Merge pull request #306730 from ShamrockLee/apptainer-default-path

apptainer, singularity: precede system-level bin paths in `defaultPath` and fix `singularity` image running

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -225,6 +225,19 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `appimageTools.wrapAppImage` now creates the binary at `$out/bin/${pname}` rather than `$out/bin/${pname}-${version}`, which will break downstream workarounds.
 
+- `apptainer` and `singularity` now prioritize system-wide `PATH` over those constructed from dependent packages when searching for third-party utilities. The `PATH` to search for third-party utilities, known as `defaultPath` inside Apptainer/Singularity source code, is now constructed from the following sources, ordered by their precedence:
+  - `systemBinPaths`, a new argument introduced to specify system-wide `"/**/bin"` directories.
+  - The FHS `defaultPath` value set by Apptainer/Singularity developers, making Apptainer/Singularity work out of the box in FHS systems.
+  - `defaultPathInputs`, a list of packages to form the fall-back `PATH`.
+
+  This change is required to enable Sylabs SingularityCE (`singularity`) to run images, as it requires a `fusermount3` commant with the SUID bit set.
+
+  `newuidmapPath` and `newgidmapPath` arguments are deprecated in favour of `systemBinPaths`. Their support will be removed in future releases.
+
+  `programs.singularity.systemBinPaths` option is introduced to specify the `systemBinPaths` argument of the overridden package. It includes `"/run/wrappers/bin"` even if specified empty.
+
+  `programs.singularity.enableFakeroot` option is deprecated and has no effect. `--fakeroot` support is now always enabled as long as `programs.singularity.systemBinPaths` is not forcefully overridden.
+
 - `azure-cli` now has extension support. For example, to install the `aks-preview` extension, use
 
   ```nix

nixos/modules/programs/singularity.nix

@@ -56,9 +56,12 @@ in
     enableFakeroot = lib.mkOption {
       type = lib.types.bool;
       default = true;
-      example = false;
       description = ''
         Whether to enable the `--fakeroot` support of Singularity/Apptainer.
+
+        This option is deprecated and has no effect.
+        `--fakeroot` support is enabled automatically,
+        as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
       '';
     };
     enableSuid = lib.mkOption {
@@ -74,22 +77,34 @@ in
         Whether to enable the SUID support of Singularity/Apptainer.
       '';
     };
+    systemBinPaths = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [ ];
+      description = ''
+        (Extra) system-wide /**/bin paths
+        for Apptainer/Singularity to find command-line utilities in.
+
+        `"/run/wrappers/bin"` is included by default to make
+        utilities with SUID bit set available to Apptainer/Singularity.
+        Use `lib.mkForce` to shadow the default values.
+      '';
+    };
   };
 
   config = lib.mkIf cfg.enable {
     programs.singularity.packageOverriden = (
       cfg.package.override (
-        lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
-        // lib.optionalAttrs cfg.enableFakeroot {
-          newuidmapPath = "/run/wrappers/bin/newuidmap";
-          newgidmapPath = "/run/wrappers/bin/newgidmap";
+        {
+          systemBinPaths = cfg.systemBinPaths;
         }
+        // lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
         // lib.optionalAttrs cfg.enableSuid {
           enableSuid = true;
           starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
         }
       )
     );
+    programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];
     environment.systemPackages = [ cfg.packageOverriden ];
     security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid {
       setuid = true;

pkgs/applications/virtualization/singularity/generic.nix

@@ -70,11 +70,19 @@ in
   # Whether to compile with SUID support
   enableSuid ? false,
   starterSuidPath ? null,
-  # newuidmapPath and newgidmapPath are to support --fakeroot
-  # where those SUID-ed executables are unavailable from the FHS system PATH.
+  # Extra system-wide /**/bin paths to prefix,
+  # useful to specify directories containing binaries with SUID bit set.
+  # The paths take higher precedence over the FHS system PATH specified
+  # inside the upstream source code.
+  # Include "/run/wrappers/bin" by default for the convenience of NixOS users.
+  systemBinPaths ? [ "/run/wrappers/bin" ],
   # Path to SUID-ed newuidmap executable
+  # Deprecated in favour of systemBinPaths
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
   newuidmapPath ? null,
   # Path to SUID-ed newgidmap executable
+  # Deprecated in favour of systemBinPaths
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off
   newgidmapPath ? null,
   # External LOCALSTATEDIR
   externalLocalStateDir ? null,
@@ -99,18 +107,30 @@ in
   vendorHash ? _defaultGoVendorArgs.vendorHash,
   deleteVendor ? _defaultGoVendorArgs.deleteVendor,
   proxyVendor ? _defaultGoVendorArgs.proxyVendor,
-}:
+}@args:
 
 let
+  # Backward compatibility for privileged-un-utils.
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
   privileged-un-utils =
     if ((newuidmapPath == null) && (newgidmapPath == null)) then
       null
     else
-      (runCommandLocal "privileged-un-utils" { } ''
-        mkdir -p "$out/bin"
-        ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
-        ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
-      '');
+      lib.warn
+        "${pname}: arguments newuidmapPath and newgidmapPath is deprecated in favour of systemBinPaths."
+        (
+          runCommandLocal "privileged-un-utils" { } ''
+            mkdir -p "$out/bin"
+            ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
+            ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
+          ''
+        );
+
+  # Backward compatibility for privileged-un-utils.
+  # TODO(@ShamrockLee): Remove after Nixpkgs 24.05 branch-off.
+  systemBinPaths =
+    lib.optional (privileged-un-utils != null) (lib.makeBinPath [ privileged-un-utils ])
+    ++ args.systemBinPaths or [ "/run/wrappers/bin" ];
 
   concatMapStringAttrsSep =
     sep: f: attrs:
@@ -196,8 +216,9 @@ in
   # causes redefinition of _FORTIFY_SOURCE
   hardeningDisable = [ "fortify3" ];
 
-  # Packages to prefix to the Apptainer/Singularity container runtime default PATH
-  # Use overrideAttrs to override
+  # Packages to provide fallback bin paths
+  # to the Apptainer/Singularity container runtime default PATHs.
+  # Override with `<pkg>.overrideAttrs`.
   defaultPathInputs = [
     bash
     coreutils
@@ -206,7 +227,6 @@ in
     fuse2fs # Mount ext3 filesystems
     go
     mount # mount
-    privileged-un-utils
     squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
     squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
   ] ++ lib.optional enableNvidiaContainerCli nvidia-docker;
@@ -228,7 +248,7 @@ in
             lib.concatStringsSep " " [
               "--replace-fail"
               (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
-              (addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'')
+              (addShellDoubleQuotes ''$systemDefaultPath''${systemDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}''${inputsDefaultPath:+:}$inputsDefaultPath'')
             ]
           ) originalDefaultPaths
         }
@@ -267,8 +287,11 @@ in
   postFixup = ''
     substituteInPlace "$out/bin/run-singularity" \
       --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
+    # Respect PATH from the environment/the user.
+    # Fallback to bin paths provided by Nixpkgs packages.
     wrapProgram "$out/bin/${projectName}" \
-      --prefix PATH : "$inputsDefaultPath"
+      --suffix PATH : "$systemDefaultPath" \
+      --suffix PATH : "$inputsDefaultPath"
     # Make changes in the config file
     ${lib.optionalString forceNvcCli ''
       substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
@@ -326,6 +349,7 @@ in
 }).overrideAttrs
   (
     finalAttrs: prevAttrs: {
+      systemDefaultPath = lib.concatStringsSep ":" systemBinPaths;
       inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
       passthru = prevAttrs.passthru or { } // {
         inherit sourceFilesWithDefaultPaths;