LinuxCommandLibrary

apptainer

Run applications in secure software containers

TLDR

Download a container from Docker Hub

$ apptainer pull [path/to/image.sif] docker://[image]:[tag]

Download a container from the Container Library
$ apptainer pull [path/to/image.sif] library://[user/collection/container]:[tag]

Build a container from a definition file
$ apptainer build [path/to/image.sif] [path/to/definition.def]

Start an interactive shell inside a container
$ apptainer shell [path/to/image.sif]

Execute a command inside a container
$ apptainer exec [path/to/image.sif] [command]

Run the default runscript of a container
$ apptainer run [path/to/image.sif]

Inspect a container's metadata
$ apptainer inspect [path/to/image.sif]

Display help
$ apptainer [-h|--help]

SYNOPSIS

apptainer [GLOBAL-OPTIONS] <subcommand> [<subcommand-options>] [<arguments>]

PARAMETERS

-h, --help
    Display help message

--version
    Print Apptainer version information

-c, --config FILE
    Specify alternate config file

-d, --debug
    Enable debug output

-q, --quiet
    Suppress all normal output

-v, --verbose
    Increase verbosity level

--bind PATH[:DEST]
    Bind host path to container (multiple allowed)

--cleanenv
    Launch with clean environment

--contain all|dev|etc|home|tmp
    Contain filesystem(s) within container

-e, --env VAR=VALUE
    Set environment variable in container

--env-file FILE
    Read environment variables from file

--fakeroot
    Fake root privileges inside container

-H, --home HOST[:CONTAINER]
    Remap HOME directory

--hostname NAME
    Set container hostname

-w, --pwd PATH
    Set working directory

--net
    Enable container networking

--nv
    Enable NVIDIA GPU support

--rocm
    Enable AMD ROCm GPU support

DESCRIPTION

Apptainer is an open-source container platform designed for High Performance Computing (HPC) environments and shared Linux systems. It allows users to run applications in isolated, reproducible environments without root privileges, emphasizing security and usability in multi-tenant setups. Formerly Singularity, it supports the Secure Image Format (SIF), which encrypts and signs images to prevent tampering.

Key capabilities include running containers with MPI parallel jobs, GPU acceleration (--nv for NVIDIA, --rocm for AMD), and binding host resources like filesystems and devices. Common workflows: apptainer run image.sif executes the container's default runscript; apptainer exec image.sif command runs a specific command; apptainer shell image.sif provides an interactive shell.

Apptainer excels in scientific computing by preserving host privileges, enabling bind mounts for data sharing, and supporting image creation via definitions or OCI bundles. It is lightweight and runs without a daemon, which reduces the attack surface. It is widely adopted in supercomputing centers for reproducible research.
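
Added example (not part of the original page or of Apptainer's own documentation): a shell wrapper that checks the image signature, restricts bind mounts to approved host directories, and runs the command with the host environment and filesystems withheld. ALLOWED_BIND_ROOTS, the /data mount point, the APPTAINER override variable and the function names are assumptions; --containall, the :ro bind option and the verify subcommand are Apptainer features not listed above.

```bash
# Added example, not from the original page. ALLOWED_BIND_ROOTS, the /data
# mount point, the APPTAINER override and both function names are assumptions.
ALLOWED_BIND_ROOTS="${ALLOWED_BIND_ROOTS:-/scratch /projects}"

# Succeed only if the host path is absolute, has no "." or ".." component,
# cannot inject extra bind fields, and sits under an approved root.
# Symlinks are not resolved here; resolve them first if users control the path.
bind_is_allowed() {
    local src root
    src="$1"
    case "$src" in /*) ;; *) return 1 ;; esac
    # --bind takes comma-separated SRC[:DEST[:OPTS]] specs, so ',' and ':'
    # inside a path would smuggle in a second mount or different options.
    case "$src/" in */../*|*/./*|*:*|*,*) return 1 ;; esac
    for root in $ALLOWED_BIND_ROOTS; do
        case "$src/" in "$root"/*) return 0 ;; esac
    done
    return 1
}

# Run CMD in IMAGE with HOST_DIR bound read-only at /data and nothing else
# shared from the host. Usage: run_contained IMAGE HOST_DIR CMD [ARGS...]
run_contained() {
    local image host_dir
    image="$1"; host_dir="$2"; shift 2
    if ! bind_is_allowed "$host_dir"; then
        echo "refusing to bind host path: $host_dir" >&2
        return 2
    fi
    # Fail closed if the SIF signature does not verify.
    "${APPTAINER:-apptainer}" verify "$image" >&2 || return 3
    # --containall: no host $HOME, /tmp, environment, or shared PID/IPC.
    # --cleanenv is implied by --containall; kept explicit for readers.
    "${APPTAINER:-apptainer}" exec --containall --cleanenv \
        --bind "$host_dir:/data:ro" --pwd /data "$image" "$@"
}

# Dry run on constructed values: echo stands in for the apptainer binary.
( APPTAINER=echo; run_contained ./analysis.sif /scratch/job1 python3 run.py )
```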

CAVEATS

Some features (e.g., unprivileged overlays, namespaces) require the setuid bit on the binary and a kernel >= 4.18. SIF images are preferred for security; sandbox directories are less secure. Root is needed to build privileged images.

MAIN SUBCOMMANDS

run image.sif
exec image.sif CMD [args]
shell image.sif
build out.sif def.file
pull image.sif URL
inspect image.sif
delete instance-name

IMAGE SOURCES

SIF (.sif), directories (sandbox), extfs. Pull from Docker Hub, library.sylabs.io (now apptainer.org), OCI registries.

HISTORY

Originated as Singularity in 2015 from Lawrence Berkeley National Lab for HPC. Sylabs Inc. commercialized it in 2021, prompting a 2022 community fork renamed Apptainer under the Linux Foundation (BSD license). It is actively developed for open HPC use.

SEE ALSO

singularity(1), podman(1), docker(1), buildah(1), bubblewrap(1)
