Singularity containers can be isolated from the host environment in various steps.
From the operating system's (aka host's) view, containers are just processes, as all other processes running under the kernel. However, the processes of a container can be constrained and given their own namespaces, so that from their viewpoint they no longer see the same paths (for example) as the other processes.

Fast Containment

Use the '--contain' or '--containall' switches to restrict a container instance as far as possible.

With --contain no paths/file systems from your host will be visible in the container (you can explicitly add some back with --bind ...).

With --containall the container instance will be fully locked down, not seeing any other processes etc.

Mount Namespaces

To limit/enable what a process in a container can see in the filesystem, mount namespaces are used. A container started without bind-mounted file systems might only get a limited view of what is available on the host (which in many cases is intended, e.g. to prevent harm).
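The effect of --contain, --containall and --bind described above is easiest to confirm by comparing what the same script reports from the host and from inside the container. The following verification helper is an added example, not code from this page or from the Singularity project; the script name view_check.sh, the image name my.sif and the marker file name .host_view_marker are assumptions for the example.

```shell
#!/bin/sh
# view_check.sh (constructed example, not part of the page or of Singularity):
# run once on the host and once inside a container, then compare the reports.
#   sh view_check.sh --mark                                  # host: drop marker files
#   sh view_check.sh                                         # host: baseline report
#   singularity exec my.sif sh view_check.sh                 # default: home and /tmp shared
#   singularity exec --contain my.sif sh view_check.sh       # markers hidden
#   singularity exec --containall my.sif sh view_check.sh    # markers hidden, own PID namespace
#   singularity exec --contain --bind /tmp my.sif sh view_check.sh  # /tmp marker visible again

MARKER="${VIEW_MARKER:-.host_view_marker}"   # assumed marker file name

# Create marker files on the host; a container can only see them if the
# corresponding host directory is actually shared or bind-mounted into it.
create_markers() {
    for d in "$@"; do
        [ -d "$d" ] && : > "$d/$MARKER"
    done
    return 0
}

# Print "visible"/"hidden" per directory, as seen from the current mount namespace.
check_markers() {
    for d in "$@"; do
        if [ -e "$d/$MARKER" ]; then
            echo "visible $d"
        else
            echo "hidden  $d"
        fi
    done
}

# Number of processes visible through /proc in the current PID namespace.
# With --containall the container gets its own PID namespace, so this drops
# to the container's own processes only.
visible_pid_count() {
    n=0
    for p in /proc/[0-9]*; do
        [ -d "$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Number of mounts this process's mount namespace can see (0 if /proc is absent).
visible_mount_count() {
    if [ -r /proc/self/mounts ]; then
        awk 'END { print NR }' /proc/self/mounts
    else
        echo 0
    fi
}

report() {
    echo "mount ns : $(readlink /proc/self/ns/mnt 2>/dev/null || echo unknown)"
    echo "pid ns   : $(readlink /proc/self/ns/pid 2>/dev/null || echo unknown)"
    echo "mounts   : $(visible_mount_count)"
    echo "processes: $(visible_pid_count)"
    check_markers "$@"
}

main() {
    mode=report
    if [ "${1:-}" = "--mark" ]; then
        mode=mark
        shift
    fi
    # Default directories to probe: the home directory and /tmp, which
    # Singularity shares with the host unless --contain/--containall is given.
    [ $# -eq 0 ] && set -- "${HOME:-/root}" /tmp
    if [ "$mode" = mark ]; then
        create_markers "$@"
    else
        report "$@"
    fi
}

main "$@"
```

A differing mount namespace id alone does not prove isolation, since Singularity always creates one; the marker lines are the meaningful check, and the process count is what changes between --contain and --containall.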

...