Building without elevated privileges with --fakeroot
The fakeroot feature (commonly referred to as rootless mode) allows an unprivileged user to run a container as a "fake root" user by leveraging user namespace UID/GID mapping.
A "fake root" user has almost the same administrative rights as root but only inside the container and the requested namespaces, which means that this user:
- can set different user/group ownership for files or directories they own
- can change user/group identity with su/sudo commands
- has full privileges inside the requested namespaces (network, ipc, uts)
Note
Many computer centers do not allow the use of "fake root", and an attempt to build triggers the following error:
$ singularity build --fakeroot lolcow.sif lolcow.def
FATAL: could not use fakeroot: no mapping entry found in /etc/subuid for user
UPDATE 2022.10.19: Alvis and Rackham support building Singularity containers with apptainer / singularity
UPDATE 2023.03.08: Kebnekaise supports building containers with apptainer fakeroot option (Apptainer available on the command-line)
$ apptainer build lolcow.sif lolcow.def
INFO: Detected Singularity user configuration directory
INFO: User not listed in /etc/subuid, trying root-mapped namespace
INFO: The %post section will be run under fakeroot
INFO: Starting build...
...
INFO: Adding environment to container
INFO: Adding runscript
INFO: Creating SIF file...
INFO: Build complete: lolcow.sif
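Both messages above ("no mapping entry found in /etc/subuid" and "User not listed in /etc/subuid") depend on whether the user has a subordinate ID range. The following pre-flight check is an added example, not part of the original page or of Singularity/Apptainer; the function names are hypothetical, and checking /etc/subgid alongside /etc/subuid is an addition here because the group mapping is configured the same way.

```shell
#!/bin/sh
# Added example: pre-flight check for --fakeroot builds.
# Mapping files hold lines of the form name-or-uid:start:count (see subuid(5)).

# subid_range FILE USER [UID]
# Prints "start count" for the first valid entry; returns 1 if there is none.
subid_range() {
    file=$1; user=$2; uid=${3:-}
    [ -r "$file" ] || return 1
    awk -F: -v u="$user" -v id="$uid" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # ignore comment-like and blank lines
        ($1 == u || (id != "" && $1 == id)) &&
        $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 > 0 {
            print $2, $3; found = 1; exit
        }
        END { exit !found }
    ' "$file"
}

# fakeroot_check USER UID [SUBUID_FILE] [SUBGID_FILE]
# Reports each file; returns 0 only when both UID and GID mappings exist.
fakeroot_check() {
    user=$1; uid=$2
    subuid=${3:-/etc/subuid}; subgid=${4:-/etc/subgid}
    rc=0
    for f in "$subuid" "$subgid"; do
        if range=$(subid_range "$f" "$user" "$uid"); then
            echo "$f: $user mapped (start count = $range)"
        else
            echo "$f: no mapping entry for $user"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed mapping file (not a real /etc/subuid).
demo=$(mktemp)
printf '%s\n' 'alice:100000:65536' '1002:165536:65536' > "$demo"
fakeroot_check alice 1001 "$demo" "$demo" || true   # mapped by name
fakeroot_check carol 1003 "$demo" "$demo" || true   # no entry
rm -f "$demo"
```

On a cluster, call `fakeroot_check "$(id -un)" "$(id -u)"` before building; a non-zero return corresponds to the missing-mapping case shown in the messages above.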
Handy environmental variables for use on HPC clusters
Environment variables that help you redirect potentially large folders to an alternative location - keep in mind that your $HOME folder is relatively small in size.
export PROJECT=project_folder
export SINGULARITY_CACHEDIR=/proj/${PROJECT}/nobackup/SINGULARITY_CACHEDIR
export SINGULARITY_TMPDIR=/proj/${PROJECT}/nobackup/SINGULARITY_TMPDIR
export APPTAINER_CACHEDIR=/proj/${PROJECT}/nobackup/SINGULARITY_CACHEDIR
export APPTAINER_TMPDIR=/proj/${PROJECT}/nobackup/SINGULARITY_TMPDIR
mkdir -p "$APPTAINER_CACHEDIR" "$APPTAINER_TMPDIR"