Permalink
Fetching contributors…
Cannot retrieve contributors at this time
242 lines (187 sloc) 9.09 KB
# SINGULARITY.CONF
# This is the global configuration file for Singularity. This file controls
# what the container is allowed to do on a particular host, and as a result
# this file must be owned by root.
# ALLOW SETUID: [BOOL]
# DEFAULT: @ALLOW_SETUID_DEFAULT@
# Should we allow users to utilize the setuid program flow within Singularity?
# note1: This is the default mode, and to utilize all features, this option
# will need to be enabled.
# note2: If this option is disabled, it will rely on the user namespace
# exclusively which has not been integrated equally between the different
# Linux distributions.
@ALLOW_SETUID@ = @ALLOW_SETUID_DEFAULT@
# MAX LOOP DEVICES: [INT]
# DEFAULT: @MAX_LOOP_DEVS_DEFAULT@
# Set the maximum number of loop devices that Singularity should ever attempt
# to utilize.
@MAX_LOOP_DEVS@ = @MAX_LOOP_DEVS_DEFAULT@
# ALLOW PID NS: [BOOL]
# DEFAULT: @ALLOW_PID_NS_DEFAULT@
# Should we allow users to request the PID namespace? Note that for some HPC
# resources, the PID namespace may confuse the resource manager and break how
# some MPI implementations utilize shared memory. (note, on some older
# systems, the PID namespace is always used)
@ALLOW_PID_NS@ = @ALLOW_PID_NS_DEFAULT@
# CONFIG PASSWD: [BOOL]
# DEFAULT: @CONFIG_PASSWD_DEFAULT@
# If /etc/passwd exists within the container, this will automatically append
# an entry for the calling user.
@CONFIG_PASSWD@ = @CONFIG_PASSWD_DEFAULT@
# CONFIG GROUP: [BOOL]
# DEFAULT: @CONFIG_GROUP_DEFAULT@
# If /etc/group exists within the container, this will automatically append
# group entries for the calling user.
@CONFIG_GROUP@ = @CONFIG_GROUP_DEFAULT@
# CONFIG RESOLV_CONF: [BOOL]
# DEFAULT: @CONFIG_RESOLV_CONF_DEFAULT@
# If there is a bind point within the container, use the host's
# /etc/resolv.conf.
@CONFIG_RESOLV_CONF@ = @CONFIG_RESOLV_CONF_DEFAULT@
# MOUNT PROC: [BOOL]
# DEFAULT: @MOUNT_PROC_DEFAULT@
# Should we automatically bind mount /proc within the container?
@MOUNT_PROC@ = @MOUNT_PROC_DEFAULT@
# MOUNT SYS: [BOOL]
# DEFAULT: @MOUNT_SYS_DEFAULT@
# Should we automatically bind mount /sys within the container?
@MOUNT_SYS@ = @MOUNT_SYS_DEFAULT@
# MOUNT DEV: [yes/no/minimal]
# DEFAULT: @MOUNT_DEV_DEFAULT@
# Should we automatically bind mount /dev within the container? If 'minimal'
# is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will
# be included (the same effect as the --contain options)
@MOUNT_DEV@ = @MOUNT_DEV_DEFAULT@
# MOUNT DEVPTS: [BOOL]
# DEFAULT: @MOUNT_DEVPTS_DEFAULT@
# Should we mount a new instance of devpts if there is a 'minimal'
# /dev, or -C is passed? Note, this requires that your kernel was
# configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're
# running kernel 4.7 or newer.
@MOUNT_DEVPTS@ = @MOUNT_DEVPTS_DEFAULT@
# MOUNT HOME: [BOOL]
# DEFAULT: @MOUNT_HOME_DEFAULT@
# Should we automatically determine the calling user's home directory and
# attempt to mount it's base path into the container? If the --contain option
# is used, the home directory will be created within the session directory or
# can be overridden with the SINGULARITY_HOME or SINGULARITY_WORKDIR
# environment variables (or their corresponding command line options).
@MOUNT_HOME@ = @MOUNT_HOME_DEFAULT@
# MOUNT TMP: [BOOL]
# DEFAULT: @MOUNT_TMP_DEFAULT@
# Should we automatically bind mount /tmp and /var/tmp into the container? If
# the --contain option is used, both tmp locations will be created in the
# session directory or can be specified via the SINGULARITY_WORKDIR
# environment variable (or the --workingdir command line option).
@MOUNT_TMP@ = @MOUNT_TMP_DEFAULT@
# MOUNT HOSTFS: [BOOL]
# DEFAULT: @MOUNT_HOSTFS_DEFAULT@
# Probe for all mounted file systems that are mounted on the host, and bind
# those into the container?
@MOUNT_HOSTFS@ = @MOUNT_HOSTFS_DEFAULT@
# BIND PATH: [STRING]
# DEFAULT: Undefined
# Define a list of files/directories that should be made available from within
# the container. The file or directory must exist within the container on
# which to attach to. you can specify a different source and destination
# path (respectively) with a colon; otherwise source and dest are the same.
#bind path = /etc/singularity/default-nsswitch.conf:/etc/nsswitch.conf
#bind path = /opt
#bind path = /scratch
bind path = /etc/localtime
bind path = /etc/hosts
# USER BIND CONTROL: [BOOL]
# DEFAULT: @USER_BIND_CONTROL_DEFAULT@
# Allow users to influence and/or define bind points at runtime? This will allow
# users to specify bind points, scratch and tmp locations. (note: User bind
# control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS)
@USER_BIND_CONTROL@ = @USER_BIND_CONTROL_DEFAULT@
# ENABLE OVERLAY: [yes/no/try]
# DEFAULT: @ENABLE_OVERLAY_DEFAULT@
# Enabling this option will make it possible to specify bind paths to locations
# that do not currently exist within the container. If 'try' is chosen,
# overlayfs will be tried but if it is unavailable it will be silently ignored.
@ENABLE_OVERLAY@ = @ENABLE_OVERLAY_DEFAULT@
# MOUNT SLAVE: [BOOL]
# DEFAULT: @MOUNT_SLAVE_DEFAULT@
# Should we automatically propagate file-system changes from the host?
# This should be set to 'yes' when autofs mounts in the system should
# show up in the container.
@MOUNT_SLAVE@ = @MOUNT_SLAVE_DEFAULT@
# SESSIONDIR MAXSIZE: [STRING]
# DEFAULT: @SESSIONDIR_MAXSIZE_DEFAULT@
# This specifies how large the default sessiondir should be (in MB) and it will
# only affect users who use the "--contain" options and don't also specify a
# location to do default read/writes to (e.g. "--workdir" or "--home").
@SESSIONDIR_MAXSIZE@ = @SESSIONDIR_MAXSIZE_DEFAULT@
# LIMIT CONTAINER OWNERS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_OWNERS_DEFAULT@
# Only allow containers to be used that are owned by a given user. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#@LIMIT_CONTAINER_OWNERS@ = gmk, singularity, nobody
# LIMIT CONTAINER GROUPS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_GROUPS_DEFAULT@
# Only allow containers to be used that are owned by a given group. If this
# configuration is undefined (commented or set to NULL), all containers are
# allowed to be used. This feature only applies when Singularity is running in
# SUID mode and the user is non-root.
#@LIMIT_CONTAINER_GROUPS@ = group1, singularity, nobody
# LIMIT CONTAINER PATHS: [STRING]
# DEFAULT: @LIMIT_CONTAINER_PATHS_DEFAULT@
# Only allow containers to be used that are located within an allowed path
# prefix. If this configuration is undefined (commented or set to NULL),
# containers will be allowed to run from anywhere on the file system. This
# feature only applies when Singularity is running in SUID mode and the user is
# non-root.
#@LIMIT_CONTAINER_PATHS@ = /scratch, /tmp, /global
# ALLOW CONTAINER ${TYPE}: [BOOL]
# DEFAULT: yes
# This feature limits what kind of containers that Singularity will allow
# users to use (note this does not apply for root).
@ALLOW_CONTAINER_SQUASHFS@ = @ALLOW_CONTAINER_SQUASHFS_DEFAULT@
@ALLOW_CONTAINER_EXTFS@ = @ALLOW_CONTAINER_EXTFS_DEFAULT@
@ALLOW_CONTAINER_DIR@ = @ALLOW_CONTAINER_DIR_DEFAULT@
# MKSQUASHFS LOCATION ${TYPE}: [STRING]
# DEFAULT: @MKSQUASHFS_LOCATION_DEFAULT@
# The mksquashfs command is necessary to use the build command. If your
# mksquashfs is installed outside of the following directories:
# /bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
# you can specify the full path to it here. For example:
# mksquashfs location = /opt/bin/mksquashfs
@MKSQUASHFS_LOCATION@ = @MKSQUASHFS_LOCATION_DEFAULT@
# AUTOFS BUG PATH: [STRING]
# DEFAULT: Undefined
# Define list of autofs directories which produces "Too many levels of symbolink links"
# errors when accessed from container (typically bind mounts)
#autofs bug path = /nfs
#autofs bug path = /cifs-share
# ALWAYS USE NV ${TYPE}: [BOOL]
# DEFAULT: no
# This feature allows an administrator to determine that every action command
# should be executed implicitely with the --nv option (useful for GPU only
# environments).
@ALWAYS_USE_NV@ = @ALWAYS_USE_NV_DEFAULT@
# ROOT DEFAULT CAPABILITIES: [full/file/default/no]
# DEFAULT: no
# Define default root capability set kept during runtime
# - full: keep all capabilities (same as --keep-privs)
# - file: keep capabilities configured in ${prefix}/etc/singularity/capabilities/user.root
# - default: keep capabilities required by singularity binary
# - no: no capabilities (same as --no-privs)
@ROOT_DEFAULT_CAPABILITIES@ = @ROOT_DEFAULT_CAPABILITIES_DEFAULT@
# ALLOW_ROOT CAPABILITIES: [BOOL]
# DEFAULT: yes
# This allows root to gain/drop capabilities other than those defined
# by root default capabilities.
# Example:
# If root default capabilities = file and allow root capabilities = no,
# only capabilities defined in file ${prefix}/etc/singularity/capabilities/user.root
# could be obtained by root
@ALLOW_ROOT_CAPABILITIES@ = @ALLOW_ROOT_CAPABILITIES_DEFAULT@
# ALLOW USER CAPABILITIES: [BOOL]
# DEFAULT: no
# This allows user to gain capabilities based on whitelist managed by administrator
# (requires recent kernel >= 4.3)
@ALLOW_USER_CAPABILITIES@ = @ALLOW_USER_CAPABILITIES_DEFAULT@