Apptainer Without Setuid
Conference · OSTI ID:1886029 · Fermilab
Apptainer (formerly known as Singularity) has, since its beginning, implemented many of its container features with the assistance of a setuid-root program. It still supports that mode, but as of version 1.1.0 it no longer uses setuid by default. This is feasible because it can now mount squash filesystems, mount ext2/3/4 filesystems, and use overlayfs by means of unprivileged user namespaces and FUSE. It also now enables unprivileged users to build containers, and unlike other "rootless" container systems it does so without requiring system administrators to configure /etc/subuid and /etc/subgid. As a result, all of the unprivileged functions can be used nested inside another container, even when the outer container runtime prevents any elevation of privileges.
- Research Organization: Fermi National Accelerator Laboratory (FNAL), Batavia, IL (United States)
- Sponsoring Organization: USDOE Office of Science (SC), High Energy Physics (HEP) (SC-25)
- DOE Contract Number: AC02-07CH11359
- OSTI ID: 1886029
- Report Number(s): FERMILAB-CONF-22-642-SCD; arXiv:2208.12106; oai:inspirehep.net:2148816
- Country of Publication: United States
- Language: English
Similar Records
- A fully unprivileged CernVM-FS (Journal Article · Sun Nov 15 19:00:00 EST 2020 · EPJ Web of Conferences (Online) · OSTI ID:1623366)
- Scaling a Podman Container Factory in the Cloud (Technical Report · Thu Feb 20 23:00:00 EST 2025 · OSTI ID:2573569)
- Userspace Squash Filesystem for Launching Linux Containers on HPC Systems [Thesis] (Technical Report · Thu Jun 23 00:00:00 EDT 2022 · OSTI ID:1874141)