
Building without elevated privileges with --fakeroot

Online manual

The fakeroot feature (commonly referred to as rootless mode) allows an unprivileged user to run a container as a "fake root" user by leveraging user namespace UID/GID mapping.

A "fake root" user has almost the same administrative rights as root but only inside the container and the requested namespaces, which means that this user:

  • can set different user/group ownership for files or directories they own
  • can change user/group identity with su/sudo commands
  • has full privileges inside the requested namespaces (network, ipc, uts)

Note

Many computer centers do not allow the use of "fake root", and attempting to build triggers the following error:

$ singularity build --fakeroot lolcow.sif lolcow.def 
FATAL:   could not use fakeroot: no mapping entry found in /etc/subuid for user

UPDATE 2022.10.19: Alvis and Rackham support building Singularity containers with apptainer / singularity

UPDATE 2023.03.08: Kebnekaise supports building containers with the apptainer fakeroot option (Apptainer available on the command-line)

$ apptainer build lolcow.sif lolcow.def 
INFO:    Detected Singularity user configuration directory
INFO:    User not listed in /etc/subuid, trying root-mapped namespace
INFO:    The %post section will be run under fakeroot
INFO:    Starting build...
...
INFO:    Adding environment to container
INFO:    Adding runscript
INFO:    Creating SIF file...
INFO:    Build complete: lolcow.sif
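The two outcomes above (the FATAL subuid error versus the "trying root-mapped namespace" fallback) can be predicted before a build is attempted. The following pre-flight check is an added example, not code from the course page or from Apptainer; the subuid file and sysctl paths are passed in as parameters so the check can be pointed at constructed test files as well as the real /etc/subuid.

```shell
#!/bin/sh
# Added example: decide which fakeroot build mode an HPC login node offers.
#  - "subuid"      : the user has a subordinate UID range in /etc/subuid,
#                    so `singularity build --fakeroot` can work.
#  - "root-mapped" : no subuid entry, but unprivileged user namespaces are
#                    allowed, so Apptainer can fall back to a root-mapped
#                    namespace (the INFO lines shown above).
#  - "none"        : neither is available; expect the FATAL error.

# Return 0 if USER has a usable entry in the given subuid file.
# Usage: has_subuid_mapping <user> [subuid-file]
has_subuid_mapping() {
    user="$1"; file="${2:-/etc/subuid}"
    [ -r "$file" ] || return 1
    # Each line is  name:start:count  (name may also be a numeric UID).
    awk -F: -v u="$user" '$1 == u && $3 > 0 { found = 1 } END { exit !found }' "$file"
}

# Print the expected build mode; exit status 1 only for "none".
# Usage: build_mode <user> [subuid-file] [max_user_namespaces-file]
build_mode() {
    user="$1"; subuid_file="${2:-/etc/subuid}"
    userns_max="${3:-/proc/sys/user/max_user_namespaces}"
    if has_subuid_mapping "$user" "$subuid_file"; then
        echo subuid; return 0
    fi
    # A non-zero max_user_namespaces means the kernel lets unprivileged
    # users create user namespaces, which the root-mapped fallback needs.
    if [ -r "$userns_max" ] && [ "$(cat "$userns_max")" -gt 0 ] 2>/dev/null; then
        echo root-mapped; return 0
    fi
    echo none; return 1
}
```

Run `build_mode "$(id -un)"` on the login node to see which of the three messages applies before spending build time.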

Handy environment variables for use on HPC clusters

Environment variables that redirect the potentially large cache and temporary folders to an alternative location; keep in mind that your $HOME folder is relatively small.

# replace project_folder with the name of your project directory under /proj
export PROJECT=project_folder

# Singularity reads these variable names
export SINGULARITY_CACHEDIR=/proj/${PROJECT}/nobackup/SINGULARITY_CACHEDIR
export SINGULARITY_TMPDIR=/proj/${PROJECT}/nobackup/SINGULARITY_TMPDIR

# Apptainer reads the APPTAINER_ prefixed names (same target folders)
export APPTAINER_CACHEDIR=/proj/${PROJECT}/nobackup/SINGULARITY_CACHEDIR
export APPTAINER_TMPDIR=/proj/${PROJECT}/nobackup/SINGULARITY_TMPDIR

# create the folders so the first build does not fail on a missing path
mkdir -p $APPTAINER_CACHEDIR $APPTAINER_TMPDIR

Documentation about Singularity / Apptainer on different HPC centers: