Singularity 3.0 introduces many new security related options to the container runtime. This document will describe the new methods users have for specifying the security scope and context when running Singularity containers.
Singularity provides full support for granting and revoking Linux capabilities
on a user or group basis. For example, let us suppose that an admin has
decided to grant a user capabilities to open raw sockets so that they can use
ping in a container where the binary is controlled via capabilities (i.e. a
recent version of CentOS).
To do so, the admin would issue a command such as this:
$ sudo singularity capability add --user david CAP_NET_RAW
This means the user
david has just been granted permissions (through Linux
capabilities) to open raw sockets within Singularity containers.
The admin can check that this change is in effect with the
$ sudo singularity capability list --user david CAP_NET_RAW
To take advantage of this new capability, the user
david must also request
the capability when executing a container with the
--add-caps flag like so:
$ singularity exec --add-caps CAP_NET_RAW library://centos ping -c 1 126.96.36.199 PING 188.8.131.52 (184.108.40.206) 56(84) bytes of data. 64 bytes from 220.127.116.11: icmp_seq=1 ttl=128 time=18.3 ms --- 18.104.22.168 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 18.320/18.320/18.320/0.000 ms
If the admin decides that it is no longer necessary to allow the user
to open raw sockets within Singularity containers, they can revoke the
appropriate Linux capability like so:
$ sudo singularity capability drop --user david CAP_NET_RAW
capabiltiy add and
drop subcommands will also accept the case
all to grant or revoke all Linux capabilities to a user
or group. Similarly, the
--add-caps option will accept the
Of course appropriate caution should be exercised when using this keyword.