# APPTAINER.CONF # This is the global configuration file for Apptainer. This file controls # what the container is allowed to do on a particular host, and as a result # this file must be owned by root. # ALLOW SETUID: [BOOL] # DEFAULT: yes # Should we allow users to utilize the setuid program flow within Apptainer? # note1: This is the default mode, and to utilize all features, this option # must be enabled. For example, without this option loop mounts of image # files will not work; only sandbox image directories, which do not need loop # mounts, will work (subject to note 2). # note2: If this option is disabled, it will rely on unprivileged user # namespaces which have not been integrated equally between different Linux # distributions. allow setuid = yes # MAX LOOP DEVICES: [INT] # DEFAULT: 256 # Set the maximum number of loop devices that Apptainer should ever attempt # to utilize. max loop devices = 256 # ALLOW PID NS: [BOOL] # DEFAULT: yes # Should we allow users to request the PID namespace? Note that for some HPC # resources, the PID namespace may confuse the resource manager and break how # some MPI implementations utilize shared memory. (note, on some older # systems, the PID namespace is always used) allow pid ns = yes # CONFIG PASSWD: [BOOL] # DEFAULT: yes # If /etc/passwd exists within the container, this will automatically append # an entry for the calling user. config passwd = yes # CONFIG GROUP: [BOOL] # DEFAULT: yes # If /etc/group exists within the container, this will automatically append # group entries for the calling user. config group = yes # CONFIG RESOLV_CONF: [BOOL] # DEFAULT: yes # If there is a bind point within the container, use the host's # /etc/resolv.conf. config resolv_conf = yes # MOUNT PROC: [BOOL] # DEFAULT: yes # Should we automatically bind mount /proc within the container? mount proc = yes # MOUNT SYS: [BOOL] # DEFAULT: yes # Should we automatically bind mount /sys within the container? mount sys = yes # MOUNT DEV: [yes/no/minimal] # DEFAULT: yes # Should we automatically bind mount /dev within the container? If 'minimal' # is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will # be included (the same effect as the --contain options) mount dev = yes # MOUNT DEVPTS: [BOOL] # DEFAULT: yes # Should we mount a new instance of devpts if there is a 'minimal' # /dev, or -C is passed? Note, this requires that your kernel was # configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're # running kernel 4.7 or newer. mount devpts = yes # MOUNT HOME: [BOOL] # DEFAULT: yes # Should we automatically determine the calling user's home directory and # attempt to mount it's base path into the container? If the --contain option # is used, the home directory will be created within the session directory or # can be overridden with the APPTAINER_HOME or APPTAINER_WORKDIR # environment variables (or their corresponding command line options). mount home = yes # MOUNT TMP: [BOOL] # DEFAULT: yes # Should we automatically bind mount /tmp and /var/tmp into the container? If # the --contain option is used, both tmp locations will be created in the # session directory or can be specified via the APPTAINER_WORKDIR # environment variable (or the --workingdir command line option). mount tmp = yes # MOUNT HOSTFS: [BOOL] # DEFAULT: no # Probe for all mounted file systems that are mounted on the host, and bind # those into the container? mount hostfs = no # BIND PATH: [STRING] # DEFAULT: Undefined # Define a list of files/directories that should be made available from within # the container. The file or directory must exist within the container on # which to attach to. you can specify a different source and destination # path (respectively) with a colon; otherwise source and dest are the same. # NOTE: these are ignored if apptainer is invoked with --contain except # for /etc/hosts and /etc/localtime. When invoked with --contain and --net, # /etc/hosts would contain a default generated content for localhost resolution. #bind path = /etc/apptainer/default-nsswitch.conf:/etc/nsswitch.conf #bind path = /opt #bind path = /scratch bind path = /etc/localtime bind path = /etc/hosts # USER BIND CONTROL: [BOOL] # DEFAULT: yes # Allow users to influence and/or define bind points at runtime? This will allow # users to specify bind points, scratch and tmp locations. (note: User bind # control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS) user bind control = yes # ENABLE FUSEMOUNT: [BOOL] # DEFAULT: yes # Allow users to mount fuse filesystems inside containers with the --fusemount # command line option. enable fusemount = yes # ENABLE OVERLAY: [yes/no/driver/try] # DEFAULT: yes # Enabling this option will make it possible to specify bind paths to locations # that do not currently exist within the container. If 'yes', kernel overlayfs # will be tried but if it doesn't work, the image driver (i.e. fuse-overlayfs) # will be used instead. 'try' is obsolete and treated the same as 'yes'. # If 'driver' is chosen, overlay will always be handled by the image driver. # If 'no' is chosen, then no overlay type will be used for missing bind paths # nor for any other purpose. # The ENABLE UNDERLAY 'preferred' option below overrides this option for # creating bind paths. enable overlay = yes # ENABLE UNDERLAY: [yes/no/preferred] # DEFAULT: yes # Enabling this option will make it possible to specify bind paths to locations # that do not currently exist within the container without using any overlay # feature, when the '--underlay' action option is given by the user or when # the ENABLE OVERLAY option above is set to 'no'. # If 'preferred' is chosen, then underlay will always be used instead of # overlay for creating bind paths. # This option is deprecated and will be removed in a future release, because # the implementation is complicated and the performance is similar to # overlayfs and fuse-overlayfs. enable underlay = preferred # MOUNT SLAVE: [BOOL] # DEFAULT: yes # Should we automatically propagate file-system changes from the host? # This should be set to 'yes' when autofs mounts in the system should # show up in the container. mount slave = yes # SESSIONDIR MAXSIZE: [STRING] # DEFAULT: 64 # This specifies how large the default sessiondir should be (in MB). It will # affect users who use the "--contain" options and don't also specify a # location to do default read/writes to (e.g. "--workdir" or "--home") and # it will also affect users of "--writable-tmpfs". sessiondir max size = 64 # ***************************************************************************** # WARNING # # The 'limit container' and 'allow container' directives are not effective if # unprivileged user namespaces are enabled. They are only effectively applied # when Apptainer is running using the native runtime in setuid mode, and # unprivileged container execution is not possible on the host. # # You must disable unprivileged user namespace creation on the host if you rely # on the these directives to limit container execution. # # See the 'Security' and 'Configuration Files' sections of the Admin Guide for # more information. # ***************************************************************************** # LIMIT CONTAINER OWNERS: [STRING] # DEFAULT: NULL # Only allow containers to be used that are owned by a given user. If this # configuration is undefined (commented or set to NULL), all containers are # allowed to be used. # # Only effective in setuid mode, with unprivileged user namespace creation # disabled. Ignored for the root user. #limit container owners = gmk, apptainer, nobody # LIMIT CONTAINER GROUPS: [STRING] # DEFAULT: NULL # Only allow containers to be used that are owned by a given group. If this # configuration is undefined (commented or set to NULL), all containers are # allowed to be used. # # Only effective in setuid mode, with unprivileged user namespace creation # disabled. Ignored for the root user. #limit container groups = group1, apptainer, nobody # LIMIT CONTAINER PATHS: [STRING] # DEFAULT: NULL # Only allow containers to be used that are located within an allowed path # prefix. If this configuration is undefined (commented or set to NULL), # containers will be allowed to run from anywhere on the file system. # # Only effective in setuid mode, with unprivileged user namespace creation # disabled. Ignored for the root user. #limit container paths = /scratch, /tmp, /global # ALLOW CONTAINER ${TYPE}: [BOOL] # DEFAULT: yes # This feature limits what kind of containers that Apptainer will allow # users to use. # # Only effective in setuid mode, with unprivileged user namespace creation # disabled. Ignored for the root user. Note that some of the # same operations can be limited in setuid mode by the ALLOW SETUID-MOUNT # feature below; both types need to be "yes" to be allowed. # # Allow use of unencrypted SIF containers allow container sif = yes # # Allow use of encrypted SIF containers allow container encrypted = yes # # Allow use of non-SIF image formats allow container squashfs = yes allow container extfs = yes allow container dir = yes # ALLOW SETUID-MOUNT ${TYPE}: [see specific types below] # This feature limits what types of kernel mounts that Apptainer will # allow unprivileged users to use in setuid mode. Note that some of # the same operations can also be limited by the ALLOW CONTAINER feature # above; both types need to be "yes" to be allowed. Ignored for the root # user. # # ALLOW SETUID-MOUNT ENCRYPTED: [BOOL} # DEFAULT: yes # Allow mounting of SIF encryption using the kernel device-mapper in # setuid mode. If set to "no", gocryptfs (FUSE-based) encryption will be # used instead, which uses a different format in the SIF file, the same # format used in unprivileged user namespace mode. # allow setuid-mount encrypted = yes # # ALLOW SETUID-MOUNT SQUASHFS: [yes/no/iflimited] # DEFAULT: iflimited # Allow mounting of squashfs filesystem types by the kernel in setuid mode, # both inside and outside of SIF files. If set to "no", a FUSE-based # alternative will be used, the same one used in unprivileged user namespace # mode. If set to "iflimited" (the default), then if either a LIMIT CONTAINER # option is used above or the Execution Control List (ECL) feature is activated # in ecl.toml, this setting will be treated as "yes", and otherwise it will be # treated as "no". # WARNING: in setuid mode a "yes" here while still allowing users write # access to the underlying filesystem data enables potential attacks on # the kernel. On the other hand, a "no" here while attempting to limit # users to running only approved containers enables the users to potentially # override those limits using ptrace() functionality since the FUSE processes # run under the user's own uid. So leaving this on the default setting is # advised. # allow setuid-mount squashfs = iflimited # # ALLOW SETUID-MOUNT EXTFS: [BOOL] # DEFAULT: no # Allow mounting of extfs filesystem types by the kernel in setuid mode, both # inside and outside of SIF files. If set to "no", a FUSE-based alternative # will be used, the same one used in unprivileged user namespace mode. # WARNING: this filesystem type frequently has relevant kernel CVEs that take # a long time for vendors to patch because they are not considered to be High # severity since normally unprivileged users do not have write access to the # raw filesystem data. That leaves the kernel vulnerable to attack when # this option is enabled in setuid mode. That is why this option defaults to # "no". Change it at your own risk. # allow setuid-mount extfs = no # ALLOW NET USERS: [STRING] # DEFAULT: NULL # Allow specified root administered CNI network configurations to be used by the # specified list of users. By default only root may use CNI configuration, # except in the case of a fakeroot execution where only 40_fakeroot.conflist # is used. This feature only applies when Apptainer is running in # SUID mode and the user is non-root. #allow net users = gmk, apptainer # ALLOW NET GROUPS: [STRING] # DEFAULT: NULL # Allow specified root administered CNI network configurations to be used by the # specified list of users. By default only root may use CNI configuration, # except in the case of a fakeroot execution where only 40_fakeroot.conflist # is used. This feature only applies when Apptainer is running in # SUID mode and the user is non-root. #allow net groups = group1, apptainer # ALLOW NET NETWORKS: [STRING] # DEFAULT: NULL # Specify the names of CNI network configurations that may be used by users and # groups listed in the allow net users / allow net groups directives. Thus feature # only applies when Apptainer is running in SUID mode and the user is non-root. #allow net networks = bridge # ALWAYS USE NV ${TYPE}: [BOOL] # DEFAULT: no # This feature allows an administrator to determine that every action command # should be executed implicitly with the --nv option (useful for GPU only # environments). always use nv = no # USE NVIDIA-NVIDIA-CONTAINER-CLI ${TYPE}: [BOOL] # DEFAULT: no # EXPERIMENTAL # If set to yes, Apptainer will attempt to use nvidia-container-cli to setup # GPUs within a container when the --nv flag is enabled. # If no (default), the legacy binding of entries in nvbliblist.conf will be performed. use nvidia-container-cli = no # ALWAYS USE ROCM ${TYPE}: [BOOL] # DEFAULT: no # This feature allows an administrator to determine that every action command # should be executed implicitly with the --rocm option (useful for GPU only # environments). always use rocm = no # ROOT DEFAULT CAPABILITIES: [full/file/no] # DEFAULT: full # Define default root capability set kept during runtime # - full: keep all capabilities (same as --keep-privs) # - file: keep capabilities configured for root in # ${prefix}/etc/apptainer/capability.json # - no: no capabilities (same as --no-privs) root default capabilities = full # MEMORY FS TYPE: [tmpfs/ramfs] # DEFAULT: tmpfs # This feature allow to choose temporary filesystem type used by Apptainer. # Cray CLE 5 and 6 up to CLE 6.0.UP05 there is an issue (kernel panic) when Apptainer # use tmpfs, so on affected version it's recommended to set this value to ramfs to avoid # kernel panic memory fs type = tmpfs # CNI CONFIGURATION PATH: [STRING] # DEFAULT: Undefined # Defines path where CNI configuration files are stored #cni configuration path = # CNI PLUGIN PATH: [STRING] # DEFAULT: Undefined # Defines path where CNI executable plugins are stored #cni plugin path = # BINARY PATH: [STRING] # DEFAULT: $PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Colon-separated list of directories to search for many binaries. May include # "$PATH:", which will be replaced by the user's PATH when not running a binary # that may be run with elevated privileges from the setuid program flow. The # internal bin ${prefix}/libexec/apptainer/bin is always included, either at the # beginning of "$PATH:" if it is present or at the very beginning if "$PATH:" is # not present. # binary path = # MKSQUASHFS PROCS: [UINT] # DEFAULT: 0 (All CPUs) # This allows the administrator to specify the number of CPUs for mksquashfs # to use when building an image. The fewer processors the longer it takes. # To enable it to use all available CPU's set this to 0. # mksquashfs procs = 0 mksquashfs procs = 0 # MKSQUASHFS MEM: [STRING] # DEFAULT: Unlimited # This allows the administrator to set the maximum amount of memory for mkswapfs # to use when building an image. e.g. 1G for 1gb or 500M for 500mb. Restricting memory # can have a major impact on the time it takes mksquashfs to create the image. # NOTE: This functionality did not exist in squashfs-tools prior to version 4.3 # If using an earlier version you should not set this. # mksquashfs mem = 1G # SHARED LOOP DEVICES: [BOOL] # DEFAULT: no # Allow to share same images associated with loop devices to minimize loop # usage and optimize kernel cache (useful for MPI) shared loop devices = no # IMAGE DRIVER: [STRING] # DEFAULT: Undefined # This option specifies the name of an image driver provided by a plugin that # will be used to handle image mounts. This will override the builtin image # driver which provides unprivileged image mounts for squashfs, extfs, # overlayfs, and gocryptfs. The overlayfs image driver will only be used # if the kernel overlayfs is not usable, but if the 'enable overlay' option # above is set to 'driver', the image driver will always be used for overlay. # If the driver name specified has not been registered via a plugin installation # the run-time will abort. image driver = # DOWNLOAD CONCURRENCY: [UINT] # DEFAULT: 3 # This option specifies how many concurrent streams when downloading (pulling) # an image from cloud library. download concurrency = 3 # DOWNLOAD PART SIZE: [UINT] # DEFAULT: 5242880 # This option specifies the size of each part when concurrent downloads are # enabled. download part size = 5242880 # DOWNLOAD BUFFER SIZE: [UINT] # DEFAULT: 32768 # This option specifies the transfer buffer size when concurrent downloads # are enabled. download buffer size = 32768 # SYSTEMD CGROUPS: [BOOL] # DEFAULT: yes # Whether to use systemd to manage container cgroups. Required for rootless cgroups # functionality. 'no' will manage cgroups directly via cgroupfs. systemd cgroups = yes # APPTHEUS SOCKET PATH: [STRING] # DEFAULT: /run/apptheus/gateway.sock # Defines apptheus socket path apptheus socket path = /run/apptheus/gateway.sock # ALLOW MONITORING: [BOOL] # DEFAULT: no # Allow to monitor the system resource usage of apptainer. To enable this option # additional tool, i.e. apptheus, is required. allow monitoring = no