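# SINGULARITY.CONF
# This is the global configuration file for Singularity. This file controls
# what the container is allowed to do on a particular host, and as a result
# this file must be owned by root and should not be writable by any other user.
#
# Tokens of the form @NAME@ are template placeholders that are substituted when
# this .in file is rendered; a deployed configuration should contain none of them.


# ALLOW SETUID: [BOOL]
# DEFAULT: @ALLOW_SETUID_DEFAULT@
# Should we allow users to utilize the setuid program flow within Singularity?
# note1: This is the default mode, and to utilize all features, this option
# will need to be enabled.
# note2: If this option is disabled, it will rely on the user namespace
# exclusively which has not been integrated equally between the different
# Linux distributions.
@ALLOW_SETUID@ = @ALLOW_SETUID_DEFAULT@


# MAX LOOP DEVICES: [INT]
# DEFAULT: @MAX_LOOP_DEVS_DEFAULT@
# Set the maximum number of loop devices that Singularity should ever attempt
# to utilize.
@MAX_LOOP_DEVS@ = @MAX_LOOP_DEVS_DEFAULT@


# ALLOW PID NS: [BOOL]
# DEFAULT: @ALLOW_PID_NS_DEFAULT@
# Should we allow users to request the PID namespace? Note that for some HPC
# resources, the PID namespace may confuse the resource manager and break how
# some MPI implementations utilize shared memory. (note, on some older
# systems, the PID namespace is always used)
@ALLOW_PID_NS@ = @ALLOW_PID_NS_DEFAULT@


# CONFIG PASSWD: [BOOL]
# DEFAULT: @CONFIG_PASSWD_DEFAULT@
# If /etc/passwd exists within the container, this will automatically append
# an entry for the calling user.
@CONFIG_PASSWD@ = @CONFIG_PASSWD_DEFAULT@


# CONFIG GROUP: [BOOL]
# DEFAULT: @CONFIG_GROUP_DEFAULT@
# If /etc/group exists within the container, this will automatically append
# group entries for the calling user.
@CONFIG_GROUP@ = @CONFIG_GROUP_DEFAULT@


# CONFIG RESOLV_CONF: [BOOL]
# DEFAULT: @CONFIG_RESOLV_CONF_DEFAULT@
# If there is a bind point within the container, use the host's
# /etc/resolv.conf.
@CONFIG_RESOLV_CONF@ = @CONFIG_RESOLV_CONF_DEFAULT@


# MOUNT PROC: [BOOL]
# DEFAULT: @MOUNT_PROC_DEFAULT@
# Should we automatically bind mount /proc within the container?
@MOUNT_PROC@ = @MOUNT_PROC_DEFAULT@


# MOUNT SYS: [BOOL]
# DEFAULT: @MOUNT_SYS_DEFAULT@
# Should we automatically bind mount /sys within the container?
@MOUNT_SYS@ = @MOUNT_SYS_DEFAULT@


# MOUNT DEV: [yes/no/minimal]
# DEFAULT: @MOUNT_DEV_DEFAULT@
# Should we automatically bind mount /dev within the container? If 'minimal'
# is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will
# be included (the same effect as the --contain option)
@MOUNT_DEV@ = @MOUNT_DEV_DEFAULT@


# MOUNT DEVPTS: [BOOL]
# DEFAULT: @MOUNT_DEVPTS_DEFAULT@
# Should we mount a new instance of devpts if there is a 'minimal'
# /dev, or -C is passed? Note, this requires that your kernel was
# configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're
# running kernel 4.7 or newer.
@MOUNT_DEVPTS@ = @MOUNT_DEVPTS_DEFAULT@


# MOUNT HOME: [BOOL]
# DEFAULT: @MOUNT_HOME_DEFAULT@
# Should we automatically determine the calling user's home directory and
# attempt to mount its base path into the container? If the --contain option
# is used, the home directory will be created within the session directory or
# can be overridden with the SINGULARITY_HOME or SINGULARITY_WORKDIR
# environment variables (or their corresponding command line options).
@MOUNT_HOME@ = @MOUNT_HOME_DEFAULT@


# MOUNT TMP: [BOOL]
# DEFAULT: @MOUNT_TMP_DEFAULT@
# Should we automatically bind mount /tmp and /var/tmp into the container? If
# the --contain option is used, both tmp locations will be created in the
# session directory or can be specified via the SINGULARITY_WORKDIR
# environment variable (or the --workingdir command line option).
@MOUNT_TMP@ = @MOUNT_TMP_DEFAULT@


# MOUNT HOSTFS: [BOOL]
# DEFAULT: @MOUNT_HOSTFS_DEFAULT@
# Probe for all mounted file systems that are mounted on the host, and bind
# those into the container?
@MOUNT_HOSTFS@ = @MOUNT_HOSTFS_DEFAULT@


# BIND PATH: [STRING]
# DEFAULT: Undefined
# Define a list of files/directories that should be made available from within
# the container. The file or directory must exist within the container on
# which to attach to. You can specify a different source and destination
# path (respectively) with a colon; otherwise source and dest are the same.
# This key may be repeated; each line adds one bind point.
#bind path = /etc/singularity/default-nsswitch.conf:/etc/nsswitch.conf
#bind path = /opt
#bind path = /scratch
bind path = /etc/localtime
bind path = /etc/hosts


# USER BIND CONTROL: [BOOL]
# DEFAULT: @USER_BIND_CONTROL_DEFAULT@
# Allow users to influence and/or define bind points at runtime? This will allow
# users to specify bind points, scratch and tmp locations. (note: User bind
# control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS)
@USER_BIND_CONTROL@ = @USER_BIND_CONTROL_DEFAULT@


# ENABLE OVERLAY: [yes/no/try]
# DEFAULT: @ENABLE_OVERLAY_DEFAULT@
# Enabling this option will make it possible to specify bind paths to locations
# that do not currently exist within the container. If 'try' is chosen,
# overlayfs will be tried but if it is unavailable it will be silently ignored.
@ENABLE_OVERLAY@ = @ENABLE_OVERLAY_DEFAULT@


# MOUNT SLAVE: [BOOL]
# DEFAULT: @MOUNT_SLAVE_DEFAULT@
# Should we automatically propagate file-system changes from the host?
# This should be set to 'yes' when autofs mounts in the system should
# show up in the container.
@MOUNT_SLAVE@ = @MOUNT_SLAVE_DEFAULT@


# SESSIONDIR MAXSIZE: [STRING]
# DEFAULT: @SESSIONDIR_MAXSIZE_DEFAULT@
# This specifies how large the default sessiondir should be (in MB) and it will
# only affect users who use the "--contain" options and don't also specify a
# location to do default read/writes to (e.g. "--workdir" or "--home").
@SESSIONDIR_MAXSIZE@ = @SESSIONDIR_MAXSIZE_DEFAULT@


# LIMIT CONTAINER OWNERS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_OWNERS_DEFAULT@
# Only allow containers to be used that are owned by a given user. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#@LIMIT_CONTAINER_OWNERS@ = gmk, singularity, nobody


# LIMIT CONTAINER GROUPS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_GROUPS_DEFAULT@
# Only allow containers to be used that are owned by a given group. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#@LIMIT_CONTAINER_GROUPS@ = group1, singularity, nobody


# LIMIT CONTAINER PATHS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_PATHS_DEFAULT@
# Only allow containers to be used that are located within an allowed path
# prefix. If this configuration is undefined (commented or set to NULL),
# containers will be allowed to run from anywhere on the file system. This
# feature only applies when Singularity is running in SUID mode and the user is
# non-root.
#@LIMIT_CONTAINER_PATHS@ = /scratch, /tmp, /global


# ALLOW CONTAINER ${TYPE}: [BOOL]
# DEFAULT: yes
# This feature limits what kind of containers that Singularity will allow
# users to use (note this does not apply for root).
@ALLOW_CONTAINER_SQUASHFS@ = @ALLOW_CONTAINER_SQUASHFS_DEFAULT@
@ALLOW_CONTAINER_EXTFS@ = @ALLOW_CONTAINER_EXTFS_DEFAULT@
@ALLOW_CONTAINER_DIR@ = @ALLOW_CONTAINER_DIR_DEFAULT@


# MKSQUASHFS LOCATION: [STRING]
# DEFAULT: @MKSQUASHFS_LOCATION_DEFAULT@
# The mksquashfs command is necessary to use the build command. If your
# mksquashfs is installed outside of the following directories:
# /bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
# you can specify the full path to it here. For example:
# mksquashfs location = /opt/bin/mksquashfs
# Since this names a program that will be executed, it should be an absolute
# path to a binary that only root can modify.
@MKSQUASHFS_LOCATION@ = @MKSQUASHFS_LOCATION_DEFAULT@


# AUTOFS BUG PATH: [STRING]
# DEFAULT: Undefined
# Define a list of autofs directories which produce "Too many levels of symbolic links"
# errors when accessed from the container (typically bind mounts).
#autofs bug path = /nfs
#autofs bug path = /cifs-share


# ALWAYS USE NV: [BOOL]
# DEFAULT: no
# This feature allows an administrator to determine that every action command
# should be executed implicitly with the --nv option (useful for GPU only
# environments).
@ALWAYS_USE_NV@ = @ALWAYS_USE_NV_DEFAULT@


# ROOT DEFAULT CAPABILITIES: [full/file/default/no]
# DEFAULT: no
# Define the default root capability set kept during runtime:
# - full: keep all capabilities (same as --keep-privs)
# - file: keep capabilities configured in ${prefix}/etc/singularity/capabilities/user.root
# - default: keep capabilities required by the singularity binary
# - no: no capabilities (same as --no-privs)
@ROOT_DEFAULT_CAPABILITIES@ = @ROOT_DEFAULT_CAPABILITIES_DEFAULT@


# ALLOW ROOT CAPABILITIES: [BOOL]
# DEFAULT: yes
# This allows root to gain/drop capabilities other than those defined
# by root default capabilities.
# Example:
# If root default capabilities = file and allow root capabilities = no,
# only capabilities defined in file ${prefix}/etc/singularity/capabilities/user.root
# could be obtained by root.
@ALLOW_ROOT_CAPABILITIES@ = @ALLOW_ROOT_CAPABILITIES_DEFAULT@


# ALLOW USER CAPABILITIES: [BOOL]
# DEFAULT: no
# This allows users to gain capabilities based on a whitelist managed by the
# administrator (requires recent kernel >= 4.3).
@ALLOW_USER_CAPABILITIES@ = @ALLOW_USER_CAPABILITIES_DEFAULT@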