Hello there! For the past few days, I have been working on snapping Apptainer. Apptainer is the most popular container platform/system for high-performance computing clusters. I have a working snap built; however, to distribute it via the store, I need quite a few things for the snap to be approved. What needs to be approved is broken into the following sections below:
Justification for classic confinement
First, Apptainer needs to be granted permission to be released with classic confinement. This is because the fuse-support interface does not fully support what Apptainer needs. Apptainer needs to be able to mount FUSE file systems outside of SNAP_USER_{DATA,COMMON} and SNAP_{DATA,COMMON}. Apptainer also needs the ability to bind mount directories depending on the end user's use case. Also, Apptainer may need to perform mounts or mount images on or from shared file systems such as GPFS, Lustre, or NFS.
Justification for suid binaries
Second, the Apptainer snap needs to be allowed to ship suid binaries. The currently needed suid binaries are the following:
- newuidmap - Needed so that Apptainer can build container images in fakeroot mode. Apptainer uses newuidmap to create its fakeroot sandbox so that non-root users do not need sudo privileges to build images.
- newgidmap - Needed so that Apptainer can build container images in fakeroot mode. Apptainer uses newuidmap to create its fakeroot sandbox so that non-root users do not need sudo privileges to build images.
- squashfuse - Needed so that Apptainer can mount squashfs archives as FUSE file systems. Apptainer uses squashfs under the hood to create its container images, and then squashfuse is used so that non-root users can mount images without needing sudo privileges.
Justification for aliases
Lastly, the Apptainer snap needs two aliases granted:
- singularity - This alias is needed because the singularity symbolic link is used to provide backwards compatibility to older scripts and programs that still use the original singularity executable to interact with SIF (Singularity Image Format), .img, and squashfs files. Apptainer is an open-source fork of the original Singularity container platform, which has since been split into SingularityCE and SingularityPro.
- run-singularity - Alias to apptainer run [run options…] <container>. This executable is used to provide backwards compatibility to older scripts and programs that use the run-singularity executable to run the %runscript bundled within the Apptainer image. Runscripts are commonly used to perform tasks such as launching Jupyter Server, launching IDEs, running compiled simulations, operating on datasets, etc.
Conclusion
Please let me know if there is any further information required; I look forward to hearing your response. If code auditing is required, you may find my snapcraft.yaml file here: https://github.com/canonical/apptainer/blob/main/snap/snapcraft.yaml