singularity: new variants to enable non-suid and non-network builds (#16088)

Defaults are left as they are currently

var/spack/repos/builtin/packages/singularity/package.py

@@ -35,6 +35,8 @@ class Singularity(MakefilePackage):
     version('3.2.1', sha256='d4388fb5f7e0083f0c344354c9ad3b5b823e2f3f27980e56efa7785140c9b616')
     version('3.1.1', sha256='7f0df46458d8894ba0c2071b0848895304ae6b1137d3d4630f1600ed8eddf1a4')
 
+    variant('suid', default=True, description='install SUID binary')
+    variant('network', default=True, description='install network plugins')
     depends_on('go')
     depends_on('libuuid')
     depends_on('libgpg-error')
@@ -82,7 +84,12 @@ def build_directory(self):
     # Hijack the edit stage to run mconfig.
     def edit(self, spec, prefix):
         with working_dir(self.build_directory):
-            configure = Executable('./mconfig --prefix=%s' % prefix)
+            confstring = './mconfig --prefix=%s' % prefix
+            if '~suid' in spec:
+                confstring += ' --without-suid'
+            if '~network' in spec:
+                confstring += ' --without-network'
+            configure = Executable(confstring)
             configure()
 
     # Set these for use by MakefilePackage's default build/install methods.
@@ -127,33 +134,35 @@ def _build_script(self, filename, variable_data):
 
     @run_after('install')
     def build_perms_script(self):
-        script = self.perm_script_path()
+        if self.spec.satisfies('+suid'):
-        chown_files = ['libexec/singularity/bin/starter-suid',
+            script = self.perm_script_path()
-                       'etc/singularity/singularity.conf',
+            chown_files = ['libexec/singularity/bin/starter-suid',
-                       'etc/singularity/capability.json',
+                           'etc/singularity/singularity.conf',
-                       'etc/singularity/ecl.toml']
+                           'etc/singularity/capability.json',
-        setuid_files = ['libexec/singularity/bin/starter-suid']
+                           'etc/singularity/ecl.toml']
-        self._build_script(script, {'prefix': self.spec.prefix,
+            setuid_files = ['libexec/singularity/bin/starter-suid']
-                                    'chown_files': chown_files,
+            self._build_script(script, {'prefix': self.spec.prefix,
-                                    'setuid_files': setuid_files})
+                                        'chown_files': chown_files,
-        chmod = which('chmod')
+                                        'setuid_files': setuid_files})
-        chmod('555', script)
+            chmod = which('chmod')
+            chmod('555', script)
 
     # Until tty output works better from build steps, this ends up in
     # the build log.  See https://github.com/spack/spack/pull/10412.
     @run_after('install')
     def caveats(self):
-        tty.warn("""
+        if self.spec.satisfies('+suid'):
-        For full functionality, you'll need to chown and chmod some files
+            tty.warn("""
-        after installing the package.  This has security implications.
+            For full functionality, you'll need to chown and chmod some files
-        For details, see:
+            after installing the package.  This has security implications.
-        https://sylabs.io/guides/2.6/admin-guide/security.html
+            For details, see:
-        https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security
+            https://sylabs.io/guides/2.6/admin-guide/security.html
+            https://sylabs.io/guides/3.2/admin-guide/admin_quickstart.html#singularity-security
 
-        We've installed a script that will make the necessary changes;
+            We've installed a script that will make the necessary changes;
-        read through it and then execute it as root (e.g. via sudo).
+            read through it and then execute it as root (e.g. via sudo).
 
-        The script is named:
+            The script is named:
 
-        {0}
+            {0}
-        """.format(self.perm_script_path()))
+            """.format(self.perm_script_path()))