Figure out a way to run WDL and CWL runners without nondefault Docker privileges #4907

Open
stxue1 opened this issue May 1, 2024 · 2 comments



stxue1 commented May 1, 2024

We do some trickery with syscalls and whatnot to allow Singularity to run inside the container:

"--security-opt seccomp=unconfined --security-opt systempaths=unconfined"} \\

This means toil-wdl-runner (and maybe toil-cwl-runner) is unable to run inside a default Docker command, i.e. `docker exec -it toil_image toil-wdl-runner...` after a default `docker run toil_image`.

This is resulting in some issues with the TES plugin, and might have other implications for other batchsystem plugins that want to run the Toil container via their own docker command. (Though the main issue with TES is it wants to run the container as read only)

┆Issue is synchronized with this Jira Story
┆Issue Number: TOIL-1558
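
Added example, not part of the original issue or of Toil: a heuristic shell check, meant to be run inside a container, that reports whether the two Docker settings quoted above appear to be in effect. It reads the `Seccomp` field of `/proc/self/status` and looks for mounts layered over `/proc` paths in `/proc/self/mountinfo`. The function names and sample files are constructed for illustration, and other runtimes can also mount over `/proc`, so the result is a hint rather than proof.

```shell
# Added example (not Toil code): heuristic check of the two Docker settings.

# Seccomp mode from a /proc/<pid>/status file: 0 = off, 1 = strict, 2 = filter.
seccomp_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    awk '$1 == "Seccomp:" { print $2; hit = 1; exit }
         END { if (!hit) print "unknown" }' "$1"
}

# Number of mounts stacked on paths below /proc in a mountinfo file.
# Default Docker masks e.g. /proc/kcore and remounts e.g. /proc/sys read-only.
proc_overmounts() {
    [ -r "$1" ] || { echo unknown; return 0; }
    awk '$5 ~ /^\/proc\// { n++ } END { print n + 0 }' "$1"
}

# One-line summary; arguments default to the calling process's own files.
confinement_report() {
    mode=$(seccomp_mode "${1:-/proc/self/status}")
    over=$(proc_overmounts "${2:-/proc/self/mountinfo}")
    case "$mode" in
        0)   sc=unconfined ;;
        1|2) sc=filtered ;;
        *)   sc=unknown ;;
    esac
    case "$over" in
        unknown) sp=unknown ;;
        0)       sp=unconfined ;;
        *)       sp=confined ;;
    esac
    echo "seccomp=$sc systempaths=$sp"
}

# Constructed sample files standing in for a default and a relaxed container.
SAMPLES=$(mktemp -d)
printf 'Name:\tsh\nSeccomp:\t2\n' > "$SAMPLES/status.default"
printf 'Name:\tsh\nSeccomp:\t0\n' > "$SAMPLES/status.relaxed"
cat > "$SAMPLES/mounts.relaxed" <<'EOF'
101 100 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF
cat "$SAMPLES/mounts.relaxed" - > "$SAMPLES/mounts.default" <<'EOF'
102 101 0:51 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
103 101 0:5 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw
EOF
echo "sample default: $(confinement_report "$SAMPLES/status.default" "$SAMPLES/mounts.default")"
echo "sample relaxed: $(confinement_report "$SAMPLES/status.relaxed" "$SAMPLES/mounts.relaxed")"
echo "this process:   $(confinement_report)"
```

A seccomp mode of 2 only shows that some filter is installed, not that it is Docker's default profile.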


stxue1 commented May 24, 2024

Tangentially related to #4915


mr-c commented May 24, 2024

> (Though the main issue with TES is it wants to run the container as read only)

That's the default for cwltool
