forked from pool/apptainer
Christian Goll
2bf2146d97
- Updated to version 1.1.0-rc1 which enables apptainer to run without
suid and additional groups. Although this is a prerelease this is
a major advantage justifying its use.
* Added a squashfuse image driver that enables mounting SIF files without
using setuid-root. Requires the squashfuse command and unprivileged user
namespaces.
* Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF
overlay partitions without using setuid-root. Requires the fuse2fs command
and unprivileged user namespaces.
* Added the ability to use persistent overlay (--overlay) and
--writable-tmpfs without using setuid-root. This requires unprivileged user
namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs
command. Persistent overlay works when the overlay path points to a regular
filesystem (known as "sandbox" mode, which is not allowed when in setuid
mode), or when it points to an EXT3 image. Does not work with a SIF
partition because that requires privileges to mount as an ext3 image.
* Extended the --fakeroot option to be useful when /etc/subuid and
/etc/subgid mappings have not been set up. If they have not been set up, a
root-mapped unprivileged user namespace (the equivalent of unshare -r)
and/or the fakeroot command from the host will be tried. Together they
emulate the mappings pretty well but they are simpler to administer. This
feature is especially useful with the --overlay and --writable-tmpfs
options and for building containers unprivileged, because they allow
installing packages that assume they're running as root. A limitation on
using it with --overlay and --writable-tmpfs however is that when only the
fakeroot command can be used (because there are no user namespaces
available, in suid mode) then the base image has to be a sandbox. This
feature works nested inside of an apptainer container, where another
apptainer command will also be in the fakeroot environment without
requesting the --fakeroot option again, or it can be used inside an
OBS-URL: https://build.opensuse.org/request/show/993098
OBS-URL: https://build.opensuse.org/package/show/network:cluster/apptainer?expand=0&rev=14
Create Apptainer Images from openSUSE/SLE
===========================================
To create openSUSE/SLE apptainer images from scratch a number
of bootdef variables need to be specified:
1. Create a bootdef file (for instance 'sle.def'), add
BootStrap: zypper
2. Set the OS version:
OSVersion: 15.0
The version number corresponds to the Leap version or the
SLE version and service pack level: <version>.<service_pack_level>
Example: SLE-12 SP4 would be 12.4.
The inital release of a major version corresponds to
<service_pack_level> 0.
3. For openSUSE the following additional variables need to be
specified:
* MirrorURL: URL to the installation repository.
Check 'man 8 zypper' for supported formats
* UpdateURL: (optional) URI of the update repository
4. For SLE, all required settings are obtained from SCC.
The following variables are recognized:
* Product: The product code: The following forms may be
used:
<product_id>
<product_id>/<os_version>
<product_id>/<os_version>/<arch>
<product_id>: SLES, SLE-HPC (SLE-12),
SLE_HPC (SLE-15), SLED
<os_version>: optional, if ommitted, the value
of OSVersion will be used.
The variable %{OSVERSION} is
recognized and replaced by OSVersion.
<arch> : The architecture to use. Defaults
to 'uname -m'.
* User: The email a subscription is registed with SCC.
* Regcode: The SCC registration code provided with the subscription.
* ProductPGP: The PGP key used to sign the repositories. Each line must
be terminated with \n. Long lines may be broken using the
continuation character '\'. See below.
Note: this is not required when an installer repository is
provided with MirrorURL.
Beginning with version 15, the URI to the installer image needs to be
provided as well:
* MirrorURL: Repository containing the SLE Installer (see also above).
Since SLE-15 consists of modules, a list of modules to be used should
to be specified as well:
* Modules: Specify the modules in a comma separated list without
spaces. Example:
SLEModules: sle-module-basesystem,sle-module-server-applications,sle-module-web-scripting,sle-module-hpc
Examples
========
Example defintions for SLE12-SP5 and SLE15-SP3 are in the same
directory as README.SUSE
ProductPGP
==========
SLEpgp: -----BEGIN PGP PUBLIC KEY BLOCK-----\n\
Version: rpm-4.11.2 (NSS-3)\n\
\n\
mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp\n\
YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY\n\
91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma\n\
hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9\n\
vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8\n\
L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT\n\
aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYCGwMGCwkIBwMCBBUC\n\
CAMEFgIDAQIeAQIXgAUCWEfrHwUJDsIitAAKCRBwr56BOdt8gpqUB/wPSSS5BcDu\n\
Oi4n02cj4Hdt7WITKBjjo0lG1fXG1ppx1wOST+s8FertMVFY53TW6FGjcYtwVOIq\n\
rsMYiV6kf1NxUV/jcAy7VmC5EZnO0R/D3sT4Oh5hsLtERauZolK5BZmd0S51Qa8e\n\
TxZ5mX9PL2i3s/ShETc30drf83ugc7B4yZPNQWXNDPgGcC+hEeC5qw48RzHYIpUt\n\
RzHmefR5Z3ioTUbDlzy+SGP2uA7mhR4Lfk/df5fYxWfCoKlyGjtrvA65cB+Pksyn\n\
xrAeBuB+vBM+KnDrxW2Sn4AbWkzH//dfz9OJDJu4UM91hb7qxM0OkrXHQV3iNqzg\n\
MDEhky/9NqMy\n\
=GdP5\n\
-----END PGP PUBLIC KEY BLOCK-----