Message boards :
Theory Application :
Native applications (Theory and Atlas) with Ubuntu 24.04 and Boinc 8.0.2
Message board moderation
| Author | Message |
|---|---|
|
Send message Joined: 24 May 23 Posts: 31 Credit: 1,449,721 RAC: 21,499   
|
This is what I've done to enable both Theory and Atlas native apps. Desktop with Ubuntu 24.04 and Boinc 8.0.2. wget https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/cvmfs-release-latest_all.deb sudo dpkg -i cvmfs-release-latest_all.deb rm -f cvmfs-release-latest_all.deb sudo apt update sudo apt install cvmfs wget https://github.com/sylabs/singularity/releases/download/v4.1.4/singularity-ce_4.1.4-noble_amd64.deb sudo dpkg -i singularity-ce_4.1.4-noble_amd64.deb rm -f singularity-ce_4.1.4-noble_amd64.deb sudo nano /etc/cvmfs/default.local # ----> Paste this inside: CVMFS_REPOSITORIES="atlas,atlas-condb,grid,cernvm-prod,sft,alice" CVMFS_CLIENT_PROFILE=single CVMFS_USE_CDN=yes CVMFS_HTTP_PROXY="auto;DIRECT" CVMFS_KCACHE_TIMEOUT=2CVMFS_MAX_RETRIES=3 CVMFS_QUOTA_LIMIT=6000 CTRL+O to save and then CTRL+X to exit nano. echo "CVMFS_CONFIG_REPO_REQUIRED=no" |sudo tee /etc/cvmfs/config.d/cvmfs-config.cern.ch.local echo "CVMFS_CONFIG_REPO_REQUIRED=yes" |sudo tee /etc/cvmfs/domain.d/cern.ch.local sudo nano /etc/sudoers.d/50-lhcathome_boinc_theory_native # ----> Paste this inside: # save this file as '/etc/sudoers.d/50-lhcathome_boinc_theory_native' # ownership must be 'root:root' and access rights must be '-r--r-----' # '@includedir /etc/sudoers.d' must be enabled in /etc/sudoers # regular expressions are enclosed between '^' and '$' # this is supported since sudo version 1.9.10 # for more information read 'man sudoers' # the regex patterns given here must match the command arguments in the calling script # missing/additional arguments or an argument order not in sync causes a command to be rejected # the commands are permitted for the local group 'boinc' # ensure the calling user is a member of that group Cmnd_Alias LHCATHOMEBOINC_01 = /usr/bin/cat ^/etc/sudoers.d/50-lhcathome_boinc_theory_native$ Cmnd_Alias LHCATHOMEBOINC_02 = /usr/bin/systemctl ^(freeze|thaw) Theory_[-a-zA-Z0-9_]+\.scope$ Cmnd_Alias LHCATHOMEBOINC_03 = /usr/bin/systemd-run ^--scope -u [a-zA-Z0-9_-]+ -p BindsTo=[a-zA-Z0-9_\.@-]+ -p After=[a-zA-Z0-9_\.@-]+ --slice-inherit --uid=[a-zA-Z0-9_-]+ --gid=boinc --same-dir -q -G /[a-zA-Z0-9_\./-]+/(runc|runc\.new|runc\.old) --root state run -b cernvm [a-zA-Z0-9_-]+$ %boinc ALL = (ALL) NOPASSWD: LHCATHOMEBOINC_01, LHCATHOMEBOINC_02, LHCATHOMEBOINC_03 CTRL+O to save and then CTRL+X to exit nano. sudo chmod u=r,g=r,o= /etc/sudoers.d/50-lhcathome_boinc_theory_native sudo usermod -s /bin/bash boinc sudo passwd boinc # -----> choose a password sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 # -----> This is a bit of a security issue Then go to the project preferences web page, choose Theory and Atlas among the LHC apps, and check the option "run native if available?" HTH... and I hope I haven't forgotten anything. Bye, Lem |
 Send message Joined: 15 Jun 08 Posts: 2509 Credit: 249,193,834 RAC: 127,193   |
... I hope I haven't forgotten anything. ATM SingularityCE as well as Apptainer (the successor of the original Singularity) both work with ATLAS. This may change sometime in the (far) future as stated in the logs. Hence, it is recommended to use Apptainer. [2024-07-17 00:42:36] Falling back to singularity found in PATH at /usr/bin/singularity [2024-07-17 00:42:36] WARNING: singularity support will be removed in a future version of native ATLAS Missing. The most recent config package must be installed in addition to the main package (here: the deb version). https://ecsft.cern.ch/dist/cvmfs/cvmfs-config/cvmfs-config-default_latest_all.deb Wrong variable assignment: CVMFS_KCACHE_TIMEOUT=2CVMFS_MAX_RETRIES=3 Must be on separate lines like: CVMFS_KCACHE_TIMEOUT=2 CVMFS_MAX_RETRIES=3 The sudoers file: It is not recommended to copy it from a forum post as this may insert unwanted characters, e.g. linefeeds. Those can corrupt the sudoers file. Instead, run the script mentioned in Laurence's original post: https://lhcathome.cern.ch/lhcathome/forum_thread.php?id=6075&postid=48978 https://lhcathome.cern.ch/lhcathome/download/prepare_theory_native_environment |
|
Send message Joined: 24 May 23 Posts: 31 Credit: 1,449,721 RAC: 21,499
|
Sure. https://apptainer.org/docs/admin/main/installation.html BTW: setuid or non-setuid? Missing. Uh!? I do not remember this step. It's done automagically, maybe? ;) And I have all these packages installed: cvmfs cvmfs-libs cvmfs-release cvmfs-fuse3 cvmfs-config-default Wrong variable assignment: Yes, my bad, thank you. Bye. Lem |
|
Send message Joined: 15 Jun 08 Posts: 2509 Credit: 249,193,834 RAC: 127,193 |
BTW: setuid or non-setuid? setuid See this comment from apptainer.conf: # ALLOW SETUID: [BOOL] # DEFAULT: yes # Should we allow users to utilize the setuid program flow within Apptainer? # note1: This is the default mode, and to utilize all features, this option # must be enabled. For example, without this option loop mounts of image # files will not work; only sandbox image directories, which do not need loop # mounts, will work (subject to note 2). # note2: If this option is disabled, it will rely on unprivileged user # namespaces which have not been integrated equally between different Linux # distributions. More information can be found in the apptainer manual (you already posted a link to it). |
|
Send message Joined: 24 May 23 Posts: 31 Credit: 1,449,721 RAC: 21,499
|
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 # -----> This is a bit of a security issue Sorry. This must be made persistent, otherwise it's lost on reboot. So: echo "kernel.apparmor_restrict_unprivileged_userns=0 #Security issue. Remove this setting ASAP" |sudo tee /etc/sysctl.d/60-apparmor-namespace.conf Bye, Lem |
©2024 CERN