# SINGULARITY.CONF
# This is the global configuration file for Singularity. This file controls
# what the container is allowed to do on a particular host, and as a result
# this file must be owned by root.
#
# Format: one "key = value" per line; a '#' in column 0 starts a full-line
# comment. Some keys ("bind path", "autofs bug path") are repeated, one line
# per entry, to build a list.
# NOTE(review): this copy lives under etc/conf/testdata and is test input;
# a few values below differ from the DEFAULT documented next to them
# (max loop devices, root default capabilities) — presumably on purpose for
# the test, so they are left as-is here.


# ALLOW SETUID: [BOOL]
# DEFAULT: yes
# Should we allow users to utilize the setuid program flow within Singularity?
# note1: This is the default mode, and to utilize all features, this option
# will need to be enabled.
# note2: If this option is disabled, it will rely on the user namespace
# exclusively which has not been integrated equally between the different
# Linux distributions.
# note3 (review): this enables the privileged (setuid) code path; the
# root-ownership requirement stated in the header exists so that an
# unprivileged user cannot change what that path is allowed to do.
allow setuid = yes


# MAX LOOP DEVICES: [INT]
# DEFAULT: 256
# Set the maximum number of loop devices that Singularity should ever attempt
# to utilize.
# (this test input sets it below the documented default of 256)
max loop devices = 200


# ALLOW PID NS: [BOOL]
# DEFAULT: yes
# Should we allow users to request the PID namespace? Note that for some HPC
# resources, the PID namespace may confuse the resource manager and break how
# some MPI implementations utilize shared memory. (note, on some older
# systems, the PID namespace is always used)
allow pid ns = yes


# CONFIG PASSWD: [BOOL]
# DEFAULT: yes
# If /etc/passwd exists within the container, this will automatically append
# an entry for the calling user.
config passwd = yes


# CONFIG GROUP: [BOOL]
# DEFAULT: yes
# If /etc/group exists within the container, this will automatically append
# group entries for the calling user.
config group = yes


# CONFIG RESOLV_CONF: [BOOL]
# DEFAULT: yes
# If there is a bind point within the container, use the host's
# /etc/resolv.conf.
config resolv_conf = yes


# MOUNT PROC: [BOOL]
# DEFAULT: yes
# Should we automatically bind mount /proc within the container?
mount proc = yes


# MOUNT SYS: [BOOL]
# DEFAULT: yes
# Should we automatically bind mount /sys within the container?
mount sys = yes


# MOUNT DEV: [yes/no/minimal]
# DEFAULT: yes
# Should we automatically bind mount /dev within the container? If 'minimal'
# is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will
# be included (the same effect as the --contain option).
mount dev = yes


# MOUNT DEVPTS: [BOOL]
# DEFAULT: yes
# Should we mount a new instance of devpts if there is a 'minimal'
# /dev, or -C is passed? Note, this requires that your kernel was
# configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're
# running kernel 4.7 or newer.
mount devpts = yes


# MOUNT HOME: [BOOL]
# DEFAULT: yes
# Should we automatically determine the calling user's home directory and
# attempt to mount its base path into the container? If the --contain option
# is used, the home directory will be created within the session directory or
# can be overridden with the SINGULARITY_HOME or SINGULARITY_WORKDIR
# environment variables (or their corresponding command line options).
mount home = yes


# MOUNT TMP: [BOOL]
# DEFAULT: yes
# Should we automatically bind mount /tmp and /var/tmp into the container? If
# the --contain option is used, both tmp locations will be created in the
# session directory or can be specified via the SINGULARITY_WORKDIR
# environment variable (or the --workingdir command line option).
mount tmp = yes


# MOUNT HOSTFS: [BOOL]
# DEFAULT: no
# Probe for all mounted file systems that are mounted on the host, and bind
# those into the container? Leaving this at 'no' keeps host mounts out of the
# container unless they are listed explicitly via "bind path" below.
mount hostfs = no


# BIND PATH: [STRING]
# DEFAULT: Undefined
# Define a list of files/directories that should be made available from within
# the container. The destination file or directory must already exist within
# the container (but see "enable overlay" below). You can specify a different
# source and destination path (respectively) with a colon; otherwise source
# and dest are the same. Repeat the key once per bind point.
#bind path = /etc/singularity/default-nsswitch.conf:/etc/nsswitch.conf
#bind path = /opt
#bind path = /scratch
bind path = /etc/localtime
bind path = /etc/hosts


# USER BIND CONTROL: [BOOL]
# DEFAULT: yes
# Allow users to influence and/or define bind points at runtime? This will allow
# users to specify bind points, scratch and tmp locations. (note: User bind
# control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS)
user bind control = yes


# ENABLE OVERLAY: [yes/no/try]
# DEFAULT: try
# Enabling this option will make it possible to specify bind paths to locations
# that do not currently exist within the container. If 'try' is chosen,
# overlayfs will be tried but if it is unavailable it will be silently ignored
# (i.e. no warning is emitted when overlay support is missing).
enable overlay = try


# MOUNT SLAVE: [BOOL]
# DEFAULT: yes
# Should we automatically propagate file-system changes from the host?
# This should be set to 'yes' when autofs mounts in the system should
# show up in the container.
mount slave = yes


# SESSIONDIR MAX SIZE: [STRING]
# DEFAULT: 16
# This specifies how large the default sessiondir should be (in MB) and it will
# only affect users who use the "--contain" options and don't also specify a
# location to do default read/writes to (e.g. "--workdir" or "--home").
sessiondir max size = 16


# LIMIT CONTAINER OWNERS: [STRING]
# DEFAULT: NULL
# Only allow containers to be used that are owned by a given user. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#limit container owners = gmk, singularity, nobody


# LIMIT CONTAINER GROUPS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_GROUPS_DEFAULT@
# NOTE(review): the DEFAULT above is an unexpanded template placeholder. The
# sibling "limit container" options document NULL; confirm against the config
# generator rather than relying on this line.
# Only allow containers to be used that are owned by a given group. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#limit container groups = group1, singularity, nobody


# LIMIT CONTAINER PATHS: [STRING]
# DEFAULT: NULL
# Only allow containers to be used that are located within an allowed path
# prefix. If this configuration is undefined (commented or set to NULL),
# containers will be allowed to run from anywhere on the file system. This
# feature only applies when Singularity is running in SUID mode and the user is
# non-root.
# NOTE(review): all three "limit container ..." options are unset in this
# file, so in SUID mode a non-root user may run any container image (of a
# type allowed below) owned by anyone, from anywhere on the file system.
#limit container paths = /scratch, /tmp, /global


# ALLOW CONTAINER ${TYPE}: [BOOL]
# DEFAULT: yes
# This feature limits what kind of containers that Singularity will allow
# users to use (note this does not apply for root).
allow container squashfs = yes
allow container extfs = yes
allow container dir = yes


# AUTOFS BUG PATH: [STRING]
# DEFAULT: Undefined
# Define a list of autofs directories which produce "Too many levels of
# symbolic links" errors when accessed from the container (typically bind
# mounts). Repeat the key once per directory.
#autofs bug path = /nfs
#autofs bug path = /cifs-share


# ALWAYS USE NV: [BOOL]
# DEFAULT: no
# This feature allows an administrator to determine that every action command
# should be executed implicitly with the --nv option (useful for GPU only
# environments).
always use nv = no


# ROOT DEFAULT CAPABILITIES: [full/file/no]
# DEFAULT: no
# Define default root capability set kept during runtime
# - full: keep all capabilities (same as --keep-privs)
# - file: keep capabilities configured in ${prefix}/etc/singularity/capabilities/user.root
# - no: no capabilities (same as --no-privs)
# NOTE(review): this test input uses 'full', not the documented default 'no',
# so root keeps every capability inside the container.
root default capabilities = full


# ALLOW ROOT CAPABILITIES: [BOOL]
# DEFAULT: yes
# This allows root to gain/drop capabilities other than those defined
# by root default capabilities.
# Example:
# If root default capabilities = file and allow root capabilities = no,
# only capabilities defined in file ${prefix}/etc/singularity/capabilities/user.root
# could be obtained by root
allow root capabilities = yes


# ALLOW USER CAPABILITIES: [BOOL]
# DEFAULT: no
# This allows a user to gain capabilities based on a whitelist managed by the
# administrator (requires recent kernel >= 4.3)
allow user capabilities = no


# MEMORY FS TYPE: [tmpfs/ramfs]
# DEFAULT: tmpfs
# This option selects the temporary filesystem type used by Singularity.
# On Cray CLE 5 and 6 up to CLE 6.0.UP05 there is an issue (kernel panic) when
# Singularity uses tmpfs, so on affected versions it is recommended to set this
# value to ramfs to avoid the kernel panic.
memory fs type = tmpfs