Comments (2)
Hi @wynstep - I'm afraid there is no way to effectively do this. In order to run a container it must be decrypted, and the user can then access/extract the content even if the shell command only is locked down. E.g. they could mount the unencrypted container image directly and copy the files out.
Encryption of the container is useful to ensure that only the intended user of a container can access what's inside it.
If you need to restrict access by the intended user to the custom scripts you would probably need to implement some kind of application-level encryption to protect those scripts.
Alright, thank you! I'll try to think of another solution.