Apptainer: Application containers for Linux
- --no-mount home won't have any effect when running apptainer from a home directory and will require --no-mount home,cwd to avoid mounting that directory.
- --underlay action option can be used to prefer underlay instead of overlay.
- enable overlay = driver configuration option to always use the overlay image driver (that is, fuse-overlayfs) even when the kernel overlayfs is usable.
- panfs filesystem, allowing sandbox directories to be run from panfs without error.
- sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.
- --reproducible flag for ./mconfig will configure Apptainer so that its binaries do not contain non-reproducible paths. This disables plugin functionality.
- {{ variable }} will be replaced by a value defined either by a variable=value entry in the %arguments section of the definition file or through new build options --build-arg or --build-arg-file. By default any unused variables given in --build-arg or --build-arg-file result in a fatal error, but the option --warn-unused-build-args changes that to a warning rather than a fatal error.
- instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.
- sign and verify commands now support signing and verification with non-PGP key material by specifying the path to a private key via the --key flag.
- verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.
- verify --ocsp-verify option.
- instance stats command displays the resource usage every second. The --no-stream option disables this interactive mode and shows the point-in-time usage.
- apptainer instance stats to be supported by default when possible.
- instance start command now accepts an optional --app <name> argument which invokes a start script within the %appstart <name> section in the definition file. The instance stop command still only requires the instance name.
- APPTAINER_INSTANCE environment variable.
- APPTAINER_CONFIGDIR environment variable.
- APPTAINER_SILENT, APPTAINER_QUIET, and APPTAINER_VERBOSE. Also add APPTAINER_NOCOLOR for the --nocolor option.
- --no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in apptainer.conf.
- DOCKER_HOST parsing when using docker-daemon://
- DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.
- CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.
- setopt definition file header for the yum bootstrap agent. The setopt value is passed to yum / dnf using the --setopt flag. This permits setting e.g. install_weak_deps=False to bootstrap recent versions of Fedora, where systemd (a weak dependency) cannot install correctly in the container. See examples/Fedora for an example definition file.
- yum bootstrap of an older distro may fail if the host rpm _db_backend is not bdb.
- remote get-login-password command allows users to retrieve a remote's token. This enables piping the secret directly into docker login while preventing it from showing up in a shell's history.
- In --rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.
- --env-file.
- --nv/--rocm when duplicate <library>.so[.version] files are listed by ldconfig -p.
- DOCKER_HOST is honored in non-build flows.
- apptainer.conf comment, to refer to the correct file as the source of default capabilities when root default capabilities = file.
- --workdir and --scratch options when the former is given a relative path.
- --warn-unused-build-args to output warnings rather than fatal errors for any additional variables given in --build-arg or --build-arg-file.
- unshare -r stopped mapping the user's home directory to the fake root's home directory.
- allow setuid-mount configuration options encrypted, squashfs, and extfs, and makes the default for extfs be "no". That disables the use of extfs mounts, including for overlays or binds, while in the setuid-root mode, while leaving it enabled for unprivileged user namespace mode. The default for encrypted and squashfs is "yes".
- xino=on mount option for writable kernel overlay mount points to fix inode number consistency after a kernel cache flush (not applicable to fuse-overlayfs).
- library:// protocol. See the link for details.
- GOCACHE environment variable settings when building the Debian source package in the PPA build environment.
- PS1 environment variable changeable via the %environment section of the definition file, which used to be changeable only via APPTAINERENV_PS1 outside of the container. This makes the container's prompt customizable.
- Provides: bundled(golang()) statements to the rpm packaging for each bundled golang module.
- When a remote is defined both globally (i.e. system-wide) and individually, change apptainer remote commands to print an info message instead of exiting with a fatal error and to give precedence to the individual configuration.
- /etc/singularity when updating from singularity to apptainer, including importing singularity.conf using a new hidden confgen command.
- fakeroot, faked, and libfakeroot.so if they are not suffixed by -sysv, as is for instance the case on Gentoo Linux.
- --libexecdir or --bindir mconfig option from making apptainer think it was relocated and so preventing use of suid mode. The bug was introduced in v1.1.4.
- --remote option.
- fakeroot-sysv command over the fakeroot command because the latter can be linked to either fakeroot-sysv or fakeroot-tcp, but fakeroot-sysv is much faster.
- squashfuse_ll to have -o uid=N and -o gid=N options and changed the corresponding image driver to use them when available. This makes files inside sif files appear to be owned by the user instead of by the nobody id 65534 when running in non-setuid mode.
- unsquashfs from a non-standard location.
- unsquashfs fails.
- :ro to make it read only or using --fakeroot.
- /etc/subuid-based fakeroot when /var/lib/containers/sigstore is readable only by root.
- --writable-tmpfs in non-setuid mode when using fuse-overlayfs versions 1.8 or greater by adding the fuse-overlayfs noacl mount option to disable support for POSIX Access Control Lists.
- --rocm flag in combination with -c / -C by forwarding all /dri/render* devices into the container.
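The definition-file templating noted above ({{ variable }} placeholders filled from %arguments defaults or --build-arg, with unused build args fatal by default and downgraded to a warning by --warn-unused-build-args), modelled in Python as an added example. This is not Apptainer's own implementation; the placeholder regex, the %arguments line format and the rule that --build-arg overrides %arguments defaults are assumptions, and the definition file is constructed for the example.

```python
import re
# Illustrative model of the {{ variable }} templating described above; not
# Apptainer's own code. The placeholder regex, the %arguments line format
# and "--build-arg overrides %arguments defaults" are assumptions.
TEMPLATE_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

class UnusedBuildArgs(Exception):
    """Raised when a build arg is never referenced (fatal by default)."""

def parse_arguments_section(definition):
    """Collect variable=value defaults from the %arguments section."""
    defaults, in_section = {}, False
    for line in definition.splitlines():
        stripped = line.strip()
        if stripped.startswith("%"):      # any section header ends %arguments
            in_section = stripped == "%arguments"
        elif in_section and "=" in stripped and not stripped.startswith("#"):
            name, value = stripped.split("=", 1)
            defaults[name.strip()] = value.strip()
    return defaults

def render_definition(definition, build_args=None, warn_unused=False):
    """Fill placeholders and return (rendered_text, warnings); unused
    --build-arg entries raise unless warn_unused (--warn-unused-build-args)."""
    build_args = dict(build_args or {})
    values = parse_arguments_section(definition)
    values.update(build_args)             # assumed precedence: CLI args win
    used = set()
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("build variable %r is not defined" % name)
        used.add(name)
        return values[name]
    rendered = TEMPLATE_RE.sub(substitute, definition)
    unused = sorted(set(build_args) - used)
    if unused and not warn_unused:
        raise UnusedBuildArgs("unused build arguments: " + ", ".join(unused))
    return rendered, ["unused build argument: " + n for n in unused]

# Constructed sample definition file (not from the Apptainer repository).
DEF_FILE = """\
Bootstrap: docker
From: {{ BASE }}:{{ TAG }}
%arguments
    BASE=alpine
    TAG=3.19
%post
    echo "built from {{ BASE }}"
"""
```

A misspelled build argument such as TAGG is exactly what the default fatal behaviour catches; with warn_unused set, the build proceeds with the %arguments default and only a warning is returned.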