’Docker-like’ mode #75
Assignees
Labels
Milestone
Comments
dtrudg
referenced
this issue
in dtrudg/singularity
Aug 11, 2021
It is common for users to run docker containers that expect more isolation than is default in Singularity, and that can create files on startup. This is a simple short-hand to enable `--contain-all, --no-init, --no-umask, --writable-tmpfs`. These options give the best change of an OCI/Docker container working as expected but *without* requiring the user/uts/net namespaces that we can't rely on in all installations / configurations of SingularityCE. Fixes: #75
dtrudg
referenced
this issue
in dtrudg/singularity
Aug 11, 2021
It is common for users to run docker containers that expect more isolation than is default in Singularity, and that can create files on startup. This is a simple short-hand to enable `--contain-all, --no-init, --no-umask, --writable-tmpfs`. These options give the best chance of an OCI/Docker container working as expected but *without* requiring the user/uts/net namespaces that we can't rely on in all installations / configurations of SingularityCE. Fixes: #75
dtrudg
referenced
this issue
in dtrudg/singularity
Aug 11, 2021
It is common for users to run docker containers that expect more isolation than is default in Singularity, and that can create files on startup. This is a simple short-hand to enable `--contain-all, --no-init, --no-umask, --writable-tmpfs`. These options give the best chance of an OCI/Docker container working as expected but *without* requiring the user/uts/net namespaces that we can't rely on in all installations / configurations of SingularityCE. Fixes: #75
dtrudg
referenced
this issue
in dtrudg/singularity
Aug 11, 2021
It is common for users to run docker containers that expect more isolation than is default in Singularity, and that can create files on startup. This is a simple short-hand to enable `--contain-all, --no-init, --no-umask, --writable-tmpfs`. These options give the best chance of an OCI/Docker container working as expected but *without* requiring the user/uts/net namespaces that we can't rely on in all installations / configurations of SingularityCE. Fixes: #75
DrDaveD
pushed a commit
to DrDaveD/singularity
that referenced
this issue
Oct 6, 2021
It is common for users to run docker containers that expect more isolation than is default in Singularity, and that can create files on startup. This is a simple short-hand to enable `--contain-all, --no-init, --no-umask, --writable-tmpfs`. These options give the best chance of an OCI/Docker container working as expected but *without* requiring the user/uts/net namespaces that we can't rely on in all installations / configurations of Singularity. Fixes: sylabs/singularity#75
DrDaveD
pushed a commit
to DrDaveD/singularity
that referenced
this issue
Oct 8, 2021
It is common for users to run docker containers that expect more isolation than is default in Singularity, and that can create files on startup. This is a simple short-hand to enable `--contain-all, --no-init, --no-umask, --writable-tmpfs`. These options give the best chance of an OCI/Docker container working as expected but *without* requiring the user/uts/net namespaces that we can't rely on in all installations / configurations of Singularity. Fixes: sylabs/singularity#75
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
Users may run
docker://containers, be surprised when the lack of$HOMEisolation etc. impacts behavior, and not understand which flags are needed to resolve issues.Describe the solution you'd like
By default, SingularityCE runs containers far less isolated from the host than Docker - relying on system restrictions on the user. This is very convenient for traditional HPC-like jobs, but some Docker containers can have conflicts with files and other things that enter the container from the host. We have a number of flags such as
--containto work around this, but it’s often unclear which are needed. A shortcut to apply the most ‘docker-like’, but practical configuration would be useful.Describe alternatives you've considered
Documentation improvements could assist the issue by providing better guidance, but a single flag for docker like behavior is a more accessible solution.
The text was updated successfully, but these errors were encountered: