Merge pull request #72 from gvallee/singularity_manifest

gvallee · web-flow · commit 365331a81620 · 2019-12-08T15:06:59.000-05:00
Create manifests for Singularity installations
diff --git a/cmd/sympi/sympi.go b/cmd/sympi/sympi.go
@@ -21,6 +21,7 @@ import (
 	"github.com/sylabs/singularity-mpi/internal/pkg/checker"
 	"github.com/sylabs/singularity-mpi/internal/pkg/implem"
 	"github.com/sylabs/singularity-mpi/internal/pkg/kv"
+	"github.com/sylabs/singularity-mpi/internal/pkg/manifest"
 	"github.com/sylabs/singularity-mpi/internal/pkg/sy"
 	"github.com/sylabs/singularity-mpi/internal/pkg/sympierr"
 	"github.com/sylabs/singularity-mpi/internal/pkg/sys"
@@ -52,8 +53,12 @@ func getSingularityInstalls(basedir string, entries []os.FileInfo) ([]string, er
 		}
 		if matched {
 			// Now we check if we have an install manifest for more information
-			installManifest := filepath.Join(basedir, entry.Name(), "install.MANIFEST")
+			installManifest := filepath.Join(basedir, entry.Name(), "mconfig.MANIFEST")
 			availVersion := strings.Replace(entry.Name(), sys.SingularityInstallDirPrefix, "", -1)
+
+			if !util.PathExists(installManifest) {
+				installManifest = filepath.Join(basedir, entry.Name(), "install.MANIFEST")
+			}
 			if util.PathExists(installManifest) {
 				data, err := ioutil.ReadFile(installManifest)
 				// Errors are not fatal, it means we just do not extract more information
@@ -347,6 +352,16 @@ func installSingularity(id string, params []string, sysCfg *sys.Config) error {
 		return fmt.Errorf("failed to install %s: %s", id, execRes.Err)
 	}
 
+	// Create manifest for the Singularity binary
+	syBin := filepath.Join(buildEnv.InstallDir, "bin", "singularity")
+	manifestPath := filepath.Join(buildEnv.InstallDir, "singularity.MANIFEST")
+	hashes := manifest.HashFiles([]string{syBin})
+	err = manifest.Create(manifestPath, hashes)
+	if err != nil {
+		// This is not an error, we just log the error
+		log.Printf("failed to create the MANIFEST for %s\n", id)
+	}
+
 	return nil
 }
 
@@ -579,7 +594,7 @@ func main() {
 	if *run != "" {
 		err := sympi.RunContainer(*run, nil, &sysCfg)
 		if err != nil {
-			fmt.Printf("Impossible to run container %s: %s", *run, err)
+			fmt.Printf("Impossible to run container %s: %s\n", *run, err)
 			os.Exit(1)
 		}
 
diff --git a/internal/pkg/buildenv/buildenv.go b/internal/pkg/buildenv/buildenv.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/sylabs/singularity-mpi/internal/pkg/implem"
 	"github.com/sylabs/singularity-mpi/internal/pkg/persistent"
+	"github.com/sylabs/singularity-mpi/internal/pkg/syexec"
 	"github.com/sylabs/singularity-mpi/internal/pkg/sys"
 	util "github.com/sylabs/singularity-mpi/internal/pkg/util/file"
 )
@@ -138,36 +139,35 @@ func (env *Info) RunMake(priv bool, args []string, stage string) error {
 		return fmt.Errorf("invalid parameter(s)")
 	}
 
-	var stdout, stderr bytes.Buffer
-
+	var makeCmd syexec.SyCmd
+	makeCmd.ManifestName = "make"
 	if stage != "" {
 		args = append(args, stage)
+		makeCmd.ManifestName = strings.Join(args, "_")
 	}
 
 	args = append([]string{"-j4"}, args...)
 	logMsg := "make " + strings.Join(args, " ")
-	var makeCmd *exec.Cmd
 	if !priv {
-		makeCmd = exec.Command("make", args...)
+		makeCmd.BinPath = "make"
 	} else {
 		sudoBin, err := exec.LookPath("sudo")
 		logMsg = sudoBin + " " + logMsg
 		if err != nil {
 			return fmt.Errorf("failed to find the sudo binary: %s", err)
 		}
 		args = append([]string{"make"}, args...)
-		makeCmd = exec.Command(sudoBin, args...)
+		makeCmd.BinPath = sudoBin
 	}
+	makeCmd.CmdArgs = args
 	log.Printf("* Executing (from %s): %s", env.SrcDir, logMsg)
 	if len(env.Env) > 0 {
 		makeCmd.Env = env.Env
 	}
-	makeCmd.Dir = env.SrcDir
-	makeCmd.Stderr = &stderr
-	makeCmd.Stdout = &stdout
-	err := makeCmd.Run()
-	if err != nil {
-		return fmt.Errorf("command failed: %s - stdout: %s - stderr: %s", err, stdout.String(), stderr.String())
+	makeCmd.ExecDir = env.SrcDir
+	res := makeCmd.Run()
+	if res.Err != nil {
+		return fmt.Errorf("command failed: %s - stdout: %s - stderr: %s", res.Err, res.Stdout, res.Stderr)
 	}
 
 	return nil
diff --git a/internal/pkg/manifest/manifest.go b/internal/pkg/manifest/manifest.go
@@ -6,11 +6,42 @@
 package manifest
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
+	"io"
 	"os"
 	"strings"
 )
 
+func getFileHash(path string) string {
+	f, err := os.Open(path)
+	if err != nil {
+		return ""
+	}
+	defer f.Close()
+
+	hasher := sha256.New()
+	_, err = io.Copy(hasher, f)
+	if err != nil {
+		return ""
+	}
+
+	return hex.EncodeToString(hasher.Sum(nil))
+}
+
+// Hash files returns the hash for a list of files (absolute path)
+func HashFiles(files []string) []string {
+	var hashData []string
+
+	for _, file := range files {
+		hash := getFileHash(file)
+		hashData = append(hashData, file+": "+hash)
+	}
+
+	return hashData
+}
+
 // Create a new manifest
 func Create(filepath string, entries []string) error {
 	f, err := os.Create(filepath)
diff --git a/internal/pkg/sy/sy.go b/internal/pkg/sy/sy.go
@@ -23,6 +23,7 @@ import (
 	"github.com/sylabs/singularity-mpi/internal/pkg/implem"
 	"github.com/sylabs/singularity-mpi/internal/pkg/kv"
 	"github.com/sylabs/singularity-mpi/internal/pkg/manifest"
+	"github.com/sylabs/singularity-mpi/internal/pkg/syexec"
 	"github.com/sylabs/singularity-mpi/internal/pkg/sys"
 	util "github.com/sylabs/singularity-mpi/internal/pkg/util/file"
 )
@@ -243,26 +244,22 @@ func Configure(env *buildenv.Info, sysCfg *sys.Config, extraArgs []string) error
 			return fmt.Errorf("failed to create %s: %s", env.InstallDir, err)
 		}
 	}
-	singularityManifestPath := filepath.Join(env.InstallDir, "install.MANIFEST")
-	err := manifest.Create(singularityManifestPath, []string{strings.Join(args, " ")})
-	if err != nil {
-		return fmt.Errorf("failed to create installation manifest: %s", err)
-	}
 
 	// Run mconfig
+	var sycmd syexec.SyCmd
+	sycmd.Env = updateEnviron(env)
+	sycmd.ExecDir = env.SrcDir
+	sycmd.ManifestDir = env.InstallDir
+	sycmd.ManifestName = "mconfig"
+	sycmd.BinPath = "./mconfig"
+	sycmd.CmdArgs = args
+	sycmd.ManifestData = []string{strings.Join(args, " ")}
 	log.Printf("-> Executing from %s: ./mconfig %s\n", env.SrcDir, strings.Join(args, " "))
-	newEnv := updateEnviron(env)
-	env.Env = newEnv
-	log.Printf("-> Using env: %s\n", strings.Join(newEnv, "\n"))
-	var stderr bytes.Buffer
-	cmd = exec.CommandContext(ctx, "./mconfig", args...)
-	cmd.Dir = env.SrcDir
-	cmd.Env = newEnv
-	cmd.Stderr = &stderr
-	cmd.Stdout = &stdout
-	err = cmd.Run()
-	if err != nil {
-		return fmt.Errorf("failed to run mconfig: %s (stderr: %s; stdout: %s)", err, stderr.String(), stdout.String())
+	log.Printf("-> Using env: %s\n", strings.Join(sycmd.Env, "\n"))
+
+	res := sycmd.Run()
+	if res.Err != nil {
+		return fmt.Errorf("failed to run mconfig: %s (stderr: %s; stdout: %s)", res.Err, res.Stderr, res.Stdout)
 	}
 
 	return nil
@@ -362,3 +359,40 @@ func GetVersion(sysCfg *sys.Config) string {
 
 	return stdout.String()
 }
+
+// CheckIntegrity checks if the installation of Singularity has been compromised
+func CheckIntegrity(sysCfg *sys.Config) error {
+	log.Println("* Checking intergrity of Singularity...")
+
+	if sysCfg.SingularityBin == "" {
+		return fmt.Errorf("singularity bianry cannot be found")
+	}
+
+	basedir := filepath.Dir(sysCfg.SingularityBin)
+	basedir = filepath.Join(basedir, "..")
+	installManifest := filepath.Join(basedir, "singularity.MANIFEST")
+
+	if util.FileExists(installManifest) {
+		data, err := ioutil.ReadFile(installManifest)
+		if err != nil {
+			log.Printf("Manifest %s does not exist", installManifest)
+			return nil // This is not a fatal error
+		}
+		content := string(data)
+		lines := strings.Split(content, "\n")
+		for _, line := range lines {
+			if strings.Contains(line, "bin/singularity: ") {
+				curFileHash := manifest.HashFiles([]string{sysCfg.SingularityBin})
+				if curFileHash[0] != line {
+					hashRecordeed := strings.Split(line, ": ")[1]
+					actualHash := strings.Split(curFileHash[0], ": ")[1]
+					return fmt.Errorf("hashes differ (record: %s; actual: %s)", hashRecordeed, actualHash)
+				}
+			}
+		}
+	} else {
+		log.Printf("No manifest in %s, skipping...\n", basedir)
+	}
+
+	return nil
+}
diff --git a/internal/pkg/syexec/syexec.go b/internal/pkg/syexec/syexec.go
@@ -8,11 +8,7 @@ package syexec
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"io"
 	"log"
-	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
@@ -59,6 +55,9 @@ type SyCmd struct {
 	// CancelFn is the function to cancel the command to submit a job
 	CancelFn context.CancelFunc
 
+	// ManifestName is the name of the manifest, it will default to "exec.MANIFEST" if not defined
+	ManifestName string
+
 	// ManifestDir is the directory where to create the manifest related to the command execution
 	ManifestDir string
 
@@ -69,33 +68,6 @@ type SyCmd struct {
 	ManifestFileHash []string
 }
 
-func getFileHash(path string) string {
-	f, err := os.Open(path)
-	if err != nil {
-		return ""
-	}
-	defer f.Close()
-
-	hasher := sha256.New()
-	_, err = io.Copy(hasher, f)
-	if err != nil {
-		return ""
-	}
-
-	return hex.EncodeToString(hasher.Sum(nil))
-}
-
-func hashFiles(files []string) []string {
-	var hashData []string
-
-	for _, file := range files {
-		hash := getFileHash(file)
-		hashData = append(hashData, file+": "+hash)
-	}
-
-	return hashData
-}
-
 // Run executes a syexec command and creates the appropriate manifest (when possible)
 func (c *SyCmd) Run() Result {
 	var res Result
@@ -127,16 +99,19 @@ func (c *SyCmd) Run() Result {
 
 	if c.ManifestDir != "" {
 		path := filepath.Join(c.ManifestDir, "exec.MANIFEST")
+		if c.ManifestName != "" {
+			path = filepath.Join(c.ManifestDir, c.ManifestName+".MANIFEST")
+		}
 		if !util.FileExists(path) {
 			currentTime := time.Now()
-			data := []string{"Command: " + c.BinPath + strings.Join(c.CmdArgs, " ") + "\n"}
+			data := []string{"Command: " + c.BinPath + " " + strings.Join(c.CmdArgs, " ") + "\n"}
 			data = append(data, "Execution path: "+c.ExecDir)
 			data = append(data, "Execution time: "+currentTime.Format("2006-01-02 15:04:05"))
 			data = append(data, c.ManifestData...)
 
 			filesToHash := []string{c.BinPath} // we always get the fingerprint of the binary we execute
 			filesToHash = append(filesToHash, c.ManifestFileHash...)
-			hashData := hashFiles(filesToHash)
+			hashData := manifest.HashFiles(filesToHash)
 			data = append(data, hashData...)
 
 			err := manifest.Create(path, data)
diff --git a/pkg/sympi/sympi.go b/pkg/sympi/sympi.go
@@ -25,6 +25,7 @@ import (
 	"github.com/sylabs/singularity-mpi/internal/pkg/kv"
 	"github.com/sylabs/singularity-mpi/internal/pkg/launcher"
 	"github.com/sylabs/singularity-mpi/internal/pkg/mpi"
+	"github.com/sylabs/singularity-mpi/internal/pkg/sy"
 	"github.com/sylabs/singularity-mpi/internal/pkg/syexec"
 	"github.com/sylabs/singularity-mpi/internal/pkg/sys"
 	util "github.com/sylabs/singularity-mpi/internal/pkg/util/file"
@@ -275,8 +276,10 @@ func RunContainer(containerDesc string, args []string, sysCfg *sys.Config) error
 	}
 
 	// Inspect the image and extract the metadata
-	if sysCfg.SingularityBin == "" {
-		log.Fatalf("singularity bin not defined")
+	err = sy.CheckIntegrity(sysCfg)
+	if err != nil {
+		fmt.Printf("[WARNING] Your Singularity installation seems to be corrupted: %s\n", err)
+		return fmt.Errorf("Compromised Singularity installation")
 	}
 
 	fmt.Printf("Analyzing %s to figure out the correct configuration for execution...\n", imgPath)
