Apptainer
Last updated
Was this helpful?
Last updated
Was this helpful?
is the most widely used container system for HPC. It is designed to execute applications at bare-metal performance while being secure, portable, and 100% reproducible. Apptainer is an open-source project with a friendly community of developers and users. The user base continues to expand, with Apptainer/Singularity now used across industry and academia in many areas of work.
is a container platform. It allows you to create and run containers that package up pieces of software in a way that is portable and reproducible. You can build a container using Apptainer on your laptop, and then run it on many of the largest HPC clusters in the world, local university or company clusters, a single server, in the cloud, or on a workstation down the hall. Your container is a single file, and you don’t have to worry about how to install all the software you need on each different operating system.
Apptainer allows for more secure containers than docker without the need for root access.
From .
Apptainer allows you to:
Build on a personal computer with root or on a shared system with fakeroot.
Move images between systems easily.
Execute on a shared system without root.
Apptainer is designed for HPC:
Defaults to running as the current user
Defaults to mounting the home directory in /home/$USER
Defaults to running as a program (not background process)
Apptainer also has great support with Docker images.
docker
thunderx
zenith
Other systems can have Apptainer installed by request.
%setup
is a scriplet which runs outside the container and can modify the host. Use ${APPTAINER_ROOTFS}
to access the files in the Apptainer image.
Environment variables defined in %environment
are available only after the build, so if you need access to them for the build, define them in the %post
section.
NFS filesystems support overlay mounts as a lowerdir
only, and do not support user-namespace (sub)uid/gid mapping.
Containers run from SIF files located on an NFS filesystem do not have restrictions.
In setuid mode, you cannot use --overlay mynfsdir/
to overlay a directory onto a container when the overlay (upperdir) directory is on an NFS filesystem. In non-setuid mode and fuse-overlayfs it is allowed but will be read-only.
When using --fakeroot
and /etc/subuid
mappings to build or run a container, your TMPDIR
/ APPTAINER_TMPDIR
should not be set to an NFS location.
You should not run a sandbox container with --fakeroot
and /etc/subuid
mappings from an NFS location.
These container registry also work with Apptainer images.
Follow the regular instructions to setup Harbor. Then see the commands below for an Apptainer specific reference.
Create a robot account in Harbor using the regular method.
Then use the CI environment variables APPTAINER_DOCKER_USERNAME
and APPTAINER_DOCKER_PASSWORD
to specify the robot username and token. Make sure to deselect Expand variable reference since the username has a ‘$’ in it.
It is helpful to add commonly needed bind paths to /etc/apptainer/apptainer.conf
. I have added the following bind commands to Zenith:
Apptainer mounts $HOME
, /sys:/sys
, /proc:/proc
, /tmp:/tmp
, /var/tmp:/var/tmp
, /etc/resolv.conf:/etc/resolv.conf
, /etc/passwd:/etc/passwd
, and $PWD
by default and run in ~
by default. This means you can change files in your home directory by running with Apptainer. This is different from Docker which creates a container (overlay in Apptainer) by default for the application to run in. See .
To mount another location when running Apptainer, use the --bind
option. For example to mount /noback
use --bind /noback:/noback
. See .
Admins can specify default bind points in /etc/apptainer/apptainer.conf
. See
When creating a definition file, pay attention to the rules for each section. See For example:
To use --fakeroot
you must first have fakeroot configured for that user. This can be done with the command sudo apptainer config fakeroot --add <user>
. See
To use X11 applications in Apptainer with over , you need to bind /var/opt/thinlinc
with --bind /var/opt/thinlinc
since that is where the user’s XAuthority file is stored.
sandbox
image build mode along with fakeroot
can help if one needs to apt-get install
or yum install
packages within a singularity / apptainer container and persist the mutable image out on disk: .
From .
See for general information for how to use the ORNL Container Repositories. These sites and are the internal and external container repositories running .
ORNL uses can also look at this page for more details on using containers at ORNL.