Created
September 10, 2018 06:12
-
-
Save gavanderhoorn/446b49ee11ab3405d075a3f05d0843b8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SINGULARITY.CONF | |
| # This is the global configuration file for Singularity. This file controls | |
| # what the container is allowed to do on a particular host, and as a result | |
| # this file must be owned by root. | |
| # ALLOW SETUID: [BOOL] | |
| # DEFAULT: yes | |
| # Should we allow users to utilize the setuid program flow within Singularity? | |
| # note1: This is the default mode, and to utilize all features, this option | |
| # will need to be enabled. | |
| # note2: If this option is disabled, it will rely on the user namespace | |
| # exclusively which has not been integrated equally between the different | |
| # Linux distributions. | |
| allow setuid = yes | |
| # MAX LOOP DEVICES: [INT] | |
| # DEFAULT: 256 | |
| # Set the maximum number of loop devices that Singularity should ever attempt | |
| # to utilize. | |
| max loop devices = 256 | |
| # ALLOW PID NS: [BOOL] | |
| # DEFAULT: yes | |
| # Should we allow users to request the PID namespace? Note that for some HPC | |
| # resources, the PID namespace may confuse the resource manager and break how | |
| # some MPI implementations utilize shared memory. (note, on some older | |
| # systems, the PID namespace is always used) | |
| allow pid ns = yes | |
| # CONFIG PASSWD: [BOOL] | |
| # DEFAULT: yes | |
| # If /etc/passwd exists within the container, this will automatically append | |
| # an entry for the calling user. | |
| config passwd = yes | |
| # CONFIG GROUP: [BOOL] | |
| # DEFAULT: yes | |
| # If /etc/group exists within the container, this will automatically append | |
| # group entries for the calling user. | |
| config group = yes | |
| # CONFIG RESOLV_CONF: [BOOL] | |
| # DEFAULT: yes | |
| # If there is a bind point within the container, use the host's | |
| # /etc/resolv.conf. | |
| config resolv_conf = yes | |
| # MOUNT PROC: [BOOL] | |
| # DEFAULT: yes | |
| # Should we automatically bind mount /proc within the container? | |
| mount proc = yes | |
| # MOUNT SYS: [BOOL] | |
| # DEFAULT: yes | |
| # Should we automatically bind mount /sys within the container? | |
| mount sys = yes | |
| # MOUNT DEV: [yes/no/minimal] | |
| # DEFAULT: yes | |
| # Should we automatically bind mount /dev within the container? If 'minimal' | |
| # is chosen, then only 'null', 'zero', 'random', 'urandom', and 'shm' will | |
| # be included (the same effect as the --contain options) | |
| mount dev = yes | |
| # MOUNT DEVPTS: [BOOL] | |
| # DEFAULT: yes | |
| # Should we mount a new instance of devpts if there is a 'minimal' | |
| # /dev, or -C is passed? Note, this requires that your kernel was | |
| # configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, or that you're | |
| # running kernel 4.7 or newer. | |
| mount devpts = yes | |
| # MOUNT HOME: [BOOL] | |
| # DEFAULT: yes | |
| # Should we automatically determine the calling user's home directory and | |
| # attempt to mount it's base path into the container? If the --contain option | |
| # is used, the home directory will be created within the session directory or | |
| # can be overridden with the SINGULARITY_HOME or SINGULARITY_WORKDIR | |
| # environment variables (or their corresponding command line options). | |
| mount home = yes | |
| # MOUNT TMP: [BOOL] | |
| # DEFAULT: yes | |
| # Should we automatically bind mount /tmp and /var/tmp into the container? If | |
| # the --contain option is used, both tmp locations will be created in the | |
| # session directory or can be specified via the SINGULARITY_WORKDIR | |
| # environment variable (or the --workingdir command line option). | |
| mount tmp = yes | |
| # MOUNT HOSTFS: [BOOL] | |
| # DEFAULT: no | |
| # Probe for all mounted file systems that are mounted on the host, and bind | |
| # those into the container? | |
| mount hostfs = no | |
| # BIND PATH: [STRING] | |
| # DEFAULT: Undefined | |
| # Define a list of files/directories that should be made available from within | |
| # the container. The file or directory must exist within the container on | |
| # which to attach to. you can specify a different source and destination | |
| # path (respectively) with a colon; otherwise source and dest are the same. | |
| # NOTE: these are ignored if singularity is invoked with --contain. | |
| #bind path = /etc/singularity/default-nsswitch.conf:/etc/nsswitch.conf | |
| #bind path = /opt | |
| #bind path = /scratch | |
| bind path = /etc/localtime | |
| bind path = /etc/hosts | |
| # USER BIND CONTROL: [BOOL] | |
| # DEFAULT: yes | |
| # Allow users to influence and/or define bind points at runtime? This will allow | |
| # users to specify bind points, scratch and tmp locations. (note: User bind | |
| # control is only allowed if the host also supports PR_SET_NO_NEW_PRIVS) | |
| user bind control = yes | |
| # ENABLE OVERLAY: [yes/no/try] | |
| # DEFAULT: try | |
| # Enabling this option will make it possible to specify bind paths to locations | |
| # that do not currently exist within the container. If 'try' is chosen, | |
| # overlayfs will be tried but if it is unavailable it will be silently ignored. | |
| enable overlay = try | |
| # MOUNT SLAVE: [BOOL] | |
| # DEFAULT: yes | |
| # Should we automatically propagate file-system changes from the host? | |
| # This should be set to 'yes' when autofs mounts in the system should | |
| # show up in the container. | |
| mount slave = yes | |
| # SESSIONDIR MAXSIZE: [STRING] | |
| # DEFAULT: 16 | |
| # This specifies how large the default sessiondir should be (in MB) and it will | |
| # only affect users who use the "--contain" options and don't also specify a | |
| # location to do default read/writes to (e.g. "--workdir" or "--home"). | |
| sessiondir max size = 16 | |
| # LIMIT CONTAINER OWNERS: [STRING] | |
| # DEFAULT: NULL | |
| # Only allow containers to be used that are owned by a given user. If this | |
| # configuration is undefined (commented or set to NULL), all containers are | |
| # allowed to be used. This feature only applies when Singularity is running in | |
| # SUID mode and the user is non-root. | |
| #limit container owners = gmk, singularity, nobody | |
| # LIMIT CONTAINER GROUPS: [STRING] | |
| # DEFAULT: NULL | |
| # Only allow containers to be used that are owned by a given group. If this | |
| # configuration is undefined (commented or set to NULL), all containers are | |
| # allowed to be used. This feature only applies when Singularity is running in | |
| # SUID mode and the user is non-root. | |
| #limit container groups = group1, singularity, nobody | |
| # LIMIT CONTAINER PATHS: [STRING] | |
| # DEFAULT: NULL | |
| # Only allow containers to be used that are located within an allowed path | |
| # prefix. If this configuration is undefined (commented or set to NULL), | |
| # containers will be allowed to run from anywhere on the file system. This | |
| # feature only applies when Singularity is running in SUID mode and the user is | |
| # non-root. | |
| #limit container paths = /scratch, /tmp, /global | |
| # ALLOW CONTAINER ${TYPE}: [BOOL] | |
| # DEFAULT: yes | |
| # This feature limits what kind of containers that Singularity will allow | |
| # users to use (note this does not apply for root). | |
| allow container squashfs = yes | |
| allow container extfs = yes | |
| allow container dir = yes | |
| # AUTOFS BUG PATH: [STRING] | |
| # DEFAULT: Undefined | |
| # Define list of autofs directories which produces "Too many levels of symbolink links" | |
| # errors when accessed from container (typically bind mounts) | |
| #autofs bug path = /nfs | |
| #autofs bug path = /cifs-share |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment