
Run without --privileged #19

Open
fcasson opened this issue Jun 12, 2023 · 4 comments

Comments

@fcasson

fcasson commented Jun 12, 2023

My use case is to use singularity in a docker image for testing of singularity images in gitlab CI with the docker executor.

Our sysadmins don't want to start the gitlab runners in privileged mode for security reasons, so this looks like a non-starter unless there is a way to run the docker image without --privileged. My singularity images don't need to start any special services or open network ports, they just need to mount one directory which is in the same userspace as the user executing singularity run.

What is the fundamental limitation here that requires the --privileged mode of docker? My naive understanding is that singularity only requires root access to install (which is already done within the docker image) but not to run, but maybe this is over-simplistic.

Would it make a difference if we install singularity into the Docker image without setuid and started the docker daemon with namespaces?

@vsoch
Member

vsoch commented Jun 12, 2023

I'm not sure how the permissions have changed since I worked on it, you might want to open an issue to ask at https://github.com/sylabs/singularity. This repository is mostly just packaging the releases in a container.

@fcasson
Author

fcasson commented Jun 14, 2023

Okay, I tried a few things including apptainer-suid (easier to install and setup) and sysbox and I can't get it to work, e.g. this still fails:

docker run --runtime=sysbox-runc cassonf/rocky-apptainer:8.6 apptainer run docker://alpine

Info on why I tried sysbox for this use case: https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/

According to this issue singularity in docker without --privileged is considered a niche use case: apptainer/singularity#5458, which I guess means it is not supported.

Closing this issue since as you point out it probably belongs in the singularity / apptainer issues list.

@fcasson
Author

fcasson commented Jun 14, 2023

Opened apptainer/apptainer#1439

@vsoch
Member

vsoch commented Jun 14, 2023

Thank you @fcasson! I'll follow along there too.
