# SINGULARITY.CONF
# This is the global configuration file for Singularity. This file controls
# what the container is allowed to do on a particular host, and as a result
# this file must be owned by root.
# note: root ownership protects these settings only if the file and its
#       parent directory are not writable by other users; check the
#       permissions as well as the owner.


# ALLOW SETUID: [BOOL]
# DEFAULT: yes
# Should we allow users to utilize the setuid program flow within Singularity?
# note1: This is the default mode, and to utilize all features, this option
#        will need to be enabled.
# note2: If this option is disabled, it will rely on the user namespace
#        exclusively which has not been integrated equally between the different
#        Linux distributions.
allow setuid = {{ if eq .AllowSetuid true }}yes{{ else }}no{{ end }}


# MAX LOOP DEVICES: [INT]
# DEFAULT: 256
# Set the maximum number of loop devices that Singularity should ever attempt
# to utilize.
max loop devices = {{ .MaxLoopDevices }}


# ALLOW PID NS: [BOOL]
# DEFAULT: yes
# Should we allow users to request the PID namespace? Note that for some HPC
# resources, the PID namespace may confuse the resource manager and break how
# some MPI implementations utilize shared memory. (note, on some older
# systems, the PID namespace is always used)
allow pid ns = {{ if eq .AllowPidNs true }}yes{{ else }}no{{ end }}


# CONFIG PASSWD: [BOOL]
# DEFAULT: yes
# If /etc/passwd exists within the container, this will automatically append
# an entry for the calling user.
config passwd = {{ if eq .ConfigPasswd true }}yes{{ else }}no{{ end }}


# CONFIG GROUP: [BOOL]
# DEFAULT: yes
# If /etc/group exists within the container, this will automatically append
# group entries for the calling user.
config group = {{ if eq .ConfigGroup true }}yes{{ else }}no{{ end }}


# CONFIG RESOLV_CONF: [BOOL]
# DEFAULT: yes
# If there is a bind point within the container, use the host's
# /etc/resolv.conf.
config resolv_conf = {{ if eq .ConfigResolvConf true }}yes{{ else }}no{{ end }}


# MOUNT PROC: [BOOL]
# DEFAULT: yes
# Should we automatically bind mount /proc within the container?
mount proc = {{ if eq .MountProc true }}yes{{ else }}no{{ end }}


# MOUNT SYS: [BOOL]
# DEFAULT: yes
# Should we automatically bind mount /sys within the container?
mount sys = {{ if eq .MountSys true }}yes{{ else }}no{{ end }}


# MOUNT DEV: [yes/no/minimal]
# DEFAULT: yes
# Should we automatically bind mount /dev within the container? If 'minimal'
# is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will
# be included (the same effect as the --contain options)
mount dev = {{ .MountDev }}


# MOUNT DEVPTS: [BOOL]
# DEFAULT: yes
# Should we mount a new instance of devpts if there is a 'minimal'
# /dev, or -C is passed? Note, this requires that your kernel was
# configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're
# running kernel 4.7 or newer.
mount devpts = {{ if eq .MountDevPts true }}yes{{ else }}no{{ end }}


# MOUNT HOME: [BOOL]
# DEFAULT: yes
# Should we automatically determine the calling user's home directory and
# attempt to mount its base path into the container? If the --contain option
# is used, the home directory will be created within the session directory or
# can be overridden with the SINGULARITY_HOME or SINGULARITY_WORKDIR
# environment variables (or their corresponding command line options).
mount home = {{ if eq .MountHome true }}yes{{ else }}no{{ end }}


# MOUNT TMP: [BOOL]
# DEFAULT: yes
# Should we automatically bind mount /tmp and /var/tmp into the container? If
# the --contain option is used, both tmp locations will be created in the
# session directory or can be specified via the SINGULARITY_WORKDIR
# environment variable (or the --workingdir command line option).
mount tmp = {{ if eq .MountTmp true }}yes{{ else }}no{{ end }}


# MOUNT HOSTFS: [BOOL]
# DEFAULT: no
# Probe for all mounted file systems that are mounted on the host, and bind
# those into the container?
# note: 'yes' makes every file system mounted on the host visible inside the
#       container; keep the default 'no' unless that exposure is intended.
mount hostfs = {{ if eq .MountHostfs true }}yes{{ else }}no{{ end }}


# BIND PATH: [STRING]
# DEFAULT: Undefined
# Define a list of files/directories that should be made available from within
# the container. The file or directory must exist within the container on
# which to attach to. You can specify a different source and destination
# path (respectively) with a colon; otherwise source and dest are the same.
#bind path = /etc/singularity/default-nsswitch.conf:/etc/nsswitch.conf
#bind path = /opt
#bind path = /scratch
{{ range $path := .BindPath }}
{{- if ne $path "" -}}
bind path = {{$path}}
{{ end -}}
{{ end }}

# USER BIND CONTROL: [BOOL]
# DEFAULT: yes
# Allow users to influence and/or define bind points at runtime? This will allow
# users to specify bind points, scratch and tmp locations. (note: User bind
# control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS)
user bind control = {{ if eq .UserBindControl true }}yes{{ else }}no{{ end }}


# ENABLE OVERLAY: [yes/no/try]
# DEFAULT: try
# Enabling this option will make it possible to specify bind paths to locations
# that do not currently exist within the container. If 'try' is chosen,
# overlayfs will be tried but if it is unavailable it will be silently ignored.
enable overlay = {{ .EnableOverlay }}


# MOUNT SLAVE: [BOOL]
# DEFAULT: yes
# Should we automatically propagate file-system changes from the host?
# This should be set to 'yes' when autofs mounts in the system should
# show up in the container.
mount slave = {{ if eq .MountSlave true }}yes{{ else }}no{{ end }}


# SESSIONDIR MAXSIZE: [STRING]
# DEFAULT: 16
# This specifies how large the default sessiondir should be (in MB) and it will
# only affect users who use the "--contain" options and don't also specify a
# location to do default read/writes to (e.g. "--workdir" or "--home").
sessiondir max size = {{ .SessiondirMaxSize }}


# LIMIT CONTAINER OWNERS: [STRING]
# DEFAULT: NULL
# Only allow containers to be used that are owned by a given user. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#limit container owners = gmk, singularity, nobody
{{- /* NOTE(review): as laid out here, the key text "limit container owners ="
       sits inside the range body, so it is emitted once per list entry and the
       value starts on the following line. Confirm the rendered output matches
       the single comma-separated line in the example above. The groups and
       paths blocks further down have the same shape. */}}
{{ range $index, $owners := .LimitContainerOwners }}
limit container owners =
{{ if $index }}, {{ end }}{{$owners}}
{{- end }}

# LIMIT CONTAINER GROUPS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_GROUPS_DEFAULT@
# Only allow containers to be used that are owned by a given group. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#limit container groups = group1, singularity, nobody
{{ range $index, $groups := .LimitContainerGroups }}
limit container groups =
{{ if $index }}, {{ end }}{{$groups}}
{{- end }}

# LIMIT CONTAINER PATHS: [STRING]
# DEFAULT: NULL
# Only allow containers to be used that are located within an allowed path
# prefix. If this configuration is undefined (commented or set to NULL),
# containers will be allowed to run from anywhere on the file system. This
# feature only applies when Singularity is running in SUID mode and the user is
# non-root.
# note: this restriction is only as strong as the write permissions on the
#       listed prefixes; a prefix that any user can write to (such as /tmp in
#       the example below) lets any user place a container inside it.
#limit container paths = /scratch, /tmp, /global
{{ range $index, $paths := .LimitContainerPaths }}
limit container paths =
{{ if $index }}, {{ end }}{{$paths}}
{{- end }}

# ALLOW CONTAINER ${TYPE}: [BOOL]
# DEFAULT: yes
# This feature limits which kinds of containers Singularity will allow
# users to use (note: this does not apply to root).
allow container squashfs = {{ if eq .AllowContainerSquashfs true }}yes{{ else }}no{{ end }}
allow container extfs = {{ if eq .AllowContainerExtfs true }}yes{{ else }}no{{ end }}
allow container dir = {{ if eq .AllowContainerDir true }}yes{{ else }}no{{ end }}


# AUTOFS BUG PATH: [STRING]
# DEFAULT: Undefined
# Define a list of autofs directories which produce "Too many levels of symbolic
# links" errors when accessed from the container (typically bind mounts)
#autofs bug path = /nfs
#autofs bug path = /cifs-share
{{ range $path := .AutofsBugPath }}
{{- if ne $path "" -}}
autofs bug path = {{$path}}
{{ end -}}
{{ end }}

# ALWAYS USE NV ${TYPE}: [BOOL]
# DEFAULT: no
# This feature allows an administrator to determine that every action command
# should be executed implicitly with the --nv option (useful for GPU only
# environments).
always use nv = {{ if eq .AlwaysUseNv true }}yes{{ else }}no{{ end }}


# ROOT DEFAULT CAPABILITIES: [full/file/no]
# DEFAULT: no
# Define default root capability set kept during runtime
# - full: keep all capabilities (same as --keep-privs)
# - file: keep capabilities configured in ${prefix}/etc/singularity/capabilities/user.root
# - no: no capabilities (same as --no-privs)
# note: 'full' is the least restrictive of the three values; the default 'no'
#       keeps no capabilities.
root default capabilities = {{ .RootDefaultCapabilities }}


# MEMORY FS TYPE: [tmpfs/ramfs]
# DEFAULT: tmpfs
# This feature allows choosing the temporary filesystem type used by Singularity.
# On Cray CLE 5 and 6, up to CLE 6.0.UP05, there is an issue (kernel panic) when
# Singularity uses tmpfs, so on affected versions it's recommended to set this
# value to ramfs to avoid the kernel panic.
memory fs type = {{ .MemoryFSType }}