From d1425e75a2ae1da9c95e3d30cbdd133c0e774fee Mon Sep 17 00:00:00 2001
From: gh-actions
Date: Thu, 18 Jul 2024 21:43:21 +0000
Subject: [PATCH] Updates
---
docs/admin/main/_sources/security.rst.txt | 18 ++++++++++--------
docs/admin/main/searchindex.js | 2 +-
docs/admin/main/security.html | 16 +++++++++-------
3 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/docs/admin/main/_sources/security.rst.txt b/docs/admin/main/_sources/security.rst.txt
index a011e0dab..6481e6b17 100644
--- a/docs/admin/main/_sources/security.rst.txt
+++ b/docs/admin/main/_sources/security.rst.txt
@@ -29,18 +29,20 @@ seccomp and apparmor. Please see the `Security Options section
Limits on resource usage by containers can be enforced using cgroups. On systems
that use cgroups v1, only the root user can set resource limits. On systems that
use cgroups v2 and systemd, all users can apply resource limits as long as the
-system is configured for delegation.
+system is configured for delegation to non-root users.
By default, EL9, Ubuntu 22.04, Debian 11, Fedora 31 and newer use cgroups v2 and
-are configured for delegation so that unprivileged users will be able to use the
-``--apply-cgroups`` and other resource limit flags of {Project} without
-further configuration.
-
-On EL8 and Ubuntu 20.04 it is possible to setup a compatible configuration by
-following the 'Enabling cgroup v2' and 'Enabling CPU, CPUSET, and I/O
-delegation' steps at the `rootless containers website
+are configured so that non-root users will be able to use the
+``--memory-*`` and ``--pids-limit`` flags of {Project} or
+limit those aspects with the ``--apply-cgroups`` flag.
+To enable the other resource limits follow the
+'Enabling CPU, CPUSET, and I/O delegation' step at the
+`rootless containers website
`_.
+On EL8 and Ubuntu 20.04 it is possible to set up a compatible configuration by
+also following the 'Enabling cgroup v2' step at the above website.
+
See the `Limiting Container Resources section
<{userdocs}/cgroups.html>`_ of the user guide
for more details of how to apply cgroups limits to containers at runtime.
diff --git a/docs/admin/main/searchindex.js b/docs/admin/main/searchindex.js
index ec8fc0892..a8536fdcb 100644
--- a/docs/admin/main/searchindex.js
+++ b/docs/admin/main/searchindex.js
@@ -1 +1 @@
-Search.setIndex({"docnames": ["admin_quickstart", "configfiles", "index", "installation", "license", "monitoring", "security", "singularity_migration", "user_namespace"], "filenames": ["admin_quickstart.rst", "configfiles.rst", "index.rst", "installation.rst", "license.rst", "monitoring.rst", "security.rst", "singularity_migration.rst", "user_namespace.rst"], "titles": ["Admin Quick Start", "Apptainer Configuration Files", "Admin Guide", "Installing Apptainer", "License", "Monitoring Support", "Security in Apptainer", "Migrating From Singularity", "User Namespaces & Fakeroot"], "terms": {"thi": [0, 1, 2, 3, 4, 5, 7, 8], "give": [0, 1], "an": [0, 1, 7, 8], "overview": [0, 2], "descript": [0, 1], "pointer": [0, 5], "file": [0, 2, 5, 6, 7, 8], "more": [0, 1, 2, 3, 6, 8], "inform": [0, 2, 3, 5, 7], "includ": [0, 1, 3, 4, 8], "altern": [0, 3], "option": [0, 2, 3, 5, 7, 8], "detail": [0, 1, 2, 3, 6, 8], "can": [0, 1, 3, 5, 6, 7, 8], "found": [0, 1, 3], "later": [0, 3], "guid": [0, 1, 3, 6, 7, 8], "i": [0, 1, 3, 4, 5, 6, 7, 8], "design": [0, 5], "allow": [0, 1, 3, 5, 6, 8], "contain": [0, 3, 5, 6, 8], "execut": [0, 3, 6], "thei": [0, 1, 3, 5, 7, 8], "were": [0, 1, 8], "nativ": [0, 1, 3, 5], "program": [0, 1, 3, 8], "script": [0, 3], "host": [0, 1, 3, 8], "system": [0, 2, 5, 6, 7, 8], "No": 0, "daemon": [0, 8], "requir": [0, 1, 2], "build": [0, 1, 5], "run": [0, 1, 3, 6, 8], "model": 0, "compat": [0, 1, 3, 6, 7], "share": [0, 1, 3], "As": [0, 1, 3], "result": [0, 3, 8], "integr": [0, 1, 3], "cluster": [0, 8], "schedul": [0, 1], "univa": 0, "grid": 0, "engin": 0, "torqu": 0, "slurm": 0, "sge": 0, "mani": [0, 1, 3, 8], "other": [0, 2, 3, 4, 5, 6, 8], "simpl": [0, 3, 8], "ani": [0, 1, 3, 4, 7, 8], "command": [0, 1, 3, 8], "all": [0, 1, 3, 4, 6, 7, 8], "standard": 0, "input": 0, "output": [0, 1], "error": [0, 3, 8], "pipe": 0, "ipc": 0, "commun": [0, 1, 7], "pathwai": 0, "us": [0, 1, 2, 3, 4, 5, 6, 8], "local": [0, 1, 3, 5, 7, 8], "ar": [0, 1, 3, 4, 5, 6, 7, 8], "synchron": [0, 8], "applic": [0, 1], "within": [0, 1, 7], "favor": 0, "over": [0, 1], "isol": [0, 1, 3, 8], "approach": [0, 1, 3], "By": [0, 1, 3, 6, 8], "default": [0, 1, 3, 5, 6, 7, 8], "onli": [0, 1, 3, 6, 8], "mount": [0, 3, 8], "user": [0, 1, 2, 3, 5, 6, 7], "namespac": [0, 2, 3, 7], "so": [0, 1, 3, 6, 7, 8], "have": [0, 1, 3, 7, 8], "own": [0, 1, 8], "filesystem": 0, "view": [0, 3], "access": [0, 1, 3, 8], "hardwar": 0, "gpu": [0, 2], "high": 0, "speed": [0, 1, 8], "network": [0, 2], "easi": [0, 3], "doe": [0, 1, 3, 5, 7, 8], "special": [0, 1, 4, 8], "home": [0, 1, 3], "directori": [0, 3, 7, 8], "tmp": [0, 1, 3], "space": [0, 1, 3, 8], "specif": [0, 1, 3, 4], "make": [0, 1, 3, 7, 8], "benefit": 0, "from": [0, 1, 2, 4, 5, 8], "reproduc": [0, 4], "container": [0, 1], "without": [0, 1, 3, 4, 6, 8], "major": [0, 1, 3], "chang": [0, 1, 3, 5, 7, 8], "exist": [0, 1, 3, 5, 8], "workflow": [0, 1, 3], "where": [0, 1, 3, 8], "complet": [0, 1, 8], "import": [0, 1, 2, 3, 7, 8], "addit": [0, 3, 5, 8], "linux": [0, 1, 2, 5, 7, 8], "resourc": [0, 1, 5, 6], "limit": [0, 4, 6], "accomplish": 0, "see": [0, 1, 2, 3, 4, 6, 7, 8], "section": [0, 1, 3, 6, 7, 8], "sourc": [0, 1, 4, 7], "directli": [0, 1, 3], "rpm": [0, 1, 7], "debian": [0, 6, 8], "packag": [0, 1, 7, 8], "download": [0, 3], "pre": [0, 7], "built": [0, 5], "distribut": [0, 1, 3, 4, 8], "mai": [0, 1, 3, 4, 7, 8], "also": [0, 1, 3, 7, 8], "up": [0, 1, 8], "date": 0, "upstream": 0, "version": [0, 1, 3, 5], "github": [0, 1], "To": [0, 1, 3, 5, 8], "follow": [0, 1, 3, 4, 6, 8], "instruct": [0, 2, 3], "md": [0, 1, 3], "method": [0, 1, 3, 8], "discuss": [0, 1, 3, 8], "under": [0, 1, 3, 7], "etc": [0, 1, 3, 6, 7, 8], "your": [0, 1, 3, 7, 8], "prefix": [0, 1, 3, 7], "syconfdir": 0, "you": [0, 1, 3, 7, 8], "mconfig": [0, 3], "In": [0, 1, 3, 5, 7, 8], "set": [0, 1, 3, 6, 8], "find": [0, 1, 3, 7, 8], "them": [0, 1, 3, 6, 8], "usr": [0, 1, 3, 5, 7], "deb": [0, 1, 3, 7], "edit": [0, 5, 8], "config": [0, 1, 3, 7], "global": [0, 1], "root": [0, 1, 3, 5, 6, 7, 8], "manag": [0, 3, 6, 8], "conf": [0, 2, 3, 5, 7, 8], "control": [0, 1, 6], "runtim": [0, 1, 2, 3, 7, 8], "behavior": [0, 7], "head": [0, 3], "small": [0, 5], "alpin": [0, 1, 3], "exec": [0, 1, 3], "docker": [0, 3, 8], "cat": [0, 3, 8], "releas": [0, 1, 5], "3": [0, 1, 3, 4, 5, 8], "9": [0, 3, 5], "2": [0, 1, 3, 5, 8], "about": [0, 1, 2, 3, 5, 7], "how": [0, 1, 2, 3, 6, 7, 8], "administr": [1, 2, 3, 5, 6, 7, 8], "variou": [1, 3], "let": 1, "secur": [1, 2, 3, 5, 7, 8], "restrict": [1, 3, 6, 8], "when": [1, 3, 5, 6, 7, 8], "instal": [1, 2, 7, 8], "across": [1, 3], "though": [1, 3, 8], "locat": [1, 3, 7], "differ": [1, 3, 8], "base": [1, 6, 7, 8], "pass": [1, 7], "dure": [1, 3, 7, 8], "For": [1, 3, 4, 6, 8], "describ": [1, 8], "paramet": [1, 6, 7, 8], "most": [1, 3, 8], "defin": [1, 3, 8], "entir": 1, "influenc": 1, "function": [1, 3, 8], "measur": 1, "must": [1, 3, 4, 8], "writabl": [1, 3, 8], "refus": 1, "case": [1, 3, 5, 7, 8], "non": [1, 8], "ever": 1, "privileg": [1, 3, 5, 8], "thu": 1, "do": [1, 3, 8], "The": [1, 3, 7, 8], "via": [1, 3, 5, 8], "list": [1, 3, 4, 5, 6], "below": [1, 3, 8], "group": [1, 3, 8], "togeth": [1, 3], "relev": 1, "actual": [1, 8], "order": [1, 3, 8], "featur": [1, 2, 3, 5], "need": [1, 3, 5, 7, 8], "some": [1, 3, 8], "call": [1, 3, 8], "achiev": 1, "helper": 1, "bit": [1, 8], "enabl": [1, 3, 5, 6, 7], "disabl": [1, 2, 3], "abil": [1, 8], "util": [1, 3, 8], "ye": [1, 5, 8], "suid": [1, 3, 5, 7, 8], "which": [1, 3, 5, 7, 8], "kept": 1, "known": 1, "mode": [1, 3, 8], "full": [1, 3], "maintain": [1, 3], "same": [1, 3, 7, 8], "keep": 1, "priv": 1, "grant": [1, 6, 8], "individu": 1, "launch": 1, "through": [1, 3, 8], "add": [1, 3, 8], "cap": 1, "drop": 1, "flag": [1, 3, 6], "pleas": [1, 3, 6, 7, 8], "facilit": 1, "sif": [1, 3, 6, 8], "imag": [1, 3], "max": 1, "admin": 1, "total": [1, 5], "number": [1, 3, 5, 8], "consum": 1, "given": 1, "time": [1, 3, 5, 8], "singl": [1, 3], "minim": [1, 7, 8], "usag": [1, 2, 3, 6], "help": [1, 3, 5, 7], "optim": 1, "kernel": [1, 3, 8], "cach": 1, "particularli": 1, "mpi": 1, "job": 1, "pid": 1, "n": 1, "determin": 1, "leverag": 1, "confus": 1, "process": [1, 3, 5, 8], "track": 1, "well": [1, 3], "implement": [1, 3], "automat": [1, 3, 7, 8], "creat": [1, 3, 5, 8], "modifi": [1, 7], "sever": [1, 3, 5], "eas": 1, "These": 1, "effect": 1, "overlai": [1, 8], "underlai": 1, "passwd": 1, "should": [1, 3, 5, 7], "append": 1, "entri": [1, 3, 8], "": [1, 3, 5, 6, 8], "resolv_conf": 1, "resolv": 1, "sessiondir": [1, 3], "size": [1, 3, 5, 8], "temporari": [1, 3], "assembl": 1, "compon": [1, 7, 8], "hold": [1, 3], "written": [1, 4], "tmpf": [1, 3], "plu": 1, "valu": [1, 5, 8], "64mib": 1, "If": [1, 3, 7, 8], "commonli": [1, 8], "increas": 1, "accommod": 1, "grow": 1, "specifi": [1, 8], "maximum": [1, 3, 5], "alloc": [1, 5, 8], "ahead": 1, "proc": 1, "sy": [1, 3], "dev": 1, "want": [1, 3, 7, 8], "tree": [1, 3], "null": 1, "zero": [1, 8], "random": 1, "urandom": 1, "shm": 1, "devpt": 1, "new": [1, 3, 5, 7, 8], "instanc": [1, 3], "explain": 1, "abov": [1, 3, 4, 8], "either": [1, 3, 7], "config_devpts_multiple_inst": 1, "y": [1, 3], "newer": [1, 6], "than": [1, 8], "4": [1, 3, 5, 8], "7": [1, 5], "attempt": [1, 3, 8], "var": [1, 3], "both": [1, 3], "workdir": 1, "hostf": 1, "caus": [1, 4, 7], "probe": 1, "those": [1, 3, 8], "slave": 1, "hand": 1, "propag": 1, "autof": 1, "occur": [1, 3], "reflect": 1, "f": 1, "type": [1, 3, 5, 8], "choos": 1, "primarili": [1, 3], "like": [1, 3, 7, 8], "crai": 1, "cle": 1, "5": [1, 3, 5, 8], "6": 1, "0": [1, 3, 5, 8], "up05": 1, "issu": [1, 3, 7], "panic": 1, "affect": [1, 3, 8], "recommend": [1, 3, 7, 8], "ramf": 1, "avoid": [1, 3, 5], "path": [1, 3, 5, 8], "made": [1, 3, 8], "avail": [1, 3, 5, 8], "successfulli": 1, "ignor": 1, "invok": 1, "point": [1, 3, 8], "destin": 1, "ident": [1, 7], "localtim": 1, "Or": 1, "colon": 1, "nsswitch": 1, "decid": [1, 7], "mean": [1, 3, 7], "scratch": 1, "reason": 1, "desir": 1, "who": [1, 6], "primari": [1, 3], "motiv": 1, "past": 1, "wa": [1, 5], "prevent": [1, 7], "untrust": 1, "potenti": 1, "attack": 1, "driver": [1, 3], "howev": [1, 3, 4, 7], "longer": [1, 8], "never": 1, "been": [1, 3, 7, 8], "squashf": 1, "But": 1, "provid": [1, 3, 4, 5, 8], "purpos": [1, 4], "here": [1, 6, 8], "direct": [1, 4, 8], "unprivileg": [1, 6, 8], "appli": [1, 6, 7], "possibl": [1, 3, 4, 6, 8], "creation": [1, 3, 8], "reli": [1, 8], "its": [1, 3, 4, 7, 8], "fakeroot": [1, 2, 7], "There": [1, 3, 8], "wai": [1, 3, 4, 5, 8], "stricter": 1, "check": [1, 8], "out": [1, 4, 7], "owner": 1, "permit": [1, 4, 8], "deni": [1, 3], "unencrypt": 1, "encrypt": 1, "bare": [1, 3], "e": [1, 3, 5, 7, 8], "g": [1, 3, 7], "singular": [1, 2], "x": 1, "extf": [1, 3], "dir": [1, 3], "sandbox": [1, 3], "mapper": 1, "gocryptf": 1, "fuse": [1, 8], "instead": [1, 3, 7, 8], "insid": [1, 3, 5, 8], "outsid": [1, 8], "squashfuse_l": 1, "iflimit": 1, "activ": [1, 8], "treat": 1, "otherwis": [1, 4, 8], "ext3": [1, 3], "ext4": [1, 3], "fuse2f": 1, "virtual": [1, 3, 5], "unrestrict": 1, "certain": [1, 3], "disrupt": 1, "environ": [1, 5], "net": [1, 8], "administ": [1, 8], "except": [1, 7], "40_fakeroot": [1, 8], "conflist": [1, 8], "name": [1, 3, 4, 7, 8], "workload": 1, "seamlessli": 1, "checkout": 1, "alwai": [1, 3], "nv": [1, 3], "everi": 1, "action": 1, "shell": [1, 3, 8], "implicitli": 1, "ad": 1, "fusemount": 1, "tri": 1, "doesn": [1, 3, 8], "t": [1, 3, 8], "work": [1, 2, 3, 8], "overlayf": [1, 3, 8], "A": [1, 3, 4, 5, 8], "try": [1, 8], "obsolet": 1, "equival": 1, "miss": [1, 3, 8], "nor": [1, 4], "note": [1, 3, 7], "prefer": [1, 5, 8], "overrid": 1, "current": [1, 3, 5, 8], "deprec": 1, "remov": [1, 3, 7, 8], "futur": 1, "becaus": [1, 3, 5, 7], "complic": 1, "perform": [1, 3, 7, 8], "similar": [1, 7], "custom": [1, 3, 5], "replac": [1, 3], "whenev": [1, 3, 8], "isn": 1, "veri": 1, "basic": [1, 3], "flow": 1, "pull": [1, 3], "multipl": [1, 3, 8], "part": [1, 7, 8], "v": 1, "stream": 1, "gener": [1, 3, 8], "appropri": [1, 8], "api": 1, "registri": 1, "tune": 1, "condit": [1, 4], "server": [1, 3], "cloud": 1, "each": [1, 3, 8], "byte": [1, 5], "buffer": 1, "transfer": 1, "systemd": [1, 6, 8], "whether": [1, 4, 5], "v2": [1, 6], "cgroupf": 1, "ha": [1, 3, 7, 8], "get": [1, 3], "reset": 1, "unset": 1, "It": [1, 3, 7, 8], "elev": 1, "we": [1, 3, 7, 8], "first": [1, 3, 5, 6, 8], "our": 1, "sudo": [1, 3, 5, 8], "now": [1, 8], "verifi": [1, 5, 7], "And": 1, "back": [1, 3, 8], "origin": [1, 3, 8], "test": [1, 2], "what": [1, 8], "would": [1, 3], "look": [1, 8], "dry": 1, "conjunct": 1, "write": [1, 3], "had": 1, "string": 1, "undefin": 1, "attach": 1, "respect": [1, 7], "dest": 1, "did": 1, "meter": 1, "rate": 1, "block": [1, 8], "node": [1, 3, 8], "two": [1, 3, 8], "common": [1, 3], "v1": [1, 3, 6], "separ": [1, 3, 7], "hierarchi": 1, "per": 1, "class": 1, "unifi": 1, "simplifi": 1, "structur": [1, 3, 5], "document": [1, 3, 4, 6, 7, 8], "www": 1, "org": [1, 4], "doc": [1, 3], "txt": 1, "repres": 1, "oci": [1, 3], "spec": 1, "com": [1, 3], "opencontain": 1, "blob": 1, "master": 1, "On": [1, 3, 6], "translat": 1, "ebpf": 1, "request": [1, 8], "take": [1, 5, 7, 8], "my_contain": 1, "amount": [1, 5], "500mb": 1, "524288000": 1, "start": [1, 3, 5, 8], "strategi": 1, "correspond": [1, 7], "ratio": 1, "versu": 1, "usual": 1, "1024": 1, "That": [1, 7], "50": 1, "512": 1, "enough": 1, "idl": 1, "cycl": [1, 5], "due": [1, 8], "conserv": 1, "natur": 1, "even": [1, 3, 4, 5, 8], "conflict": [1, 3], "quota": 1, "period": 1, "enforc": [1, 6], "hard": 1, "100m": 1, "100000u": 1, "20m": 1, "100000": [1, 8], "20000": 1, "mem": 1, "core": 1, "associ": 1, "field": 1, "1": [1, 3, 5, 8], "o": [1, 3, 5, 6], "compet": 1, "blockio": 1, "weight": 1, "1000": [1, 3, 8], "leafweight": 1, "accept": 1, "between": [1, 8], "10": [1, 3], "until": 1, "unless": 1, "overridden": 1, "rule": [1, 6], "relat": [1, 3], "heavili": 1, "weigh": 1, "task": [1, 8], "while": [1, 3, 7], "child": 1, "minor": 1, "loop0": 1, "loop1": 1, "weightdevic": 1, "100": 1, "read": [1, 3, 5], "absolut": 1, "16mb": 1, "second": [1, 5], "throttlereadbpsdevic": 1, "16777216": 1, "throttlewritebpsdevic": 1, "valid": 1, "constraint": [1, 7], "rather": [1, 8], "sign": [1, 3, 6], "author": [1, 6], "against": 1, "entiti": 1, "lock": 1, "down": [1, 8], "fulli": 1, "execgroup": 1, "tagnam": 1, "group2": 1, "whitelist": 1, "dirpath": 1, "keyfp": 1, "7064b1d6eff01b1262fed3f03581d99fe87eafd1": 1, "mention": 1, "three": 1, "whitestrict": 1, "long": [1, 3, 6], "one": [1, 3, 8], "blacklist": 1, "whose": 1, "older": [1, 3], "temporarili": [1, 8], "legaci": [1, 3], "signatur": [1, 6], "legacyinsecur": 1, "true": [1, 8], "keyr": [1, 3], "verif": 1, "export": 1, "privat": [1, 3, 8], "store": [1, 3, 7], "sysconfdir": [1, 3], "pgp": 1, "properli": 1, "inject": 1, "match": [1, 8], "opencl": 1, "depend": [1, 3, 8], "comput": [1, 3], "framework": 1, "nvliblist": 1, "suitabl": 1, "11": [1, 3, 6, 8], "further": [1, 6], "filenam": 1, "xxxx": 1, "form": [1, 4, 8], "ldconfig": 1, "p": [1, 8], "exectu": 1, "search": 1, "tool": [1, 3, 5], "offici": 1, "target": [1, 3], "nvccli": [1, 3], "setup": [1, 3, 6, 8], "cannot": [1, 3, 8], "oper": [1, 3, 8], "broadli": 1, "carri": 1, "rocmliblist": 1, "rocmlist": 1, "basenam": 1, "bound": [1, 5], "put": [1, 3], "ensur": [1, 8], "permiss": [1, 3, 4, 5], "exclud": 1, "smi": 1, "rocminfo": 1, "libnam": 1, "lib": [1, 3, 8], "end": [1, 3], "libamd_comgr": 1, "libcomgr": 1, "libcxlactivitylogg": 1, "receiv": 1, "warn": 1, "ld": 1, "extrem": 1, "recogn": 1, "level": 1, "break": 1, "becom": [1, 8], "toward": 1, "architectur": [1, 2, 3], "develop": [1, 3, 5], "might": [1, 3, 8], "surfac": 1, "normal": [1, 3, 8], "good": [1, 4], "multi": 1, "tenant": 1, "hpc": 1, "better": [1, 3], "revok": [1, 6], "basi": 1, "u": 1, "suppos": 1, "pinger": 1, "open": [1, 3, 5], "raw": [1, 3], "socket": 1, "ping": 1, "cap_net_raw": 1, "just": 1, "advantag": [1, 8], "sylab": [1, 3, 4], "ubuntu_p": 1, "c": [1, 3, 4], "8": [1, 3, 8], "56": 1, "84": 1, "data": [1, 4], "64": 1, "icmp_seq": 1, "ttl": 1, "52": 1, "73": 1, "m": 1, "statist": 1, "packet": 1, "transmit": 1, "loss": [1, 4], "0m": 1, "rtt": 1, "min": 1, "avg": 1, "mdev": 1, "178": 1, "000": 1, "necessari": [1, 8], "fail": 1, "subcommand": 1, "insensit": 1, "keyword": 1, "man": [1, 3, 8], "page": [1, 3, 8], "filter": 1, "being": [1, 7, 8], "alon": 1, "smaller": 1, "defaultact": 1, "scmp_act_allow": 1, "scmp_act_errno": 1, "thread": [1, 5], "return": 1, "errno": 1, "syscal": 1, "david": 1, "my": [1, 3], "insight": 1, "userdoc": 1, "appendix": 1, "wide": 1, "typic": [1, 7], "vari": [1, 3], "login": [1, 8], "account": 1, "authent": 1, "premis": 1, "fresh": 1, "defaultremot": 1, "openpgp": 1, "compani": 1, "enterpris": [1, 3], "info": [1, 3], "detect": 1, "Will": 1, "log": 1, "convers": [1, 7], "onc": [1, 3], "copi": [1, 3, 7], "modif": [1, 4], "themselv": 1, "usabl": 1, "servic": [1, 3, 4, 8], "uri": 1, "NO": [1, 4], "myremot": 1, "expos": [1, 3], "discoveri": 1, "connect": [1, 5], "protocol": 1, "url": [1, 3], "formerli": 1, "ora": 1, "unnecessari": 1, "still": [1, 5, 8], "previou": 1, "befor": [1, 3], "anonym": 1, "sylabscloud": 1, "sycloud": 1, "product": [1, 3, 4], "correl": 1, "checkpoint": [1, 7], "dmctp": 1, "restart": [1, 3, 8], "mark": 1, "flexibl": 1, "feedback": 1, "warrant": 1, "improv": 1, "overal": 1, "matur": 1, "arrai": 1, "bin": [1, 3, 5, 8], "dmtcp_command": 1, "dmtcp_discover_rm": 1, "dmtcp_launch": 1, "libdmtcp_alloc": 1, "libdmtcp_dl": 1, "libdmtcp_modifi": 1, "env": 1, "welcom": 2, "apptain": [2, 4, 5, 7, 8], "aim": 2, "cover": 2, "configur": [2, 5, 7], "topic": 2, "quickstart": 2, "window": 2, "mac": 2, "migrat": 2, "cgroup": [2, 5, 6], "toml": 2, "ecl": 2, "librari": [2, 3, 7], "capabl": [2, 6], "json": 2, "seccomp": [2, 6], "profil": [2, 3, 5, 8], "remot": [2, 3, 7], "yaml": [2, 7], "dmtcp": 2, "rootless": [2, 3, 6], "monitor": 2, "licens": [2, 3], "earlier": 3, "modern": 3, "metal": 3, "machin": 3, "often": 3, "nest": 3, "anoth": [3, 7, 8], "navig": 3, "done": [3, 8], "easili": 3, "expand": 3, "menu": 3, "left": 3, "200mib": 3, "disk": 3, "compil": 3, "cpu": [3, 5, 6], "memori": [3, 5], "least": [3, 8], "2gb": 3, "ram": 3, "fusermount": 3, "minimum": 3, "18": [3, 8], "1127": 3, "rhel7": 3, "setuid": [3, 7, 8], "bind": [3, 8], "sure": 3, "familiar": 3, "top": [3, 8], "rhel": 3, "unabl": 3, "correctli": 3, "rocm": 3, "suppli": 3, "identifi": [3, 8], "sbin": 3, "parallel": 3, "tmpdir": 3, "apptainer_tmpdir": 3, "wherev": 3, "greatest": 3, "chanc": 3, "layout": 3, "problem": 3, "especi": 3, "select": 3, "fall": 3, "notic": [3, 4, 8], "localstatedir": 3, "solut": 3, "neglig": [3, 4], "1mib": 3, "construct": 3, "area": 3, "mnt": 3, "session": 3, "mountpoint": 3, "combin": [3, 8], "userspac": 3, "aspect": 3, "referenc": 3, "lowerdir": 3, "act": [3, 8], "abl": [3, 6, 8], "upperdir": 3, "merg": 3, "onto": 3, "unsupport": 3, "subuid": [3, 8], "subgid": [3, 8], "xf": 3, "id": [3, 8], "fileserv": 3, "probabl": 3, "don": [3, 8], "layer": 3, "apptainer_cachedir": 3, "variabl": 3, "uniqu": 3, "suffici": 3, "anticip": 3, "concurr": 3, "safe": 3, "overlap": [3, 8], "expect": 3, "posix": 3, "topologi": 3, "exampl": [3, 6, 8], "mdt": 3, "client": 3, "step": [3, 6, 8], "independ": 3, "fetch": 3, "red": 3, "hat": 3, "deriv": [3, 4], "suse": 3, "opensus": 3, "easiest": 3, "curl": [3, 5], "http": [3, 4, 5], "githubusercont": 3, "main": [3, 5], "sh": 3, "few": [3, 8], "aren": 3, "rpm2cpio": 3, "cpio": 3, "pick": 3, "correct": 3, "oldest": 3, "old": [3, 7], "prebuilt": 3, "varieti": 3, "repositori": 3, "dnf": 3, "Then": [3, 5], "x86_64": 3, "immedi": 3, "after": [3, 7], "amd64": 3, "apt": 3, "updat": [3, 7, 8], "wget": 3, "cd": [3, 8], "apptainer_1": 3, "3_amd64": 3, "suid_1": 3, "dpkg": 3, "ppa": 3, "person": 3, "archiv": 3, "arm64": [3, 5], "softwar": [3, 4], "properti": 3, "obtain": [3, 5], "desktop": 3, "skip": 3, "move": [3, 7], "continu": 3, "reloc": 3, "ownership": [3, 8], "enjoi": 3, "assum": 3, "bashrc": 3, "adjust": 3, "upgrad": [3, 7], "debian_packag": 3, "show": [3, 8], "confirm": [3, 8], "troubleshoot": 3, "package_nam": 3, "package_vers": 3, "builddir": 3, "dtrudg": 3, "git": 3, "execprefix": 3, "bindir": 3, "sbindir": 3, "libexecdir": 3, "libexec": [3, 5], "datarootdir": 3, "datadir": 3, "sharedstatedir": 3, "runstatedir": 3, "includedir": 3, "docdir": 3, "infodir": 3, "libdir": 3, "localedir": 3, "mandir": 3, "apptainer_confdir": 3, "plugin_rootdir": 3, "plugin": 3, "apptainer_conf_fil": 3, "apptainer_suid_instal": 3, "storag": 3, "codebas": 3, "ci": 3, "code": [3, 4], "lint": 3, "unit": 3, "e2": 3, "exercis": 3, "larg": [3, 8], "cli": 3, "nc": 3, "starter": [3, 5], "incompat": 3, "contrari": 3, "popular": 3, "misconcept": 3, "maco": 3, "darwin": 3, "fork": 3, "bsd": [3, 4], "vm": 3, "subsystem": 3, "wsl2": 3, "lima": 3, "recent": 3, "tightli": [3, 5], "straightforward": 3, "22": [3, 6], "04": [3, 6], "prompt": 3, "powershel": 3, "enter": 3, "wsl": 3, "app": 3, "ll": 3, "ask": 3, "usernam": [3, 8], "password": 3, "nvidia": 3, "libnvidia": 3, "fssl": 3, "io": 3, "gpgkei": 3, "gpg": 3, "dearmor": 3, "toolkit": 3, "l": 3, "stabl": 3, "sed": 3, "tee": 3, "d": [3, 8], "tensorflow": 3, "latest": 3, "tensorflow_latest": 3, "nvidia_visible_devic": 3, "emul": [3, 8], "________": 3, "_______________": 3, "___": 3, "__": 3, "__________________________________": 3, "____": 3, "_": 3, "great": 3, "python": 3, "nov": 3, "26": 3, "2021": 3, "20": [3, 6], "14": 3, "08": 3, "gcc": 3, "copyright": [3, 4], "credit": 3, "tf": 3, "list_physical_devic": 3, "2022": 3, "03": 3, "25": [3, 5], "42": 3, "672088": 3, "stream_executor": 3, "cuda": 3, "cuda_gpu_executor": 3, "cc": 3, "922": 3, "could": [3, 7], "numa": 3, "bu": 3, "pci": 3, "devic": 3, "0000": 3, "01": 3, "00": 3, "numa_nod": 3, "713295": 3, "713892": 3, "physicaldevic": 3, "physical_devic": 3, "device_typ": 3, "simpler": 3, "homebrew": 3, "manual": [3, 7, 8], "brew": 3, "qemu": 3, "limactl": 3, "templat": 3, "guest": 3, "subject": 4, "claus": 4, "contributor": 4, "project": [4, 7, 8], "establish": 4, "seri": 4, "lf": 4, "llc": 4, "websit": [4, 6], "term": 4, "trademark": 4, "polici": [4, 5], "privaci": 4, "lfproject": 4, "2018": 4, "2023": 4, "inc": 4, "right": 4, "reserv": [4, 8], "2017": 4, "singularitywar": 4, "redistribut": 4, "binari": [4, 8], "met": 4, "retain": 4, "disclaim": 4, "materi": 4, "neither": 4, "holder": 4, "endors": 4, "promot": 4, "prior": [4, 8], "BY": 4, "THE": 4, "AND": 4, "AS": 4, "express": 4, "OR": 4, "impli": 4, "warranti": 4, "BUT": 4, "NOT": 4, "TO": 4, "OF": 4, "merchant": 4, "fit": 4, "FOR": 4, "particular": [4, 7], "IN": 4, "event": 4, "shall": 4, "BE": 4, "liabl": 4, "indirect": 4, "incident": 4, "exemplari": 4, "consequenti": 4, "damag": 4, "procur": 4, "substitut": 4, "profit": 4, "busi": 4, "interrupt": 4, "ON": 4, "theori": 4, "liabil": 4, "contract": 4, "strict": 4, "tort": 4, "aris": 4, "IF": 4, "advis": [4, 8], "SUCH": 4, "collect": 5, "metric": 5, "apptheu": 5, "agent": 5, "prometheu": 5, "consider": 5, "less": [5, 8], "invas": 5, "bring": 5, "too": 5, "much": 5, "itself": [5, 8], "stat": 5, "caller": 5, "trust": 5, "push": 5, "freeli": 5, "interv": 5, "sampl": 5, "manipul": [5, 8], "simpli": [5, 7], "bool": 5, "address": 5, "localhost": 5, "9091": 5, "locahost": 5, "apptheus_build_info": 5, "constant": 5, "label": 5, "revis": 5, "branch": 5, "govers": 5, "goo": 5, "goarch": 5, "gaug": 5, "go1": 5, "21": 5, "284ead0316031c8c08e2081f0468ad83bfb82e20": 5, "tag": 5, "unknown": 5, "go_gc_duration_second": 5, "summari": 5, "paus": 5, "durat": 5, "garbag": 5, "quantil": 5, "75": 5, "go_gc_duration_seconds_sum": 5, "go_gc_duration_seconds_count": 5, "go_goroutin": 5, "goroutin": 5, "13": 5, "go_info": 5, "go": 5, "go_memstats_alloc_byt": 5, "577680": 5, "go_memstats_alloc_bytes_tot": 5, "freed": 5, "counter": 5, "go_memstats_buck_hash_sys_byt": 5, "bucket": 5, "hash": 5, "tabl": 5, "5134": 5, "go_memstats_frees_tot": 5, "free": 5, "go_memstats_gc_sys_byt": 5, "metadata": 5, "563968e": 5, "06": 5, "go_memstats_heap_alloc_byt": 5, "heap": 5, "go_memstats_heap_idle_byt": 5, "wait": 5, "55648e": 5, "go_memstats_heap_inuse_byt": 5, "146304e": 5, "go_memstats_heap_object": 5, "object": 5, "2406": 5, "go_memstats_heap_released_byt": 5, "go_memstats_heap_sys_byt": 5, "702784e": 5, "go_memstats_last_gc_time_second": 5, "sinc": [5, 7], "1970": 5, "last": [5, 8], "go_memstats_lookups_tot": 5, "lookup": [5, 8], "go_memstats_mallocs_tot": 5, "malloc": 5, "go_memstats_mcache_inuse_byt": 5, "mcach": 5, "2400": 5, "go_memstats_mcache_sys_byt": 5, "15600": 5, "go_memstats_mspan_inuse_byt": 5, "mspan": 5, "45528": 5, "go_memstats_mspan_sys_byt": 5, "48888": 5, "go_memstats_next_gc_byt": 5, "next": 5, "place": [5, 7], "194304e": 5, "go_memstats_other_sys_byt": 5, "617626": 5, "go_memstats_stack_inuse_byt": 5, "stack": 5, "491520": 5, "go_memstats_stack_sys_byt": 5, "go_memstats_sys_byt": 5, "44552e": 5, "go_thread": 5, "process_cpu_seconds_tot": 5, "spent": 5, "02": 5, "process_max_fd": 5, "descriptor": 5, "048576e": 5, "process_open_fd": 5, "process_resident_memory_byt": 5, "resid": 5, "1862016e": 5, "07": 5, "process_start_time_second": 5, "unix": 5, "epoch": 5, "70902187483e": 5, "09": 5, "process_virtual_memory_byt": 5, "797275648e": 5, "process_virtual_memory_max_byt": 5, "8446744073709552e": 5, "19": 5, "kei": 6, "harden": 6, "apparmor": 6, "deleg": 6, "el9": 6, "ubuntu": 6, "fedora": 6, "31": 6, "el8": 6, "cpuset": 6, "foundat": 7, "goal": 7, "impact": [7, 8], "experi": 7, "reach": 7, "alreadi": 7, "produc": 7, "messag": 7, "cleanup": 7, "incomplet": 7, "format": [7, 8], "counterpart": 7, "renam": 7, "comment": [7, 8], "content": 7, "around": 7, "care": 7, "wipe": 7, "big": 7, "higher": 7, "risk": [7, 8], "consid": [7, 8], "restor": 7, "uid": 8, "1001": 8, "pro": 8, "con": 8, "support": 8, "addition": 8, "sysctl": 8, "line": 8, "consult": 8, "vendor": 8, "max_usernamespac": 8, "unprivileged_userns_clon": 8, "exploit": 8, "almost": 8, "year": 8, "therefor": 8, "substanti": 8, "reduc": 8, "urgent": 8, "vulner": 8, "announc": 8, "echo": 8, "max_net_namespac": 8, "90": 8, "littl": 8, "begin": 8, "unfortun": 8, "podman": 8, "privatenetwork": 8, "turn": 8, "off": 8, "hostnam": 8, "mkdir": 8, "statu": 8, "systemctl": 8, "reload": 8, "appear": 8, "refer": 8, "assist": 8, "enhanc": 8, "rest": 8, "again": 8, "gid": 8, "unus": 8, "rang": 8, "handl": 8, "With": 8, "extern": 8, "newuidmap": 8, "newgidmap": 8, "real": 8, "vacant": 8, "remap": 8, "understand": 8, "foo": 8, "65536": 8, "useradd": 8, "addus": 8, "glibc": 8, "nss": 8, "switch": 8, "mechan": 8, "ldap": 8, "provis": 8, "larger": 8, "bar": 8, "165536": 8, "sub": 8, "165535": 8, "231071": 8, "confin": 8, "wish": 8, "10000": 8, "pars": 8, "penalti": 8, "benchmark": 8, "shown": 8, "20x": 8, "happen": 8, "100001": 8, "veth": 8, "pair": 8, "implic": 8, "manner": 8, "sensit": 8, "deploi": 8, "arrang": 8, "At": 8, "central": 8, "dave": 8, "4294836224": 8, "32": 8, "subsequ": 8, "faster": 8, "r": 8, "assign": 8, "remain": 8, "uncom": 8, "re": 8}, "objects": {}, "objtypes": {}, "objnames": {}, "titleterms": {"admin": [0, 2], "quick": 0, "start": 0, "architectur": 0, "apptain": [0, 1, 3, 6], "secur": [0, 6], "instal": [0, 3], "configur": [0, 1, 3, 6, 8], "test": [0, 3], "file": [1, 3], "conf": 1, "setuid": 1, "capabl": 1, "loop": 1, "devic": 1, "namespac": [1, 8], "option": [1, 6], "session": 1, "directori": 1, "system": [1, 3], "mount": 1, "bind": 1, "manag": 1, "limit": [1, 3], "contain": 1, "execut": 1, "network": [1, 3, 8], "gpu": [1, 3], "supplement": 1, "filesystem": [1, 3, 8], "cni": 1, "plugin": 1, "extern": 1, "binari": [1, 3], "concurr": 1, "download": 1, "cgroup": 1, "updat": 1, "exampl": 1, "toml": 1, "memori": 1, "cpu": 1, "io": 1, "other": 1, "ecl": 1, "public": 1, "kei": 1, "librari": 1, "nvidia": 1, "cuda": 1, "experiment": 1, "cli": 1, "support": [1, 3, 5], "amd": 1, "radeon": 1, "rocm": 1, "liblist": 1, "format": 1, "json": 1, "seccomp": 1, "profil": 1, "remot": 1, "yaml": 1, "endpoint": 1, "exclus": 1, "insecur": 1, "http": 1, "restor": 1, "pre": [1, 3], "behavior": 1, "addit": 1, "inform": 1, "keyserv": 1, "dmtcp": 1, "guid": 2, "linux": 3, "requir": [3, 5, 8], "non": 3, "standard": 3, "ldconfig": 3, "nix": 3, "guix": 3, "environ": 3, "overlai": 3, "fakeroot": [3, 8], "uid": 3, "gid": 3, "map": [3, 8], "cach": 3, "atom": 3, "renam": 3, "nf": 3, "lustr": 3, "gpf": 3, "panf": 3, "fuse": 3, "base": 3, "unprivileg": 3, "from": [3, 7], "built": 3, "packag": 3, "rpm": 3, "epel": 3, "fedora": 3, "github": 3, "releas": 3, "debian": 3, "ubuntu": 3, "sourc": 3, "relocat": 3, "bash": 3, "complet": 3, "build": 3, "an": 3, "check": 3, "buildcfg": 3, "suit": 3, "window": 3, "mac": 3, "licens": 4, "monitor": 5, "overview": 5, "usag": 5, "runtim": 6, "migrat": 7, "singular": 7, "user": 8, "disabl": 8, "rootless": 8, "featur": 8, "basic": 8, "consider": 8, "config": 8, "ad": 8, "delet": 8, "enabl": 8}, "envversion": {"sphinx.domains.c": 2, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 8, "sphinx.domains.index": 1, "sphinx.domains.javascript": 2, "sphinx.domains.math": 2, "sphinx.domains.python": 3, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx": 57}, "alltitles": {"Admin Quick Start": [[0, "admin-quick-start"]], "Architecture of Apptainer": [[0, "architecture-of-apptainer"]], "Apptainer Security": [[0, "apptainer-security"]], "Installation": [[0, "installation"]], "Configuration": [[0, "configuration"]], "Testing": [[0, "testing"]], "Apptainer Configuration Files": [[1, "apptainer-configuration-files"]], "apptainer.conf": [[1, "apptainer-conf"]], "Setuid and Capabilities": [[1, "setuid-and-capabilities"]], "Loop Devices": [[1, "loop-devices"]], "Namespace Options": [[1, "namespace-options"]], "Configuration Files": [[1, "configuration-files"]], "Session Directory and System Mounts": [[1, "session-directory-and-system-mounts"]], "Bind Mount Management": [[1, "bind-mount-management"]], "Limiting Container Execution": [[1, "limiting-container-execution"]], "Networking Options": [[1, "networking-options"]], "GPU Options": [[1, "gpu-options"]], "Supplemental Filesystems": [[1, "supplemental-filesystems"]], "CNI Configuration and Plugins": [[1, "cni-configuration-and-plugins"]], "External Binaries": [[1, "external-binaries"]], "Concurrent Downloads": [[1, "concurrent-downloads"]], "Cgroups Options": [[1, "cgroups-options"]], "Updating Configuration Options": [[1, "updating-configuration-options"]], "Example": [[1, "example"]], "cgroups.toml": [[1, "cgroups-toml"]], "Examples": [[1, "examples"]], "Limiting memory": [[1, "limiting-memory"]], "Limiting CPU": [[1, "limiting-cpu"]], "Limiting IO": [[1, "limiting-io"]], "Other limits": [[1, "other-limits"]], "ecl.toml": [[1, "ecl-toml"]], "Managing ECL public keys": [[1, "managing-ecl-public-keys"]], "GPU Library Configuration": [[1, "gpu-library-configuration"]], "NVIDIA GPUs / CUDA": [[1, "nvidia-gpus-cuda"]], "Experimental nvidia-container-cli Support": [[1, "experimental-nvidia-container-cli-support"]], "AMD Radeon GPUs / ROCm": [[1, "amd-radeon-gpus-rocm"]], "GPU liblist format": [[1, "gpu-liblist-format"]], "capability.json": [[1, "capability-json"]], "seccomp-profiles": [[1, "seccomp-profiles"]], "remote.yaml": [[1, "remote-yaml"]], "Remote Endpoints": [[1, "remote-endpoints"]], "Exclusive Endpoint": [[1, "exclusive-endpoint"]], "Insecure (HTTP) Endpoints": [[1, "insecure-http-endpoints"]], "Restoring pre-Apptainer library behavior": [[1, "restoring-pre-apptainer-library-behavior"]], "Additional Information": [[1, "additional-information"]], "Keyserver Configuration": [[1, "keyserver-configuration"]], "dmtcp-conf.yaml": [[1, "dmtcp-conf-yaml"]], "Admin Guide": [[2, "admin-guide"]], "Installing Apptainer": [[3, "installing-apptainer"]], "Installation on Linux": [[3, "installation-on-linux"]], "System Requirements": [[3, "system-requirements"]], "Non-standard ldconfig / Nix & Guix Environments": [[3, "non-standard-ldconfig-nix-guix-environments"]], "Filesystem support / limitations": [[3, "filesystem-support-limitations"]], "Overlay support": [[3, "overlay-support"]], "Fakeroot with uid/gid mapping on Network filesystems": [[3, "fakeroot-with-uid-gid-mapping-on-network-filesystems"]], "Apptainer cache / atomic rename": [[3, "apptainer-cache-atomic-rename"]], "NFS": [[3, "nfs"]], "Lustre / GPFS / PanFS": [[3, "lustre-gpfs-panfs"]], "FUSE-based filesystems": [[3, "fuse-based-filesystems"]], "Install unprivileged from pre-built binaries": [[3, "install-unprivileged-from-pre-built-binaries"]], "Install from pre-built packages": [[3, "install-from-pre-built-packages"]], "Install RPM from EPEL or Fedora": [[3, "install-rpm-from-epel-or-fedora"]], "Install from GitHub release RPMs": [[3, "install-from-github-release-rpms"]], "Install Debian packages": [[3, "install-debian-packages"]], "Install Ubuntu packages": [[3, "install-ubuntu-packages"]], "Install from Source": [[3, "install-from-source"]], "Relocatable Installation": [[3, "relocatable-installation"]], "Source bash completion file": [[3, "source-bash-completion-file"]], "Build an RPM": [[3, "build-an-rpm"]], "Build a Debian package": [[3, "build-a-debian-package"]], "Testing & Checking the Build Configuration": [[3, "testing-checking-the-build-configuration"]], "apptainer buildcfg": [[3, "apptainer-buildcfg"]], "Test Suite": [[3, "test-suite"]], "Installation on Windows or Mac": [[3, "installation-on-windows-or-mac"]], "Windows": [[3, "windows"]], "GPU Support": [[3, "gpu-support"]], "Mac": [[3, "mac"]], "License": [[4, "license"]], "Monitoring Support": [[5, "monitoring-support"]], "Overview": [[5, "overview"]], "Requirements": [[5, "requirements"], [8, "requirements"]], "Usage": [[5, "usage"]], "Security in Apptainer": [[6, "security-in-apptainer"]], "Configuration & Runtime Options": [[6, "configuration-runtime-options"]], "Migrating From Singularity": [[7, "migrating-from-singularity"]], "User Namespaces & Fakeroot": [[8, "user-namespaces-fakeroot"]], "User Namespace Requirements": [[8, "user-namespace-requirements"]], "Disabling network namespaces": [[8, "disabling-network-namespaces"]], "\u201cRootless\u201d Fakeroot feature": [[8, "rootless-fakeroot-feature"]], "Basics": [[8, "basics"]], "Filesystem considerations": [[8, "filesystem-considerations"]], "Network configuration": [[8, "network-configuration"]], "Configuration with config fakeroot": [[8, "configuration-with-config-fakeroot"]], "Adding a fakeroot mapping": [[8, "adding-a-fakeroot-mapping"]], "Deleting, disabling, enabling mappings": [[8, "deleting-disabling-enabling-mappings"]]}, "indexentries": {}})
\ No newline at end of file
+Search.setIndex({"docnames": ["admin_quickstart", "configfiles", "index", "installation", "license", "monitoring", "security", "singularity_migration", "user_namespace"], "filenames": ["admin_quickstart.rst", "configfiles.rst", "index.rst", "installation.rst", "license.rst", "monitoring.rst", "security.rst", "singularity_migration.rst", "user_namespace.rst"], "titles": ["Admin Quick Start", "Apptainer Configuration Files", "Admin Guide", "Installing Apptainer", "License", "Monitoring Support", "Security in Apptainer", "Migrating From Singularity", "User Namespaces & Fakeroot"], "terms": {"thi": [0, 1, 2, 3, 4, 5, 7, 8], "give": [0, 1], "an": [0, 1, 7, 8], "overview": [0, 2], "descript": [0, 1], "pointer": [0, 5], "file": [0, 2, 5, 6, 7, 8], "more": [0, 1, 2, 3, 6, 8], "inform": [0, 2, 3, 5, 7], "includ": [0, 1, 3, 4, 8], "altern": [0, 3], "option": [0, 2, 3, 5, 7, 8], "detail": [0, 1, 2, 3, 6, 8], "can": [0, 1, 3, 5, 6, 7, 8], "found": [0, 1, 3], "later": [0, 3], "guid": [0, 1, 3, 6, 7, 8], "i": [0, 1, 3, 4, 5, 6, 7, 8], "design": [0, 5], "allow": [0, 1, 3, 5, 6, 8], "contain": [0, 3, 5, 6, 8], "execut": [0, 3, 6], "thei": [0, 1, 3, 5, 7, 8], "were": [0, 1, 8], "nativ": [0, 1, 3, 5], "program": [0, 1, 3, 8], "script": [0, 3], "host": [0, 1, 3, 8], "system": [0, 2, 5, 6, 7, 8], "No": 0, "daemon": [0, 8], "requir": [0, 1, 2], "build": [0, 1, 5], "run": [0, 1, 3, 6, 8], "model": 0, "compat": [0, 1, 3, 6, 7], "share": [0, 1, 3], "As": [0, 1, 3], "result": [0, 3, 8], "integr": [0, 1, 3], "cluster": [0, 8], "schedul": [0, 1], "univa": 0, "grid": 0, "engin": 0, "torqu": 0, "slurm": 0, "sge": 0, "mani": [0, 1, 3, 8], "other": [0, 2, 3, 4, 5, 6, 8], "simpl": [0, 3, 8], "ani": [0, 1, 3, 4, 7, 8], "command": [0, 1, 3, 8], "all": [0, 1, 3, 4, 6, 7, 8], "standard": 0, "input": 0, "output": [0, 1], "error": [0, 3, 8], "pipe": 0, "ipc": 0, "commun": [0, 1, 7], "pathwai": 0, "us": [0, 1, 2, 3, 4, 5, 6, 8], "local": [0, 1, 3, 5, 7, 8], "ar": [0, 1, 3, 4, 5, 6, 7, 8], "synchron": [0, 8], "applic": [0, 1], "within": [0, 1, 7], "favor": 0, "over": [0, 1], "isol": [0, 1, 3, 8], "approach": [0, 1, 3], "By": [0, 1, 3, 6, 8], "default": [0, 1, 3, 5, 6, 7, 8], "onli": [0, 1, 3, 6, 8], "mount": [0, 3, 8], "user": [0, 1, 2, 3, 5, 6, 7], "namespac": [0, 2, 3, 7], "so": [0, 1, 3, 6, 7, 8], "have": [0, 1, 3, 7, 8], "own": [0, 1, 8], "filesystem": 0, "view": [0, 3], "access": [0, 1, 3, 8], "hardwar": 0, "gpu": [0, 2], "high": 0, "speed": [0, 1, 8], "network": [0, 2], "easi": [0, 3], "doe": [0, 1, 3, 5, 7, 8], "special": [0, 1, 4, 8], "home": [0, 1, 3], "directori": [0, 3, 7, 8], "tmp": [0, 1, 3], "space": [0, 1, 3, 8], "specif": [0, 1, 3, 4], "make": [0, 1, 3, 7, 8], "benefit": 0, "from": [0, 1, 2, 4, 5, 8], "reproduc": [0, 4], "container": [0, 1], "without": [0, 1, 3, 4, 8], "major": [0, 1, 3], "chang": [0, 1, 3, 5, 7, 8], "exist": [0, 1, 3, 5, 8], "workflow": [0, 1, 3], "where": [0, 1, 3, 8], "complet": [0, 1, 8], "import": [0, 1, 2, 3, 7, 8], "addit": [0, 3, 5, 8], "linux": [0, 1, 2, 5, 7, 8], "resourc": [0, 1, 5, 6], "limit": [0, 4, 6], "accomplish": 0, "see": [0, 1, 2, 3, 4, 6, 7, 8], "section": [0, 1, 3, 6, 7, 8], "sourc": [0, 1, 4, 7], "directli": [0, 1, 3], "rpm": [0, 1, 7], "debian": [0, 6, 8], "packag": [0, 1, 7, 8], "download": [0, 3], "pre": [0, 7], "built": [0, 5], "distribut": [0, 1, 3, 4, 8], "mai": [0, 1, 3, 4, 7, 8], "also": [0, 1, 3, 6, 7, 8], "up": [0, 1, 6, 8], "date": 0, "upstream": 0, "version": [0, 1, 3, 5], "github": [0, 1], "To": [0, 1, 3, 5, 6, 8], "follow": [0, 1, 3, 4, 6, 8], "instruct": [0, 2, 3], "md": [0, 1, 3], "method": [0, 1, 3, 8], "discuss": [0, 1, 3, 8], "under": [0, 1, 3, 7], "etc": [0, 1, 3, 6, 7, 8], "your": [0, 1, 3, 7, 8], "prefix": [0, 1, 3, 7], "syconfdir": 0, "you": [0, 1, 3, 7, 8], "mconfig": [0, 3], "In": [0, 1, 3, 5, 7, 8], "set": [0, 1, 3, 6, 8], "find": [0, 1, 3, 7, 8], "them": [0, 1, 3, 6, 8], "usr": [0, 1, 3, 5, 7], "deb": [0, 1, 3, 7], "edit": [0, 5, 8], "config": [0, 1, 3, 7], "global": [0, 1], "root": [0, 1, 3, 5, 6, 7, 8], "manag": [0, 3, 6, 8], "conf": [0, 2, 3, 5, 7, 8], "control": [0, 1, 6], "runtim": [0, 1, 2, 3, 7, 8], "behavior": [0, 7], "head": [0, 3], "small": [0, 5], "alpin": [0, 1, 3], "exec": [0, 1, 3], "docker": [0, 3, 8], "cat": [0, 3, 8], "releas": [0, 1, 5], "3": [0, 1, 3, 4, 5, 8], "9": [0, 3, 5], "2": [0, 1, 3, 5, 8], "about": [0, 1, 2, 3, 5, 7], "how": [0, 1, 2, 3, 6, 7, 8], "administr": [1, 2, 3, 5, 6, 7, 8], "variou": [1, 3], "let": 1, "secur": [1, 2, 3, 5, 7, 8], "restrict": [1, 3, 6, 8], "when": [1, 3, 5, 6, 7, 8], "instal": [1, 2, 7, 8], "across": [1, 3], "though": [1, 3, 8], "locat": [1, 3, 7], "differ": [1, 3, 8], "base": [1, 6, 7, 8], "pass": [1, 7], "dure": [1, 3, 7, 8], "For": [1, 3, 4, 6, 8], "describ": [1, 8], "paramet": [1, 6, 7, 8], "most": [1, 3, 8], "defin": [1, 3, 8], "entir": 1, "influenc": 1, "function": [1, 3, 8], "measur": 1, "must": [1, 3, 4, 8], "writabl": [1, 3, 8], "refus": 1, "case": [1, 3, 5, 7, 8], "non": [1, 6, 8], "ever": 1, "privileg": [1, 3, 5, 8], "thu": 1, "do": [1, 3, 8], "The": [1, 3, 7, 8], "via": [1, 3, 5, 8], "list": [1, 3, 4, 5, 6], "below": [1, 3, 8], "group": [1, 3, 8], "togeth": [1, 3], "relev": 1, "actual": [1, 8], "order": [1, 3, 8], "featur": [1, 2, 3, 5], "need": [1, 3, 5, 7, 8], "some": [1, 3, 8], "call": [1, 3, 8], "achiev": 1, "helper": 1, "bit": [1, 8], "enabl": [1, 3, 5, 6, 7], "disabl": [1, 2, 3], "abil": [1, 8], "util": [1, 3, 8], "ye": [1, 5, 8], "suid": [1, 3, 5, 7, 8], "which": [1, 3, 5, 7, 8], "kept": 1, "known": 1, "mode": [1, 3, 8], "full": [1, 3], "maintain": [1, 3], "same": [1, 3, 7, 8], "keep": 1, "priv": 1, "grant": [1, 6, 8], "individu": 1, "launch": 1, "through": [1, 3, 8], "add": [1, 3, 8], "cap": 1, "drop": 1, "flag": [1, 3, 6], "pleas": [1, 3, 6, 7, 8], "facilit": 1, "sif": [1, 3, 6, 8], "imag": [1, 3], "max": 1, "admin": 1, "total": [1, 5], "number": [1, 3, 5, 8], "consum": 1, "given": 1, "time": [1, 3, 5, 8], "singl": [1, 3], "minim": [1, 7, 8], "usag": [1, 2, 3, 6], "help": [1, 3, 5, 7], "optim": 1, "kernel": [1, 3, 8], "cach": 1, "particularli": 1, "mpi": 1, "job": 1, "pid": [1, 6], "n": 1, "determin": 1, "leverag": 1, "confus": 1, "process": [1, 3, 5, 8], "track": 1, "well": [1, 3], "implement": [1, 3], "automat": [1, 3, 7, 8], "creat": [1, 3, 5, 8], "modifi": [1, 7], "sever": [1, 3, 5], "eas": 1, "These": 1, "effect": 1, "overlai": [1, 8], "underlai": 1, "passwd": 1, "should": [1, 3, 5, 7], "append": 1, "entri": [1, 3, 8], "": [1, 3, 5, 6, 8], "resolv_conf": 1, "resolv": 1, "sessiondir": [1, 3], "size": [1, 3, 5, 8], "temporari": [1, 3], "assembl": 1, "compon": [1, 7, 8], "hold": [1, 3], "written": [1, 4], "tmpf": [1, 3], "plu": 1, "valu": [1, 5, 8], "64mib": 1, "If": [1, 3, 7, 8], "commonli": [1, 8], "increas": 1, "accommod": 1, "grow": 1, "specifi": [1, 8], "maximum": [1, 3, 5], "alloc": [1, 5, 8], "ahead": 1, "proc": 1, "sy": [1, 3], "dev": 1, "want": [1, 3, 7, 8], "tree": [1, 3], "null": 1, "zero": [1, 8], "random": 1, "urandom": 1, "shm": 1, "devpt": 1, "new": [1, 3, 5, 7, 8], "instanc": [1, 3], "explain": 1, "abov": [1, 3, 4, 6, 8], "either": [1, 3, 7], "config_devpts_multiple_inst": 1, "y": [1, 3], "newer": [1, 6], "than": [1, 8], "4": [1, 3, 5, 8], "7": [1, 5], "attempt": [1, 3, 8], "var": [1, 3], "both": [1, 3], "workdir": 1, "hostf": 1, "caus": [1, 4, 7], "probe": 1, "those": [1, 3, 6, 8], "slave": 1, "hand": 1, "propag": 1, "autof": 1, "occur": [1, 3], "reflect": 1, "f": 1, "type": [1, 3, 5, 8], "choos": 1, "primarili": [1, 3], "like": [1, 3, 7, 8], "crai": 1, "cle": 1, "5": [1, 3, 5, 8], "6": 1, "0": [1, 3, 5, 8], "up05": 1, "issu": [1, 3, 7], "panic": 1, "affect": [1, 3, 8], "recommend": [1, 3, 7, 8], "ramf": 1, "avoid": [1, 3, 5], "path": [1, 3, 5, 8], "made": [1, 3, 8], "avail": [1, 3, 5, 8], "successfulli": 1, "ignor": 1, "invok": 1, "point": [1, 3, 8], "destin": 1, "ident": [1, 7], "localtim": 1, "Or": 1, "colon": 1, "nsswitch": 1, "decid": [1, 7], "mean": [1, 3, 7], "scratch": 1, "reason": 1, "desir": 1, "who": [1, 6], "primari": [1, 3], "motiv": 1, "past": 1, "wa": [1, 5], "prevent": [1, 7], "untrust": 1, "potenti": 1, "attack": 1, "driver": [1, 3], "howev": [1, 3, 4, 7], "longer": [1, 8], "never": 1, "been": [1, 3, 7, 8], "squashf": 1, "But": 1, "provid": [1, 3, 4, 5, 8], "purpos": [1, 4], "here": [1, 6, 8], "direct": [1, 4, 8], "unprivileg": [1, 8], "appli": [1, 6, 7], "possibl": [1, 3, 4, 6, 8], "creation": [1, 3, 8], "reli": [1, 8], "its": [1, 3, 4, 7, 8], "fakeroot": [1, 2, 7], "There": [1, 3, 8], "wai": [1, 3, 4, 5, 8], "stricter": 1, "check": [1, 8], "out": [1, 4, 7], "owner": 1, "permit": [1, 4, 8], "deni": [1, 3], "unencrypt": 1, "encrypt": 1, "bare": [1, 3], "e": [1, 3, 5, 7, 8], "g": [1, 3, 7], "singular": [1, 2], "x": 1, "extf": [1, 3], "dir": [1, 3], "sandbox": [1, 3], "mapper": 1, "gocryptf": 1, "fuse": [1, 8], "instead": [1, 3, 7, 8], "insid": [1, 3, 5, 8], "outsid": [1, 8], "squashfuse_l": 1, "iflimit": 1, "activ": [1, 8], "treat": 1, "otherwis": [1, 4, 8], "ext3": [1, 3], "ext4": [1, 3], "fuse2f": 1, "virtual": [1, 3, 5], "unrestrict": 1, "certain": [1, 3], "disrupt": 1, "environ": [1, 5], "net": [1, 8], "administ": [1, 8], "except": [1, 7], "40_fakeroot": [1, 8], "conflist": [1, 8], "name": [1, 3, 4, 7, 8], "workload": 1, "seamlessli": 1, "checkout": 1, "alwai": [1, 3], "nv": [1, 3], "everi": 1, "action": 1, "shell": [1, 3, 8], "implicitli": 1, "ad": 1, "fusemount": 1, "tri": 1, "doesn": [1, 3, 8], "t": [1, 3, 8], "work": [1, 2, 3, 8], "overlayf": [1, 3, 8], "A": [1, 3, 4, 5, 8], "try": [1, 8], "obsolet": 1, "equival": 1, "miss": [1, 3, 8], "nor": [1, 4], "note": [1, 3, 7], "prefer": [1, 5, 8], "overrid": 1, "current": [1, 3, 5, 8], "deprec": 1, "remov": [1, 3, 7, 8], "futur": 1, "becaus": [1, 3, 5, 7], "complic": 1, "perform": [1, 3, 7, 8], "similar": [1, 7], "custom": [1, 3, 5], "replac": [1, 3], "whenev": [1, 3, 8], "isn": 1, "veri": 1, "basic": [1, 3], "flow": 1, "pull": [1, 3], "multipl": [1, 3, 8], "part": [1, 7, 8], "v": 1, "stream": 1, "gener": [1, 3, 8], "appropri": [1, 8], "api": 1, "registri": 1, "tune": 1, "condit": [1, 4], "server": [1, 3], "cloud": 1, "each": [1, 3, 8], "byte": [1, 5], "buffer": 1, "transfer": 1, "systemd": [1, 6, 8], "whether": [1, 4, 5], "v2": [1, 6], "cgroupf": 1, "ha": [1, 3, 7, 8], "get": [1, 3], "reset": 1, "unset": 1, "It": [1, 3, 7, 8], "elev": 1, "we": [1, 3, 7, 8], "first": [1, 3, 5, 6, 8], "our": 1, "sudo": [1, 3, 5, 8], "now": [1, 8], "verifi": [1, 5, 7], "And": 1, "back": [1, 3, 8], "origin": [1, 3, 8], "test": [1, 2], "what": [1, 8], "would": [1, 3], "look": [1, 8], "dry": 1, "conjunct": 1, "write": [1, 3], "had": 1, "string": 1, "undefin": 1, "attach": 1, "respect": [1, 7], "dest": 1, "did": 1, "meter": 1, "rate": 1, "block": [1, 8], "node": [1, 3, 8], "two": [1, 3, 8], "common": [1, 3], "v1": [1, 3, 6], "separ": [1, 3, 7], "hierarchi": 1, "per": 1, "class": 1, "unifi": 1, "simplifi": 1, "structur": [1, 3, 5], "document": [1, 3, 4, 6, 7, 8], "www": 1, "org": [1, 4], "doc": [1, 3], "txt": 1, "repres": 1, "oci": [1, 3], "spec": 1, "com": [1, 3], "opencontain": 1, "blob": 1, "master": 1, "On": [1, 3, 6], "translat": 1, "ebpf": 1, "request": [1, 8], "take": [1, 5, 7, 8], "my_contain": 1, "amount": [1, 5], "500mb": 1, "524288000": 1, "start": [1, 3, 5, 8], "strategi": 1, "correspond": [1, 7], "ratio": 1, "versu": 1, "usual": 1, "1024": 1, "That": [1, 7], "50": 1, "512": 1, "enough": 1, "idl": 1, "cycl": [1, 5], "due": [1, 8], "conserv": 1, "natur": 1, "even": [1, 3, 4, 5, 8], "conflict": [1, 3], "quota": 1, "period": 1, "enforc": [1, 6], "hard": 1, "100m": 1, "100000u": 1, "20m": 1, "100000": [1, 8], "20000": 1, "mem": 1, "core": 1, "associ": 1, "field": 1, "1": [1, 3, 5, 8], "o": [1, 3, 5, 6], "compet": 1, "blockio": 1, "weight": 1, "1000": [1, 3, 8], "leafweight": 1, "accept": 1, "between": [1, 8], "10": [1, 3], "until": 1, "unless": 1, "overridden": 1, "rule": [1, 6], "relat": [1, 3], "heavili": 1, "weigh": 1, "task": [1, 8], "while": [1, 3, 7], "child": 1, "minor": 1, "loop0": 1, "loop1": 1, "weightdevic": 1, "100": 1, "read": [1, 3, 5], "absolut": 1, "16mb": 1, "second": [1, 5], "throttlereadbpsdevic": 1, "16777216": 1, "throttlewritebpsdevic": 1, "valid": 1, "constraint": [1, 7], "rather": [1, 8], "sign": [1, 3, 6], "author": [1, 6], "against": 1, "entiti": 1, "lock": 1, "down": [1, 8], "fulli": 1, "execgroup": 1, "tagnam": 1, "group2": 1, "whitelist": 1, "dirpath": 1, "keyfp": 1, "7064b1d6eff01b1262fed3f03581d99fe87eafd1": 1, "mention": 1, "three": 1, "whitestrict": 1, "long": [1, 3, 6], "one": [1, 3, 8], "blacklist": 1, "whose": 1, "older": [1, 3], "temporarili": [1, 8], "legaci": [1, 3], "signatur": [1, 6], "legacyinsecur": 1, "true": [1, 8], "keyr": [1, 3], "verif": 1, "export": 1, "privat": [1, 3, 8], "store": [1, 3, 7], "sysconfdir": [1, 3], "pgp": 1, "properli": 1, "inject": 1, "match": [1, 8], "opencl": 1, "depend": [1, 3, 8], "comput": [1, 3], "framework": 1, "nvliblist": 1, "suitabl": 1, "11": [1, 3, 6, 8], "further": 1, "filenam": 1, "xxxx": 1, "form": [1, 4, 8], "ldconfig": 1, "p": [1, 8], "exectu": 1, "search": 1, "tool": [1, 3, 5], "offici": 1, "target": [1, 3], "nvccli": [1, 3], "setup": [1, 3, 8], "cannot": [1, 3, 8], "oper": [1, 3, 8], "broadli": 1, "carri": 1, "rocmliblist": 1, "rocmlist": 1, "basenam": 1, "bound": [1, 5], "put": [1, 3], "ensur": [1, 8], "permiss": [1, 3, 4, 5], "exclud": 1, "smi": 1, "rocminfo": 1, "libnam": 1, "lib": [1, 3, 8], "end": [1, 3], "libamd_comgr": 1, "libcomgr": 1, "libcxlactivitylogg": 1, "receiv": 1, "warn": 1, "ld": 1, "extrem": 1, "recogn": 1, "level": 1, "break": 1, "becom": [1, 8], "toward": 1, "architectur": [1, 2, 3], "develop": [1, 3, 5], "might": [1, 3, 8], "surfac": 1, "normal": [1, 3, 8], "good": [1, 4], "multi": 1, "tenant": 1, "hpc": 1, "better": [1, 3], "revok": [1, 6], "basi": 1, "u": 1, "suppos": 1, "pinger": 1, "open": [1, 3, 5], "raw": [1, 3], "socket": 1, "ping": 1, "cap_net_raw": 1, "just": 1, "advantag": [1, 8], "sylab": [1, 3, 4], "ubuntu_p": 1, "c": [1, 3, 4], "8": [1, 3, 8], "56": 1, "84": 1, "data": [1, 4], "64": 1, "icmp_seq": 1, "ttl": 1, "52": 1, "73": 1, "m": 1, "statist": 1, "packet": 1, "transmit": 1, "loss": [1, 4], "0m": 1, "rtt": 1, "min": 1, "avg": 1, "mdev": 1, "178": 1, "000": 1, "necessari": [1, 8], "fail": 1, "subcommand": 1, "insensit": 1, "keyword": 1, "man": [1, 3, 8], "page": [1, 3, 8], "filter": 1, "being": [1, 7, 8], "alon": 1, "smaller": 1, "defaultact": 1, "scmp_act_allow": 1, "scmp_act_errno": 1, "thread": [1, 5], "return": 1, "errno": 1, "syscal": 1, "david": 1, "my": [1, 3], "insight": 1, "userdoc": 1, "appendix": 1, "wide": 1, "typic": [1, 7], "vari": [1, 3], "login": [1, 8], "account": 1, "authent": 1, "premis": 1, "fresh": 1, "defaultremot": 1, "openpgp": 1, "compani": 1, "enterpris": [1, 3], "info": [1, 3], "detect": 1, "Will": 1, "log": 1, "convers": [1, 7], "onc": [1, 3], "copi": [1, 3, 7], "modif": [1, 4], "themselv": 1, "usabl": 1, "servic": [1, 3, 4, 8], "uri": 1, "NO": [1, 4], "myremot": 1, "expos": [1, 3], "discoveri": 1, "connect": [1, 5], "protocol": 1, "url": [1, 3], "formerli": 1, "ora": 1, "unnecessari": 1, "still": [1, 5, 8], "previou": 1, "befor": [1, 3], "anonym": 1, "sylabscloud": 1, "sycloud": 1, "product": [1, 3, 4], "correl": 1, "checkpoint": [1, 7], "dmctp": 1, "restart": [1, 3, 8], "mark": 1, "flexibl": 1, "feedback": 1, "warrant": 1, "improv": 1, "overal": 1, "matur": 1, "arrai": 1, "bin": [1, 3, 5, 8], "dmtcp_command": 1, "dmtcp_discover_rm": 1, "dmtcp_launch": 1, "libdmtcp_alloc": 1, "libdmtcp_dl": 1, "libdmtcp_modifi": 1, "env": 1, "welcom": 2, "apptain": [2, 4, 5, 7, 8], "aim": 2, "cover": 2, "configur": [2, 5, 7], "topic": 2, "quickstart": 2, "window": 2, "mac": 2, "migrat": 2, "cgroup": [2, 5, 6], "toml": 2, "ecl": 2, "librari": [2, 3, 7], "capabl": [2, 6], "json": 2, "seccomp": [2, 6], "profil": [2, 3, 5, 8], "remot": [2, 3, 7], "yaml": [2, 7], "dmtcp": 2, "rootless": [2, 3, 6], "monitor": 2, "licens": [2, 3], "earlier": 3, "modern": 3, "metal": 3, "machin": 3, "often": 3, "nest": 3, "anoth": [3, 7, 8], "navig": 3, "done": [3, 8], "easili": 3, "expand": 3, "menu": 3, "left": 3, "200mib": 3, "disk": 3, "compil": 3, "cpu": [3, 5, 6], "memori": [3, 5, 6], "least": [3, 8], "2gb": 3, "ram": 3, "fusermount": 3, "minimum": 3, "18": [3, 8], "1127": 3, "rhel7": 3, "setuid": [3, 7, 8], "bind": [3, 8], "sure": 3, "familiar": 3, "top": [3, 8], "rhel": 3, "unabl": 3, "correctli": 3, "rocm": 3, "suppli": 3, "identifi": [3, 8], "sbin": 3, "parallel": 3, "tmpdir": 3, "apptainer_tmpdir": 3, "wherev": 3, "greatest": 3, "chanc": 3, "layout": 3, "problem": 3, "especi": 3, "select": 3, "fall": 3, "notic": [3, 4, 8], "localstatedir": 3, "solut": 3, "neglig": [3, 4], "1mib": 3, "construct": 3, "area": 3, "mnt": 3, "session": 3, "mountpoint": 3, "combin": [3, 8], "userspac": 3, "aspect": [3, 6], "referenc": 3, "lowerdir": 3, "act": [3, 8], "abl": [3, 6, 8], "upperdir": 3, "merg": 3, "onto": 3, "unsupport": 3, "subuid": [3, 8], "subgid": [3, 8], "xf": 3, "id": [3, 8], "fileserv": 3, "probabl": 3, "don": [3, 8], "layer": 3, "apptainer_cachedir": 3, "variabl": 3, "uniqu": 3, "suffici": 3, "anticip": 3, "concurr": 3, "safe": 3, "overlap": [3, 8], "expect": 3, "posix": 3, "topologi": 3, "exampl": [3, 6, 8], "mdt": 3, "client": 3, "step": [3, 6, 8], "independ": 3, "fetch": 3, "red": 3, "hat": 3, "deriv": [3, 4], "suse": 3, "opensus": 3, "easiest": 3, "curl": [3, 5], "http": [3, 4, 5], "githubusercont": 3, "main": [3, 5], "sh": 3, "few": [3, 8], "aren": 3, "rpm2cpio": 3, "cpio": 3, "pick": 3, "correct": 3, "oldest": 3, "old": [3, 7], "prebuilt": 3, "varieti": 3, "repositori": 3, "dnf": 3, "Then": [3, 5], "x86_64": 3, "immedi": 3, "after": [3, 7], "amd64": 3, "apt": 3, "updat": [3, 7, 8], "wget": 3, "cd": [3, 8], "apptainer_1": 3, "3_amd64": 3, "suid_1": 3, "dpkg": 3, "ppa": 3, "person": 3, "archiv": 3, "arm64": [3, 5], "softwar": [3, 4], "properti": 3, "obtain": [3, 5], "desktop": 3, "skip": 3, "move": [3, 7], "continu": 3, "reloc": 3, "ownership": [3, 8], "enjoi": 3, "assum": 3, "bashrc": 3, "adjust": 3, "upgrad": [3, 7], "debian_packag": 3, "show": [3, 8], "confirm": [3, 8], "troubleshoot": 3, "package_nam": 3, "package_vers": 3, "builddir": 3, "dtrudg": 3, "git": 3, "execprefix": 3, "bindir": 3, "sbindir": 3, "libexecdir": 3, "libexec": [3, 5], "datarootdir": 3, "datadir": 3, "sharedstatedir": 3, "runstatedir": 3, "includedir": 3, "docdir": 3, "infodir": 3, "libdir": 3, "localedir": 3, "mandir": 3, "apptainer_confdir": 3, "plugin_rootdir": 3, "plugin": 3, "apptainer_conf_fil": 3, "apptainer_suid_instal": 3, "storag": 3, "codebas": 3, "ci": 3, "code": [3, 4], "lint": 3, "unit": 3, "e2": 3, "exercis": 3, "larg": [3, 8], "cli": 3, "nc": 3, "starter": [3, 5], "incompat": 3, "contrari": 3, "popular": 3, "misconcept": 3, "maco": 3, "darwin": 3, "fork": 3, "bsd": [3, 4], "vm": 3, "subsystem": 3, "wsl2": 3, "lima": 3, "recent": 3, "tightli": [3, 5], "straightforward": 3, "22": [3, 6], "04": [3, 6], "prompt": 3, "powershel": 3, "enter": 3, "wsl": 3, "app": 3, "ll": 3, "ask": 3, "usernam": [3, 8], "password": 3, "nvidia": 3, "libnvidia": 3, "fssl": 3, "io": 3, "gpgkei": 3, "gpg": 3, "dearmor": 3, "toolkit": 3, "l": 3, "stabl": 3, "sed": 3, "tee": 3, "d": [3, 8], "tensorflow": 3, "latest": 3, "tensorflow_latest": 3, "nvidia_visible_devic": 3, "emul": [3, 8], "________": 3, "_______________": 3, "___": 3, "__": 3, "__________________________________": 3, "____": 3, "_": 3, "great": 3, "python": 3, "nov": 3, "26": 3, "2021": 3, "20": [3, 6], "14": 3, "08": 3, "gcc": 3, "copyright": [3, 4], "credit": 3, "tf": 3, "list_physical_devic": 3, "2022": 3, "03": 3, "25": [3, 5], "42": 3, "672088": 3, "stream_executor": 3, "cuda": 3, "cuda_gpu_executor": 3, "cc": 3, "922": 3, "could": [3, 7], "numa": 3, "bu": 3, "pci": 3, "devic": 3, "0000": 3, "01": 3, "00": 3, "numa_nod": 3, "713295": 3, "713892": 3, "physicaldevic": 3, "physical_devic": 3, "device_typ": 3, "simpler": 3, "homebrew": 3, "manual": [3, 7, 8], "brew": 3, "qemu": 3, "limactl": 3, "templat": 3, "guest": 3, "subject": 4, "claus": 4, "contributor": 4, "project": [4, 7, 8], "establish": 4, "seri": 4, "lf": 4, "llc": 4, "websit": [4, 6], "term": 4, "trademark": 4, "polici": [4, 5], "privaci": 4, "lfproject": 4, "2018": 4, "2023": 4, "inc": 4, "right": 4, "reserv": [4, 8], "2017": 4, "singularitywar": 4, "redistribut": 4, "binari": [4, 8], "met": 4, "retain": 4, "disclaim": 4, "materi": 4, "neither": 4, "holder": 4, "endors": 4, "promot": 4, "prior": [4, 8], "BY": 4, "THE": 4, "AND": 4, "AS": 4, "express": 4, "OR": 4, "impli": 4, "warranti": 4, "BUT": 4, "NOT": 4, "TO": 4, "OF": 4, "merchant": 4, "fit": 4, "FOR": 4, "particular": [4, 7], "IN": 4, "event": 4, "shall": 4, "BE": 4, "liabl": 4, "indirect": 4, "incident": 4, "exemplari": 4, "consequenti": 4, "damag": 4, "procur": 4, "substitut": 4, "profit": 4, "busi": 4, "interrupt": 4, "ON": 4, "theori": 4, "liabil": 4, "contract": 4, "strict": 4, "tort": 4, "aris": 4, "IF": 4, "advis": [4, 8], "SUCH": 4, "collect": 5, "metric": 5, "apptheu": 5, "agent": 5, "prometheu": 5, "consider": 5, "less": [5, 8], "invas": 5, "bring": 5, "too": 5, "much": 5, "itself": [5, 8], "stat": 5, "caller": 5, "trust": 5, "push": 5, "freeli": 5, "interv": 5, "sampl": 5, "manipul": [5, 8], "simpli": [5, 7], "bool": 5, "address": 5, "localhost": 5, "9091": 5, "locahost": 5, "apptheus_build_info": 5, "constant": 5, "label": 5, "revis": 5, "branch": 5, "govers": 5, "goo": 5, "goarch": 5, "gaug": 5, "go1": 5, "21": 5, "284ead0316031c8c08e2081f0468ad83bfb82e20": 5, "tag": 5, "unknown": 5, "go_gc_duration_second": 5, "summari": 5, "paus": 5, "durat": 5, "garbag": 5, "quantil": 5, "75": 5, "go_gc_duration_seconds_sum": 5, "go_gc_duration_seconds_count": 5, "go_goroutin": 5, "goroutin": 5, "13": 5, "go_info": 5, "go": 5, "go_memstats_alloc_byt": 5, "577680": 5, "go_memstats_alloc_bytes_tot": 5, "freed": 5, "counter": 5, "go_memstats_buck_hash_sys_byt": 5, "bucket": 5, "hash": 5, "tabl": 5, "5134": 5, "go_memstats_frees_tot": 5, "free": 5, "go_memstats_gc_sys_byt": 5, "metadata": 5, "563968e": 5, "06": 5, "go_memstats_heap_alloc_byt": 5, "heap": 5, "go_memstats_heap_idle_byt": 5, "wait": 5, "55648e": 5, "go_memstats_heap_inuse_byt": 5, "146304e": 5, "go_memstats_heap_object": 5, "object": 5, "2406": 5, "go_memstats_heap_released_byt": 5, "go_memstats_heap_sys_byt": 5, "702784e": 5, "go_memstats_last_gc_time_second": 5, "sinc": [5, 7], "1970": 5, "last": [5, 8], "go_memstats_lookups_tot": 5, "lookup": [5, 8], "go_memstats_mallocs_tot": 5, "malloc": 5, "go_memstats_mcache_inuse_byt": 5, "mcach": 5, "2400": 5, "go_memstats_mcache_sys_byt": 5, "15600": 5, "go_memstats_mspan_inuse_byt": 5, "mspan": 5, "45528": 5, "go_memstats_mspan_sys_byt": 5, "48888": 5, "go_memstats_next_gc_byt": 5, "next": 5, "place": [5, 7], "194304e": 5, "go_memstats_other_sys_byt": 5, "617626": 5, "go_memstats_stack_inuse_byt": 5, "stack": 5, "491520": 5, "go_memstats_stack_sys_byt": 5, "go_memstats_sys_byt": 5, "44552e": 5, "go_thread": 5, "process_cpu_seconds_tot": 5, "spent": 5, "02": 5, "process_max_fd": 5, "descriptor": 5, "048576e": 5, "process_open_fd": 5, "process_resident_memory_byt": 5, "resid": 5, "1862016e": 5, "07": 5, "process_start_time_second": 5, "unix": 5, "epoch": 5, "70902187483e": 5, "09": 5, "process_virtual_memory_byt": 5, "797275648e": 5, "process_virtual_memory_max_byt": 5, "8446744073709552e": 5, "19": 5, "kei": 6, "harden": 6, "apparmor": 6, "deleg": 6, "el9": 6, "ubuntu": 6, "fedora": 6, "31": 6, "cpuset": 6, "el8": 6, "foundat": 7, "goal": 7, "impact": [7, 8], "experi": 7, "reach": 7, "alreadi": 7, "produc": 7, "messag": 7, "cleanup": 7, "incomplet": 7, "format": [7, 8], "counterpart": 7, "renam": 7, "comment": [7, 8], "content": 7, "around": 7, "care": 7, "wipe": 7, "big": 7, "higher": 7, "risk": [7, 8], "consid": [7, 8], "restor": 7, "uid": 8, "1001": 8, "pro": 8, "con": 8, "support": 8, "addition": 8, "sysctl": 8, "line": 8, "consult": 8, "vendor": 8, "max_usernamespac": 8, "unprivileged_userns_clon": 8, "exploit": 8, "almost": 8, "year": 8, "therefor": 8, "substanti": 8, "reduc": 8, "urgent": 8, "vulner": 8, "announc": 8, "echo": 8, "max_net_namespac": 8, "90": 8, "littl": 8, "begin": 8, "unfortun": 8, "podman": 8, "privatenetwork": 8, "turn": 8, "off": 8, "hostnam": 8, "mkdir": 8, "statu": 8, "systemctl": 8, "reload": 8, "appear": 8, "refer": 8, "assist": 8, "enhanc": 8, "rest": 8, "again": 8, "gid": 8, "unus": 8, "rang": 8, "handl": 8, "With": 8, "extern": 8, "newuidmap": 8, "newgidmap": 8, "real": 8, "vacant": 8, "remap": 8, "understand": 8, "foo": 8, "65536": 8, "useradd": 8, "addus": 8, "glibc": 8, "nss": 8, "switch": 8, "mechan": 8, "ldap": 8, "provis": 8, "larger": 8, "bar": 8, "165536": 8, "sub": 8, "165535": 8, "231071": 8, "confin": 8, "wish": 8, "10000": 8, "pars": 8, "penalti": 8, "benchmark": 8, "shown": 8, "20x": 8, "happen": 8, "100001": 8, "veth": 8, "pair": 8, "implic": 8, "manner": 8, "sensit": 8, "deploi": 8, "arrang": 8, "At": 8, "central": 8, "dave": 8, "4294836224": 8, "32": 8, "subsequ": 8, "faster": 8, "r": 8, "assign": 8, "remain": 8, "uncom": 8, "re": 8}, "objects": {}, "objtypes": {}, "objnames": {}, "titleterms": {"admin": [0, 2], "quick": 0, "start": 0, "architectur": 0, "apptain": [0, 1, 3, 6], "secur": [0, 6], "instal": [0, 3], "configur": [0, 1, 3, 6, 8], "test": [0, 3], "file": [1, 3], "conf": 1, "setuid": 1, "capabl": 1, "loop": 1, "devic": 1, "namespac": [1, 8], "option": [1, 6], "session": 1, "directori": 1, "system": [1, 3], "mount": 1, "bind": 1, "manag": 1, "limit": [1, 3], "contain": 1, "execut": 1, "network": [1, 3, 8], "gpu": [1, 3], "supplement": 1, "filesystem": [1, 3, 8], "cni": 1, "plugin": 1, "extern": 1, "binari": [1, 3], "concurr": 1, "download": 1, "cgroup": 1, "updat": 1, "exampl": 1, "toml": 1, "memori": 1, "cpu": 1, "io": 1, "other": 1, "ecl": 1, "public": 1, "kei": 1, "librari": 1, "nvidia": 1, "cuda": 1, "experiment": 1, "cli": 1, "support": [1, 3, 5], "amd": 1, "radeon": 1, "rocm": 1, "liblist": 1, "format": 1, "json": 1, "seccomp": 1, "profil": 1, "remot": 1, "yaml": 1, "endpoint": 1, "exclus": 1, "insecur": 1, "http": 1, "restor": 1, "pre": [1, 3], "behavior": 1, "addit": 1, "inform": 1, "keyserv": 1, "dmtcp": 1, "guid": 2, "linux": 3, "requir": [3, 5, 8], "non": 3, "standard": 3, "ldconfig": 3, "nix": 3, "guix": 3, "environ": 3, "overlai": 3, "fakeroot": [3, 8], "uid": 3, "gid": 3, "map": [3, 8], "cach": 3, "atom": 3, "renam": 3, "nf": 3, "lustr": 3, "gpf": 3, "panf": 3, "fuse": 3, "base": 3, "unprivileg": 3, "from": [3, 7], "built": 3, "packag": 3, "rpm": 3, "epel": 3, "fedora": 3, "github": 3, "releas": 3, "debian": 3, "ubuntu": 3, "sourc": 3, "relocat": 3, "bash": 3, "complet": 3, "build": 3, "an": 3, "check": 3, "buildcfg": 3, "suit": 3, "window": 3, "mac": 3, "licens": 4, "monitor": 5, "overview": 5, "usag": 5, "runtim": 6, "migrat": 7, "singular": 7, "user": 8, "disabl": 8, "rootless": 8, "featur": 8, "basic": 8, "consider": 8, "config": 8, "ad": 8, "delet": 8, "enabl": 8}, "envversion": {"sphinx.domains.c": 2, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 8, "sphinx.domains.index": 1, "sphinx.domains.javascript": 2, "sphinx.domains.math": 2, "sphinx.domains.python": 3, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx": 57}, "alltitles": {"Admin Quick Start": [[0, "admin-quick-start"]], "Architecture of Apptainer": [[0, "architecture-of-apptainer"]], "Apptainer Security": [[0, "apptainer-security"]], "Installation": [[0, "installation"]], "Configuration": [[0, "configuration"]], "Testing": [[0, "testing"]], "Apptainer Configuration Files": [[1, "apptainer-configuration-files"]], "apptainer.conf": [[1, "apptainer-conf"]], "Setuid and Capabilities": [[1, "setuid-and-capabilities"]], "Loop Devices": [[1, "loop-devices"]], "Namespace Options": [[1, "namespace-options"]], "Configuration Files": [[1, "configuration-files"]], "Session Directory and System Mounts": [[1, "session-directory-and-system-mounts"]], "Bind Mount Management": [[1, "bind-mount-management"]], "Limiting Container Execution": [[1, "limiting-container-execution"]], "Networking Options": [[1, "networking-options"]], "GPU Options": [[1, "gpu-options"]], "Supplemental Filesystems": [[1, "supplemental-filesystems"]], "CNI Configuration and Plugins": [[1, "cni-configuration-and-plugins"]], "External Binaries": [[1, "external-binaries"]], "Concurrent Downloads": [[1, "concurrent-downloads"]], "Cgroups Options": [[1, "cgroups-options"]], "Updating Configuration Options": [[1, "updating-configuration-options"]], "Example": [[1, "example"]], "cgroups.toml": [[1, "cgroups-toml"]], "Examples": [[1, "examples"]], "Limiting memory": [[1, "limiting-memory"]], "Limiting CPU": [[1, "limiting-cpu"]], "Limiting IO": [[1, "limiting-io"]], "Other limits": [[1, "other-limits"]], "ecl.toml": [[1, "ecl-toml"]], "Managing ECL public keys": [[1, "managing-ecl-public-keys"]], "GPU Library Configuration": [[1, "gpu-library-configuration"]], "NVIDIA GPUs / CUDA": [[1, "nvidia-gpus-cuda"]], "Experimental nvidia-container-cli Support": [[1, "experimental-nvidia-container-cli-support"]], "AMD Radeon GPUs / ROCm": [[1, "amd-radeon-gpus-rocm"]], "GPU liblist format": [[1, "gpu-liblist-format"]], "capability.json": [[1, "capability-json"]], "seccomp-profiles": [[1, "seccomp-profiles"]], "remote.yaml": [[1, "remote-yaml"]], "Remote Endpoints": [[1, "remote-endpoints"]], "Exclusive Endpoint": [[1, "exclusive-endpoint"]], "Insecure (HTTP) Endpoints": [[1, "insecure-http-endpoints"]], "Restoring pre-Apptainer library behavior": [[1, "restoring-pre-apptainer-library-behavior"]], "Additional Information": [[1, "additional-information"]], "Keyserver Configuration": [[1, "keyserver-configuration"]], "dmtcp-conf.yaml": [[1, "dmtcp-conf-yaml"]], "Admin Guide": [[2, "admin-guide"]], "Installing Apptainer": [[3, "installing-apptainer"]], "Installation on Linux": [[3, "installation-on-linux"]], "System Requirements": [[3, "system-requirements"]], "Non-standard ldconfig / Nix & Guix Environments": [[3, "non-standard-ldconfig-nix-guix-environments"]], "Filesystem support / limitations": [[3, "filesystem-support-limitations"]], "Overlay support": [[3, "overlay-support"]], "Fakeroot with uid/gid mapping on Network filesystems": [[3, "fakeroot-with-uid-gid-mapping-on-network-filesystems"]], "Apptainer cache / atomic rename": [[3, "apptainer-cache-atomic-rename"]], "NFS": [[3, "nfs"]], "Lustre / GPFS / PanFS": [[3, "lustre-gpfs-panfs"]], "FUSE-based filesystems": [[3, "fuse-based-filesystems"]], "Install unprivileged from pre-built binaries": [[3, "install-unprivileged-from-pre-built-binaries"]], "Install from pre-built packages": [[3, "install-from-pre-built-packages"]], "Install RPM from EPEL or Fedora": [[3, "install-rpm-from-epel-or-fedora"]], "Install from GitHub release RPMs": [[3, "install-from-github-release-rpms"]], "Install Debian packages": [[3, "install-debian-packages"]], "Install Ubuntu packages": [[3, "install-ubuntu-packages"]], "Install from Source": [[3, "install-from-source"]], "Relocatable Installation": [[3, "relocatable-installation"]], "Source bash completion file": [[3, "source-bash-completion-file"]], "Build an RPM": [[3, "build-an-rpm"]], "Build a Debian package": [[3, "build-a-debian-package"]], "Testing & Checking the Build Configuration": [[3, "testing-checking-the-build-configuration"]], "apptainer buildcfg": [[3, "apptainer-buildcfg"]], "Test Suite": [[3, "test-suite"]], "Installation on Windows or Mac": [[3, "installation-on-windows-or-mac"]], "Windows": [[3, "windows"]], "GPU Support": [[3, "gpu-support"]], "Mac": [[3, "mac"]], "License": [[4, "license"]], "Monitoring Support": [[5, "monitoring-support"]], "Overview": [[5, "overview"]], "Requirements": [[5, "requirements"], [8, "requirements"]], "Usage": [[5, "usage"]], "Security in Apptainer": [[6, "security-in-apptainer"]], "Configuration & Runtime Options": [[6, "configuration-runtime-options"]], "Migrating From Singularity": [[7, "migrating-from-singularity"]], "User Namespaces & Fakeroot": [[8, "user-namespaces-fakeroot"]], "User Namespace Requirements": [[8, "user-namespace-requirements"]], "Disabling network namespaces": [[8, "disabling-network-namespaces"]], "\u201cRootless\u201d Fakeroot feature": [[8, "rootless-fakeroot-feature"]], "Basics": [[8, "basics"]], "Filesystem considerations": [[8, "filesystem-considerations"]], "Network configuration": [[8, "network-configuration"]], "Configuration with config fakeroot": [[8, "configuration-with-config-fakeroot"]], "Adding a fakeroot mapping": [[8, "adding-a-fakeroot-mapping"]], "Deleting, disabling, enabling mappings": [[8, "deleting-disabling-enabling-mappings"]]}, "indexentries": {}})
\ No newline at end of file
diff --git a/docs/admin/main/security.html b/docs/admin/main/security.html
index 880ccf9ac..9118d2cae 100644
--- a/docs/admin/main/security.html
+++ b/docs/admin/main/security.html
@@ -111,14 +111,16 @@ Configuration & Runtime Options
-On EL8 and Ubuntu 20.04 it is possible to setup a compatible configuration by
-following the ‘Enabling cgroup v2’ and ‘Enabling CPU, CPUSET, and I/O
-delegation’ steps at the rootless containers website.
+are configured so that non-root users will be able to use the
+--memory-*
and --pids-limit
flags of Apptainer or
+limit those aspects with the --apply-cgroups
flag.
+To enable the other resource limits follow the
+‘Enabling CPU, CPUSET, and I/O delegation’ step at the
+rootless containers website.
+On EL8 and Ubuntu 20.04 it is possible to set up a compatible configuration by
+also following the ‘Enabling cgroup v2’ step at the above website.
See the Limiting Container Resources section of the user guide
for more details of how to apply cgroups limits to containers at runtime.