpenJDK Runtime Environment Temurin-21+35 (build 21+35-LTS)
OpenJDK 64-Bit Server VM Temurin-21+35 (build 21+35-LTS, mixed mode, sharing)
  • Operating system: Linux 6.8.0-44-generic #44-Ubuntu SMP PREEMPT_DYNAMIC Tue Aug 13 13:35:26 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • Bash version: zsh 5.9 (x86_64-ubuntu-linux-gnu)

Additional context

As a best practice, when you install the Docker daemon the installation process suggests that you not allow access to /var/run/docker.sock to your otherwise unprivileged user on the machine. This is because when a user gets added to the docker group it essentially becomes root, since things like this can be done: `docker run -it --privileged --net=host --pid=host debian nsenter -t 1 -n -m -p`.

Following this best practice, one can configure Nextflow to ask for privileges when running docker in this way:

docker {
    enabled = true
    sudo = true
    envWhitelist = 'AVARTHATSHOULDTOTALLYBETHERE'
}

This works well indeed; however, not when used in combination with docker.envWhitelist. Why? Because envWhitelist will share the environment variables with the shell that is starting the sudo command here, but the final docker run command does not get the env vars in its /proc/self/environ because they are not automatically passed down by sudo. A possible solution to this problem is to run with sudo -E; however, a safer approach would be to forward only the whitelisted env vars.

@fntlnz
Author

fntlnz commented Sep 18, 2024

This is the nxf_launch command that it created

nxf_launch() {
    sudo docker run -i --cpu-shares 1024 -e "NXF_TASK_WORKDIR" -e "AVARTHATSHOULDTOTALLYBETHERE" -v /tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97:/tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97 -w "$NXF_TASK_WORKDIR" --name $NXF_BOXID ubuntu /bin/bash -ue /tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97/.command.sh
}

As you can see, the sudo command does not pass down the needed env vars.

@pditommaso
Member

This seems to be a docker limitation?

@fntlnz
Author

fntlnz commented Sep 23, 2024

@pditommaso no, we just have to compose the nxf_launch script in this way when using sudo

nxf_launch() {
    sudo NXF_TASK_WORKDIR="$NXF_TASK_WORKDIR" AVARTHATSHOULDTOTALLYBETHERE="$AVARTHATSHOULDTOTALLYBETHERE" docker run -i --cpu-shares 1024 -e "NXF_TASK_WORKDIR" -e "AVARTHATSHOULDTOTALLYBETHERE" -v /tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97:/tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97 -w "$NXF_TASK_WORKDIR" --name "$NXF_BOXID" ubuntu /bin/bash -ue /tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97/.command.sh
}

instead of this

nxf_launch() {
    sudo docker run -i --cpu-shares 1024 -e "NXF_TASK_WORKDIR" -e "AVARTHATSHOULDTOTALLYBETHERE" -v /tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97:/tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97 -w "$NXF_TASK_WORKDIR" --name $NXF_BOXID ubuntu /bin/bash -ue /tmp/test-nf/work/aa/de499a28fb8da7677d285fc3941f97/.command.sh
}

And of course do the same thing in any other place where we combine sudo and the docker cli.
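The mechanism described in the issue body (sudo resets the environment, so a bare `-e NAME` finds nothing to forward) and the fix proposed above (prefix the `docker run` with `NAME="$NAME"` assignments for the whitelisted variables only, rather than `sudo -E`) as an added example that is not Nextflow's own code. It assumes a space-separated whitelist string and uses `env -i` as a stand-in for sudo's default env_reset so the check runs without root.

```shell
#!/bin/sh
# Added example, not Nextflow's own code: forward only whitelisted variables
# through sudo instead of `sudo -E`. `env -i` stands in for sudo's env_reset.

# A whitelist entry must be a legal variable name before it is used with
# eval or handed to sudo as NAME=value (rejects e.g. "bad-name" or "1X").
is_var_name() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the named variable is set in the caller's environment.
is_set() {
    eval "[ -n \"\${$1+set}\" ]"
}

# Print one NAME=value line per whitelisted variable that is actually set.
# These are the words that go between `sudo` and `docker run` in nxf_launch.
sudo_env_assignments() {
    for name in $1; do
        is_var_name "$name" || { echo "skipping invalid name: $name" >&2; continue; }
        is_set "$name" || continue      # unset vars are not forwarded as empty
        eval "value=\$$name"
        printf '%s=%s\n' "$name" "$value"
    done
}

# Run a probe under a cleared environment (like sudo's default env_reset),
# prefixed with the whitelisted assignments, and print the probe variable's
# value inside that environment, or "<unbound>" if it did not survive.
run_in_clean_env() {
    whitelist=$1; probe=$2
    is_var_name "$probe" || return 2
    set --
    for name in $whitelist; do
        is_var_name "$name" && is_set "$name" || continue
        eval "value=\$$name"
        set -- "$@" "$name=$value"      # keeps values with spaces as one word
    done
    env -i "$@" /bin/sh -c "printf '%s' \"\${$probe-<unbound>}\""
}
```

With an empty whitelist the probe reports `<unbound>`, which is exactly the `unbound variable` failure shown in the issue; with the variable whitelisted it arrives intact.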

@pditommaso

This comment was marked as outdated.

@pditommaso
Member

Got it, the variable must be passed before the docker command. Likely it can be extended as a general case.
