sylabs / singularity-admindocs Goto Github PK

We should reflect sylabs/singularity#366 in the install docs here.

E.g.

Native mode uses same SIF format as Singularity 3.x

Singularity 3.x cannot run OCI-SIF produced by Singularity 4.x

Which Document page:

docs.sylabs.io/guides/3.11/admin-guide/installation.html

Expected results:

An up-to-date (in service) virtual machine image with a supported OS

Actual results:

The virtual machine is based on the now EOL Ubuntu 18.04 Bionic

https://sylabs.io/guides/3.8/admin-guide/installation.html#installation-on-linux

Download SingularityCE from a release

BASH Snippet

export VERSION=3.8.0 && # adjust this as necessary \
    wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-ce-${VERSION}.tar.gz && \
    tar -xzf singularity-ce-${VERSION}.tar.gz && \
    cd singularity-ce-{$VERSION}

has a typo in the last line. It should be

cd singularity-ce-"${VERSION}"

Which Document page:

To use Vagrant on Mac
https://docs.sylabs.io/guides/3.10/admin-guide/installation.html#mac

Expected results:

Installing SingularityCE on Macbook PRO (2017) using the command:

$ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
$ brew install --cask virtualbox vagrant vagrant-manager

Actual results:

Running on MacOS Ventura, the command indicates Ruby Homebrew installer has been disabled

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" 
Error: The Ruby Homebrew installer is now disabled and has been rewritten in
Bash. Please migrate to the following command:
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

The updated command was successful
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)

In the security discussion, cleary document the posture of OCI mode.

• It is intended to be used by non-root users, in which case it is unprivileged (except for call-out to distro provided newuidmap / newgidmap which are setuid).
• It does not aim to provide full isolation / prevent container escape when run as root. This has never been a goal of Singularity, and is a difference from other OCI runtimes.

As title.

Ensure it is documented under what circumstances SingularityCE will us kernel unprivileged overlay, and under what circumstances fuse-overlayfs is required.

The singularity.conf directives are all listed as capitalized, but they are specified in lower case in the config file.

Many distributions do not provide sqfstar or tar2sqfs, required for OCI-mode. Provide instructions of how to obtain them.

Ensure the suffix is used consistently so there is clear differentiation.

• #81
• #80
• #79
• #78
• #77
• #76
• #75
• #82
• #84

• #97
• #98
• #99
• #100
• #101
• #102
• #103
• #104
• #105
• #106
• #107
• #108

As a major update, there should be a top-level section that gives a quick overview of the most important changes, from an admin perspective.

• The experimental --sif-fuse flag, and sif fuse directive in singularity.conf are deprecated. The flag and directive were used to enable experimental mounting of SIF/SquashFS container images with FUSE in prior versions of Singularity. From 4.1, FUSE mounts are used automatically when kernel mounts are disabled / not available.

Ref: apptainer/singularity#5454

remote add --insecure may be used to configure endpoints that are only accessible via http.

Dear all,
I am not able to connect to internet from inside the container, I tried different tools and container and always same. if I "ping google.com" always is bad request which means no internet. I have tried to bind the /etc/resolv.conf but still not working.
Any help is highly appreciated!

The --apply-cgroups flag can be used to apply cgroups resource and device restrictions on a system using the v2 unified cgroups hierarchy. The resource restrictions must still be specified in the v1 / OCI format, which will be translated into v2 cgroups resource restrictions, and eBPF device restrictions.

After the main branch has been branched to 4.0, bump versions etc. in config.py and replacements.py

Document requirements for singularity-buildkitd Dockerfile builds.

Review the entire admin quickstart. Verify / update install instructions, update OCI compatibility notes. Verify other sections are accurate.

In the configuration files -> capabilities.json section, document that OCI mode has different default capabilities and cap addition / dropping behaviour.

Document the user namespace, uid mapping, runc/crun, and other binary requirements of OCI mode.

Note in configfiles.rst the scope of the ECL restrictions to SIF only...

The execution control list that can be used to restrict the execution
of SIF files by signing key is defined here. You can authorize the
containers by validating both the location of the SIF file in the
filesystem and by checking against a list of signing entities.

.. warning::

   The ECL configuration applies to SIF container images only. To lock
   down execution fully you should disable execution of other
   container types (squashfs/extfs/dir) via the ``singularity.conf``
   file ``allow container`` settings.

Singularity Desktop for Mac is no longer updated. Provide instructions for vagrant on Mac.

EL6 and Ubuntu 16.04 references should be removed as these are EOL, unsupported distros.

• A new --keep-layers flag, for the pull and run/shell/exec/instance start commands, allows individual layers to be preserved when an OCI-SIF image is created from an OCI source. Multi layer OCI-SIF images can be run with SingularityCE 4.1 and later.

Example log-plugin rewritten as a CLI callback that can log all commands executed, instead of only container execution, and has access to command arguments.

Some functionality is limited in OCI mode, depending on the underlying distribution, version of crun / runc etc.

We should identify and document the limitations, at least across:

• Ubuntu 20.04 / 22.04
• EL 7 / 8 / 9
• SLES / Leap 12 / 15

Verify / update full installation instructions.

We should try to provide something better for Mac, if we can. See #60

Paths for cryptsetup, go, ldconfig, mksquashfs, nvidia-container-cli, unsquashfs are now found at build time by mconfig and written into singularity.conf. The path to these executables can be overridden by changing the value in singularity.conf. If the path is not set in singularity.conf then the the executable will be found by searching $PATH.

When calling ldconfig to find GPU libraries, singularity will not fall back to /sbin/ldconfig if the ldconfig on $PATH errors. If installing in a Guix/Nix on environment on top of a standard host distribution you must set ldconfig path = /sbin/ldconfig to use the host distribution ldconfig to find GPU libraries.

The experimental --nvccli flag will use nvidia-container-cli to setup the container for Nvidia GPU operation. SingularityCE will not bind GPU libraries itself. Environment variables that are used with Nvidia's docker-nvidia runtime to configure GPU visibility / driver capabilities & requirements are parsed by the --nvccli flag from the environment of the calling user. By default, the compute and utility GPU capabilities are configured. The use nvidia-container-cli option in singularity.conf can be set to yes to always use nvidia-container-cli when supported. Note that in a setuid install, nvidia-container-cli will be run as root with required ambient capabilities. --nvccli is not currently supported in the hybrid fakeroot (setuid install + --fakeroot) workflow. Please see documentation for more details.

Document requirements and admin configuration

• In native mode, SIF/SquashFS container images will now be mounted with
  squashfuse when kernel mounts are disabled in singularity.conf, or cannot be
  used (non-setuid / user namespace workflow). If the FUSE mount fails,
  Singularity will fall back to extracting the container to a temporary sandbox
  in order to run it.
• In native mode, bare extfs container images will now be mounted with
  fuse2fs when kernel mounts are disabled in singularity.conf, or cannot be
  used (non-setuid / user namespace workflow).