Apptainer: Application containers for Linux
--no-mount home won't have any effect when running apptainer from a home directory and will require --no-mount home,cwd to avoid mounting that directory.--underlay action option can be used to prefer underlay instead of overlay.enable overlay = driver configuration option to always use the overlay image driver (that is, fuse-overlayfs) even when the kernel overlayfs is usable.panfs filesystem, allowing sandbox directories to be run from panfs without error.sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.--reproducible flag for ./mconfig will configure Apptainer so that its binaries do not contain non-reproducible paths. This disables plugin functionality.{{ variable }} will be replaced by a value defined either by a variable=value entry in the %arguments section of the definition file or through new build options --build-arg or --build-arg-file. By default any unused variables given in --build-arg or --build-arg-file result in a fatal error but the option --warn-unused-build-args changes that to a warning rather than a fatal error.instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.sign and verify commands now support signing and verification with non-PGP key material by specifying the path to a private key via the --key flag.verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.verify --ocsp-verify option.instance stats command displays the resource usage every second. The --no-stream option disables this interactive mode and shows the point-in-time usage.apptainer instance stats to be supported by default when possible.instance start command now accepts an optional --app <name> argument which invokes a start script within the %appstart <name> section in the definition file. The instance stop command still only requires the instance name.APPTAINER_INSTANCE environment variable.APPTAINER_CONFIGDIR environment variable.APPTAINER_SILENT, APPTAINER_QUIET, and APPTAINER_VERBOSE. Also add APPTAINER_NOCOLOR for the --nocolor option.--no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in apptainer.conf.DOCKER_HOST parsing when using docker-daemon://
DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.setopt definition file header for the yum bootstrap agent. The setopt value is passed to yum / dnf using the --setopt flag. This permits setting e.g. install_weak_deps=False to bootstrap recent versions of Fedora, where systemd (a weak dependency) cannot install correctly in the container. See examples/Fedora for an example definition file.yum bootstrap of an older distro may fail if the host rpm _db_backend is not bdb.remote get-login-password command allows users to retrieve a remote's token. This enables piping the secret directly into docker login while preventing it from showing up in a shell's history.--rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.--env-file.--nv/--rocm when duplicate <library>.so[.version] files are listed by ldconfig -p.DOCKER_HOST is honored in non-build flows.apptainer.conf comment, to refer to correct file as source of default capabilities when root default capabilities = file.--workdir and --scratch options when the former is given a relative path.APPTAINER_CONFIGDIR environment variable.APPTAINER_SILENT, APPTAINER_QUIET, and APPTAINER_VERBOSE. Also add APPTAINER_NOCOLOR for the --nocolor option.--warn-unused-build-args to output warnings rather than fatal errors for any additional variables given in --build-arg or --build-arg-file.enable overlay = driver configuration option to always use the overlay image driver (that is, fuse-overlayfs) even when the kernel overlayfs is usable.unshare -r stopped mapping the user's home directory to the fake root's home directory.--workdir and --scratch options when the former is given a relative path.--no-mount home won't have any effect when running apptainer from a home directory and will require --no-mount home,cwd to avoid mounting that directory.--underlay action option can be used to prefer underlay instead of overlay.sessiondir maxsize in apptainer.conf now defaults to 64 MiB for new installations. This is an increase from 16 MiB in prior versions.panfs filesystem, allowing sandbox directories to be run from panfs without error.--reproducible flag for ./mconfig will configure Apptainer so that its binaries do not contain non-reproducible paths. This disables plugin functionality.{{ variable }} will be replaced by a value defined either by a variable=value entry in the %arguments section of the definition file or through new build options --build-arg or --build-arg-file.instance run command that will execute the runscript when an instance is initiated instead of executing the startscript.sign and verify commands now support signing and verification with non-PGP key material by specifying the path to a private key via the --key flag.verify command now supports verification with X.509 certificates by specifying the path to a certificate via the --certificate flag. By default, the system root certificate pool is used as trust anchors unless overridden via the --certificate-roots flag. A pool of intermediate certificates that are not trust anchors, but can be used to form a certificate chain, can also be specified via the --certificate-intermediates flag.verify --ocsp-verify option.instance stats command displays the resource usage every second. The --no-stream option disables this interactive mode and shows the point-in-time usage.apptainer instance stats to be supported by default when possible.instance start command now accepts an optional --app <name> argument which invokes a start script within the %appstart <name> section in the definition file. The instance stop command still only requires the instance name.APPTAINER_INSTANCE environment variable.--no-mount flag now accepts the value bind-paths to disable mounting of all bind path entries in apptainer.conf.DOCKER_HOST parsing when using docker-daemon://
DOCKER_USERNAME and DOCKER_PASSWORD supported without APPTAINER_ prefix.CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE.setopt definition file header for the yum bootstrap agent. The setopt value is passed to yum / dnf using the --setopt flag. This permits setting e.g. install_weak_deps=False to bootstrap recent versions of Fedora, where systemd (a weak dependency) cannot install correctly in the container. See examples/Fedora for an example definition file.yum bootstrap of an older distro may fail if the host rpm _db_backend is not bdb.remote get-login-password command allows users to retrieve a remote's token. This enables piping the secret directly into docker login while preventing it from showing up in a shell's history.--rocm mode, the whole of /dev/dri is now bound into the container when --contain is in use. This makes /dev/dri/render devices available, required for later ROCm versions.--env-file.--nv/--rocm when duplicate <library>.so[.version] files are listed by ldconfig -p.DOCKER_HOST is honored in non-build flows.apptainer.conf comment, to refer to correct file as source of default capabilities when root default capabilities = file.allow setuid-mount configuration options encrypted, squashfs, and extfs, and makes the default for extfs be "no". That disables the use of extfs mounts including for overlays or binds while in the setuid-root mode, while leaving it enabled for unprivileged user namespace mode. The default for encrypted and squashfs is "yes".xino=on mount option for writable kernel overlay mount points to fix inode numbers consistency after kernel cache flush (not applicable to fuse-overlayfs).library:// protocol. See the link for details.GOCACHE environment variable settings when building debian source package on PPA build environment.PS1 environment variable changeable via %environment section on definition file that used to be only changeable via APPTAINERENV_PS1 outside of container. This makes the container's prompt customizable.Provides: bundled(golang()) statements to the rpm packaging for each bundled golang module.remote is defined both globally (i.e. system-wide) and individually, change apptainer remote commands to print an info message instead of exiting with a fatal error and to give precedence to the individual configuration./etc/singularity when updating from singularity to apptainer, including importing singularity.conf using a new hidden confgen command.fakeroot, faked, and libfakeroot.so if they are not suffixed by -sysv, as is for instance the case on Gentoo Linux.--libexecdir or --bindir mconfig option from making apptainer think it was relocated and so preventing use of suid mode. The bug was introduced in v1.1.4.--remote option.fakeroot-sysv command over the fakeroot command because the latter can be linked to either fakeroot-sysv or fakeroot-tcp, but fakeroot-sysv is much faster.squashfuse_ll to have -o uid=N and -o gid=N options and changed the corresponding image driver to use them when available. This makes files inside sif files appear to be owned by the user instead of by the nobody id 65534 when running in non-setuid mode.unsquashfs from a non-standard location.unsquashfs fails.:ro to make it read only or using --fakeroot./etc/subuid-based fakeroot when /var/lib/containers/sigstore is readable only by root.--writable-tmpfs in non-setuid mode when using fuse-overlayfs versions 1.8 or greater by adding the fuse-overlayfs noacl mount option to disable support for POSIX Access Control Lists.--rocm flag in combination with -c / -C by forwarding all /dri/render* devices into the container.