# SINGULARITY.CONF # This is the global configuration file for Singularity. This file controls # what the container is allowed to do on a particular host, and as a result # this file must be owned by root. # ALLOW SETUID: [BOOL] # DEFAULT: yes # Should we allow users to utilize the setuid program flow within Singularity? # note1: This is the default mode, and to utilize all features, this option # will need to be enabled. # note2: If this option is disabled, it will rely on the user namespace # exclusively which has not been integrated equally between the different # Linux distributions. allow setuid = yes # MAX LOOP DEVICES: [INT] # DEFAULT: 256 # Set the maximum number of loop devices that Singularity should ever attempt # to utilize. max loop devices = 256 # ALLOW PID NS: [BOOL] # DEFAULT: yes # Should we allow users to request the PID namespace? Note that for some HPC # resources, the PID namespace may confuse the resource manager and break how # some MPI implementations utilize shared memory. (note, on some older # systems, the PID namespace is always used) allow pid ns = yes # CONFIG PASSWD: [BOOL] # DEFAULT: yes # If /etc/passwd exists within the container, this will automatically append # an entry for the calling user. config passwd = yes # CONFIG GROUP: [BOOL] # DEFAULT: yes # If /etc/group exists within the container, this will automatically append # group entries for the calling user. config group = yes # CONFIG RESOLV_CONF: [BOOL] # DEFAULT: yes # If there is a bind point within the container, use the host's # /etc/resolv.conf. config resolv_conf = yes # MOUNT PROC: [BOOL] # DEFAULT: yes # Should we automatically bind mount /proc within the container? mount proc = yes # MOUNT SYS: [BOOL] # DEFAULT: yes # Should we automatically bind mount /sys within the container? mount sys = yes # MOUNT DEV: [yes/no/minimal] # DEFAULT: yes # Should we automatically bind mount /dev within the container? If 'minimal' # is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will # be included (the same effect as the --contain options) mount dev = yes # MOUNT DEVPTS: [BOOL] # DEFAULT: yes # Should we mount a new instance of devpts if there is a 'minimal' # /dev, or -C is passed? Note, this requires that your kernel was # configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're # running kernel 4.7 or newer. mount devpts = yes # MOUNT HOME: [BOOL] # DEFAULT: yes # Should we automatically determine the calling user's home directory and # attempt to mount it's base path into the container? If the --contain option # is used, the home directory will be created within the session directory or # can be overridden with the SINGULARITY_HOME or SINGULARITY_WORKDIR # environment variables (or their corresponding command line options). mount home = yes # MOUNT TMP: [BOOL] # DEFAULT: yes # Should we automatically bind mount /tmp and /var/tmp into the container? If # the --contain option is used, both tmp locations will be created in the # session directory or can be specified via the SINGULARITY_WORKDIR # environment variable (or the --workingdir command line option). mount tmp = yes # MOUNT HOSTFS: [BOOL] # DEFAULT: no # Probe for all mounted file systems that are mounted on the host, and bind # those into the container? mount hostfs = no # BIND PATH: [STRING] # DEFAULT: Undefined # Define a list of files/directories that should be made available from within # the container. The file or directory must exist within the container on # which to attach to. you can specify a different source and destination # path (respectively) with a colon; otherwise source and dest are the same. #bind path = /etc/singularity/default-nsswitch.conf:/etc/nsswitch.conf #bind path = /opt #bind path = /scratch bind path = /etc/localtime bind path = /etc/hosts # USER BIND CONTROL: [BOOL] # DEFAULT: yes # Allow users to influence and/or define bind points at runtime? This will allow # users to specify bind points, scratch and tmp locations. (note: User bind # control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS) user bind control = yes # ENABLE OVERLAY: [yes/no/try] # DEFAULT: try # Enabling this option will make it possible to specify bind paths to locations # that do not currently exist within the container. If 'try' is chosen, # overlayfs will be tried but if it is unavailable it will be silently ignored. enable overlay = try # MOUNT SLAVE: [BOOL] # DEFAULT: yes # Should we automatically propagate file-system changes from the host? # This should be set to 'yes' when autofs mounts in the system should # show up in the container. mount slave = yes # SESSIONDIR MAXSIZE: [STRING] # DEFAULT: 16 # This specifies how large the default sessiondir should be (in MB) and it will # only affect users who use the "--contain" options and don't also specify a # location to do default read/writes to (e.g. "--workdir" or "--home"). sessiondir max size = 16 # LIMIT CONTAINER OWNERS: [STRING] # DEFAULT: NULL # Only allow containers to be used that are owned by a given user. If this # configuration is undefined (commented or set to NULL), all containers are # allowed to be used. This feature only applies when Singularity is running in # SUID mode and the user is non-root. #limit container owners = gmk, singularity, nobody # LIMIT CONTAINER GROUPS: [STRING] # DEFAULT: NULL # Only allow containers to be used that are owned by a given group. If this # configuration is undefined (commented or set to NULL), all containers are # allowed to be used. This feature only applies when Singularity is running in # SUID mode and the user is non-root. #limit container groups = group1, singularity, nobody # LIMIT CONTAINER PATHS: [STRING] # DEFAULT: NULL # Only allow containers to be used that are located within an allowed path # prefix. If this configuration is undefined (commented or set to NULL), # containers will be allowed to run from anywhere on the file system. This # feature only applies when Singularity is running in SUID mode and the user is # non-root. #limit container paths = /scratch, /tmp, /global # ALLOW CONTAINER ${TYPE}: [BOOL] # DEFAULT: yes # This feature limits what kind of containers that Singularity will allow # users to use (note this does not apply for root). allow container squashfs = yes allow container extfs = yes allow container dir = yes # AUTOFS BUG PATH: [STRING] # DEFAULT: Undefined # Define list of autofs directories which produces "Too many levels of symbolink links" # errors when accessed from container (typically bind mounts) #autofs bug path = /nfs #autofs bug path = /cifs-share