github.com/apptainer/singularity@v3.1.1+incompatible/internal/pkg/runtime/engines/singularity/config/data/singularity.conf (about) 1 # SINGULARITY.CONF 2 # This is the global configuration file for Singularity. This file controls 3 # what the container is allowed to do on a particular host, and as a result 4 # this file must be owned by root and writable only by root. 5 6 # ALLOW SETUID: [BOOL] 7 # DEFAULT: yes 8 # Should we allow users to utilize the setuid program flow within Singularity? 9 # note1: This is the default mode, and to utilize all features, this option 10 # must be enabled. For example, without this option loop mounts of image 11 # files will not work; only sandbox image directories, which do not need loop 12 # mounts, will work (subject to note 2). 13 # note2: If this option is disabled, Singularity will rely on unprivileged user 14 # namespaces, which have not been integrated equally across different Linux 15 # distributions. 16 allow setuid = {{ if eq .AllowSetuid true }}yes{{ else }}no{{ end }} 17 18 # MAX LOOP DEVICES: [INT] 19 # DEFAULT: 256 20 # Set the maximum number of loop devices that Singularity should ever attempt 21 # to utilize. 22 max loop devices = {{ .MaxLoopDevices }} 23 24 # ALLOW PID NS: [BOOL] 25 # DEFAULT: yes 26 # Should we allow users to request the PID namespace? Note that for some HPC 27 # resources, the PID namespace may confuse the resource manager and break how 28 # some MPI implementations utilize shared memory. (note: on some older 29 # systems, the PID namespace is always used) 30 allow pid ns = {{ if eq .AllowPidNs true }}yes{{ else }}no{{ end }} 31 32 # CONFIG PASSWD: [BOOL] 33 # DEFAULT: yes 34 # If /etc/passwd exists within the container, this will automatically append 35 # an entry for the calling user. 36 config passwd = {{ if eq .ConfigPasswd true }}yes{{ else }}no{{ end }} 37 38 # CONFIG GROUP: [BOOL] 39 # DEFAULT: yes 40 # If /etc/group exists within the container, this will automatically append 41 # group entries for the calling user.
42 config group = {{ if eq .ConfigGroup true }}yes{{ else }}no{{ end }} 43 44 # CONFIG RESOLV_CONF: [BOOL] 45 # DEFAULT: yes 46 # If there is a bind point within the container, use the host's 47 # /etc/resolv.conf. 48 config resolv_conf = {{ if eq .ConfigResolvConf true }}yes{{ else }}no{{ end }} 49 50 # MOUNT PROC: [BOOL] 51 # DEFAULT: yes 52 # Should we automatically bind mount /proc within the container? 53 mount proc = {{ if eq .MountProc true }}yes{{ else }}no{{ end }} 54 55 # MOUNT SYS: [BOOL] 56 # DEFAULT: yes 57 # Should we automatically bind mount /sys within the container? 58 mount sys = {{ if eq .MountSys true }}yes{{ else }}no{{ end }} 59 60 # MOUNT DEV: [yes/no/minimal] 61 # DEFAULT: yes 62 # Should we automatically bind mount /dev within the container? If 'minimal' 63 # is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will 64 # be included (the same effect as the --contain option) 65 mount dev = {{ .MountDev }} 66 67 # MOUNT DEVPTS: [BOOL] 68 # DEFAULT: yes 69 # Should we mount a new instance of devpts if there is a 'minimal' 70 # /dev, or -C is passed? Note: this requires that your kernel was 71 # configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're 72 # running kernel 4.7 or newer. 73 mount devpts = {{ if eq .MountDevPts true }}yes{{ else }}no{{ end }} 74 75 # MOUNT HOME: [BOOL] 76 # DEFAULT: yes 77 # Should we automatically determine the calling user's home directory and 78 # attempt to mount its base path into the container? If the --contain option 79 # is used, the home directory will be created within the session directory or 80 # can be overridden with the SINGULARITY_HOME or SINGULARITY_WORKDIR 81 # environment variables (or their corresponding command line options). 82 mount home = {{ if eq .MountHome true }}yes{{ else }}no{{ end }} 83 84 # MOUNT TMP: [BOOL] 85 # DEFAULT: yes 86 # Should we automatically bind mount /tmp and /var/tmp into the container?
If 87 # the --contain option is used, both tmp locations will be created in the 88 # session directory or can be specified via the SINGULARITY_WORKDIR 89 # environment variable (or the --workingdir command line option). 90 mount tmp = {{ if eq .MountTmp true }}yes{{ else }}no{{ end }} 91 92 # MOUNT HOSTFS: [BOOL] 93 # DEFAULT: no 94 # Probe for all file systems mounted on the host, and bind them into the 95 # container? 96 mount hostfs = {{ if eq .MountHostfs true }}yes{{ else }}no{{ end }} 97 98 # BIND PATH: [STRING] 99 # DEFAULT: Undefined 100 # Define a list of files/directories that should be made available from within 101 # the container. The destination file or directory must already exist within 102 # the container for the bind to attach to. You can specify a different source and 103 # destination path (respectively) with a colon; otherwise source and dest are the same. 104 #bind path = /etc/singularity/default-nsswitch.conf:/etc/nsswitch.conf 105 #bind path = /opt 106 #bind path = /scratch 107 {{ range $path := .BindPath }} 108 {{- if ne $path "" -}} 109 bind path = {{$path}} 110 {{ end -}} 111 {{ end }} 112 # USER BIND CONTROL: [BOOL] 113 # DEFAULT: yes 114 # Allow users to influence and/or define bind points at runtime? This will allow 115 # users to specify bind points, scratch and tmp locations. (note: User bind 116 # control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS) 117 user bind control = {{ if eq .UserBindControl true }}yes{{ else }}no{{ end }} 118 119 # ENABLE OVERLAY: [yes/no/try] 120 # DEFAULT: try 121 # Enabling this option will make it possible to specify bind paths to locations 122 # that do not currently exist within the container. If 'try' is chosen, 123 # overlayfs will be tried, but if it is unavailable it will be silently ignored.
124 enable overlay = {{ .EnableOverlay }} 125 126 # ENABLE UNDERLAY: [yes/no] 127 # DEFAULT: yes 128 # Enabling this option will make it possible to specify bind paths to locations 129 # that do not currently exist within the container even if overlay is not 130 # working. If overlay is available, it will be tried first. 131 enable underlay = {{ if eq .EnableUnderlay true }}yes{{ else }}no{{ end }} 132 133 # MOUNT SLAVE: [BOOL] 134 # DEFAULT: yes 135 # Should we automatically propagate file-system changes from the host? 136 # This should be set to 'yes' when autofs mounts in the system should 137 # show up in the container. 138 mount slave = {{ if eq .MountSlave true }}yes{{ else }}no{{ end }} 139 140 # SESSIONDIR MAXSIZE: [STRING] 141 # DEFAULT: 16 142 # This specifies how large the default sessiondir should be (in MB) and it will 143 # only affect users who use the "--contain" options and don't also specify a 144 # location to do default read/writes to (e.g. "--workdir" or "--home"). 145 sessiondir max size = {{ .SessiondirMaxSize }} 146 147 # LIMIT CONTAINER OWNERS: [STRING] 148 # DEFAULT: NULL 149 # Only allow containers to be used that are owned by a given user. If this 150 # configuration is undefined (commented or set to NULL), all containers are 151 # allowed to be used. This feature only applies when Singularity is running in 152 # SUID mode and the user is non-root. 153 #limit container owners = gmk, singularity, nobody 154 {{ range $index, $owners := .LimitContainerOwners }} 155 limit container owners = 156 {{ if $index }}, {{ end }}{{$owners}} 157 {{- end }} 158 # LIMIT CONTAINER GROUPS: [STRING] 159 # DEFAULT: NULL 160 # Only allow containers to be used that are owned by a given group. If this 161 # configuration is undefined (commented or set to NULL), all containers are 162 # allowed to be used. This feature only applies when Singularity is running in 163 # SUID mode and the user is non-root. 
164 #limit container groups = group1, singularity, nobody 165 {{ range $index, $groups := .LimitContainerGroups }} 166 limit container groups = 167 {{ if $index }}, {{ end }}{{$groups}} 168 {{- end }} 169 # LIMIT CONTAINER PATHS: [STRING] 170 # DEFAULT: NULL 171 # Only allow containers to be used that are located within an allowed path 172 # prefix. If this configuration is undefined (commented or set to NULL), 173 # containers will be allowed to run from anywhere on the file system. This 174 # feature only applies when Singularity is running in SUID mode and the user is 175 # non-root. 176 #limit container paths = /scratch, /tmp, /global 177 {{ range $index, $paths := .LimitContainerPaths }} 178 limit container paths = 179 {{ if $index }}, {{ end }}{{$paths}} 180 {{- end }} 181 # ALLOW CONTAINER ${TYPE}: [BOOL] 182 # DEFAULT: yes 183 # This feature limits what kinds of container images Singularity will allow 184 # users to run (note: this does not apply to root). 185 allow container squashfs = {{ if eq .AllowContainerSquashfs true }}yes{{ else }}no{{ end }} 186 allow container extfs = {{ if eq .AllowContainerExtfs true }}yes{{ else }}no{{ end }} 187 allow container dir = {{ if eq .AllowContainerDir true }}yes{{ else }}no{{ end }} 188 189 # AUTOFS BUG PATH: [STRING] 190 # DEFAULT: Undefined 191 # Define a list of autofs directories which produce "Too many levels of symbolic links" 192 # errors when accessed from the container (typically bind mounts) 193 #autofs bug path = /nfs 194 #autofs bug path = /cifs-share 195 {{ range $path := .AutofsBugPath }} 196 {{- if ne $path "" -}} 197 autofs bug path = {{$path}} 198 {{ end -}} 199 {{ end }} 200 # ALWAYS USE NV ${TYPE}: [BOOL] 201 # DEFAULT: no 202 # This feature allows an administrator to determine that every action command 203 # should be executed implicitly with the --nv option (useful for GPU-only 204 # environments).
205 always use nv = {{ if eq .AlwaysUseNv true }}yes{{ else }}no{{ end }} 206 207 # ROOT DEFAULT CAPABILITIES: [full/file/no] 208 # DEFAULT: no 209 # Define the default capability set that root keeps during runtime 210 # - full: keep all capabilities (same as --keep-privs) 211 # - file: keep capabilities configured in ${prefix}/etc/singularity/capabilities/user.root 212 # - no: no capabilities (same as --no-privs) 213 root default capabilities = {{ .RootDefaultCapabilities }} 214 215 # MEMORY FS TYPE: [tmpfs/ramfs] 216 # DEFAULT: tmpfs 217 # This feature allows choosing the temporary filesystem type used by Singularity. 218 # On Cray CLE 5 and 6 up to CLE 6.0.UP05 there is an issue (kernel panic) when Singularity 219 # uses tmpfs, so on affected versions it is recommended to set this value to ramfs to avoid 220 # the kernel panic. 221 memory fs type = {{ .MemoryFSType }} 222 223 # CNI CONFIGURATION PATH: [STRING] 224 # DEFAULT: Undefined 225 # Defines the path where CNI configuration files are stored 226 #cni configuration path = 227 {{ if ne .CniConfPath "" }}cni configuration path = {{ .CniConfPath }}{{ end }} 228 # CNI PLUGIN PATH: [STRING] 229 # DEFAULT: Undefined 230 # Defines the path where CNI executable plugins are stored 231 #cni plugin path = 232 {{ if ne .CniPluginPath "" }}cni plugin path = {{ .CniPluginPath }}{{ end }} 233 # MKSQUASHFS PATH: [STRING] 234 # DEFAULT: Undefined 235 # This allows the administrator to specify the location of mksquashfs if it is not 236 # installed in a standard system location 237 # mksquashfs path = 238 {{ if ne .MksquashfsPath "" }}mksquashfs path = {{ .MksquashfsPath }}{{ end }} 239 # SHARED LOOP DEVICES: [BOOL] 240 # DEFAULT: no 241 # Allow the same image to share a single loop device, to minimize loop device 242 # usage and optimize the kernel cache (useful for MPI) 243 shared loop devices = {{ if eq .SharedLoopDevices true }}yes{{ else }}no{{ end }}